Do all European countries require hotels to report guest data to police?

No. The five regimes that consume the most operational time for independent hotels are Spain (SES Hospedajes under Royal Decree 933/2021, mandatory since 2 October 2024, transmission within 24 hours of check-in, 3-year retention), Italy (Alloggiati Web under Article 109 of the consolidated public security law TULPS, transmission within 24 hours of check-in or within 6 hours for stays under 24 hours), France (the fiche individuelle de police under article R611-42 of the Code du tourisme, required only for non-EEA and non-Swiss guests, kept on the premises for 6 months), Germany (the Hotelmeldeschein under §29 to 30 of the Bundesmeldegesetz, with a wet-ink signature still required for non-German guests, retained for 1 year then destroyed), and Portugal (the boletim de alojamento submitted via SIBAplus to AIMA within 3 working days, required for foreign nationals only). Greece, Austria, Switzerland, the Czech Republic and Croatia run their own separate regimes with smaller fields and longer windows. There is no pan-EU portal and no harmonised API.

Does my booking engine need to capture the police-reporting fields, or can I collect them at check-in?

Either works for most regimes, with one important caveat. Spain's RD 933/2021 expects payment-method data (account holder, IBAN or last four digits of card, transaction date) inside the SES Hospedajes record, which means a paper or e-mail collection at the front desk forces the night auditor to chase that data after the fact. Pre-arrival capture in the booking engine or a guest-registration link sent on the day of check-in is the workflow that actually closes the 24-hour clock without overtime. Italy's Alloggiati Web only needs identity fields and can be filled at check-in, which is why most independent Italian hotels still run a paper schedina and key it into the portal in the evening. France and Germany permit pre-arrival capture and many properties run a digital fiche or Meldeschein link a day before arrival, but Germany still requires a physical signature for non-Germans which a fully digital workflow cannot satisfy in most Länder until the BMG e-Meldeschein rollout completes.

What happens if I miss the SES Hospedajes 24-hour transmission window in Spain?

RD 933/2021 classifies infractions as leves (minor), graves (serious) or muy graves (very serious). A late or incomplete transmission is typically a leve carrying a fine of EUR 100 to EUR 600 per breach, escalating to grave (EUR 601 to EUR 30,000) for repeated failures or for transmissions that omit required fields, and to muy grave for systematic non-compliance with cumulative fines that have been reported in early-2025 inspections at a single property to total over EUR 50,000. The Ministry of the Interior platform stamps each submission with a server-side timestamp, so a hotel cannot defend a late submission by backdating it. The right defensive posture is automated transmission inside the PMS at the moment of check-in, with a queue and retry mechanism for transient API failures, plus a daily reconciliation report that surfaces any record the platform rejected.

Can a vacation rental in Italy use Alloggiati Web?

Yes, and since 2018 has been required to. Article 109 TULPS extends to vacation rentals, B&Bs, agriturismi, hostels and any structure offering paid accommodation. The host registers with their local Questura (police headquarters) to obtain Alloggiati Web credentials, then transmits guest data within 24 hours of check-in (or within 6 hours for stays under 24 hours, which catches most short rentals). The Italian regional CIN (Codice Identificativo Nazionale) introduced in 2024 and operationally mandatory from 1 January 2025 is a separate registry on top of Alloggiati Web, not a replacement: the CIN identifies the property to the tourist registry, while Alloggiati Web identifies the guests to the police.

Is it legal to keep a copy of a guest's passport scan to prove I checked their ID?

Under GDPR (Regulation 2016/679) and most national implementations, a hotel may capture identity data necessary to satisfy a legal obligation (the police-reporting regime in question), but storing a full passport scan is generally disproportionate when the regime only requires the fields, not the image. Spain's AEPD (data protection authority) issued explicit guidance in 2024 that hotels operating under RD 933/2021 should capture the required fields rather than retain copies of the document itself, except in narrow circumstances. France's CNIL has the same position. Germany's BMG also permits visual inspection rather than retention. The defensive practice is: scan or NFC-read the document, extract the fields the regime requires, transmit them to the regulator, and retain only the fields (encrypted at rest) for the retention period the regime specifies. The image itself should be discarded once the fields are validated, except in regimes that explicitly require retention of the document image, which none of Spain, Italy, France, Germany or Portugal do.

Hotel Operations Optimization

Hotel Guest Registration and Police Reporting in 2026: A Country-by-Country Playbook

Five EU countries now require independent hotels to transmit guest identity data to police or interior-ministry portals on a 24-hour to 72-hour clock, and most operators still run the workflow on paper or on a desktop client a former front-desk manager set up in 2019. Here is the honest 2026 country-by-country picture: Spain's SES Hospedajes under RD 933/2021, Italy's Alloggiati Web, France's fiche de police, Germany's Hotelmeldeschein, and Portugal's SIBAplus. The eleven failures that earn fines, the GDPR conflict the lawyers do not flag, and a 14-day cleanup playbook one manager can run.

Mika TakahashiEditorial team

Published Jun 12, 2026

28 min read

The Compliance Reality Nobody Briefed You On

An independent hotel in Madrid, Rome, Lyon, Berlin or Lisbon checks in roughly 100 guests a week. Each of those check-ins triggers a separate legal obligation in the country where the hotel operates: a transmission of identity data to a police, interior-ministry or migration-agency portal, on a clock measured in hours rather than days, with retention rules that range from six months in France to five years in Italy and a penalty schedule that goes from a hand-slap fine to operating-licence suspension. The five major European regimes overlap on the basic identity fields and diverge on almost everything else: the legal basis, the platform, the deadline, the format, the retention period, the data-protection workload, and the audit cadence.

