Italy’s Privacy Watchdog Tells Hotels to Stop Holding Guest ID Copies

Key Takeaways

• No Retention of ID Copies: Hotels, B&Bs, and guesthouses may not retain copies or images of guest identity documents beyond what is strictly necessary to report data to authorities.
• Clear Limit on Legal Obligation: While operators must identify guests and submit data via the “Alloggiati Web” portal, this does not authorize storing ID copies.
• Risky Practices Called Out: Photographing documents or collecting them عبر apps like WhatsApp exposes individuals to risks such as identity theft and unauthorized access.
• Strict Deletion Requirement: Once data is transmitted, any document copies must be immediately deleted or destroyed, with only the official receipt retained for five years.

Deep Dive

In a notice circulated to trade associations, the Italian Data Protection Authority has said that hotels, bed and breakfasts, and guesthouses must not retain photocopies or digital images of guests’ identity documents beyond the time needed to transmit required information to public security authorities. The notice comes as the regulator reports a rise in complaints and personal data breaches in recent months.

Under Italian law, accommodation providers are required to identify guests and submit their details to law enforcement through the “Alloggiati Web” portal. But the authority stressed that this obligation does not extend to keeping copies of passports, ID cards, or other identity documents once the data has been reported.

The guidance appears to respond to a shift in how some operators handle guest data. Practices such as photographing documents on smartphones or asking guests to send images via messaging platforms like WhatsApp have become increasingly common, particularly among smaller accommodations. The regulator warned that these approaches expose individuals to concrete risks, including identity theft and unauthorized access to personal data.

The rules on retention are straightforward. Once the required data has been transmitted to public security authorities, any copies of identity documents collected for that purpose must be immediately deleted or destroyed. The only record that can be kept is the automated receipt generated by the Alloggiati Web system, which must be retained for five years as proof that the reporting obligation was fulfilled.

Beyond document handling, the authority reiterated that accommodation providers act as data controllers and must ensure appropriate safeguards are in place. That includes adopting adequate security measures and properly training staff responsible for collecting and managing personal data.

The notice also shows the obligations in the event of a breach. Organizations must notify the authority within 72 hours and, in more serious cases, inform affected individuals.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.