Greek Privacy Regulator Orders Hotels to Stop Copying Guest IDs & Payment Cards
Key Takeaways
- Hotels Told to End Common Data Collection Practices: Greece's Data Protection Authority said hotels should not photograph or photocopy guests' identity documents or payment cards unless a clear legal requirement exists.
- GDPR Principles at the Center of the Guidance: The regulator found the practices conflict with core GDPR requirements, including lawfulness, transparency, data minimization, and, where applicable, data protection by design and by default.
- Industry Associations Asked to Drive Compliance: Rather than limiting its response to individual complaints, the authority directed Greece's major hotel associations to educate members on proper GDPR compliance.
- Privacy and Fraud Risks Highlighted: Retaining copies of identity documents and payment cards unnecessarily increases the risk of unauthorized access, fraud, and financial loss for customers.
- Hotels Urged to Review Internal Procedures: Accommodation providers have been advised to reassess check-in, reservation, and payment processes, train staff, and ensure all personal data processing is necessary, proportionate, and supported by an appropriate legal basis.
Deep Dive
Hotels have always occupied an awkward place in the privacy conversation. They are, by necessity, temporary custodians of strangers. Every day, people hand over names, identification, payment details, travel plans, and, for a night or a week, a remarkable amount of trust. The transaction has always depended on a simple understanding that you collect what you need, protect it while you have it, and let it go when you no longer do. Somewhere along the way, some establishments decided that making copies of passports, identity cards, and even both sides of customers' credit cards was simply part of doing business.
Greece's Data Protection Authority has now made clear that it is not. Following complaints about the way certain tourist accommodations handled guest information, the authority issued compliance recommendations to the businesses involved while also turning to the country's largest hotel associations with a broader message. This was not presented as a problem confined to a handful of properties. The regulator wants the industry itself to correct course, asking the Panhellenic Federation of Hoteliers, the Hellenic Chamber of Hotels, and the Confederation of Tourist Accommodation Entrepreneurs of Greece to ensure their members understand what the General Data Protection Regulation actually requires.
The complaints themselves describe habits that have become familiar enough to escape much scrutiny. Some hotels photographed or photocopied guests' identity cards to record identification details or prepare tax documents. Others copied both sides of customers' credit cards and kept those images on file in case a disputed transaction surfaced later. One can imagine how these practices became normalized. A copy feels reassuring. It promises evidence if something goes wrong. Yet reassurance is not the same thing as legal justification.
That distinction sits at the heart of the authority's recommendations. The regulator concluded that these practices run against some of the GDPR's most basic principles, including lawfulness, fairness and transparency in processing, along with the requirement to collect no more personal data than is genuinely necessary. Depending on the circumstances, they may also fail to meet the regulation's expectations for data protection by design and by default. None of those principles are particularly novel. What matters is their application to routines that many organizations have come to treat as ordinary.
There is another problem with unnecessary copies of identity documents and payment cards, one that has little to do with legal theory and everything to do with simple arithmetic. Every additional copy creates another object that can be lost, stolen, improperly accessed or forgotten in a filing cabinet long after anyone remembers why it was collected in the first place. Sensitive information does not become less sensitive because it sits behind a reception desk instead of inside a bank. The authority warned that retaining such copies unnecessarily increases the risk of unauthorized access, fraud, and financial loss for the individuals whose information they contain.
The recommendations leave little room for ambiguity. Hotels should not receive or retain photographs or photocopies of identity cards, passports, or other identification documents unless a specific and clear legal provision requires them to do so. They should not photograph, photocopy, or store copies of customers' credit or debit cards. Any processing of personal data should rest on an appropriate legal basis, supported by an assessment that the measure is both necessary and proportionate rather than merely convenient.
The authority also urged accommodation providers to make privacy information easier for customers to find and easier to understand, whether through their websites or other means, and to examine the mechanics of their own operations. Check-in procedures, reservation systems, payment processes, and staff training all deserve another look if they have drifted into collecting information simply because they always have.
The recommendations do not introduce new obligations so much as strip away comfortable assumptions. Convenience has a way of disguising itself as necessity until someone asks: why are you keeping this at all? The GDPR has always demanded an answer. Greece's regulator is reminding hotels that they are expected to have on