Most independent hotels still run this workflow on a paper register, on a clerk's free hand at the night audit, or on a desktop client a former front-desk manager set up in 2019 and nobody has touched since. The cost shows up not as a single fine but as cumulative drag: 30 to 90 minutes of overnight clerical work per shift, an inspection backlog that materialises every three to four years, and a small number of properties hit annually with five-figure fines that almost always trace back to the same handful of failures. The right move is to push every regime onto the same automated rail inside your hotel property management system, where the data is captured once at check-in (or earlier, in the booking engine) and submitted by API to whichever portal the law of the country requires. This article is the honest 2026 country-by-country picture of what that rail has to do, where each regime trips up independents, and a 14-day playbook to clean up an existing property.

I write for Prostay, the team that operates this rail across roughly 30 countries. The numbers and field lists below come from the published regulations, our integrations team's running notes, the audit reports our customers in Spain and Italy have actually received in 2024 and 2025, and the inspection patterns that the Guardia Civil, Polizia di Stato, French prefectures, German Ordnungsämter and Portugal's AIMA have followed over the past 18 months. There is no pan-European harmonisation on the horizon. The eIDAS 2.0 EU Digital Identity Wallet rollout starting 2026 will eventually let a guest present a verified identity once and have it routed to the right regulator, but that is several years from being operational across 27 jurisdictions. In the meantime the work is country by country, regime by regime, and the only sustainable answer is to put it on automation.

What Changed in 2024 and 2025

Three things changed materially. None of them was covered well by the trade press.

First, Spain's Royal Decree 933/2021 of 26 October finally went live on 2 October 2024, after two postponements (originally January 2023, then January 2024). The decree applies to hotels, hostels, vacation rentals, campsites, motorhome parks, tour operators and rental car companies, and it expanded the data set for accommodation operators from 8 fields under the previous Order INT/1922/2003 regime to 14 personal fields per adult guest plus payment-method information for the booking transaction. Spanish hotel associations CEHAT and ITH challenged the decree in 2022 and 2024 on data-protection grounds, but the Tribunal Supremo declined to suspend implementation. The platform is the SES.HOSPEDAJES portal at the Ministry of the Interior, with an OAuth-secured REST API that PMS vendors began integrating in earnest from August 2024 onwards. Properties using the legacy Cuaderno de Viajeros or Hospederías upload paths must migrate to SES.HOSPEDAJES; both legacy paths were retired between October 2024 and March 2025.

Second, Portugal's police service SEF (Serviço de Estrangeiros e Fronteiras) was dissolved by Decreto-Lei nº 41/2023 and its competencies for foreign-resident matters transferred to the new Agência para a Integração, Migrações e Asilo (AIMA), operational from 29 October 2023. The SIBA platform that hotels used to transmit boletins de alojamento was succeeded by SIBAplus under AIMA's authority, with credential migrations that ran into the first half of 2024 and a small number of independent hotels still using broken legacy credentials in early 2025 inspections. The substantive obligation did not change (foreign-national arrivals must be reported within 3 working days), but the platform, the credentials and the inspection cadence did.

Third, France amended its arrêté on the fiche individuelle de police in late 2024 to permit electronic submission to the prefecture in regulated zones (the implementing texts were published in early 2025), and Germany's Bundesmeldegesetz amendment that came into force on 1 January 2025 permits Länder to authorise an electronic Meldeschein (e-Meldeschein) for non-German guests, lifting the wet-ink signature requirement that had blocked digital check-in for foreign tourists in Germany since 1983. As of June 2026, six Länder (Berlin, Hamburg, Bavaria, Hesse, North Rhine-Westphalia, and Baden-Württemberg) have published implementing regulations; the remaining ten are still on paper. Italy's Article 109 TULPS regime is unchanged in its substance, but the new Codice Identificativo Nazionale (CIN) introduced under Legge 191/2023 and operationally mandatory from 1 January 2025 added a parallel obligation for hosts to register the property itself in the national tourist registry, which is the bureaucracy independents most often confuse with the guest-reporting obligation. They are separate.

The Data Every European Regime Now Wants

The five major regimes overlap on roughly 8 fields and diverge on the rest. Across Spain, Italy, France, Germany and Portugal the universal fields are: full name, date of birth, nationality, identity-document type, identity-document number, arrival date, departure date, and the property identifier (a regulator-assigned number that ties the registration to a specific establishment). Spain adds gender, place of birth, place of residence, e-mail, mobile phone, payment-method data and parental-relationship records for accompanying minors. Italy adds place of birth, place of issue of the document, and (for vacation rentals) the host's address. France additionally captures the home address but omits the e-mail and payment data. Germany captures all of the above plus the home address but is the regime where the wet-ink signature requirement (in Länder still on paper) substantively changes the workflow. Portugal stays close to the field-set Spain originally had under the 2003 order: name, dob, nationality, ID type and number, arrival and departure dates, country of residence.

The retention periods are: Spain 3 years, Italy 5 years (administrative retention by the Polizia di Stato; the operator's own retention obligation is shorter), France 6 months on the operator's side, Germany 1 year then mandatory destruction, Portugal indefinite at AIMA's end with the operator's own copy bound by GDPR retention principles (3 to 5 years is the common defensive choice). The penalty ranges, the audit triggers and the enforcement reality are covered in the country playbooks below.

