Newsroom
Hotels and tourist accommodations are not legally permitted to collect and retain copies of guests’ identity cards or passports, according to Cyprus’s Commissioner for Personal Data Protection, Irini Loizidou-Nicolaidou. In a recent directive, she clarified that such practices violate data protection laws, specifically the principles of lawfulness and data minimization outlined in the General Data Protection Regulation (GDPR).
The Commissioner’s office received multiple complaints about inconsistent policies across hotels, with some establishments keeping copies of identity documents for extended periods. However, Loizidou emphasized that the law only allows hotels to record necessary guest details in official arrival forms, not to store copies of identification.
While hotels may seek to safeguard financial and security interests, they must comply with GDPR regulations, which require personal data to be processed lawfully, fairly, and only to the extent necessary. Instead of retaining copies, hotels should verify identity documents without keeping records beyond what is legally mandated.
Failure to adhere to these regulations could result in penalties, as retaining excess personal data without legal justification is considered a breach of data protection laws.
