ARTICLE
20 February 2025

Processing Of Private Data By Hotel

G. Vrikis & Associates Ltd


G. Vrikis & Associates LLC is a rapidly expanding and prominent law firm in Cyprus. Established in 2015 by its managing partner, Mr. George Vrikis, the firm has focused on providing high-level legal advice to its clients and expanding its international profile and clientele, while at the same time maintaining a prompt, proactive and family office-approach for its clients. The Firm expanded to a second location in Limassol in 2019, with the addition of Mrs Christiana Kouppi as a Partner.

Recent guidance has been provided by the Commissioner of Personal Data Protection, upon receiving multiple enquiries and complaints as to the practice of hotels and other touristic establishments in Cyprus of copying and maintaining passport and/or other identity card data of their clients during the check-in process. It was noted that the said establishments do not only obtain the data, but actually make photocopies or scans of the said documents, which they then maintain in their databases.

It was further noted by the Commissioner that the provisions of the Hotels and other Touristic Establishments Law of 1985 (as amended), and specifically the provisions of Articles 10 and 64 therein, do provide that the hotel should maintain records as to their clients, including their names, addresses, etc., and that the client has an obligation to present their passport if asked to do so during the check-in process. Such matters nevertheless need to be considered in the light of the limitations placed on the collection and processing of personal data under the Data Protection Regulation of the European Union (Regulation 2016/679).

Reasoned Analysis by the Commissioner

In order to assess the lawfulness of the processing carried out through the taking and retention of copies of identity cards or passports of customers, account should be taken of the applicable legislation. Referring to the relevant legislative framework, hotels/tourist accommodation establishments are required to record and retain details of their guests in the 'under the authorities' customer arrival lists' for a period of time consistent with the provisions of the legislation.

However, the legislation does not provide anything for the collection and retention of copies of identity cards or passports of customers. In the absence of an appropriate legal basis, hotels/tourist accommodation establishments may not undertake such collection and retention.

The taking and keeping of copies of identity cards/passports not only fails to meet the principle of legality (Article 5(1)(a) of the Regulation), but also exceeds the limits of the principle of data minimisation (Article 5(1)(c) of the Regulation). Copies contain data (e.g. photograph, full name of father) which are not necessary for the proper functioning of hotels and tourist accommodation, nor for the services provided.

As per the Commissioner's conclusion, the lawfulness of the processing is satisfied by the mere presentation of the identification document and the validation of the personal data. The collection and retention of a copy of the identity card/passport would violate the principles of legality and data minimisation.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