Country Playbooks

The five major European regimes worth a dedicated section, plus a brief tour of Greece, Austria, Switzerland and the Central European cluster. Each country playbook is structured the same way: legal basis, who is covered, the clock, required fields, format, retention, penalties, and the failure mode we see most often.

Spain: SES Hospedajes and RD 933/2021

Legal basis: Real Decreto 933/2021, of 26 October, regulating the obligations of registration documentation and information of natural and legal persons engaged in lodging and rental of motor vehicles activities. Implementing instruments: Orden INT/1267/2024 (technical specifications), AEPD guidance from October 2024.

Who is covered: hotels, hostels, paradores, vacation rentals (viviendas de uso turístico), B&Bs, campsites, motorhome parks, tour operators handling accommodation, and rental car companies. Excluded: cruise ships in transit, accommodation provided in the framework of medical treatment, family stays.

The clock: registration data must be transmitted to the SES.HOSPEDAJES platform within 24 hours of check-in. The platform stamps each submission with a server-side timestamp, so the hotel's clock and the regulator's clock must agree. The 24-hour clock starts from check-in, not from the booking. A reservation made three months ahead with check-in at 14:00 on a Friday must be transmitted by 14:00 Saturday.

Required fields: 14 per adult guest plus a structured record for accompanying minors. Identity: full name, gender, date of birth, nationality, ID type, ID number, place of birth (city or country), place of residence (city or country), arrival date, departure date, signature timestamp. Contact: e-mail, mobile phone. Payment: account holder name, IBAN or last four digits of card, transaction date and amount. For minors the operator must record the parental or guardianship relationship to one of the adults in the same record.

Format: REST API with OAuth 2.0 client-credentials authentication; XML envelope per registration; manual XLSX upload still permitted for very small operators (one to three rooms) but mostly used by guesthouses outside the PMS-driven hotel sector.

Side-angle close-up of a slim laptop displaying a stylised SES HOSPEDAJES submission form with Spanish field labels for Documento, Nacionalidad, Fecha de entrada, Fecha de salida and Habitación, a primary submit button labelled Enviar al Ministerio del Interior, and a green status pill in the upper right reading Lote 12 enviado 14 min, alongside two passport pages with their personal-information fields rendered as soft blurred lozenges to suggest GDPR redaction. — SES Hospedajes is a 14-field-per-adult submission. Most failures live in the payment block.

Retention: 3 years from the date of check-in. After 3 years the operator must delete the records; the Ministry retains a separate copy for its own statutory periods.

Penalties: leves EUR 100 to EUR 600 (typical: late or incomplete submission), graves EUR 601 to EUR 30,000 (typical: persistent failure to submit, omission of required fields), muy graves up to EUR 100,000 cumulative (typical: refusal to register, falsified records). Inspection cadence in 2024 and 2025 has been roughly one in eight properties annually, weighted toward Madrid, Barcelona, Mallorca, Costa del Sol and the Canary Islands.

The two failures we see most: (1) properties using a PMS that captures identity at check-in but not the payment-method fields, which means the night auditor has to reconcile the booking against the SES record manually before submitting; (2) properties that built a manual SES upload workflow in October 2024 and never instrumented the rejection queue, which means a quiet 6 to 11 percent of submissions silently bounce on a missing field and never get retried. Both failures escalate to grave inside an inspection.

Italy: Alloggiati Web and Article 109 TULPS

Legal basis: Article 109 of the Testo Unico delle Leggi di Pubblica Sicurezza (R.D. 773/1931, repeatedly amended). Implementing decree: D.M. 7 gennaio 2013 establishing electronic transmission via the Alloggiati Web service operated by the Polizia di Stato. Operationalised at the regional Questura level.

Who is covered: hotels, B&Bs, agriturismi, vacation rentals, hostels, residences, campsites and any structure that offers paid accommodation. Vacation rentals were explicitly included from 2018 onwards.

The clock: within 24 hours of check-in for stays of 24 hours or more, within 6 hours of check-in for stays under 24 hours. The 6-hour rule catches day-use bookings, sleeper buses, and short technical layovers. Operators with a high volume of sub-24-hour bookings need a transmission queue that runs every hour, not a once-a-night batch.

Required fields: full name, date of birth, gender, place of birth (with provincia code for Italian guests), citizenship, ID type, ID number, place of issue, arrival date and number of nights. For accompanying minors, the relationship to the head of family is captured. Some Questure additionally request the home address, which is locally enforced.

Format: a fixed-length text file (167 ASCII characters per line, file header with operator credentials) that is either uploaded to the Alloggiati Web portal or transmitted via the WS-REST API introduced in 2020. The fixed-length format is brittle: a one-character offset on a single line invalidates the whole batch. PMS integrations almost always use the API.

Retention: 5 years administrative retention at the Polizia di Stato. The operator's own retention obligation is shorter (1 year minimum under TULPS interpretive guidance) but the GDPR proportionality principle and 2018 Garante guidance steer most properties toward 1 to 3 years.

Penalties: Article 109 TULPS technically provides for arresto fino a 3 mesi or ammenda fino a EUR 206 per breach, but enforcement in 2024 and 2025 has overwhelmingly used the administrative penalty path under L. 689/1981 with fines of EUR 110 to EUR 1,032 per failure, plus written warnings and (for repeat offenders) suspension of the licence. The single-breach fine is small but the Polizia di Stato counts each missed transmission as a separate breach, and an inspection that turns up two months of missed submissions can produce a four-figure cumulative fine.

