
Live News From Spain As It Happens

Keep up to date with all the latest news from Spain as it happens. The blog will be updated constantly throughout the day bringing you all the latest stories as they break.

EU Intervenes Over Spain’s Controversial Tourist Data Rules
Friday, June 12, 2026 @ 10:52 PM

For anyone who has checked into a Spanish hotel, collected a rental car, or booked a holiday villa over the last couple of years, the check-in process has felt decidedly more intrusive. The traditional handover of a passport has been replaced by a barrage of questions ranging from your home address and phone number to how you plan to pay for your stay.

This shift was driven by Royal Decree 933/2021, a sweeping piece of domestic legislation that forced tourism businesses to collect up to 17 distinct points of personal data per guest and upload them directly to a centralised Ministry of Interior database.

 

 

While the Spanish government championed the framework as a crucial weapon against organised crime and terrorism, it has triggered a massive backlash from the hospitality sector. Now, the row has taken on a significant European dimension. The European Commission has officially stepped into the arena, launching formal infringement proceedings against Spain over concerns that the system breaches EU data protection laws.

Why Brussels is Challenging Spain

The European Commission’s intervention follows years of intense lobbying from a coalition of European travel associations, including the hospitality group HOTREC and the Spanish Confederation of Hotels and Tourist Accommodations (CEHAT).

On June 4, 2026, Brussels sent a "letter of formal notice" to Madrid, marking the first official stage of a legal challenge. The Commission’s primary objections focus on four key areas:

  • Excessive Data Scope: The system demands highly sensitive personal information that goes far beyond standard identification, including guest phone numbers, contact emails, relationship details of accompanying family members, and precise transaction records.

  • Financial Tracking: The requirement to log specific payment methods and financial data has raised major red flags regarding consumer privacy.

  • Unchecked Surveillance Access: Brussels is questioning the broad, sweeping level of access granted to state law enforcement agencies without stricter judicial guardrails.

  • The Three-Year Retention Period: Forcing businesses to store and maintain this vast digital footprint for up to three years is seen as disproportionate and a direct risk to citizens' fundamental privacy rights.

The Hospitality Industry's "Complete Mess"

For hoteliers, travel agents, and short-term rental operators across hotspots like Mallorca, the Costa Blanca, and the Costa del Sol, the EU's intervention has been met with a massive sigh of relief.

From an operational standpoint, industry leaders have long branded the system—often dubbed the "Big Brother" registry—as a logistical nightmare. When the platform first became fully mandatory at the end of December 2024, it was plagued by persistent network crashes, leaving reception staff struggling to upload data within the strict 24-hour legal deadline.

Furthermore, the administrative burden has driven up costs for businesses, who are effectively being forced to act as data-collection agents for the state. Hoteliers argue that turning check-in counters into high-stakes data hubs not only alienates tourists who resent handing over financial details, but it also transforms small businesses into high-value targets for cyberattacks and data breaches. Some regional travel chiefs have gone as far as to label it an "anti-tourism measure" that risks scaring away visitors to more privacy-friendly Mediterranean competitors.

Security vs. Proportionality

The tourism sector has emphasised its full commitment to cooperating with law enforcement to maintain public safety. However, the core of the legal argument is that public security should not require the blanket, automated mass surveillance of millions of innocent holidaymakers.

Under EU law, any state data-harvesting program must adhere strictly to the principles of necessity and proportionality. Brussels’ decision to investigate suggests Spain may have overstepped those boundaries, legislating behind the back of the industry.

What Happens Next?

The issuance of the formal notice puts the ball firmly back in Madrid's court. The Spanish government is now legally required to respond to the European Commission, defending the system and justifying its compatibility with European data privacy standards.

If the Ministry of Interior fails to satisfy the Commission’s concerns, Spain could face heavy financial penalties or be forced to radically strip back the regulation. In the meantime, major hotel federations are already calling for an immediate suspension or total repeal of the decree, urging a return to the drawing board to build a system that balances security with the basic realities of running a hospitality business.

For travellers and property owners, the case will be a landmark precedent. It will ultimately decide where the line is drawn between keeping borders secure and protecting the fundamental right to enjoy a holiday without handing over your digital life.

Have you noticed the extra paperwork during your recent check-ins in Spain? Do you think the government's data laws went too far, or are they a necessary price for security? Share your experiences below.







1 Comment


roberto123 said:
Saturday, June 13, 2026 @ 10:54 AM

Pity they do not check the illegal migrants





 
