Spain’s New December 2, 2024 Tourism Data Collection Law

Introduction to Spain's new Data collection Law for Visitors

Spain has introduced a new law, Royal Decree 933/2021, which requires hotels, hostels, guesthouses, rural tourism accommodations, campsites, mobile home establishments, travel agencies, tourist rental platforms (such as Airbnb), and car rental companies to collect expanded personal data from customers.

The law updates registration requirements that date back to 1959, with the stated aim of combating terrorism and organised transnational crime by providing Spain’s Interior Ministry with more detailed traveller information.

This regulation came into force on 2 December 2024 and applies to mainland Spain and the islands, including the Balearics and the Canary Islands. Businesses that fail to comply may face fines ranging from €100 to €30,000.

Criticism from the Tourism industry

The law has been strongly criticised by Spanish and European travel associations, hotel federations, and members of Spain’s Congress and Senate. CEHAT, Spain’s leading hotel association, previously succeeded in postponing the law’s introduction in January 2023 to allow the industry time to adapt.

The government argues that criminals often rely on accommodation and car rental services to facilitate their activities, and that the 1959 regulations are obsolete. Data collected under the new law will be stored for three years and monitored by Spanish security forces.

However, the tourism sector has raised several concerns:

• Excessive bureaucracy: Longer queues at check‑in and slower processing.
• Privacy concerns: The volume of personal data collected is considered intrusive.
• Competitiveness: Spain may become less attractive compared to other EU destinations.
• Cybersecurity risks: Around 70% of accommodation providers are SMEs with limited IT security capacity.

What personal Data?

Before 2 December 2024, visitors typically provided an ID document (passport, DNI/NIE/TIE), email address, full name, and driving licence for car rentals. This information was already passed to the Spanish government. The new law expands the required data significantly.

Data Collected for Lodgings (from 2 December 2024)

Guest Personal Data

• Full name: First name, middle name(s), surname(s)
• Gender: Male or Female
• ID number and document type: Passport, DNI, NIE, TIE
• Nationality
• Date of birth
• Place of habitual residence: Full address and country
• Phone numbers: Landline and mobile
• Email address
• Number of travellers: Including minors
• Relationship/kinship: Required when minors are included

Guest Booking Data

• Contract: Reference number, date, and guest signature
• Arrival and departure dates
• Property details: Full address, number of rooms, internet availability

Guest Billing Data

• Payment type: Cash, card, bank transfer, platform (Airbnb, PayPal, Booking.com)
• Payment identification: Card number, expiry date, IBAN, payment date
• Holder of the payment method

Data Collected for Hire‑Car Rentals (from 2 December 2024)

Main Driver Personal Data

• Full name
• Gender
• ID number and document type
• Nationality
• Date of birth
• Place of habitual residence
• Phone numbers
• Email

Driver Licence Data

• Driving licence number
• Validity dates
• Licence type: e.g., B1
• Issuer: Not explicitly stated, but likely required
• Additional drivers: Same data as above

Driver Contract Data

• Contract reference and signature
• Vehicle pickup: Date, time, location
• Vehicle return: Date, time, location (including foreign returns)
• Vehicle details: Make, model, registration, VIN, colour, type, mileage, GPS tracker data

Driver Billing Data

• Payment type
• Payment identification: Card number, expiry, IBAN, payment date
• Holder of the payment method

Data Retention

On the surface, it may appear that Spain is now collecting a large amount of intrusive personal data about visitors and retaining it for three years. To provide context, I reviewed the data retention policies of major online booking platforms to establish a benchmark.

• Booking.com: Although not explicitly stated, indefinite retention is implied. Booking.com notes that it keeps personal data “as long as is necessary to enable you to use our services” .
• Airbnb: Also does not specify a default retention period, but indefinite storage is implied. Users in GDPR regions (including the EU) may request deletion of their data under the “right to be forgotten.” Request deletion here .
• Trivago: States that users may request deletion of their personal data under GDPR by email. Trivago GDPR rights information . However, Trivago does not specify a default retention period, stating only that data is kept “as long as needed or permitted,” which effectively implies indefinite storage.

Compared to these platforms, Spain’s three‑year retention period is relatively short.

Opinion

In practice, most of this data is already collected by hotels, booking platforms, and car rental companies. The main change is that it will now also be passed to the Spanish government and stored for three years.

Personal data: Already collected during booking or check‑in. The only new element is kinship information for minors, which may help combat child trafficking but could be inconvenient for group organisers.

Booking/contract data: Already stored indefinitely by booking platforms. Spain will now store it for three years.

Billing data: Already collected by booking platforms and payment processors. Spain will now retain it for three years.

As with any new IT system, the first week may be messy as hotels and rental companies adjust. Bringing a printed copy of your personal details may speed up check‑in during the transition period.