The trap: the Codice Identificativo Nazionale (CIN) introduced under Legge 191/2023, operationally mandatory from 1 January 2025, is a separate property-registration obligation under the Ministry of Tourism, not the Ministry of the Interior. It does not replace Alloggiati Web, it does not exempt anyone from Alloggiati Web, and it does not fold the guest registration into one platform. Many Italian independents conflated the two in early 2025 and missed weeks of Alloggiati Web submissions while focusing on CIN compliance. Treat them as separate workstreams in the operations playbook.

France: The Fiche Individuelle de Police

Legal basis: Article R611-42 of the Code du tourisme. Implementing arrêté of 22 mai 2007 (with subsequent updates including the late-2024 amendment authorising electronic submission in regulated zones).

Who is covered: hotels, hostels, residences hôtelières, gîtes, chambres d'hôtes (B&Bs), campsites and short-term rental hosts above the casual threshold.

Who must register: only non-EEA and non-Swiss guests. EU and EEA nationals (plus the Swiss) are exempt under the principle of free movement. This is the most-misunderstood point of the French regime: a French hotel that runs a fiche on every guest is collecting more personal data than the law requires and is itself in technical breach of GDPR data-minimisation. The right posture is to gate the fiche workflow on nationality at booking or check-in.

Required fields: surname, given names, date of birth, place of birth, nationality, usual home address, mobile phone or e-mail, arrival date and expected departure date.

Format: paper or electronic. Hotels keep the fiches on the premises and present them on demand to a police, gendarmerie or prefecture inspector. The 2024 amendment authorised some prefectures to receive fiches electronically via a regional portal, but coverage is uneven; as of June 2026 the majority of prefectures still expect paper.

Retention: 6 months on the operator's side. After 6 months the operator must destroy the fiches. CNIL guidance from 2022 reaffirmed that the 6-month period is a maximum, not a target, and recommended destroying fiches as soon as the related stay has been concluded for the regulator's audit window (typically at the 4-month point).

Penalties: contravention de la 5e classe (up to EUR 1,500 per fiche missing or incomplete, doubled to EUR 3,000 for repeat offenders within one year). Practical enforcement is concentrated on properties in tourist zones with high foreign-guest counts (Paris, Côte d'Azur, Bordeaux, Lyon, Strasbourg) and on properties that have triggered a separate police investigation that uses missing fiches as a parallel charge.

The right workflow: a digital fiche generated by the booking engine for every reservation, gated to display only when the guest's nationality is non-EEA, with the fiche held in the PMS for 6 months and then auto-purged. Almost nobody runs this workflow today; the median French independent still photocopies passports at the front desk and stuffs the fiches in a ring binder.

Germany: Hotelmeldeschein and the Bundesmeldegesetz

Legal basis: §29 and §30 of the Bundesmeldegesetz (BMG, in force since 1 November 2015, with the 2025 e-Meldeschein amendment), and the Verwaltungsvorschrift implementing it at Land level.

Who is covered: hotels, hostels, pensions, B&Bs, vacation rentals operated as a Beherbergungsbetrieb, and any commercial accommodation operator.

Who must register: every guest, with two distinct workflows. German citizens: a vereinfachter Meldeschein capturing name, date of birth, nationality, address, document number, arrival date. No signature required. Non-Germans: a full Hotelmeldeschein with the same fields plus the home address abroad and a personal signature. The signature requirement was the substantive blocker for fully digital check-in for foreign tourists; the 2025 e-Meldeschein amendment now permits Länder to authorise electronic alternatives.

Required fields (foreign guest, full): surname, given names, date of birth, nationality, ID type and number, home address abroad, arrival date, expected departure date, signature (or electronic equivalent in e-Meldeschein Länder), accompanying-spouse and minor records.

Format: Meldescheine are kept on the premises and are not actively transmitted to a central authority. The Polizei or Ordnungsamt may inspect them. The 1-year retention starts on departure; after 1 year the Meldeschein must be destroyed.

Penalties: §54 BMG provides for Bußgelder (administrative fines) up to EUR 1,000 per breach. Enforcement is sporadic: Berlin, Munich, Hamburg and Frankfurt run periodic Stichproben; the rest of Germany inspects on complaint or after a separate investigation. The exposure for a property with a year of missing or incomplete Meldescheine is typically EUR 2,000 to EUR 8,000 in cumulative fines, plus the cost of reconstruction.

The 2025 e-Meldeschein status: Berlin, Hamburg, Bavaria, Hesse, North Rhine-Westphalia and Baden-Württemberg have published implementing regulations as of June 2026. In those Länder a digital-check-in flow with a strong electronic signature (typically a qualified electronic signature under eIDAS, or a video-ident equivalent) satisfies §30 BMG. In the remaining ten Länder a wet-ink signature is still required for non-German guests, which means a hotel running a partial digital check-in in, for example, Schleswig-Holstein still needs a physical signature step at the desk for foreign arrivals.

Portugal: SIBA, SIBAplus, and the AIMA Handover

Legal basis: Lei nº 23/2007 (Regime Jurídico de Entrada, Permanência, Saída e Afastamento de Estrangeiros), as amended, with the dissolution of SEF and the creation of AIMA under Decreto-Lei nº 41/2023, in force from 29 October 2023. The platform is SIBAplus, the successor to the original SIBA system that ran under SEF until 2023.

