Thinking of investing in the Spanish property market? From December 2, 2024, the Spanish government made new rules that hotels must take a lot of personal information from tourists, like names, bank card numbers, and information about the tourists’ families. These details must then be given to security services. Hotels in Spain already ask for information from guests’ ID cards or passports, but these new rules are likely to be the strictest in the EU, collecting up to 42 pieces of personal information.
The updated rules are part of Royal Decree 933/2021, a law that was put off until now. It sets the requirements for filing of documents and information for people or businesses renting out rooms and cars. We know everything about the new rules that are causing a stir in Spain and around the world.
Spain’s method for registering travellers
A traveller registration system was put in place, which requires companies in the sector to give up to 42 pieces of information about bookings and travellers. This is the major change. Hoteliers and tour agencies are thinking about going to court because they think that the implementation needs information that European data security agencies don’t allow to be collected, like credit card information.
The rule says that ticket information must be shared. This includes contract identifiers like reference numbers, booking, check-in, and check-out times, as well as information about the business (type, name, and address). Along with traveler numbers and payment options, it needs personal information like name, last name, ID, email address, and phone number of the person making the reservation. Depending on the case, fines for not following the rules run from €100 to €30,000.
The Ministry of the Interior has already said that it will soon hold a public comment on Royal Decree 933/2021. The survey will last for two weeks and give companies a chance to suggest ways to make the law better, such as by automating data systems.
As of December 2, 2024, all tourist accommodations, travel agents, digital platforms, and car rental companies must provide user data through the Ses.Hospedajes platform. This is in addition to any changes that might be made after the public feedback process.
“Big Brother” rules for tourists and trouble
The Senate passed a move from the PP on November 20th asking the government to stop enforcing Royal Decree 933/2021 for good. This is because the main opposition party calls it the “Big Brother of Tourism.”
There were 153 votes for, 6 votes against, and 6 abstentions. But unlike early fall, the government has not changed the plans for what is going to happen.
The planned start date was October 1, but it was pushed back for technical reasons, as described at the time by the Interior Ministry, to make it easier for businesses in autonomous communities to share data and connect with regional police forces.
The Ministry, which is run by Fernando Grande-Marlaska, supports the change by saying it will make the people safer. It says that since it started in 2022, the system has helped 18,584 people who are in national or foreign records be found.
At the moment, the platform has more than 61,000 hotel properties, almost 2,000 travel agents, 220 digital platforms, and 1,720 car rental companies listed. In total, they have kept track of 4.77 million related user data records. From now on, everyone in the field will have to register.
Hotels and booking companies are thinking about going to court.
The tourism industry says the government has ignored its worries and warns that the rule can’t be put into action in real life. They also think it will make them less competitive in the national and European markets, and because it will cost businesses more, it will make prices go up for visitors.
In a statement, Cehat, the Spanish Confederation of Hotels and Tourist Accommodation, criticised the government for “lack of communication and transparency” when it comes to the sector’s worries and tourists’ rights under Royal Decree 933/2021.
On the one hand, the workers’ union has said that the government has not replied to their “repeated” calls for discussion or the letters they have sent along with European tourist groups. Additionally, they say that the text of the Royal Decree needs to be looked over in a “thorough” way.
Cehat also said that they were sorry that the registration system was put in place before the public feedback process for the ministerial order was finished. This would make things even more confusing for tourists and hotel owners. They said that putting it into action would add a “unreasonable” amount of paperwork, since 95% of the sector is made up of small and medium-sized businesses.
“This Royal Decree infringes upon fundamental privacy rights and is contrary to several EU directives, which is why Cehat asserts that compliance is impossible due to the risk it poses to establishments being subject to lawsuits from travellers,” say the hoteliers, who are ready to take court steps.
Travel companies are making the same complaints and taking the same steps
Last week, the first Forum on Tourism Law took place in Barcelona and Madrid. Catiana Tur, Manager of the Corporate Association of Specialised Travel Agencies (ACAVE), spoke out against what she called the “legal uncertainty” caused by Royal Decree 933/2021 and the fact that “the sector has not been consulted” on the ministerial order about the new system for registering travellers.
She thinks “the regulation is impossible to apply, as it demands data that European data protection agencies prohibit collecting, such as credit card details.” Additionally, she complained about the “silence” from the Spanish Data Protection Agency, saying that they have been waiting months for an answer.
President of the Business Federation of Territorial Associations of Spanish Travel Agencies (FETAVE), César Gutiérrez, said, “We didn’t think the Royal Decree would actually go through because all reports—those from the Data Protection Agency, the European Commission, and the State Council—pointed to many ways in which it would be in conflict with existing laws.”
Maria Dolores Serrano, a legal adviser for the Union of Travel Agencies (UNAV), said that the Ministry is asking for the data because it is necessary for public safety. She also said that as travel agencies, “we do not question the purpose, but the form and scope of it.”
Three business groups said they might take legal action against the new traveler registration because they think it “violates European data protection regulations due to the amount of sensitive and personal data it requires companies to collect.”
In a joint statement, FERAVE, UNAV, and ACAVE say “it is important to raise awareness among the public and travellers about the seriousness of this regulation, as they will be the main victims once the measure is implemented, as they will have to provide over 40 pieces of data for accommodation bookings and more than 60 for vehicle rental.”
They also informed the Ministry that the European Commission and the Spanish Data Protection Agency had already sent reports during the processing of the Royal Decree, saying that many parts did not follow the rules and asking the Ministry to make changes.
Rosario Sánchez, the Secretary of State for Tourism, has said, “there is no need to make a mountain out of the process of adapting the regulation. It is similar to many others we have experienced in our country” and “has always had brilliant results.”
