A hospitality company in Spain was fined €1,200 for violating the data minimization principle of the European Union's General Data Protection Regulation (GDPR). The violation occurred when the company asked guests, including children, to send photos of their identity documents via WhatsApp.
The Spanish Data Protection Agency (AEPD) investigated the case after receiving a complaint from a guest in August 2023. The guest alleged that the company, identified as Residential Quality Enjoy, requested copies of identity documents from the entire family without providing any information about how or why the data would be processed.
During the investigation, the company argued that it was complying with a Spanish law (RD 933/2021) requiring guest identity verification. However, the AEPD found that while the law requires identity verification, it does not mandate the retention of document copies. The agency determined that collecting personal data contained in identity documents — such as name, gender, date of birth, and address — exceeded what was necessary for the stated purpose.
Initially, the AEPD imposed a €2,000 fine on the company. However, under Law 39/2015 governing administrative procedures in Spain, the company had the option to acknowledge its responsibility and pay the fine early, resulting in a 40% reduction. In addition to the reduced fine, the AEPD ordered the company to modify its registration system to no longer require copies of identity documents and to confirm the deletion of copies already stored in its systems.
Source: AEPD
This post was translated and summarized from its original version using ChatGPT version 4o, with human review.