
Fine for late reporting of data breach

Reason has been fined € 475,000 by the Dutch Data Protection Authority (DDPA) for reporting a data breach too late. reported the data breach 22 days late. This concerned data of more than 4,000 persons, including credit card details of nearly 300 persons. reported the data breach on February 7, 2019. Because indicated in the notification form that the breach was discovered on January 10, 2019, the AP started an investigation into’s compliance with Article 33, first paragraph, of the GDPR.

What happened?

An unknown third party had gained access to a reservation system by posing as a employee at multiple properties in the United Arab Emirates. The personal data of several data subjects who had made hotel reservations via the platform were compromised. notified affected customers of the data breach on February 4, 2019. In addition, the company took other measures to limit the damage, such as the offer to compensate for any damage.

In its view, has primarily taken the position that there is no violation. On February 4, 2019, after the completion of the internal investigation, there was knowledge of the infringement, after which it was reported to the regulator in a timely manner and without unreasonable delay within 72 hours of becoming aware, according to The DDPA thinks differently about this. Much earlier, immediate action could have been expected from A employee was informed several times from the beginning of January about suspicious emails to hotel guests. Instead of taking immediate action, has been idle, resulting in a (very) unreasonably delayed report to the DDPA.

In addition, the DDPA regrets that has consciously chosen to first conduct a thorough investigation instead of reporting the incident to the regulator in stages. This is not in line with the regulation as laid down in the GDPR, according to the DDPA. has not objected to the fine decision of December 10, 2020.

Current affairs data protection and privacy

We deal with this decision of the regulator and data breach in the module ‘current affairs data protection and privacy’. After registration you will have direct access to the module in our learning environment. Here you can register for a workshop of your choice.
