Privacy guarantor

Hoteliers cannot keep copies of guests' documents forever

They may only retain them for as long as necessary to communicate the data to the public security authorities

by Camilla Curcio

Credits: Andrea Piacquadio (Pexels)

2' min read

Translated by AI
Versione italiana


Hoteliers, B&B and room-rental owners cannot keep copies of the identity documents provided by guests beyond the time required for the communication of data to the public security authorities. Turning the spotlight on the ban is the Garante per la protezione dei dati personali (Data Protection Authority), which, in a note, directly addressed the sector's trade associations in light of the increasing number of reports and personal data violations detected in recent months.

What the current regulations envisage

The law requires managers of accommodation facilities to identify customers and transmit their data to the authorities through the portal 'Alloggiati web'. This obligation, however, does not legitimise the storage of photocopies, screenshots or images of identity cards, passports or driving licences. Yet, despite the fact that the rules spell out in black and white what to do and what to avoid, in recent years - especially among bed and breakfasts and rooms to let, thus mainly in the short-term rental sector - the practice of photographing documents with a smartphone or asking for a copy to be sent via WhatsApp and other instant messaging apps has become widespread. These are all practices that evidently expose customers to significant risks, such as identity theft and illicit access to personal data.


The Garante's prescriptions

Recalling the provisions of the law, the Garante reiterated that, once the necessary paperwork has been completed, copies of the documents provided by guests must be immediately deleted or destroyed. The only thing the hotelier may keep is the receipt of the communication, automatically produced by the portal and to be kept for five years to prove compliance.

Data controllers, as the Garante points out, have a duty to ensure the maximum security of personal data. Within this perimeter, facilities must adopt ad hoc measures to protect data and properly train the staff who collect and manage it on the rules to be followed. The invitation is addressed above all to the sector's associations, which will have to spread the Authority's diktats among their members.

What happens in the event of a breach

In the event of a data breach, specific obligations are triggered, including notification to the Garante within 72 hours and, in the most serious situations, direct communication of the breach to the persons concerned.

Copyright reserved ©
