Hotels or other tourist premises may neither request nor keep copies of customers’ identification papers – such as ID cards or passports – the Data Protection Commissioner said on Monday.

In a statement, Irini Loizidou-Nicolaidou said her office had received a number of queries and complaints regarding the practice of hotels asking customers for copies of such identification documents.

She added, however, that whereas some tourist premises do engage in these practices, others do not.

After looking into the issue, the commissioner said that – in addition to logging customer information on check-in, which is required – some hotels also ask for copies of IDs or passports. And they keep such copies on hand until checkout or until customers have settled their bill.

But keeping such copies is not provided for by law. Hotels and tourist premises are therefore advised to cease this practice.

Loizidou-Nicolaidou went on to cite EU Regulation 2016/679 – “On the protection of natural persons with regard to the processing of personal data and on the free movement of such data.”

In particular, she drew attention to article 5, which states that personal data shall be “processed lawfully, fairly and in a transparent manner in relation to the data subject; collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)”.

According to the commissioner, collecting and keeping copies of identification documents in this context not only is unlawful but also violates the principle of ‘data minimisation’.

“And this is because such copies contain data (e.g. photograph, father’s full name) which are necessary neither for the proper functioning of hotels and tourist premises, nor for the services being provided.”

At the same time, the official recalled that hotels and tourist premises are mandated by law to keep records of their customers, and to refuse accommodation to any customer who does not provide basic identification data on check-in.