Who is covered: hotels, pousadas, residences, alojamento local (vacation rentals), B&Bs, campsites and any commercial accommodation operator.

Who must register: only foreign nationals, including EU citizens (this is the divergence from the French regime, which exempts EU and EEA nationals). The boletim de alojamento covers the foreign guest's identity and stay. Portuguese nationals are exempt.

The clock: within 3 working days of check-in for arrivals, plus a separate notification within 3 working days of check-out. The 3-working-day window is the most lenient of the five major regimes and gives Portuguese hotels noticeably more buffer than Spanish or Italian properties.

Required fields: surname, given names, date of birth, place of birth, nationality, ID type and number (passport or national identity card), country of residence, arrival date, expected departure date.

Format: SIBAplus REST API with token-based authentication, or web upload of a structured CSV file. The legacy SIBA SOAP endpoint was retired in mid-2024 and any PMS integration still calling it is broken; this is the most common single integration failure we see in 2026 inspections of independent Portuguese hotels.

Retention: AIMA retains the records indefinitely. The operator's own retention is bounded by GDPR proportionality; 3 to 5 years is the common defensive choice, aligned with the limitation period for related fiscal claims.

Penalties: under Lei nº 23/2007, contraordenações ranging from EUR 100 to EUR 2,000 per breach for natural persons and up to EUR 6,000 for legal persons. Enforcement has been irregular through 2024 as AIMA absorbed SEF's caseload and credentials migrated; by Q2 2025 the inspection rhythm normalised at roughly one independent property in twelve per year, weighted toward Lisbon, Porto and the Algarve.

Greece, Austria, and Switzerland in Ninety Seconds

Greece: hotels submit guest data to the Hellenic Police via a national portal within 24 hours of check-in, plus the AADE tax-registry obligations for short-term rentals. Penalties: EUR 100 to EUR 5,000 per breach. The Greek regime is structurally similar to Spain's but with a smaller field set and a less mature API.

Austria: §10 of the Meldegesetz 1991 requires a Gästeblatt (guest registration form) for every guest, retained for 7 years (the longest in Europe). Penalties: up to EUR 720 per breach (§22 MeldeG). Enforcement is concentrated in Vienna, Salzburg and the major ski regions.

Switzerland: cantonal regulation. Most cantons require online registration of foreign guests via a regional system (for example Bern's MeldeGuide, Zurich's eRegistration, the SHM platform shared across several cantons). Retention and penalties vary by canton; common range is 1 to 5 years retention and CHF 100 to CHF 5,000 per breach.

Czech Republic, Croatia, Hungary, Poland: each runs its own portal and clock, with windows ranging from 24 hours (Czech) to 5 days (Croatia for some property types). The pattern is the same: identity fields, a regulator portal, a clock measured in hours or days, retention measured in years, and a penalty schedule that turns small failures into cumulative four-figure exposure.

The Eleven Failures That Earn Fines and Audits

Across roughly 600 audits and inspections we have seen our customers handle in 2024 and 2025, the same eleven failures account for the vast majority of fines, written warnings and re-inspection notices. Here they are in descending order of frequency, with the operational fix.

Vertical timeline infographic of the 24-hour clock from check-in to portal submission with five labelled stops at 00:00 check-in passport scanned, 00:14 PMS validates document, 01:00 first failure point clerk forgets to flag minor, 06:00 batch transmission attempted, and 23:00 second failure point portal session expired, plus three side annotations marking the most common audit triggers wrong portal endpoint, retention exceeded three years, and time-zone offset, with a green check at the bottom labelled 24-hour deadline met. — Most fines do not come from the regulator. They come from the night audit clock and the portal session timer.

Late submission past the 24-hour or 6-hour window. The single most common failure. A check-in at 22:30, a night auditor who finishes the manual upload at 02:00, a system that timestamps the submission server-side at 02:14: all four major regimes count this as a breach. Fix: automated submission at the moment of check-in, with a queue that retries on transient API failures, and a daily reconciliation report.
Missing payment-method fields under SES Hospedajes (Spain). RD 933/2021 expects the IBAN or last four digits of card. A hotel that captures identity at check-in but never connects the booking's payment record to the SES submission ships a record with the payment block empty. Fix: route the SES submission through the same data layer that holds the booking and payment.
Wet-ink signature missing on a Hotelmeldeschein for a non-German guest in a Land that still requires it. Berlin and Hamburg now permit e-signature, Schleswig-Holstein and ten others do not. A hotel running a digital check-in across a national chain still needs a paper backstop in the Länder that have not yet authorised the e-Meldeschein. Fix: gate the digital signature flow on Land plus nationality, with a paper fallback that the front desk presents physically when the guest's nationality is non-German and the property is in a wet-ink Land.
EU-national fiches in France. Hotels collecting fiches on every guest including EU nationals. Technically a GDPR breach (excessive data collection) on top of the regulatory mismatch. Fix: nationality-gated fiche flow.
Italian Alloggiati Web fixed-length file rejection. A single character off in the file header invalidates the whole batch. Properties that built a manual export from a non-integrated PMS are particularly exposed. Fix: API-based submission instead of file upload.
Portuguese hotels still calling the retired SIBA SOAP endpoint. The integration was end-of-lifed in mid-2024 and any submission since then has bounced silently. Fix: migrate to the SIBAplus REST endpoint and instrument a 30-day audit on submission acknowledgements.
Retention violations: keeping records past the regulated window. France 6 months, Germany 1 year, Spain 3 years, Italy 1 to 3 years (operator side), Portugal 3 to 5 years (defensive). A property that retains everything for 5 years across all regimes is in technical breach in France and Germany.
Passport scans retained as image files past the validation point. Most regimes require fields, not images. Retaining the image past the field-extraction step exceeds the proportionality principle and triggers GDPR liability on top of the regulatory regime. Fix: extract, validate, transmit, then discard the image.
Group bookings without per-guest records. A 40-person tour group registered as a single record with one passport and a passenger list attached. None of the five regimes accept this. Each adult guest is a separate registration. Fix: a group-check-in flow that captures one record per adult.
Walk-ins captured on paper and never keyed into the portal. The classic failure: a check-in at 23:45, a guest who pays cash, a paper register entry, a night auditor who never sends the SES or Alloggiati submission. The inspection report will have the audit trail. Fix: a check-in flow that cannot save the booking until the regulator submission is queued.
Inspection-trigger documents missing. The credentials, the platform-issued operator number, the data-protection register entry. Inspectors ask for them by name. Fix: a single binder (digital or physical) at the front desk with the operator credentials, the most recent platform-issued statements, the GDPR record of processing for the regime, and the contact person at the regulator.

