GOLD/FOREX
DUBAI 32°C
PRAYER TIMES
WORLD
WORLD
EXPLAINER

Visiting Spain? Get ready to reveal more about yourself

Home addresses, relationships between travel companions to be collected

Last updated:
Jay Hilotin, Senior Assistant Editor
4 MIN READ
The famous Cibeles fountain in Madrid, Spain.
The famous Cibeles fountain in Madrid, Spain.
Shutterstock

If you’re visiting Spain, you'll now need to share significantly more personal information than just your name and passport details.

New rules in Spain now require hotels, car rental companies, and other tourism providers to collect more personal data from travellers.

The rule, as promulgated by the Spanish Royal Decree 933/2021, which kicked in on December 1, 2024, requires tourists to provide over 40 pieces of information for accommodation bookings and over 60 for car rentals.

What personal data will be collected?

Accommodations are mandated to submit detailed data, including:

  • Full name
  • Gender
  • Passport details (number and issuing country)
  • Nationality
  • Date of birth
  • Complete address
  • Contact details (phone numbers, email)
  • Details of travel companions
  • Transaction records, such as contract signing dates
  • Arrival and departure information

    • The more contentious requirement is the inclusion of payment details, including:

  • Method of payment (cash, card, or digital platforms)
  • Card or account details (card number, IBAN, etc.)
  • Name on the card/account
  • Card expiration date

    • Why is this a concern?

    The new data collection mandate has ignited strong reactions, with critics labeling it a “Big Brother” initiative. Concerns include:

    60
    Number of data points to be filled by tourists for car rentals

    Privacy invasion: Many view the measures as excessive, arguing they provide authorities with extensive powers to monitor tourists and their financial data.

    Administrative burden: The Spanish Confederation of Hotels and Tourist Accommodations (Cehat) has criticized the law for the heavy workload it imposes on the tourism sector and unclear legal implications.

    Data security risks: Worries have emerged over how securely this sensitive information will be stored and used.

    Spanish officials, however, argue that the rules are critical for national security, enabling better monitoring of who is in the country and their movements

    Legal action

    The Spanish hotel association CEHAT is even considering legal action due to potential disruptions and delays. Travelers have also voiced privacy concerns.

    Given the new disclosure policy, the country’s tourism industry faces a shake-up.

    40
    Number of data points tourists must give for hotel bookings

    Impact on travellers

    • Spain's position as a global tourist hotspot may face challenges. • These regulations could discourage travelers concerned about privacy and data safety, despite Spain’s appeal with its vibrant cities, historic sites, and renowned beaches. • For now, anyone planning to visit Spain should prepare to disclose extensive personal details and monitor how this debate evolves.

    Backlash against decree

    The new requirements have sparked backlash Critics argue that the process, which demands information on payment methods and even personal connections, invades privacy and complicates the booking process.

    CEHAT said the increased data collection will burden travelers and extend check-in times by up to 10 minutes per guest.

    App crashes

    Compounding frustrations, a government-run online app intended for submitting the data crashed on the day of implementation, highlighting concerns about poor preparation.

    Despite reassurances that these updates reflect advances in technology, travellers and industry leaders remain wary, with some British tourists already reconsidering trips to Spain.

    Meanwhile, officials defend the move as a necessary response to evolving criminal tactics in booking accommodations and car rentals.

    European tourism group chimes in

    In an analysis of the Spanish Royal Decree 933/2021, the European Travel Agents’ and Tour Operators Associations (ECTAA), explained that “companies under the scope of the Royal Decree will need to have in place an electronic registry in order to comply with the new obligations.

    Before starting the activity, the company will need to communicate business data details in order to "sign-up" in the platform.”

    “In relation to customer data, it will need to complete a very detailed form and keep customer data for three years. These data will need to be communicated through an electronic platform to the relevant authorities. This will apply to all travellers irrespective of their age. Data are collected directly to all travellers over 14 and via their accompanying persons for travellers under 14.”

    'Vague, unclear, potentially far-reaching'

    Furthermore, ECTAA cited the “vague, unclear and potentially far-reaching purpose for the collection of data”.

    While the decree indicates in its preamble that the purpose for the collection of such data is to better fight against terrorism and organised crime, “article 7.1 of the Decree seems to indicate that these data will be covering a much wider purpose.”

    Article 7.1 of the Royal Decree provides that the “data generated in this royal decree will be kept in the Secretary of State for Security. Your treatment may only be carried out by the Security Forces and Bodies in the performance of their respective powers in the field of prevention, detection and investigation of the crime assigned to them.”

    “That can mean that the data generated may be used by Security forces and bodies for purposes other than fight against terrorism and organised crime,” ECTAA stated.

    Data retention

    The group also challenged the proportionality of the decree.

    It cited the mandate for data to be kept for a maximum period of 3 years, “which can be considered disproportionate, in particular with regards to minors under 14.”

    Triggering cases:

    Terrorism concerns: Past incidents of terrorism in Europe, including in Barcelona, highlighted gaps in tracking visitors. Short-term rentals: The proliferation of unregistered tourist accommodations led to loss of tax revenue and a lack of traceability of guests​

    Compliance with Schengen rules

    While the new measures do not directly contradict the Schengen Agreement, which promotes borderless travel within Europe, critics argue they impose additional hurdles on free movement by requiring extensive personal data.

    Privacy advocates view the measures as disproportionate and akin to surveillance, potentially conflicting with the EU's General Data Protection Regulation (GDPR)​.

    Spain maintains that the benefits outweigh the concerns. Only time will tell if these policies will deter travelers or successfully enhance safety and oversight.

    Related Topics:
    Free-article

    Sign up for the Daily Briefing

    Get the latest news and updates straight to your inbox

    Up Next

    Related Stories

    Navya Naveli, Armaan Malik Meet Apple CEO Tim Cook In USA

    iPhone17 launch sees Armaan Malik and Navya Naveli

    3m read
    ‘DUBAI WILL REMAIN YOUNG’ INITIATIVE: First-rate amenities for senior persons in Dubai are getting expanded. The seniors programme, under the motto "Dubai will remain young,” covers citizens over the age of 60. It strives to enhance their quality of life by ensuring their inclusion and active involvement in social events through the expansion of Thukhor Social Club model.

    Exercise is medicine: Here's the science

    5m read
    Caden Ballard lit himself on fire while filming it for a TikTok challenge called the "Fireball Challenge".

    How dangerous is the TikTok fireball challenge?

    2m read
    The full moon, also known as the ‘Blood Moon,’ is seen in Mexico City, during a lunar eclipse. Stargazers across a swathe of the world marvelled at a dramatic red ‘Blood Moon’ during a rare total lunar eclipse.

    Total lunar eclipse: Skywatchers marvel at Blood Moon

    2m read