Spain's New December 2 2024 Tourism Data Collection Law

Introduction to Spain's new Data collection Law for Visitors

Spain has introduced a new law, Royal Decree 933/2021, that applies to hotels, hostels, guesthouses, rural tourism accommodations, campsites, mobile home establishments, travel agencies, tourist rental platforms (Airbnb), and car rental companies that are now required to collect additional personal data from customers.

The new law is to update the existing laws for registrations of lodging that date back to 1959 with the aim of combating terrorist activity and organised crime of a transnational nature by providing Spain's interior ministry with traveller data.

This law comes into force on the 2nd of December 2024 and applies to mainland Spain and its islands, including the Balearics and the Canary Islands. Tourism businesses that do not comply with the law could face fines from 100 to 30,000 euros for non-compliance.

Criticism from the Tourism industry

Within Spain, the new law has been fiercely criticised by travel agency associations including the European association, Spain's hoteliers, as well as Spain's Congress and Senate. CEHAT, Spain's leading hotel association, succeeded in postponing its introduction in January 2023 to allow hoteliers and other tourism industries to adjust systems to the new law.

The aim of the law is to provide Spain's interior ministry with traveller data that will be uploaded onto a platform which will be monitored by Spanish security forces. Data will be kept for three years. The government argues that criminals often rely on accommodation and car rental services to facilitate their activities, and that the old regulations from 1959 are obsolete and useless.

However, the tourism industry has raised concerns:
• Excessively bureaucratic: longer queues at check-in
• Invasion of Privacy: by collection of so much personal data
• Competitiveness: The law makes Spain less competitive as a tourist destination within Europe
• Cyber security risk: 70% of accommodation providers are small or medium-sized businesses that lack adequate systems security to ensure data protection.

What personal Data?

Until the 2nd of December 2024, victors had to provide an ID document such as DNI/NIE/TIE (Spanish identity card) or passport, email address and full name as well as driving license for hire car rental. This data was passed on to the government of Spain. Now the below additional information will be collected and passed to the Government of Spain

From 2nd December 2024, Below Data will be collected for lodgings

Guest personal data:
• Full name: first name, middle name(s), surname (name, maternal surname, paternal surname)
• Gender: Male or Female
• ID number: i.e passport or DNI/NIE/TIE and type of document
• Nationality:
• Date of birth:
• Place of habitual residence: (full address and country)
• Phone numbers: Landline telephone & Mobile phone
• Email:
• Number of travellers: i.e. the number of additional guests under the booking
• Relationship: kinship where travellers under the booking are minors
Guest Booking data:
• Contract: Reference number, Date and guest signature
• Arrival and departure dates: Date of entry, date of departure
• Property details: Full address, number of rooms and if there is an internet connection (yes/No)
Guest Billing data:
• Payment Type: (cash, credit card, bank transfer, payment platform (Airbnb, PayPal, Booking.com etc)
• Identification of payment Type: credit/debit card number, card expiry date, date of payment, Bank account IBAN, mobile payments etc
• Holder of the payment method:

From 2nd December 2024, Below Data will be collected for Hire-Car Rental

Main Driver Data:
• Full name: first name, middle name(s), surname (name, maternal surname, paternal surname)
• Gender: Male or Female
• ID number: i.e passport or DNI/NIE/TIE and type of document
• Nationality:
• Date of birth:
• Place of habitual residence: (full address and country)
• Phone numbers: Landline telephone & Mobile phone
• Email:
Driver's Data:
• Driving license: Number
• Validity: Valid from date and valid to date
• Type: i.e. B1,
• Issuer: Although not mentioned, I suspect that the issuer of the driving license will also be recorded, i.e. DVLA for the UK or the country that issued the driving license.
• Second driver: Same data as above for additional drivers
Driver contract data:
• Contract: Reference number, Date and guest signature
• Vehicle Pickup: Date, time and location
• Vehicle Return: Date, time and location (and country if not Spain)
• Vehicle Data: Make, Model, Registration, VIN number, colour, Type (truck, van, passenger car), Km at start of rental, Kms at end of rental, GPS tracker data (if applicable)
Driver Billing data:
• Payment Type: (cash, credit card, bank transfer, payment platform (Airbnb, PayPal, Booking.com etc)
• Identification of payment Type: credit/debit card number, card expiry date, date of payment, Bank account IBAN, mobile payments etc
• Holder of the payment method:

Data Retention

On the surface it would seem that Spain is now collecting a lot of intrusive personal data about visitors and retaining that data for three years. However, I reviewed the data retention for online booking platforms to compare and get a benchmark.

Data Retention:
• Booking.com: Although not specifically stated, forever is implied. "as long as is necessary to enable you to use our services"
• Airbnb.com Although not specifically stated, forever is implied. However, if you are from a region such as the EU that has a right to be Forgotten law then you can request that your data be removed.
• Trivago.com is a bit more specific stating that you can send an email to request that they remove personal data about you under GPDR law. However it does not specify how long, by default, historical data is stored so we can assume that it is forever. "We keep your personal data only for as long as needed or permitted in light of the purposes for which it was collected and consistent with applicable law".

Opinion

My opinion is that the above data is already collected when you book a hotel or hire car.

Personal Data: When you book a hotel, you usually fill in a form with this data or if you use an online booking platform then this data is already on their system. I am sure most travellers have all of the above personal data on bookings.com and Airbnb platforms as well as many more. the big change is that now this information is being passed to the Spanish government as well as being retained by the private multinational companies (Booking.com, Airbnb etc) that already store lots of personal data about us. The only additional data that is being collected is kinship for minors which may be used to crack down on child trafficking but could be tiresome for someone organising a school trip.

Booking/contract data: Again, the historical booking data is already stored on online booking platforms but now accommodation providers are now obliged by law to pass it on to the Spanish government. How long does a booking platform retain our booking data, forever? Spain says that it will retain this data for three years only.

Billing data: This is already stored by the booking platform as well as payment details so not any new data being collected here. Accommodation providers are now obliged by law to pass it on to the Spanish government where it will be retained for three years, not forever.

Ultimately, this process of collecting personal data will be as transparent as an online booking platform or any other large multinational such as Google, but in the first week it may be a bit messy as hotels adjust to the new law and processes for entering this data into the new platform.

Tips: if the booking platform does not automatically pass this data on to the hotel then you may get asked to fill in a form at check-in. It may be worth taking a printout with your personal data to save time spelling out at the check in desk, at least while accommodation providers adjust their processes.