Registering travellers is mandatory, but the GDPR sets clear limits. Here is what you can collect, what you must not store, and for how long.
The legal basis: legal obligation, not consent
Many people think registering a guest depends on the guest giving consent. It does not. The processing of this data rests on compliance with a legal obligation — the one imposed by the traveller-registration rules.
That means the guest cannot refuse to provide the required data if they want to stay — but it also means you may only use it for that purpose.
What data you can and must collect
You may collect exactly the data the traveller-registration rules require: identification, contact, residence, and stay data. No more, no less.
The GDPR’s data-minimisation principle is clear: asking for extra data "just in case" is not justified and exposes you to risk.
What NOT to do: store copies of the document
This is the most widespread mistake. The Spanish Data Protection Agency has warned that accommodations should not request or keep photocopies or images of the DNI or passport.
The right approach is to read the document to extract the mandatory data and not store the image. Keeping copies is excessive collection that can lead to problems.
How long to keep the data
Royal Decree 933/2021 sets a retention period of three years from the end of the service. After that, the data must be deleted: holding it indefinitely is not GDPR-compliant.
It helps to have a clear retention and deletion policy and to apply it consistently.
Security: how BookCheckin protects the data
The GDPR also requires appropriate security measures. BookCheckin transmits information encrypted, stores it on European servers, and limits access to authorised staff.
And by not storing document images and sending only the required data, the system’s design supports compliance rather than complicating it.