Greek DPA Flags Hotel Guest Data Practices

The Hellenic Data Protection Authority (HDPA) has recently issued compliance recommendations to hotels and other tourist accommodation providers following complaints about the collection and retention of guests’ personal data during check-in and payment procedures.

The Authority made it clear that photographing or copying identity documents (such as passports or national ID cards) and storing copies of guests’ credit or debit cards, in the absence of a specific legal obligation, is generally incompatible with the GDPR. According to the HDPA, these practices may breach the principles of lawfulness, transparency and data minimisation, while unnecessarily increasing the risk of fraud, identity theft and unauthorised access to personal data.

The HDPA has also called upon Greece’s hotel associations to ensure that their members review their check-in and payment procedures, avoid retaining copies of identity documents or payment cards, provide clear privacy notices to guests, and ensure that any processing of personal data is supported by an appropriate legal basis.

For hospitality businesses operating in Greece, the recommendations serve as a timely reminder that long-standing operational practices must be reassessed through the lens of the GDPR. For international travellers, the guidance reinforces that hotels should not routinely request or retain copies of passports, ID cards or payment cards unless expressly required by law.

Although the recommendations do not introduce new legal obligations, they signal the HDPA’s enforcement priorities and are likely to shape compliance expectations across Greece’s hospitality sector.