Full Report (PDF, 134KB)
The Convention Implementing the Schengen Agreement and the national implementing legislation in the European Union Member States requires business accommodations to see to it that foreign guests complete and sign registration forms and confirm their identity by producing a valid identity document. These registration forms must be made available to law enforcement agencies upon request if necessary for the fulfillment of their duties. Business accommodations must ensure that registration forms are safely and securely stored and cannot be accessed by unauthorized persons. They must be destroyed after a certain time.
In 1985, Germany, France, Belgium, Luxembourg, and the Netherlands signed the Schengen Agreement, an international agreement that gradually abolished checks at their common borders. In 1990, the Convention Implementing the Schengen Agreement was signed, creating the Schengen area with the complete abolition of border controls. To offset the abolition of border controls, the Convention provided for a series of measures with regard to the Schengen visa, asylum, police and security cooperation, the Schengen Information System (SIS), and the protection of personal data. The Treaty of Amsterdam of 1997 incorporated the Schengen Agreement into European Union (EU) law.
II. Convention Implementing the Schengen Agreement
The chapter on police cooperation in the Convention Implementing the Schengen Agreement contains a provision stating that Member States must adopt the necessary measures to ensure that the managers of establishments providing accommodation see to it that foreign guests complete and sign registration forms and confirm their identity by producing a valid identity document. Completed registration forms must be kept for, or forwarded to, the competent authorities if necessary for the prevention of threats or criminal investigations. Article 129 provides that when such personal data is communicated, Member States must ensure a certain level of data protection in line with the principles of Recommendation No. R (87) 15 of 17 September 1987 of the Committee of Ministers of the Council of Europe Regulating the Use of Personal Data in the Police Sector. The Recommendation contains provisions on the collection, storage, use, communication, length of storage and updating, and security of data, as well as on the rights of publicity, access, rectification, and appeal of the data subjects.
III. Implementing National Provisions
The Convention Implementing the Schengen Agreement only provides a general framework for the collection of personal data of hotel guests. The EU Member States therefore implemented the requirements in differing ways. In Germany for example, the requirement to collect certain personal data from hotel guests and store or forward it to law enforcement authorities is implemented in the Federal Act on Registration. The Federal Act on Registration provides that persons staying in commercial accommodations must sign a special registration form on the day of their arrival. Foreigners must verify their identity by presenting a passport or other valid ID upon registration. The registration form must contain the following data:
- Date of arrival and planned departure
- Last names
- First names
- Date of birth
- Number of persons in the party and their nationalities
- Serial number of passport or other recognized ID in the case of foreigners
For foreigners, the hotel employee must compare the information provided on the registration form with the passport information. If there is a discrepancy or if no valid identity document was presented, it must be noted on the registration form. No other action is necessary.
The commercial accommodation must retain the registration forms for a period of one year and must destroy them no later than three months after that one-year period has ended. It must present them upon request to certain law enforcement agencies and other agencies designated by the law of a German state, if these agencies require them to fulfill their duties. They must ensure that no unauthorized persons may access the registration forms. The requesting law enforcement agency must record the name and address of the data subject with a note indicating the reason for the data transfer. This record must be safely stored and destroyed at the end of the calendar year following the year in which it was recorded.
In November 2018, several parliamentarians addressed a written inquiry to the German government, asking whether there was any information on how many times law enforcement agencies have requested to see the registration forms and for which crimes. The government responded that no numbers were available as most authorized agencies are state-level agencies and the individual state governments would have those numbers.
IV. Data Protection
As mentioned above, the Convention Implementing the Schengen Agreement provides that Member States must ensure a certain level of data protection in line with the principles of Recommendation No. R (87) 15 when personal data is processed and communicated. In addition, on May 25, 2018, the EU’s General Data Protection Regulation (GDPR) took effect. As a regulation, it is directly applicable in all Member States without any implementing legislation needed. The GDPR covers the processing of all personal data. Persons processing personal data must ensure that the processing complies with the principles set out in the GDPR, in particular lawfulness, meaning there needs to be a proper legal basis for the processing. In the case of business accommodations, processing of personal data is necessary for the performance of the accommodation contract and for compliance with the legal obligation to collect personal data from hotel guests upon registration codified in the Convention Implementing the Schengen Agreement and the respective national implementing legislation.
