Data breaches in hotels: obligations, risks, and safeguards
During the summer of 2025, several Italian hotels experienced significant data breaches, leading to the theft of thousands of high-resolution scans of passports, ID cards, and other identity documents collected from guests at check-in. In response, the Italian Data Protection Authority (Garante Privacy) reported that while some hotels promptly notified the incident, others were urged to do so without delay, in order to safeguard personal data and, as required by law, to inform the affected individuals.
In August 2025, CERT-AGID, Italy's national cybersecurity incident response unit operating under the Agency for Digital Italy (AGID), also detected the illegal sale of tens of thousands of identity document scans stolen from hotels across the country between June and July of that year.
Is a copy of the identity document really necessary?
Under Italian law, hotels are required to verify their guests’ identities and report their personal details to the local police headquarters (Questura) within 24 hours of arrival (see Article 109 of the Italian Consolidated Law on Public Security - Testo Unico delle Leggi di Pubblica Sicurezza). This reporting obligation is fulfilled through the “Alloggiati Web” portal (accessible at www.alloggiatiweb.poliziadistato.it), which can only be accessed using personal credentials and two-factor authentication (Ministerial Decree of 7 January 2013, as referenced in the Garante Privacy’s opinion of 8 July 2021). If the portal is temporarily unavailable, the data may be transmitted via fax or certified e-mail (PEC), though these are considered exceptional measures.
However, no legal provision requires hotels to collect, store, or transmit copies of guests’ identity documents. Once the required information has been submitted through the online system, any digital or paper copies should be deleted, and only proof of successful transmission should be retained. The widespread practice of keeping or archiving ID copies therefore lacks any clear legal basis. As early as 2005, the Garante Privacy clarified that storing copies of identification documents is lawful only when explicitly required by a specific legal provision and for a limited period of time (Decision of 27 October 2005).
Nonetheless, it remains common for hotels to request and copy a guest’s ID at check-in. In doing so, the hotel acts as an independent data controller and is therefore directly responsible for compliance with data protection law.
What should be done in the event of a data breach?
A data breach is a security incident that results – whether accidentally or unlawfully – in the destruction, loss, alteration, unauthorized disclosure of, or access to personal data that are transmitted, stored, or otherwise processed (the GDPR definition of a "personal data breach").
Typical examples include malware or ransomware infections, hacking, unauthorized access to digital or paper archives, theft or loss of devices (such as laptops, smartphones, tablets, or USB drives), loss of paper documents containing personal data, or e-mails sent to unintended recipients.
In the hospitality sector, such incidents may involve, for example, a reception computer infected with malware, a misdirected e-mail containing guest data, a lost USB drive, or paper records accessible to unauthorized personnel.
In such circumstances, the hotel should promptly identify, contain, and assess the incident. Acting as a data controller, it may be required to:
- notify the Garante Privacy of the breach without undue delay and, where feasible, within 72 hours of becoming aware of it – unless it is unlikely to present a risk to the rights and freedoms of natural persons; if notification is made later, the reasons for the delay must be stated;
- inform the affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
In all cases, including those that do not require notification, the controller must document the breach, its effects, and the remedial action taken, so that the supervisory authority can verify compliance.
What are the risks for guests?
Identity documents stolen from hotel systems represent a highly valuable resource for cybercriminals, who may exploit them for various malicious purposes, including:
- creating forged documents based on real identities;
- fraudulently opening bank accounts or credit lines;
- conducting social engineering attacks targeting victims or their professional and personal networks;
- committing identity theft, with potentially serious legal and financial repercussions.
Given the growing frequency of such crimes, it is essential that hotels handling identity documents adopt rigorous security measures, ensuring not only the lawful processing of personal data but also the protection of their digital systems and portals against unauthorized access.
Hotels should also keep in mind that the practice – still common in some establishments – of retaining or archiving copies of guests’ IDs, although often intended to streamline check-in procedures, has no legal justification.
It is therefore advisable to adopt compliant practices, using the Alloggiati Web portal and retaining only the information strictly necessary for transmission, immediately deleting it thereafter.
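The data flow described above (collect only the fields needed for the report, transmit, keep proof of transmission, delete the copy of the document) can be made the default behaviour of the check-in software rather than a staff instruction. The following is an added example written for this page, not code from the original article or from any official Alloggiati Web client. The field names, the `fake_transmit` stand-in, the receipt format and the retention audit are assumptions: the portal's real interface and record layout are not described here.

```python
"""Check-in handler that never retains the identity document copy.

Added example (not from the original article). Assumptions: the report field
names, the transmit stand-in and the receipt format are all hypothetical.
"""
import hashlib
import json
import os
import time
from dataclasses import asdict, dataclass
from typing import Callable, List, Optional

# Only what the report needs; the scan image and any other data read off the
# document (address, issuing authority, ...) are not carried forward.
REQUIRED_FIELDS = ("surname", "name", "birth_date", "document_type",
                   "document_number", "arrival_date")


@dataclass(frozen=True)
class GuestReport:
    surname: str
    name: str
    birth_date: str
    document_type: str
    document_number: str
    arrival_date: str


def extract_report(fields: dict) -> GuestReport:
    """Data minimisation step: keep the reporting fields and drop the rest."""
    missing = [f for f in REQUIRED_FIELDS if not fields.get(f)]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    return GuestReport(**{f: fields[f] for f in REQUIRED_FIELDS})


def _report_digest(report: GuestReport) -> str:
    canonical = json.dumps(asdict(report), sort_keys=True).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


def fake_transmit(report: GuestReport) -> str:
    """Hypothetical stand-in for a successful portal submission.
    A real client would authenticate and raise on any error."""
    return "ACK-" + _report_digest(report)[:12]


def process_checkin(scan_path: str, fields: dict, receipts_path: str,
                    transmit: Callable[[GuestReport], str] = fake_transmit) -> dict:
    """Transmit the report, record the receipt, then delete the scan.

    If transmit() raises, nothing below it runs: the scan is kept so the
    report can be retried (or sent by PEC as the fallback) rather than lost.
    """
    report = extract_report(fields)
    receipt_id = transmit(report)
    receipt = {
        "receipt_id": receipt_id,
        "transmitted_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        # Hash of what was sent, so the receipt proves transmission without
        # retaining the personal data itself.
        "report_sha256": _report_digest(report),
    }
    # Proof of transmission is written first; only then is the copy deleted.
    with open(receipts_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(receipt) + "\n")
    os.remove(scan_path)
    return receipt


def find_stale_scans(scan_dir: str, max_age_seconds: int,
                     now: Optional[float] = None) -> List[str]:
    """Retention audit: scans still on disk older than max_age_seconds.
    In a compliant setup this list is always empty."""
    now = time.time() if now is None else now
    stale = []
    for name in os.listdir(scan_dir):
        path = os.path.join(scan_dir, name)
        if os.path.isfile(path) and now - os.path.getmtime(path) > max_age_seconds:
            stale.append(path)
    return sorted(stale)
```

The ordering inside `process_checkin` is the point: the receipt is persisted before the scan is removed, and a failed transmission leaves the scan untouched, so the only way the copy survives past check-in is an unfinished report. Running `find_stale_scans` on a schedule (and alerting on a non-empty result) turns the "delete immediately afterwards" rule into something that can be checked rather than assumed.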
At the same time, guests themselves play a pivotal role in protecting their personal information. Individuals should regularly monitor for unauthorized use of their data, avoid sharing copies of identification documents through insecure or unnecessary channels, and promptly report any suspected misuse or identity theft to the competent authorities.