EU opens procedure: What Mallorca's hotels object to about the traveller database

EU criticises Spain's traveller register — a Mallorca perspective

Key question: To what extent does the Spanish traveller database harm privacy protection without adequately serving security or tourism interests?

Critical analysis

The European Commission has opened an infringement procedure against Spain because, in Brussels' assessment, the state registry collects too much information and apparently retains it for up to three years. In particular, payment and location data are at issue. For Mallorca's hoteliers this means: a greater obligation to collect and transmit sensitive information — and therefore increased liability and risk of misuse.

From a data protection perspective under the General Data Protection Regulation (GDPR), several principles are at stake — the data protection principles: data minimisation (collect only what is necessary), purpose limitation (no reuse for other aims) and storage limitation (do not keep data longer than needed). If payment data are transferred across the board, this touches highly sensitive bank and card information. Location data also open scenarios in which movement profiles could be created — an intrusion that must be particularly carefully justified under European law.

What is missing from the public debate

The discussion often revolves around buzzwords like "security" or "bureaucracy." More essential questions remain unanswered: Who exactly gets access to the data? What technical protective measures exist (encryption, pseudonymisation)? Are there independent controls or audit reports? And: On what legal basis is the data collected — a general security mandate, or individually assessed suspected cases?

If this transparency is lacking, mistrust grows — among guests and among those who type the data in every day: reception staff, car rental companies, and providers of small apartments; recent enforcement actions are already affecting platforms — Madrid requires booking platforms to delete unregistered holiday apartments. In many conversations with colleagues from hotel receptions I hear the same concern: the flood of data does not make the work safer, it makes it more complicated.

A scene from everyday life on Mallorca

Imagine a reception at Playa de Palma on a hot morning: suitcases rolling over the tiled floor, the smell of sand and croissants, a temp behind the desk switching between the check-in form, the booking confirmation and the new form to pass on to the authority. An older couple asks whether the account number is really necessary. The temp shrugs — the rule is there, but no one explained why this particular detail should be kept for three years.

Concrete solutions

There are practical alternatives that respect both legitimate security interests and data protection:

1. Data minimisation: Record only identity and contact data centrally (name, ID number, address, length of stay); keep payment data and detailed location traces only when there is a concrete suspicion.

2. Shortened retention periods: Three years is long. A retention period of six to twelve months would be more proportionate and corresponds to the usual timeframe for investigative needs in many EU member states.

3. Technical protective measures: End-to-end encryption, role-based access controls, regular external audits and mandatory pseudonymisation where possible.

4. Transparent rules and oversight: Publish who has access, what the data may be used for and which control bodies exist. Affected persons should have simple rights to information and deletion.

5. Support for hoteliers: Training, standardized interfaces and possibly state subsidies for IT security so that small businesses do not bear the burden alone.

Concise conclusion

The current EU step is less an attack on Mallorca's economy than a warning: indiscriminate collection of sensitive information brings neither more security nor satisfied guests. Instead it creates new risks — for privacy and for trust in our island as a destination. Madrid has two months to respond. Until then it should become clearer locally which data are truly necessary and how to handle them securely. For Mallorca a pragmatic path would be best: less data, clearer rules, better technology — and a frank word to guests and staff. That way the island remains not only full but also credible.