Prepared by Jenny Gesley
Foreign Law Specialist
 Agreement Between the Governments of the States of the Benelux Economic Union, the Federal Republic of Germany and the French Republic on the Gradual Abolition of Checks at Their Common Borders (Schengen Agreement), 2000 O.J. (L 239) 13, https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX: 42000A0922(01)&from=EN, archived at http://perma.cc/GNJ9-72V9.
 Convention Implementing the Schengen Agreement of 14 June 1985 Between the Governments of the States of the Benelux Economic Union, the Federal Republic of Germany and the French Republic on the Gradual Abolition of Checks at Their Common Borders (Convention Implementing the Schengen Agreement), 2000 O.J. (L 239) 19, https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:42000A0922(02)&from=EN, archived at http://perma.cc/T5DH-5FBZ.
 Treaty of Amsterdam Amending the Treaty on European Union, the Treaties Establishing the European Communities and Certain Related Acts (Treaty of Amsterdam), Protocol Integrating the Schengen Acquis into the Framework of the European Union, 1997 O.J. (C 340) 1 (93), https://eur-lex.europa.eu/legal-content/EN/ TXT/PDF/?uri=CELEX:11997D/TXT&from=EN, archived at http://perma.cc/S77L-Y8P9.
 Convention Implementing the Schengen Agreement, art. 45, para. 1(a).
 Id. art. 45, para. 1(b).
 Id. art. 19; Recommendation No. R (87) 15 of 17 September 1987 of the Committee of Ministers of the Council of Europe Regulating the Use of Personal Data in the Police Sector, https://polis.osce.org/file/8556/ download?token=u9_EfhVZ, archived at http://perma.cc/PM77-BZRU.
 Bundesmeldegesetz [BMG] [Federal Act on Registration], May 3, 2013, Bundesgesetzblatt [BGBl.] [Federal Law Gazette] I at 1084), as amended, §§ 29, 30, http://www.gesetze-im-internet.de/bmg/BMG.pdf, archived at http://perma.cc/A9BE-68HL, unofficial English translation available at http://www.gesetze-im-internet. de/englisch_bmg/englisch_bmg.pdf, archived at http://perma.cc/8X43-QNZP.
 Id. § 29, para. 2.
 Id. § 29, para. 3.
 Id. § 30, para. 2.
 Id. § 30, para. 2, sentence 2.
 Id. § 30, para. 2, sentences 3, 4.
 Id. § 30, para. 4.
 These agencies are federal and state police authorities; public prosecutor’s offices; public prosecutors at local courts; courts, as far as they carry out tasks of law enforcement, prosecution, or execution of sentences; correctional authorities; the Customs Investigation Service; main customs offices; and tax authorities, where they perform law enforcement tasks. See id. § 34, para. 4, sentence 1, nos. 1-5 & nos. 9-11.
 Id. § 30, para. 4, sentence 2, in conjunction with § 34, para. 4, sentence 1, nos. 1-5 & nos. 9-11.
 Id. § 30, para. 4, sentence 3.
 Id. § 34, para. 4, sentences 2, 3.
 Deutscher Bundestag: Drucksachen und Protokolle [BT-Drs.] 19/6036, http://dipbt.bundestag.de/ dip21/btd/19/060/1906036.pdf, archived at http://perma.cc/MV2P-AXLU.
 Id. at 2.
 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation) (GDPR), 2016 O.J. (L 119) 1, https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:02016R0679-20160504&from=EN, archived at http://perma.cc/56U6-5385.
 Consolidated Version of the Treaty on the Functioning of the European Union (TFEU), art. 288, para. 2, 2016 O.J. (C 202) 1, https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:12016E/TXT&from=EN, archived at http://perma.cc/77ZN-R4Z3.
 GDPR, art. 6.
 Id. art. 6, paras. 1b, 1c.
Last Updated: 07/24/2020