Recent guidance has been provided by the Commissioner of Personal Data Protection, upon receiving multiple enquiries and complaints as to the practise of hotels and other touristic establishments in Cyprus of copying and maintaining passports and/or other identity card data of their clients during the check-in process. It was noted that the said establishments do not only obtain the data, but they actually make photocopies or scans of said documents, which they then maintain in their databases.
It was further noted by the Commissioner that, whilst on the one hand the provisions of the Hotels and other Touristic Establishments Law of 1985 (as amended), and specifically the provisions of Articles 10 and 64 therein, do provide that the hotel should maintain records as to their clients, including their names, addresses, etc, and that the client has an obligation to present their passport if asked to do so during check-in process, such matters need to be considered in the light of the limitations placed for the collection and processing of personal data under the Data Protection Regulation of the European Union (Regulation 2016/679).
Reasoned Analysis by the Commissioner
In order to assess the lawfulness of the processing carried out, through the taking and retention of copies of identity cards or passports of customers, account should be taken of the applicable legislation. Referring to the relevant legislative framework, hotels/tourist establishments accommodation establishments are required to record and retain details of their guests in the 'under
the authorities' customer arrival lists' for a period of time consistent with the provisions of the legislation
However, the legislation does not provide anything for the collection and retention of copies of vouchers identity cards or passports of customers. In the absence of an appropriate legal basis, hotel operators establishments/tourist accommodation may not undertake such collection and retention.
The taking and keeping of copies of identity cards/passports not only does not meet the principle of legality (Article 5(1)(a) of the Regulation), but also exceeds the limits of the principle of data minimisation (Article 5(1)(c) of the Regulation). Copies contain data (e.g. photograph, full name of father) which are not necessary for the proper functioning of hotels and tourist and tourist accommodation, nor for the services provided.
As per the Commissioner's conclusion, the lawfulness of the processing is satisfied by the mere presentation of the identification and validation of personal data. The collection and retention of the copy of the identity card/passport would violate the principles of legality and data minimisation.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.