EU Challenges Spain’s Traveller Register

European tourism associations have welcomed European Commission action against Spain over new traveller data-collection rules. The dispute over Royal Decree 933/2021 has become a test of where the line lies between security, digital control, personal-data protection and the competitiveness of the tourism industry.

Spain’s traveller register became a European issue

Spain has become the centre of a new conflict between security and the tourism business. European tourism groups welcomed the European Commission’s decision to launch infringement proceedings against Madrid over traveller registration rules. These rules require hotels, tourist apartments, agencies, tour operators and car-rental companies to collect expanded customer data and send it to Spain’s Interior Ministry.

Travel Daily News reports that European tourism organisations see Brussels’ action as an important step after months of industry warnings. The sector’s main objection is not to guest registration itself. Hotels already check customer documents, and governments have legitimate security interests. The dispute concerns the scale of the data, retention periods, business responsibility and the risk of breaching European personal-data rules.

Royal Decree 933/2021 was adopted in 2021, but its practical application was delayed several times and became especially controversial after the expanded regime began. The tourism sector has called the system “Big Brother” because of the amount of information required for accommodation bookings or car rentals. For Spain, where tourism is one of the core economic sectors, the dispute quickly moved beyond legal technicalities.

What Spain requires from businesses

Spain’s rules require a wide range of tourism operators to register and transmit customer information. Depending on the service, this can include not only passport details, name, date of birth, nationality and address, but also contact details, booking information, payment data and means of payment.

Requirements linked to financial and digital traces have attracted particularly strong criticism. Spain’s hotel confederation CEHAT says the system may involve means of payment, email addresses, bank information, geolocation data and other sensitive elements. The industry argues that such information goes beyond what is necessary for ordinary guest registration.

For businesses, the problem is not only the number of fields. Hotels, agencies and rental companies must store and transmit information, meaning they bear responsibility for data security. A small family hotel or local car-rental company does not have the infrastructure of a large bank or technology platform. Yet these firms are required to collect, verify, protect and transmit large volumes of personal data.

The Commission questions proportionality

The European Commission launched an infringement procedure because it believes the Spanish rules may be incompatible with EU law. This procedure is used when the Commission considers that a Member State is incorrectly applying or breaching Union legislation. The first stage usually involves a letter of formal notice, after which the country must present its position and possible corrective measures.

The key word in this dispute is proportionality. EU law does not prevent states from collecting data for security, crime prevention or border-control purposes. But data collection must be necessary, purpose-limited and proportionate to the risk. If a state demands too much information, stores it for too long or grants overly broad access to authorities, it conflicts with GDPR and fundamental rights.

Tourism associations argue that Spain’s register creates precisely that problem. It shifts mass data collection to private businesses and makes companies potentially responsible for mistakes, leaks and compliance failures. As a result, state security is supported through higher legal, operational and cyber risk in the private sector.

Why the industry warns about cyberattacks

One of the hotel sector’s main arguments is cybersecurity. The more sensitive data businesses collect, the more attractive they become to criminals. A database containing passports, payment information, contacts, routes and accommodation data may be more valuable to fraudsters than an ordinary hotel CRM system.

CEHAT and regional hotel associations warn that storing such information increases the risk of leaks, phishing, identity theft and financial fraud. For travellers, this means a holiday may involve not only another form at reception, but also the risk that personal data could fall into the wrong hands.

For hotels, this is also a financial risk. A GDPR breach can bring fines, legal claims, reputational damage and system-recovery costs. Small and medium-sized enterprises are especially vulnerable because they often lack in-house cybersecurity teams. In a country with many family hotels, apartments and small rental companies, this becomes a systemic issue.

Spain’s Interior Ministry defends the system on security grounds

Spain’s Interior Ministry justifies the register on public-security grounds. Authorities say traveller data help law-enforcement agencies fight crime, find wanted people, identify illegal operations and track suspicious movements. In public statements, the ministry has referred to the system’s usefulness for investigations and search orders.

This argument cannot simply be dismissed. Tourism creates large mobile flows, and hotels, short-term rentals and rental cars can be used by people other than ordinary travellers. The state has a legitimate interest in knowing who is in the country and where they are staying, especially in a high-volume international tourism market.

The question is where the limits lie. The tourism sector does not dispute that law enforcement needs tools. It disputes whether such a broad dataset must be collected from all travellers without sufficient limitation, minimisation and clear responsibility. In the European approach, security must be combined with the principle of the minimum necessary interference.

Tourism competitiveness became part of the dispute

Spain is one of the world’s largest tourism economies. Any additional rules for hotels and travellers therefore have not only legal but commercial significance. If booking accommodation or renting a car in Spain becomes more complicated than in neighbouring countries, some travellers may choose another destination.

For mass-market tourists, an additional form can be an irritant. For luxury clients, it may violate expectations of privacy. For business travellers, it wastes time. For group tours, it creates operational complexity. For online agencies, it adds another technical and legal process. A rule created for security can therefore reduce travel convenience.

The Balearic Islands, Canary Islands, Andalusia, Catalonia, Valencia and Madrid are especially sensitive. In these regions, tourism is not a secondary sector, but a major source of jobs, tax receipts, small-business turnover and local economic activity. That is why regional associations have strongly supported the Commission’s action.

Hotels are caught between the Interior Ministry and GDPR

For hoteliers, the situation is particularly difficult. On one hand, national law requires data transmission. On the other, European data-protection law requires minimisation, security and lawful processing. If a business does not comply with Spanish requirements, it risks national sanctions. If it complies incorrectly or suffers a data breach, it risks data-protection penalties.

