The Spanish government calls it Royal Decree 933/2021, but the tourism industry calls it something even more sinister: Travel brother.
On December 2, 2024, a new Spanish law came into effect. Now, all hotels, vacation rental owners, campgrounds and car rental tables are legally required to collect a long list of personal details about every adult visiting the country.
The requirements list is 42 items, including each traveler’s full name, gender, nationality, passport number, date of birth, home address, phone number, email address and credit card data such as account number, expiration date and security code.
But that’s not all. Spain also requires knowledge of marital status, medical requirements, occupation, employer’s name and address, and the reasons for travel.
The travel seller must transmit personal information from his customers to the Spanish Secretariat every day, and all details must be stored by the travel supplier for 3 years. Failure to comply with the new law could result in business fines up to €30,000 ($31,589), although it is worth noting that the fines for failing to provide accurate information fall on travel providers rather than lowered to travelers.
Spanish Hotel Association Fighting back Violation of the new regulations, but so far, the Spanish Ministry of Interior has been relentless.
We probably don’t have to tell you why we should collect data in such invasive details, especially without proper secure storage to protect all information, and all in all, every traveler brings a huge security issue to Spain.
Spanish authorities insist that all personal details are necessary to “fight terrorism and organized crime.”
But aren’t criminals just lying?
In any case, the purpose of Spanish data collection is not like action and highly risky.
In a short time since the law came into effect, collecting all the details is creating paperwork for travelers and slowing down check-in processes across the country, but even that frustration is the least of the legal issues.
The European Association of Travel Agency and Tourism Operators (ECTAA), which represents about 80,000 travel professionals in Europe, has not chopped up the words, calling the new law a “serious threat to the privacy of personal data” and warns of serious returns to European tourism.
“This makes travelers the main victim of potential exposure to their sensitive data, as the regulations are unprecedented in any other EU country,” the groups wrote. Joint Statement. “In the event of a cyber attack, this also puts citizens at the potential risk of misuse of their information.”
Frankly speaking, travelers don’t even need cyberattacks to be at risk. With so much personally identifiable information being handed over, any unethical desk staff will have enough personal data points to cause significant damage. They even have your home address and the date they know you’ll be in Spain instead of back home.
The U.S. Consumer Rights Defense Team Manchester United pointed to another aspect of the legal disclosure requirements.
“The law requires adults to travel with minor children under the age of 14 to define the relationship with their children,” Warn Ned S. Levi in group posts. This means that visitors with children must “bring documents that have legal relationships with children, especially if you are a single parent, especially in a divorce. You may need to prove custody.”
The European Union, including Spain, is ready to collect similar data from each visitor, who enters part of its jurisdiction European Travel Information and Authorization Systemor ETIA, will also be used for security purposes. But this information will be collected and stored by the EU and will not be privately handed down like the data collected by Spain.
“For now, I do not recommend traveling to Spain to anyone,” Levi wrote. “I will avoid traveling to Spain for the foreseeable future rather than putting my personal identity and financial information at risk. There are many other great places in the world to see.”
Perhaps such a staunch judgment would drive tourism from Spain, which may be what some officials in the country secretly followed.
After all, this is a place where some locals are battling open travel and the destructive expansion of Airbnb Spray tourists with water pistols and plastered wall Tourism kills the community (“Travel Kills the Community”) Graffiti. If this new law scares business, some Spaniards will see it as a good thing.
The battle has just begun. ECTAA shows that the new law may directly violate the EU’s strict personal data laws, Directive 2016/6801 and General Data Protection Regulation (GDPR). European tourism industry was mobilized.
Until then, if you are heading to Spain, you will be at risk.