Complaint Case Notes

編號: 0124/2014/IP

標題: ID copy required for hotel reservation

立案原因: Report


    A citizen reported to the Office for Personal Data Protection (GPDP) that when making a room reservation with Hotel B, a subsidiary of Company A, he was asked by the hotel staff to sign an authorization form, in addition to providing the cardholder’s credit card and ID or passport copy.  He believed that providing the ID copy for room reservation was a violation of the Personal Data Protection Act (PDPA or Law 8/2005), and therefore requested the GPDP to follow up.


    Being the license holder of Hotel B, Company A decides for the former’s activities (including the processing of hotel customer data), and therefore it is the data controller. 
  For reservations customers provide their personal data (including signing an authorization form and providing their credit card, and ID or passport copy) to the hotel, signifying that Company A processes the data of the data subjects with their explicit consent.  In other words, it achieved the legitimacy for data processing which Article 6 of the PDPA requires.  The fact that Company A for the performance of the accommodation contract concluded with its customers processed their personal data also achieved the legitimacy which Article 6(1) of the same Law governs.  
  The information that provided by Company A revealed that an authorization, along with a credit card copy and an ID or passport copy, is only necessary when a credit card holder promised to pay through credit card or to guarantee a payment for another third party (hotel guest in this case).  The authorization aims to assure that the cardholder will settle the bill for a third party and acts as an indication of wishes that he has authorized the hotel to charge the payment. 
  The GPDP is in the opinion that if the cardholder is not the hotel guest and reserved a room in advance of the accommodation, the hotel, in most cases, for instance making online reservation, could not ask the cardholder to produce his ID.  The current case involved a proof of contract performance –– proofing the identity of the beneficiary, or confirming the identity of the individual who made the hotel reservation (the party that concluded the contract), for example –– and a copy of the identity card of the individual who made the reservation (the concluding party) was requested to accompany the authorization form to be submitted.  A request as such is excessive and perhaps it is infeasible in practice, in particular when a person is reserving a hotel room online and has to justify the reservation was made for him.  This showed that such practice still has room for improvement.
  With respect to the credit card copy asked by Company A, it pointed out that the copy was used to verify the signature on the authorization form.  According to the Payment Card Industry Data Security Standard, laid down by the Payment Card Industry Security Standards Council, merchants, having received the authorization from the cardholder, can store his information including his name, account number and credit card data like expiry date during the operational or legally defined periods.  The security code, a proof that the credit card was used by its real cardholder, aims to prevent credit card fraud during card-not-present transaction where the card is not physically presented, such as transactions made over the telephone, internet or email.  Moreover, Company A also pointed out that Hotel B acts in compliance with the guidelines of the Payment Card Industry Security Standards Council, making sure that credit card data is secured, for instance, credit card copy is destroyed immediately after a room reservation has been confirmed by the billing department. This showed that Company A’s practices are proper in terms of securing credit card transactions and asking for credit card copies.
  To sum up, the purpose of asking for credit card and ID copy by Company A is lawful, specific, relevant and legitimate, in addition that its data processing is not excessive in terms of its purpose, whereby the processing principles as laid down in Article 5(1)(2) and 5(1)(3) were not violated. 


    The GPDP has informed the investigation results to Company A and the person who made the report; this case has been closed.    

Please refer to Article 5 and 6 of the Personal Data Protection Act.