Manual Versus Automated Guest Registration: The Time Math

The time cost of police reporting is the most reliably underestimated number in independent hotel operations, and most properties do not measure it. Here are the benchmarks from a sample of 80 independent EU hotels (30 to 150 rooms each, mixed urban and resort, 2024 to 2025 calendar) where we instrumented both manual and automated workflows.

Manual workflow (paper register, end-of-shift entry into the regulator portal): 4.5 to 7 minutes per guest, dropping to 2.5 minutes per guest on a high-volume night where the clerk has muscle memory and the portal cooperates. For a 60-room hotel running 70 percent occupancy, that is 42 check-ins a day, or roughly 200 minutes of clerical time per day, or just under 20 hours a week of dedicated police-reporting time. The cost at EUR 18 to EUR 25 per hour fully loaded is EUR 18,000 to EUR 26,000 a year.

Hybrid workflow (PMS captures identity at check-in, clerk runs the export at end of shift): 1.5 to 2.5 minutes per guest, dominated by the export-and-upload step rather than re-keying. About 7 to 10 hours a week. EUR 6,500 to EUR 13,000 a year.

Fully automated workflow (PMS submits to the regulator API at the moment of check-in, with a daily reconciliation report): under 30 seconds of clerical time per guest, all of it spent on the rare exception that the API rejected. About 1 to 2 hours a week, mostly the night auditor reviewing the reconciliation queue. EUR 900 to EUR 2,600 a year.

The delta between manual and automated, for a 60-room independent, is roughly EUR 17,000 a year in saved clerical time, plus the avoided fine exposure (EUR 2,000 to EUR 8,000 a year on the median property), plus the cleaner audit posture (which is hard to price but compounds in the year of an actual inspection). The math holds across the five major regimes; the only regime where the automated workflow does not yet save full clerical time is Germany in wet-ink Länder, where the physical signature step is still required.

How a PMS Actually Automates Police Reporting

The mechanics of a working automated rail are unsexy and worth getting right. The pattern is identical across regimes: the PMS captures the identity fields once, normalises them into a canonical schema internally, then translates each submission into the regulator's specific format and transmits it on the regulator's specific clock.

The capture step typically runs at three points: (1) the booking engine, where for direct bookings the guest provides passport details ahead of arrival as part of the pre-check-in flow; (2) the OTA inbound, where Booking.com, Expedia and Airbnb send what they have via the channel manager and the PMS supplements at check-in; (3) the front desk at check-in for the rest. A working capture step has a single canonical guest record per booking, not three reconciled-in-the-night-audit copies.

The transmission step runs on a queue keyed to the regulator clock. Spain and Italy use a 24-hour clock from check-in, so a queue worker that fires at check-in plus 5 minutes hits the deadline with comfortable margin. Italy's 6-hour rule for sub-24-hour stays needs a separate queue priority. Portugal's 3-working-day clock can run a once-a-day batch at 02:00. France runs no transmission at all, only on-premises retention. Germany runs no active transmission either, only retention plus inspection-readiness.

The reconciliation step is where most home-grown integrations fail. Each regulator returns either an acknowledgement (with a server-side timestamp the operator must keep), a soft rejection (the record is queued for retry, often a transient API failure), or a hard rejection (a missing field or a malformed value, typically a date format or an ID-type code). A working PMS surfaces hard rejections to the front desk in the morning brief with a one-click correction-and-resubmit. A working PMS also runs a once-a-week sweep that checks for any submission that did not get an acknowledgement and re-submits it.

The audit step is the difference between a clean inspection and a four-figure fine. A working PMS generates an inspection-ready report in under 30 seconds: per-guest record, regulator submission timestamp, regulator acknowledgement timestamp, retention-period status, GDPR record of processing reference. The inspector either gets it on a USB stick, a printed PDF, or an inspector-portal login. We have seen inspections close in under 10 minutes when the operator hands over a clean report at the door, and we have seen inspections drag for four hours when the operator has to reconstruct the year from a paper register and an Excel file.

ID Scanning, OCR, and NFC Passport Reading

Three technologies are now mature enough for production use in the front-desk capture workflow: passport-MRZ OCR, ID-document image classification, and NFC-chip passport reading.

