Travellers booking accommodation in Spain or renting a car in the country could be in for a shock in 2023 as new legislation comes into force that requires the submission of an extensive set of personal details and sensitive payment information.
Due to be implemented in January, Real Decreto 933/2021 will require accommodation and car rental providers to submit customers’ data to the police within 24 hours of the booking or check-in and also to keep that information secure for three years. The police will be able to retain the information indefinitely.
Not surprisingly, there has been considerable pushback from the travel industry around a number of points, but principally data privacy and the necessity of collecting and storing such data, and the potential workload it creates.
For travel management companies – and other booking intermediaries – it is understood it will mean the additional burden of collating, securely storing and submitting additional and highly sensitive information.
In Spain, various organisations are lobbying against the legislation, including the CEOE which represents Spanish businesses, and several travel associations including GEBTA – which represents travel management companies operating in Spain – who first brought the legislation to BTN Europe’s attention.
“It has enormous implications for the travel industry, as well as on international travellers visiting Spain for leisure or corporate reasons,” GEBTA’s director general Marcel Forns told BTN Europe.
The Spanish government approved the Real Decreto even after the European Commission reported that the regulation was disproportionate, unnecessary and contrary to EU law and jurisprudence, said Forns.
“The regulation is in violation of EU law and will entail the creation of a mega-database of sensitive person-related information, available for unlimited time by the Spanish police," he added.
“My concern is that few people seem to be reacting to it. It is not legal, it is not proportionate, and it is going to have a big impact on the travel industry.”
Forns adds that the standard was prepared without consulting travel sector organisations and has the potential to “torpedo” Spain’s business and leisure travel market.
What is Real Decreto 933/2021?
Real Decreto 933/2021 was published in Spain in October 2021 with the rationale of the 'protection of citizen security'.
In many countries it is already common for hotels and car rental providers to collect basic customer information at check-in, including in the likes of France (where the system is known as the ‘fiche individuelle de police’), Germany (where it is called the ‘Meldeschein’), the UK and in Spain.
“In general, the data collected by hotel or accommodation suppliers includes no more than eight person-related items, and those are normally included in the passport or ID card,” said Forns. “But the [new] Spanish regulation includes in the list of data to be collected more than 30 additional items.”
For accommodation guests, that additional information will include the means of payment, type of credit card, credit card number and IBAN/bank account number, among other payment information.
Car rental customers, meanwhile, will also need to provide payment details, as well as driving licence information, time, location of vehicle pick-up and return, rental mileage, and post-rental GPS data (where available) detailing the customer’s movements.
“The additional personal data not only provides extensive and intrusive information about the means of payment and transactions of corporate travellers, but moreover it implies the tracking of itineraries,” said Forns.
While customers’ basic information must be held by suppliers for six months in France and for one year in Germany and be made available to police if necessary, in Spain, the Real Decreto will require accommodation and car rental providers to store the data for three years.
The legislation goes further, requiring suppliers to submit the expanded information to the police within 24 hours of the booking or of the service commencing, with no exceptions, and subject to fines and penalties in case of failure to do so. Police will be able to retain the data indefinitely.
What’s happening right now?
Introduction of the legislation had already been postponed from its original launch date in April this year in the face of pressure from Spain’s travel industry, with a new launch date set of 2 January 2023.
“The system is not yet 100 per cent ready,” Forns told BTN Europe. “In fact only a few suppliers have tried to use the platform that the administration has created. The administration has been informed that the industry won’t be able to operate on the system in January.”
Travel agency associations had recently asked for a moratorium of four to five months in order to adopt to the platform, Forns added, but the request was refused.
In the meantime, GEBTA and other travel agency associations continue to lobby for intermediaries to be excluded from the legislation and for a definitive repeal of the Real Decreto.
The industry reaction
Feedback from other industry stakeholders was not particularly forthcoming, perhaps reflecting Forns’ concerns about a lack of awareness of the development and its implications.
Two leading Spanish hotel groups that BTN Europe contacted declined to comment while one TMC said they do not believe the legislation complies with current data regulation in Spain but preferred not to comment on the record.
However, CWT’s global market manager for Spain, Italy and Greece, Antonio Roig, said that, like GEBTA, the TMC believes the legislation to be “both prohibitive, disproportionate and most concerningly, a data protection and privacy minefield.”
Roig said that whoever manages the booking is responsible for collecting the necessary details and sharing it with the authorities, be it a TMC, online travel agency or suppliers themselves.
He continued: “Safely sharing, managing and conserving such granular and sensitive information to providers or intermediaries and the Spanish security and protection services, as well as the data processors themselves, comes with exceedingly high risk. We are therefore working closely with several TMC associations in Spain to oppose this legislation.”
UK-based legal adviser, Matt Gatenby, senior partner at Travlaw, said he has had a number of queries about the legislation.
“The general thrust of the thinking from Spanish tourism professionals is clearly that this rule adds burden where it need not,” said Gatenby. “The information being collected on check-in is above and beyond what travellers of any description would expect to give in just about any jurisdiction.”
He added: “The practical upshot of the Decreto looks to be one of time and efficiency. It is hard to envisage a future where checking in at a hotel or collecting a rental car will be anything other than longer and more involved.”
Gatenby did not confirm whether TMCs will be responsible for collecting the new data sets but indicated it could be a moot point for non-Spain-based TMCs. “There is the question of enforcement… for the sake of argument, if a UK TMC blatantly refuses to comply, what can the Spanish authorities really do?”
For now, Real Decreto remains on course to come into effect in January when its impact is expected to be felt, which is likely to include longer check-in protocols for travellers – and, perhaps, growing backlash against the collection of such extensive and sensitive information.
In the meantime, while requests to exclude intermediaries have so far fallen on deaf ears, Forns says GEBTA will continue to lobby against the legislation.
The organisation is “committed to continue fighting for the repeal of the regulation, because even if intermediaries had been excluded, the legislation is still in violation of the law and personal data protection, and this is absolutely unacceptable.”