Operational walk-through

How Spain's guest registry works in practice

This page walks through the five operational stages of guest-registry compliance in Spain, from registering the property in the police-authority platform to retaining the file for three years after the guest has left. It is written for the owner who is not in Spain on any given day and who needs the process to keep running while they are not paying attention. Most of the text focuses on SES.Hospedajes, because the majority of the country reports there; where Catalonia (Mossos d'Esquadra) or the Basque Country (Ertzaintza) differ, the differences are flagged inline.

Stage 1 — Get an access credential or appoint a representative

Before you can do anything on SES.Hospedajes, you need strong electronic identification. Spanish administration recognises two routes for individuals: an FNMT Digital Certificate (issued by the Royal Mint and Stamp Factory) or activated Cl@ve credentials. Both routes presuppose a Spanish identity number — a NIE for foreigners or a DNI for Spanish nationals — and an identity-verification step done either in person at a Spanish public office (a tax-agency branch, a social-security office, certain consulates) or via a remote video procedure.

If you have a NIE and you can spare an afternoon at a Spanish public office during a trip, the FNMT certificate is a one-off acquisition that lasts several years. If you do not have a NIE, or you do not want to deal with the credential and its periodic renewal, the standard route is to appoint an apoderado: an authorised representative resident in Spain who already holds a usable credential. The representation is recorded in the central public registry (Registro Electrónico de Apoderamientos) and can be limited to the specific procedure of guest registration. The representative does the technical work; you remain the obligated party.

For the Catalan portal the credentials accepted include idCAT, FNMT and a few others recognised by the Generalitat. For the Ertzaintza, the credentials are those accepted by the Basque Government. In all three cases the mechanism is similar: someone with Spanish electronic identification submits on behalf of another person, and that person remains the owner of the obligation.

Stage 2 — Register the property as a provider

Once you (or your representative) can log in, the next step is to register the property. The platform calls this alta de prestador — registration of the lodging provider. SES asks for:

  • The host's identifying details: full name or company name, NIF or NIE.
  • The property's identifying details: full address, tourism-licence number (where the autonomous community has issued one), the type of accommodation (holiday-use dwelling, tourist apartment, rural house and so on), the number of accommodation units (rooms, beds), and the date the activity started.
  • The classification of the host as professional or non-professional.

Once accepted, SES issues a unique establishment code beginning with the letter H and followed by digits. This code is the property's permanent identifier and travels in every subsequent submission. Owners with more than one property register each one separately and receive a separate code for each. The Mossos and Ertzaintza systems have an equivalent registration step using their own identifiers.

Registration in the police platform is not the same as registration in the autonomous community's tourism register, which is a separate prerequisite to advertising the property. Many owners have one but not the other and find out only when an inspection cross-checks the two databases.

Stage 3 — Collect the data for each stay

For every stay, the platform expects the data set defined in Annex I of Royal Decree 933/2021. The annex separates establishment data (already on file from registration), contract data (booking-level details) and traveller data (per person).

Contract-level fields

  • Contract reference — your internal booking reference.
  • Contract formalisation date — the date the booking was confirmed, in YYYY-MM-DD.
  • Check-in date and time — in YYYY-MM-DDThh:mm:ss format.
  • Check-out date and time — same format.
  • Number of people accommodated and number of rooms used.
  • Payment type — one of cash, card, transfer, platform, other. Only the type is reportable; card numbers and IBANs are not required and should not be transmitted.
  • Total amount of the stay, in euros.

Traveller-level fields — 17 base fields per person

Each traveller — including infants and minors — is reported separately. The base set is 17 fields; in some configurations it expands to 21 or, in exceptional setups, up to 42, but for a typical holiday-rental stay the 17 are what you should expect to capture.

Field | When required
--- | ---
Given name | Always
First surname | Always
Second surname | When document is a Spanish DNI/NIF
Sex | Always
Nationality | Always (ISO 3166-1 alpha-3)
Date of birth | Always, YYYY-MM-DD
Document type | Always (DNI / NIE / Passport / TIE)
Document number | Always
Document support number | For Spanish DNI and TIE
Habitual address (street, town, country) | Always
Landline telephone | If available
Mobile telephone | If available
Email address | If available (recommended)
Number of travellers | Always
Relationship to accompanying adult | When minors are present
Role | Always (VI = traveller)
Signature | For guests aged 14 or older

The trickiest field for foreign owners is the document support number (número de soporte). This is a separate identifier printed on Spanish DNI and TIE cards, distinct from the main document number; the platform uses it to validate authenticity, and submissions without it are rejected for Spanish documents. For passports the field does not apply. Foreign owners often miss it because their international guests have it, but they themselves do not, and the data-collection form does not always make the distinction obvious. Your pre-check-in flow has to capture it explicitly.

Rules for minors

Minors travelling with adults

  • Inclusion: All minors are reported as travellers, regardless of age, including newborns.
  • Identity document: Minors under 14 do not need to present an ID; you capture name, date of birth, sex and nationality only.
  • Signature: Minors under 14 do not sign; the accompanying adult signs for them.
  • Relationship: The relationship between the minor and the accompanying adult is a mandatory field when a minor is on the booking.

Stage 4 — Capture an electronic signature

Every traveller aged 14 or older must sign the parte. The signature is held by you (or your representative) as proof of identification; it is not uploaded to SES. There are three acceptable forms:

  • Simple electronic signature — captured on a tablet at check-in with a finger or stylus, bound to the traveller's identity by the data already collected.
  • Reinforced electronic signature — collected through a pre-arrival check-in flow that sends a link to the guest's phone or email, captures a signature, and includes an OTP confirmation and a timestamp. This is the standard mode for remote-managed properties.
  • Handwritten signature on paper — accepted as part of the local archive, but only as a complement to the electronic submission. Paper alone has not been valid since December 2024: the data must be transmitted electronically.

For a non-resident owner who is not on site for check-in, the reinforced electronic signature in a pre-arrival check-in flow is effectively the only practical option. Asking a remote check-in agent to capture a wet signature on the day adds a layer that is fragile and prone to delay.

Stage 5 — Submit the data within 24 hours

The submission deadline is 24 hours from the moment the guest arrives at the property. The clock does not start at booking, at the booking confirmation, or at the pre-check-in; it starts at physical arrival. SES.Hospedajes accepts three submission modes:

  1. REST API — for automated integrations. Requires development or a provider that has done the integration. This is the channel a specialist compliance service will use behind the scenes.
  2. XML file upload — the data is packaged in a format defined by the Ministerio del Interior and submitted as a file. Useful for batching, but still manual at the submission step.
  3. Manual web form — for low-volume operators with a usable credential. The slowest and most error-prone option.

For a successful submission, SES returns a communication receipt with a unique reference number. The receipt is the evidence of timely compliance and is the document you would produce in any subsequent inspection. Mossos and Ertzaintza systems work analogously: there is a receipt, it has a reference, you keep it.

Because the 24-hour clock is unforgiving and because guests often arrive at odd hours, the practical compliance strategy is to shift the data collection earlier — typically two to seven days before arrival — through a pre-check-in flow that captures all 17 fields and the signature in advance. Submission to SES is then triggered at or shortly after the check-in time, comfortably inside the window.


Stage 6 — Retain the records for three years

If you are a professional host, you must keep the documentary file for three years from the end of each stay. The file includes the data submitted, the signed parte, and the receipt returned by the platform. The retention should be electronic, structured per stay, and searchable on demand by date, guest or property — an inspection that asks for a specific stay's records and is met with an unsorted pile of PDFs has not been satisfied.

Non-professional hosts have no formal retention duty but, again, voluntary retention is sensible: it is the only way to defend yourself if someone alleges a missed submission years after the fact, when the platform's own record may be hard to pull.

Three rules that save trouble

1. Do not photocopy passports or ID cards

Capturing the 17 fields is what the law requires. Storing an image of a passport or DNI is what it does not require — and the Spanish data-protection authority (AEPD) treats blanket storage of identity documents as a breach of the GDPR's data-minimisation principle. The pre-check-in flow should let you read the document at the time of capture, validate the fields, and discard the image. Holding photocopies opens a separate front of compliance risk for no benefit.

2. Do not assume the platform is doing your job

Airbnb, Booking, Vrbo and other intermediaries have their own duty to report bookings and cancellations within 24 hours of those events. That duty runs parallel to yours, not in substitution. You still report the actual arrival; they report the booking event. The host who relies on the platform's automatic reporting will find, when the Ministry cross-checks, that the police register shows bookings but no arrivals — an obvious red flag.

3. You can refuse a guest who refuses to identify

If a guest declines to provide the identification data the law requires, you are entitled to refuse accommodation. The obligation sits on you, not on the guest, so cooperation from the guest is structural to the obligation working. Telling guests at booking — through your platform listing, the welcome email, or the rental agreement — that identification will be required avoids friction at the door.

Catalonia and the Basque Country — what differs

For properties in Catalonia, the substantive data set is the same and the 24-hour window is the same, but the submission goes to the Mossos d'Esquadra portal, the credential infrastructure is the Generalitat's rather than the Ministerio's, and the standard channel is file upload rather than API. Owners with one property in Catalonia and one elsewhere must run two parallel registrations and two parallel submission streams.

For properties in the Basque Country, the analogue applies: the Ertzaintza receives submissions through its own platform, with its own credential acceptance list, and the data set tracks the national framework.

What goes wrong, and how it goes wrong

Patterns that recur in early enforcement files since December 2024:

  • The host registered the property on a platform such as Airbnb but never registered it in SES.Hospedajes (or Mossos / Ertzaintza). The most efficient route to a serious-infraction file.
  • Data is submitted late, on weekends or after holidays, because the host is travelling or relies on a single person to manually upload. The 24-hour clock does not pause for Christmas.
  • The document support number is omitted on Spanish DNI submissions; the system rejects, the host treats the rejection as an error rather than a hard-stop, and the file accumulates uncommunicated stays.
  • Minors are not reported as separate travellers, only the booking adult is. A clean way to fail the audit on family stays.
  • Payment data is over-reported: hosts include card numbers or IBANs, exceeding what the regulation requires and creating GDPR exposure.
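Several of these patterns can be caught before anything is sent. The following pre-submission check is an added example, not code from SES.Hospedajes or from any provider: it applies the Stage 3 field rules to one stay and computes the Stage 5 deadline. The dictionary keys are hypothetical, the card/IBAN patterns are heuristics, the sample stay is constructed, and treating "minor" as under 18 is an assumption.

```python
import re
from datetime import date, datetime, timedelta

# Keys used below are hypothetical, not the SES.Hospedajes schema.
PAYMENT_TYPES = {"cash", "card", "transfer", "platform", "other"}
# Heuristics (assumed): a 13-19 digit run, or an IBAN-shaped token.
PAN_OR_IBAN = re.compile(r"\b(?:\d[ -]?){13,19}\b|\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")

def age_on(birth, day):
    return day.year - birth.year - ((day.month, day.day) < (birth.month, birth.day))

def check_stay(stay):
    """Return problems that should block submission; an empty list means go."""
    errs = []
    arrival = datetime.fromisoformat(stay["checkin"]).date()
    if stay["payment_type"] not in PAYMENT_TYPES:
        errs.append("payment_type: not an allowed value")
    for key, val in stay.items():  # only the payment type is reportable
        if isinstance(val, str) and PAN_OR_IBAN.search(val):
            errs.append(f"{key}: looks like a card number or IBAN")
    if stay["people"] != len(stay["travellers"]):
        errs.append("people: every traveller, minors included, needs a record")
    for i, t in enumerate(stay["travellers"]):
        age, doc = age_on(date.fromisoformat(t["birth"]), arrival), t.get("doc_type")
        if not re.fullmatch(r"[A-Z]{3}", t.get("nationality", "")):
            errs.append(f"traveller {i}: nationality must be ISO 3166-1 alpha-3")
        if age >= 14 and not (doc and t.get("doc_number")):
            errs.append(f"traveller {i}: document type and number required")
        if doc in ("DNI", "TIE") and not t.get("support_number"):
            errs.append(f"traveller {i}: document support number missing")
        if doc == "DNI" and not t.get("surname2"):
            errs.append(f"traveller {i}: second surname required for DNI")
        if age >= 14 and not t.get("signed"):
            errs.append(f"traveller {i}: signature missing")
        if age < 18 and not t.get("relationship"):  # assumes minor = under 18
            errs.append(f"traveller {i}: relationship to adult missing")
    return errs

def submission_deadline(arrival_iso):
    """The 24-hour clock runs from physical arrival, not from booking."""
    return datetime.fromisoformat(arrival_iso) + timedelta(hours=24)

# Constructed sample: DNI without support number, child without relationship,
# and a card number pasted into a free-text note.
SAMPLE = {"checkin": "2025-07-12T16:00:00", "payment_type": "card", "people": 2,
          "notes": "paid with 4111 1111 1111 1111", "travellers": [
    {"birth": "1985-05-20", "nationality": "ESP", "doc_type": "DNI",
     "doc_number": "00000000T", "surname2": "Lopez", "signed": True},
    {"birth": "2019-03-02", "nationality": "ESP"}]}

if __name__ == "__main__":
    print(*check_stay(SAMPLE), sep="\n")
    print("submit before", submission_deadline(SAMPLE["checkin"]).isoformat())
```

Treat a non-empty result as a hard stop for that stay: fix the record and re-run the check rather than queueing the submission.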

Make the operational stage someone else's job

The five stages above are clear on paper. Running them correctly across every stay for years, from abroad, is what fills calendars and breaks deadlines. TouristTaxManager takes the credential, the data collection, the signature, the submission and the retention as a single, supervised flow. You keep ownership; you give up the workflow.