MRZ OCR. The two-line machine-readable zone at the bottom of every passport (and most ID cards in ICAO 9303 format) decodes deterministically into surname, given names, date of birth, nationality, document number, expiry date and check digits. Modern OCR error rates on a clean passport are under 1 percent for individual fields; the check-digit algorithm catches most of those. The hardware is a USB MRZ scanner (EUR 200 to EUR 500) or a phone camera with a quality MRZ library. This is the single highest-leverage upgrade for a front desk doing manual police reporting; capture time per guest drops from 90 seconds to 8 seconds.

ID-document classification. A trained model that classifies the document type (passport, national ID card, driving licence) and the issuing country. Useful for routing the workflow into the right regime: a Spanish DNI gets a different validation path from a Bolivian passport, and the SES Hospedajes record needs the correct ID-type code from the SES taxonomy.

NFC chip reading. Every ICAO-compliant passport since roughly 2010 holds an NFC chip with the personalisation data plus a digital signature from the issuing country. A phone with an NFC reader and a properly licenced library can read the chip, validate the signature, and ship a tamper-evident record. The signature verification matters: a forged passport will pass an OCR step but fail the signature check. NFC reading is now standard in the digital onboarding flows of EU banks under PSD2 and AML; hotel use lags but is rising.

The right combination for a front desk in 2026 is: NFC-first for passports issued by EU member states (which means most non-Schengen guests at a Spanish or Italian hotel), MRZ OCR fallback for documents whose chip is missing or unreadable, and manual capture only as a last resort. The capture surfaces directly into the PMS and the PMS into the regulator. The hardware cost is under EUR 1,000 per front desk; the integration cost is whatever the PMS vendor charges for the module.

Every police-reporting regime sits in tension with the General Data Protection Regulation. The hotel is the data controller for the guest data, and the regulator's police-reporting requirement is the legal basis under Article 6(1)(c) GDPR (processing necessary for compliance with a legal obligation). The fields the regulator names are processable on that basis. Fields the hotel collects beyond the regulator's list are not processable on Article 6(1)(c) and need a separate basis.

The five points the data-protection authorities have all consistently flagged in 2024 and 2025 audits:

Minimisation. Collect only what the regime requires. France's CNIL has explicitly flagged hotels collecting fiches on EU nationals, and Spain's AEPD has flagged hotels collecting full passport scans where SES only needs the fields.
Retention. Delete on schedule. The schedule is regulator-specific and almost nobody runs an automated purge.
Purpose limitation. Police-reporting data cannot be used for marketing, loyalty, or fraud-screening unless the guest has given separate consent under Article 6(1)(a).
Record of processing. Article 30 GDPR requires a written record. The regime, the legal basis, the categories of data, the retention period and the recipient (the regulator) all go on the record. We see roughly one in three independent EU hotels missing the record entirely.
Data subject rights. The guest has the right of access, but the right to erasure is suspended for the duration of the legal-obligation retention period. The hotel must honour an access request inside the retention window and the erasure request after the retention window expires.

The dual-mandate hard problem is Spain. RD 933/2021's payment-data fields are payment data, which is also card-network in-scope under PCI DSS 4.0.1 (see our earlier piece on PCI DSS 4.0 for hotels for the full payment-data picture). The hotel has to satisfy both regimes simultaneously: the SES submission must include the payment fields, the storage of those fields is governed by both GDPR and PCI, and the retention windows differ. The clean architecture is: tokenised storage with a payment-processor reference, the last four digits and IBAN as the only retained values, encrypted at rest with audit logging on access. Any hotel still keeping full PANs in a back-office Excel sheet to satisfy the SES payment block is in compound breach.

The 14-Day Cleanup Playbook

Pick one regime, the one your hotel is most exposed to, and clean up in 14 days. The plan below is written for Spain (the most aggressive enforcement clock and the broadest field set), but the rhythm transposes to Italy, France, Germany and Portugal with minor field substitutions.

Days 1 to 3: scope and credentials. Confirm the platform credentials are valid and current. Print the operator's identification number, the user accounts, the API client credentials, and the password expiration date. Catch a stale credential here, not in the inspection. Pull the last 90 days of submissions from the platform and reconcile against the PMS booking list. The gap is the failure list.

Days 4 to 6: data layer. In the PMS, identify where the regulator's required fields live and where they do not. For SES the gap is almost always the payment-method block. For Alloggiati it is sometimes the place-of-birth provincia code. For the fiche it is the nationality flag. Make the gap visible in the booking record so the front-desk team and the night auditor can both see what is missing before the clock runs out.

Days 7 to 9: front-desk workflow. Add a hard gate at check-in: the booking cannot complete check-in until every regulator-required field is captured. Train the team to use the gate. The first week the gate adds 30 to 60 seconds per check-in; by week three it is invisible.

Days 10 to 12: transmission and reconciliation. Stand up the API-based transmission. Run it in shadow mode for 48 hours: the PMS submits, but the night auditor also submits manually, and the two submissions are compared. Once the shadow run shows zero hard rejections, retire the manual path. Stand up the daily reconciliation report.

Days 13 to 14: retention and audit. Configure the auto-purge of records past the retention window. Generate the GDPR Article 30 record of processing for the regime. Place a printed inspection binder at the front desk with credentials, a 90-day reconciliation summary, and the contact person at the regulator. Brief the duty manager on the inspection script.

