Greece Warns Hotels Against Illegal Data Collection During Check-in
Translated from Greek, summarized and contextualized by DistantNews.
At a glance
- Greece's data protection authority warns hotels and accommodations about potential violations of GDPR during check-in.
- Authorities found instances of hotels photographing or photocopying IDs, passports, and even credit cards, which is illegal.
- The authority urges tourism businesses to comply with GDPR, emphasizing data minimization and lawful processing to protect customers.
Greece's Personal Data Protection Authority has issued a stern warning to hotels and tourist accommodations regarding illegal practices during the check-in process. The authority flagged concerns that some businesses are violating the General Data Protection Regulation (GDPR) by photographing or photocopying guests' identification documents and passports. In some cases, hotels have even been found to photograph both sides of credit cards, retaining copies for future use.
Such practices contravene the core principles of GDPR, including lawfulness, transparency, and data minimization.
These practices are not only illegal but also increase the risk of unauthorized access, fraud, and financial loss for customers. The authority stressed that such actions contravene the core principles of GDPR, including lawfulness, transparency, and data minimization. It also highlighted that some businesses may be failing to implement data protection by design and by default.
In response, the authority has sent recommendations to the Panhellenic Federation of Hoteliers, the Hellenic Chamber of Hotels, and the Confederation of Tourist Accommodation Enterprises of Greece. They are urged to inform their members about their GDPR compliance obligations. The directive is clear: accommodations are not permitted to copy or store identification documents like IDs and passports, as there is no legal provision mandating it. Similarly, photographing or storing copies of credit and debit cards is prohibited.
Accommodations are not permitted to copy or store identification documents like IDs and passports, as there is no legal provision mandating it.
Hotels must ensure that all personal data processing is based on a lawful basis, with a thorough assessment of necessity and proportionality. Guests must also receive clear and accessible information about how their data is processed. The authority calls for a review of check-in and payment procedures, along with staff training, to prevent violations that could lead to sanctions and a loss of customer trust. For travelers, handing over identification at check-in does not grant hotels the right to copy or store it; simple data recording is sufficient and legal.
For travelers, handing over identification at check-in does not grant hotels the right to copy or store it; simple data recording is sufficient and legal.
Originally published by Ta Nea in Greek. Translated, summarized, and contextualized by our editorial team with added local perspective. Read our editorial standards.