Can a hotel copy my passport?

In most EU countries, no. Hotels may note the information required by local law (name, date of birth, nationality), but making a full copy or scan of the passport goes beyond what is necessary under GDPR.

What data can a hotel record at check-in?

Hotels may record the data prescribed by local law. Typically: full name, date of birth, nationality, document number, and check-in and check-out dates. Biometric data such as passport photos are not necessary.

What if a hotel scans my passport anyway?

You can file a complaint with the national data protection authority (e.g., the ICO in the UK). Hotels that systematically scan passports without a legal basis risk a fine.

How long can a hotel keep my data?

Only as long as local law requires. In most EU countries, this is 1 to 3 years. After that, the data must be deleted.

Hotel Guest Passports and ID Cards: Do's and Don'ts - GDPRWise

Scanning and copying hotel guest passports and ID cards is a sensitive topic under GDPR. This article explains what hoteliers can and cannot do, with real enforcement examples and fines.

The problem: hotels collecting too much data

You arrive at a hotel. At the front desk, you are asked to hand over your passport or ID card. The receptionist scans the document, makes a copy, or enters all the data, including your photo and national ID number.

This is a scenario millions of travellers know. But is it allowed under GDPR?

The short answer: no, usually not. Hotels have a legal obligation to register certain guest data, but copying or scanning the entire identity document almost always goes beyond what the law requires.

What does the law say?

Most EU member states require hotels to register guest data; this is known as the police registration requirement (Meldepflicht in Germany, fiche de police in France, ficha de policia in Spain). The exact requirements vary by country, but typically include:

Full name of the guest
Date of birth
Nationality
Type and number of the identity document
Check-in and check-out dates

That’s it. No passport photo. No national ID number. No full scan of your passport.

Enforcement: fines for hotels

The Spanish Data Protection Authority (AEPD) has fined several hotels for violations related to guest identity data:

Hotel in Barcelona - EUR 30,000 fine The hotel routinely made copies of passports at check-in and stored them digitally. The AEPD ruled this violated the principle of data minimisation (Article 5(1)(c) GDPR): the hotel collected more data than necessary for the purpose.

Hotel chain in Madrid - EUR 45,000 fine The chain kept scanned passports for up to 5 years after the stay, while Spanish law prescribes a retention period of 3 years. Furthermore, the scans were not adequately secured; employees had unrestricted access.

Hotel in Mallorca - warning The hotel only copied the number and name, but also stored the nationality in an unsecured Excel file accessible to all employees via a shared folder. The AEPD issued a warning requiring the hotel to fix the security within 3 months.

Do’s and don’ts for hoteliers

What you SHOULD do

Record the legally required data: name, date of birth, nationality, document number, stay dates
Visually check the identity document: you may view the document to verify the information
Inform guests why you need the data (legal obligation) and how long you will keep it
Secure the data: access control, encryption, limited access for staff
Delete data after the legal retention period expires
Train your staff: front desk employees must know which data they can and cannot record

What you should NOT do

Make copies or scans of passports or ID cards without a legal basis
Store passport photos or biometric data
Record national ID numbers (or equivalents) unless local law explicitly requires it
Keep data longer than the law prescribes
Store guest data in unsecured systems (Excel files on shared folders, unencrypted USB drives)
Use data for marketing without explicit consent

By country: what is required?

Country	Legal basis	Required data	Retention period
Belgium	Royal Decree 23/10/2020	Name, date of birth, nationality, document nr, stay dates	1 year
Netherlands	Municipal Act art. 438	Name, address, date of birth, nationality, document nr	1 year
Germany	Bundesmeldegesetz par.29	Name, date of birth, nationality, document nr, arrival date	1 year
Spain	Ley de Seguridad Ciudadana	Name, date of birth, nationality, document nr, stay dates	3 years
France	Code de la securite interieure	Name, date of birth, nationality, document nr	6 months
United Kingdom	Immigration Act 2016	Name, nationality, document nr, check-in/check-out	1 year

What should you do as a hotelier?

Review your current procedure: are you making copies or scans? Stop, unless you have a specific legal basis
Update your check-in form: only collect the legally required fields
Delete old scans and copies: if you have stored digital copies of passports, delete them
Secure your guest register: use a secure system with access control, not a shared Excel file
Inform your guests: a short privacy notice at reception or in the confirmation email is sufficient
Set retention periods: configure your system to automatically delete data after the legal retention period

auto_awesome Know what data your hotel website collects?

GDPRWise scans your website and automatically detects what personal data you collect through booking forms, cookies and third parties. Including a tailor-made processing register.

Start free scan

Hotel Guest Passports and ID Cards: Do's and Don'ts Under GDPR