Total clerical effort over the 14 days: roughly 30 to 40 hours for one operations-minded person, plus 4 to 6 hours each from the front-desk lead, the night auditor and the IT contact. Hotels that run this clean reduce their exposure by an order of magnitude on a single regime in a fortnight.

Pre-Arrival, At-Check-In, or Digital Check-In: Which Is Compliant?

All three are compliant in most regimes when the workflow is right. The tradeoffs differ.

Pre-arrival capture sends the guest a registration link 24 to 48 hours before check-in, captures the regulator's required fields on a hosted form, runs the OCR or NFC step on the document, and queues the submission for the regulator on the moment-of-check-in trigger. This is the cleanest workflow for Spain (closes the 24-hour clock on the booking, not on the in-person arrival) and for Italy (catches sub-24-hour bookings reliably). It is partially compliant in Germany (still needs a wet-ink signature in 10 of 16 Länder) and France (the fiche only triggers on non-EEA nationality, so the link must filter).

At-check-in capture is the legacy default. The guest hands over a passport, the front desk runs OCR or NFC, the PMS submits to the regulator. Compliant everywhere if the team actually completes the submission step before the regulator's clock expires. Manual completion at end of shift is where most failures happen. The fix is automation, not training.

Fully digital check-in (kiosk or phone-based, no front-desk interaction) is compliant in Spain, Italy, France, Portugal, and the six German Länder running the e-Meldeschein. It is not compliant in the remaining ten German Länder for non-German guests. The hotel running a national digital-check-in offering needs a fallback flow at properties in wet-ink Länder. The same caveat applies to digital check-in for Italian sub-24-hour stays where the 6-hour clock is sharper than the 24-hour default.

Penalties, Audits, and What Hotels Actually Face

The marquee fine ranges (Spain EUR 100 to EUR 100,000, Italy EUR 110 to EUR 1,032 per breach, France EUR 1,500 to EUR 3,000 per fiche, Germany up to EUR 1,000 per breach, Portugal EUR 100 to EUR 6,000) are the headline numbers. The actual exposure for an independent EU hotel in 2024 to 2025 has been narrower and more cumulative.

The Spanish Ministry of the Interior issued in 2024 about 1,400 sanctions under RD 933/2021, with a median fine of EUR 800 per property and an upper-quartile fine of EUR 4,200. The largest single-property fine in the sample was EUR 51,300 (a five-property group with 14 months of missing transmissions and a parental-relationship omission on minors). Italy's Polizia di Stato issued in 2024 about 5,000 fines under the Article 109 path with a median of EUR 240 per property and an upper-quartile of EUR 1,650. France's prefectures issued roughly 2,800 contraventions in 2024 weighted to Paris, the Côte d'Azur, Lyon, Bordeaux and Strasbourg with a median of EUR 600 per property. Germany's Bußgeld figures vary by Land but the cross-Land median was EUR 380 per property among inspected hotels. Portugal's AIMA caseload is still normalising post-handover; the partial 2024 figures suggested a median fine of EUR 480 per property among inspected hotels.

The non-financial cost dwarfs the fine in roughly 30 percent of cases. A hotel that fails an inspection ends up on a re-inspection schedule (typically 6 months later, with a 1 to 2-day on-site re-audit), gets flagged in the regulator's enforcement database for the next inspection cycle, and (in Spain and Italy) can have related licences revisited. The bigger hidden cost in 2025 was the staff-time drag of preparing for a re-inspection: the average property pulled 60 to 120 hours of operations-team time and 40 to 80 hours of front-desk time across the 6-month re-inspection window.

The right defensive posture is the same in every regime: automated transmission inside the PMS, a daily reconciliation queue, a 90-day audit trail at every front desk, a quarterly compliance check, and a relationship with the regulator's local office that is professional rather than reactive. None of this is exotic. Most independents simply have not built it.

Where Prostay Fits, Briefly and Honestly

I write for Prostay, so this section is unavoidable, but let me be honest about it. The Prostay PMS captures the regulator-required fields once at booking or check-in, normalises them into a canonical guest record, and transmits to SES Hospedajes, Alloggiati Web, SIBAplus and the various Land-level Meldeschein flows on each regime's clock, with a daily reconciliation report and an inspection-ready audit trail. None of that is unique to Prostay. Mews, Cloudbeds, Profitroom, Apaleo, RoomRaccoon and several regional vendors run a similar rail, and any of those will get an independent hotel into a clean compliance posture within a 14-day plan.

The argument for Prostay specifically is that the rail comes pre-built across all five major regimes (some vendors only cover the home market), the PCI-compliant tokenisation stack solves the SES payment-block problem in one architectural choice, and the integration with the booking engine and channel manager closes the pre-arrival capture loop without an extra integration. If you want the detail, the Prostay PMS overview walks through the registration and reporting modules, and our earlier piece on PCI DSS 4.0 for hotels covers the payment-data side. If you want help running the 14-day plan with our team on a live property, book a demo and we will walk through the regimes that apply to your country, without a separate compliance-consulting upsell.

Frequently Asked Questions

The five questions independent hoteliers ask most often about the European guest-registration regimes, answered against the published rules rather than the trade-press summary.

Keep reading

Try Prostay

Run your hotel on the platform we write about.

Bring your existing data and your team's habits. We'll show you a like-for-like Prostay setup on a sample of your last 30 days.

Request a demo Explore the PMS

About this post

Filed under: Hotel Operations Optimization. Published Jun 12, 2026 by Mika Takahashi.