This creates legal uncertainty. A small hotel should not be forced to choose between breaching a national administrative rule and risking a GDPR violation. That is why the industry is asking for the rules to be revised, not merely for technical instructions on how to implement them.

Large chains can manage the problem more easily because they have legal departments, IT systems and privacy-compliance specialists. But even for them, large-scale sensitive data collection increases operational costs. For independent hotels, apartments and agencies, the burden may be disproportionate.

Agencies and car-rental companies are also under pressure

The dispute is not limited to hotels. Travel agencies, tour operators and car-rental companies are also covered by the expanded obligations. For car rentals, the dataset may be even broader because it involves the driver, contract, route, payment, dates and vehicle use.

Agencies are especially concerned that they may have to collect information that was not previously part of standard travel booking. This changes the relationship with the customer. Travellers may not understand why an agency needs extra data, who will store them, where they will be sent and how long the state will retain them.

For online sales, this creates abandonment risk at the booking stage. The more fields and explanations required, the higher the chance that customers abandon the cart or choose another country. In digital tourism, even small process friction can affect conversion.

GDPR is now an economic factor

The European dispute over Spain shows that GDPR is no longer only a legal topic. Data protection has become part of the tourism economy. If data-processing rules are unclear, excessive or poorly integrated into business processes, they affect company costs, customer trust, destination competitiveness and investment risk.

For travellers, personal data have become part of the price of a trip. They pay not only with money, but also with information about themselves. The more data a country demands, the higher the expectation that collection is protected, transparent and necessary. If travellers see a request as excessive, trust in the destination declines.

For investors in the hotel sector, this also matters. A country with unpredictable digital requirements increases the operating risk of accommodation assets. A hotel may be well located and profitable, but new data obligations can raise costs, reduce booking conversion and create penalty risk.

Spain will need to find a compromise

The Commission procedure does not mean Spain’s register will be immediately abolished. It begins a legal and political process in which Madrid must explain the rules, justify their necessity and, where required, amend the contested provisions. If the response does not satisfy the Commission, the case may move to the next stage and eventually reach the Court of Justice of the EU.

The most likely scenario is not a complete end to traveller registration, but a reduction in the scope of data, clearer processing purposes, changes to retention periods, restricted access, stronger security guarantees and clearer responsibility between the state and businesses. Such a compromise could preserve security tools while reducing the burden on the sector.

Spain also needs to avoid prolonging the process. The tourism season does not wait for legal procedure. The longer uncertainty continues, the harder it is for companies to plan IT systems, staff training, supplier contracts and guest communication.

Europe faces a wider digital-control problem

The Spanish dispute is part of a broader European trend. Tourism is becoming more digital: EES, ETIAS, passenger data, hotel registers, biometrics, tourist taxes, online platforms, short-term rentals and city regulation are creating more points of data collection.

Each measure may have a legitimate purpose on its own. But for travellers, they add up to a single experience: more forms, more checks, more digital traces and more uncertainty. For businesses, they mean more IT integrations, more compliance, more responsibility and more costs.

The question for Europe is whether it can preserve tourism competitiveness as digital control expands. Security and transparency matter, but if rules become excessive, they may undermine what makes Europe attractive: ease of movement, trust, privacy and predictability.

What this means for travellers

For travellers, the dispute means that trips to Spain may involve more detailed data collection when booking and checking in. Guests should be prepared for additional questions, especially when renting accommodation, booking through an agency or arranging a car. But they also have the right to understand why data are collected, who processes them, how long they are stored and how they are protected.

If the rules are revised after Commission action, the process may become simpler and clearer. Until then, practices may vary between providers. Large chains may adapt forms quickly, while smaller properties may struggle or ask for information in less structured ways.

Travellers should provide data only through secure channels, check that bookings are made through official websites or trusted intermediaries, and be careful with additional requests by email or messaging apps. As data requirements grow, the risk of fraudulent imitations also increases.

What this means for businesses

For hotels, agencies and car-rental companies, the key task is not to wait for the end of the dispute, but to build data-protection procedures now. Companies need to know what data they collect, on what legal basis, where they are stored, who has access, how they are sent to authorities and how long they are retained. Without that, any rule change will be painful.

Clear customer notices, data minimisation where possible, secure transmission channels, staff training and IT supplier checks are essential. If data are transmitted through third-party systems, responsibility does not disappear. Tourism businesses can no longer treat privacy as a secondary topic.

For industry associations, the task is to secure rules that work not only for large chains but also for small businesses. If compliance becomes too expensive, the market will concentrate and independent players will be placed at a disadvantage.

Spanish tourism awaits a security-and-trust decision

The dispute over Royal Decree 933/2021 has become a symbol of a new phase in European tourism. Previously, the key themes were prices, demand, air connectivity and seasonality. Now they also include data, cyber risk, digital borders and the traveller’s right to privacy.

Spain remains one of the world’s strongest tourism markets. Its competitive advantages are enormous: climate, culture, beaches, cities, gastronomy, infrastructure and a wide range of accommodation. But even strong destinations cannot ignore convenience and trust. If tourists feel that too much data is being demanded without a clear explanation, that becomes part of a negative travel experience.

As experts at International Investment report, the Commission’s action against Spain’s traveller-registration rules shows that European tourism is entering an era in which data protection is a competitiveness factor. The critical risk for Spain is not data collection itself, but the perception of excessive and insecure control. For investors and hotel businesses, the main conclusion is that privacy compliance now affects not only legal risk, but also booking conversion, guest trust and destination resilience.