Spain: Data Protection Authority fined World 2 Meet EUR 70’000 for unnecessary collection of personal data

On 22 August 2025, the Spanish Data Protection Authority (AEPD) fined World 2 Meet EUR 70’000 for the unnecessary collection of personal data. The amount was reduced by 20 per cent to EUR 56’000 for acknowledgement of liability, and by a further 20 per cent to EUR 42’000 for voluntary payment. World 2 Meet, the travel division of the Iberostar Group, required a complainant to submit a copy of his identity document to complete traveller registration. The complainant argued this was unnecessary, as he had already provided the required data for himself and his travel party. The company maintained that copies of the full documents were needed to communicate with the Civil Guard. The AEPD noted that World 2 Meet was notified of the claim on 5 December 2024. On 5 August 2024, the company responded that the information was required to verify customer identities in line with Article 4.3 of Royal Decree 933/2021. However, the AEPD found that compliance with Article 4.3 could be achieved by having customers complete a form limited to the data required under sections A.3 and B.3 of Annexe I of the Royal Decree. Verification of authenticity, the AEPD explained, could be carried out either in person by visually checking the information against the identity document or virtually using mechanisms such as digital certificates.