3

When applying for a Schengen visa, an applicant is typically required to provide a proof of accommodation. Often it's a screenshot from a hotel aggregator, or an email from a hotel (if booked directly), or a letter from a friend warranting an accommodation. It may contain some numbers which may be validated on the aggregator's website. In other cases, a call to the hotel or the friend may be required to confirm that the reservation is not fake.

What is the legal basis (if any) that permits the embassy (frequently located outside of the EU) to request information about a person's reservation from a hotel, and receive a response?

I suspect there would be some data protection laws which make it illegal for the hotel to disclose information about their guests' reservations to random third parties, like a curious bystander. I also suspect that embassies are legally able to make any requests to verify the information provided in the visa application. Hence, some kind of permission or exemption is probably granted to the embassy processing the visa application.

This question is generic, about any Schengen country or EU-wide regulations. For example, the Austrian visa application in London links to a GDPR statement(?) and the application form. Both cover what happens with the information provided by the applicant (stored here, accessed by these parties and officials), but I don't see how any of them legally allow the hotel to disclose information to the embassy.

Improve this question
6
  • 1
    I did a cursory check of the German laws and regulations on visa application processes. I did not find an explicit legal basis for contacting accommodation providers, and did not find a duty for accommodation providers to cooperate with such requests. However, such contact information is checked against police and intelligence agency databases. And hotels do have a duty to register all guests with the state upon arrival.
    – amon
    Commented Jan 15, 2023 at 19:02
  • "frequently located outside of the EU": whether an embassy or consulate is located outside the EU is not relevant. "In other cases, a call to the hotel or the friend may be required to confirm that the reservation is not fake": do you have any evidence suggesting that such calls are made?
    – phoog
    Commented Jan 15, 2023 at 23:59
  • @phoog Mostly speculation. Only some distant anecdotal evidence from Internet forums; e.g. a landlord claiming to receive a call from an embassy's consular section to verify whether the reservation for such-and-such people for such-and-such dates exists and is prepaid.
    – yeputons
    Commented Jan 16, 2023 at 7:17
  • @yeputonsm the accepted answer does not in fact explain what authorizes or compels the hotel to respond to the consulate's request for information ("I don't see how any of them legally allow the hotel to disclose information to the embassy").
    – phoog
    Commented Jan 16, 2023 at 9:56
  • Have you checked the terms and conditions of a visa application to see if you sign away any rights? All applications give authorities broad rights to process your information. (And if they suspect you have lied they are entitled to request information as part of a criminal investigation according to the usual procedures, regardless of any other agreement.)
    – Stuart F
    Commented Jan 16, 2023 at 14:54

1 Answer 1

Reset to default
2

GDPR article 6(1) makes it legal if

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

An embassy is exercising official authority, and the fact that it is located outside the EU does not really matter; it is an agency of a member state. It could be more problematic if the embassy or consulate contracts a visa processing service, but there the details of the data processing agreements would matter. (I haven't taken the time to look if they are public.)

Improve this answer
3
  • A contracted visa processing firm never have a say in visa, they only deal with human-facing tasks like couriering, biometrics, and verifying that all documents are present..., all decisions and document verifications, are done by the government employees, and most of the time they don't even have access to the visa decision as it is usually carried in sealed envelopes to be opened by the visa requester, so DPA wouldn't apply to the visa processing firm.
    – Nicolas Formichella
    Commented Jan 16, 2023 at 9:07
  • This answer does not address the last sentence of the question ("I don't see how any of them legally allow the hotel to disclose information to the embassy").
    – phoog
    Commented Jan 16, 2023 at 9:58
  • Art 6(1)(e) is not blanket permission for the state to do anything, but merely says that the GDPR doesn't stand in the way of specific Union or Member State laws that authorize data processing. 6(1)(e) must be read together with 6(3). A 6(1)(e) legal basis is also generally inapplicable for private sector actors, their equivalent would be a 6(1)(c) legal obligation or 6(1)(f) legitimate interest instead.
    – amon
    Commented Jan 16, 2023 at 12:27

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .