Have you heard of Royal Decree 933/2021? If your business entails accommodation or car rental, this article is especially for you. On the 2nd of December 2024 this new legislation came into force, which changes the rules of the game regarding the registration of travellers and clients. Are you ready to comply with the new obligations? Let's break down the key points so that you don't get caught by surprise.
Written by Abigail Sked
Paralegal
WHAT IS this TRAVELLER REGISTRATION ALL ABOUT?
Royal Decree 933/2021 (Real Decreto 933/2021 por el que se establecen las obligaciones de registro documental e información de las personas físicas o jurídicas que ejercen actividades de hospedaje y alquiler de vehículos a motor) establishes new record-keeping and reporting obligations for companies and individuals engaged in accommodation and car rental. Of course, these entities are used to collecting personal data about their customers, but the controversy of this legislation comes from the fact that it obliges them to collect much more personal data than before, something that customers may not feel comfortable with and which subjects companies to more data protection responsibilities.
On the other hand, the aim of these new requirements is to improve public security "in the face of terrorist threats and other very serious crimes committed by criminal organisations".
WHO IS AFFECTED BY ROYAL DECREE 933/2021?
The list is long, but basically if you offer accommodation or rent cars without a driver, then these provisions apply to you. For example:
Hotels, hostels, guesthouses, lodgings
- Apartaments and holiday homes
- Campsites and motorhome parking areas
- Car rental companies (without a driver)
- Platforms and operators which provide intermediary services related to these activities.
WHAT DO i HAVE TO DO NOW?
1. ELECTRONIC RECORD
You have to create and maintain a record of your customers' data.
2. MORE DATA TO BE COLLECTED
:Get ready to ask your clients for more information. Now, in the case those whose professional business is providing accomodation, the data that will have to be collected includes, but is not limited to:
- Travellers' details:
- First name.
- First surname.
- Second surname.
- Sex.
- Identity document number.
- Document support number.
- Type of document (ID card, passport, Foreigner's ID card).
- Nationality.
- Date of birth.
- Habitual place of residence.
- Full address.
- Town or city.
- Country.
- Telephone number.
- Mobile phone number.
- Email address.
- Number of travellers.
- Relationship between the travellers ( should any of them be minors).
- Transaction data:
- Date and time of check-in
- Date of check-out
- Identification of the means of payment: card type and number, IBAN, mobile payment solution, etc.
- Name of the holder of the means of payment
- Expiry date of the bank card
- Date of payment
- Signature of traveller(s)
We recommend that you take a look at Annexes I and II of the Royal Decree to find out exactly what data you must register and report to the authorities, depending on the activity you carry out and whether or not you do so professionally.
The accommodation or car rental company shall ensure that the data are correct and match the documents or systems which confirm the identity of the users, who shall display or provide that information.
3. DATA STORAGE
You'll have to store all of this information for 3 years from the end of the service contracted.
4. COMMUNICATION TO THE AUTHORITIES
You must send this information to the Police or Civil Guard within the 24 hours following:
- The making of the reservation or the formalisation of the contract or, where applicable, its cancellation.
- The start of the contracted services.
These communications shall be made electronically. You are exempt if you carry out accommodation activities in a non-professional manner, in which case you may make these communications by non-electronic means, via the procedure to be determined.
Note: If you carry out accommodation activities on a non-professional basis, you are also exempt from the obligations of documentary registration and data storage, and are only subject to the obligation of communication to the authorities.
LEGAL AND FINANCIAL OBLIGATIONS OF COMPANIES IN SPAIN
HOW DO I COMPLETE THE TRAVELLERS' REGISTRATION?
The Ministry of the Interior has created an online platform to facilitate this process. It's called SES.HOSPEDAJES and it's where you will have to submit all the information.
WATCH OUT FOR FINES
Failure to take these regulations seriously could be costly. Penalties for non-compliance are governed by the provisions of Organic Law 4/2015 (Ley Orgánica 4/2015):
Serious infringements, with a fine of 601 to 30,000 euros:
- Failure to keep the documentary records provided for in this Royal Decree.
- Failure to carry out the compulsory communications.
Minor infringements, with a fine of 100 to 600 euros:
- Irregularities or deficiencies in the completion of the registers provided for.
- Carrying out the compulsory notifications outside the established deadline.
Liability for the infringements committed shall be borne directly by you, as the natural or legal person who carries out or intermediates in the performance of the activities.
DATA PROTECTION: THE ELEPHANT IN THE ROOM
With so much personal data at stake, data protection becomes crucial. This is where the General Data Protection Regulation (GDPR) comes in. You'll need to:
- Update your privacy policies
- Properly inform your customers about the use of their data
- Implement adequate security measures, such as encrypting traveller records, limiting the number of people who can access traveller records, and controlling access to those records through strong passwords and multi-factor authentication.
FEELING OVERWHELMED? YOU'RE NOT ALONE
We understand that all of this information can be a headache. Complying with Royal Decree 933/2021 and at the same time making sure you respect the GDPR isn't an easy task. This is where our law firm can lend you a hand. At CONESA LEGAL we specialise in data protection, as well as commercial, labour and tax regulations and obligations. We can help you analyse your current situation and ensure that your handling of personal data complies with the GDPR, providing you with, among other things, the necessary policies and clauses adapted to your needs.
