By Richard van Staden ten Brink
Dutch DPA: Hotels Are Not Allowed to Copy Identification Documents
In response to questions by the U.S. embassy in The Hague, the Dutch Data Protection Authority (DDPA) has informed the Dutch association of hotelkeepers that its members are not allowed to make copies of their guests' identification documents.
The Dutch Criminal Code (DCrC) provides that hotels should ask their guests to provide identification and should record the type of identification, the guest's name, profession, place of residence, and the date of the guest's arrival and departure. Dutch authorities often use such records to track meetings of organized crime groups.
To comply with this legal requirement, many Dutch hotels make copies of their guests' identification documents. According to the DDPA, this common practice violates Dutch data protection law. Hotels should only record the legally required information and not the full contents of the provided identification document. An identification document contains (i) a Social Security number and (ii) a photo, which contains racial information. The processing of such "sensitive" data is only allowed on the basis of legal exceptions, which do not apply to the registration of hotel guests.
Currently, hotels throughout the EU make copies of their guests' identification documents to comply with legal obligations similar to the above DCrC requirement. It will therefore be interesting to see if other EU data protection authorities will agree with the opinion of the DDPA.
Richard van Staden ten Brink is advocaat at De Brauw Blackstone Westbroek in Amsterdam. He may be reached at email@example.com.