Hungary
Robinson Tours Ltd. (Robinson Tours Idegenforgalmi és Szolgáltató Kft.)
GDPR enforcement action by Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) on 2020-12-16.
Case details
- Authority
- Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)
- Date
- 2020-12-16
- Controller / Processor
- Robinson Tours Ltd. (Robinson Tours Idegenforgalmi és Szolgáltató Kft.)
- Sector
- Industry and Commerce
- Quoted Articles
- Art. 25 (1), (2) GDPR, Art. 32 (1) b) GDPR, Art. 34 (1) GDPR
- Type of violation
- Insufficient technical and organisational measures to ensure information security
Summary
The Hungarian DPA (NAIH) imposed a fine of HUF 20,500,000 (EUR 55,400) on Robinson Tours Idegenforgalmi és Szolgáltató Kft. (Robinson Tours Ltd.) The travel agent's reservation system contained unprotected data of customers, which could be viewed by anyone and found via Google. The data contained, among others, names, contact and address data, copies of personal IDs and passport numbers. During the DPA's investigation, it turned out that the data in question was from a test database created by Next Time Media Agency Ltd, the web agency contracted to develop and operate the database, which was supplemented not only with test data but also with real data of Robinson Tours' customers. In total, the data of 781 individuals was affected, which was accessible by anyone in the period from November 13, 2019 to February 4, 2020.
The NAIH also notes that Robinson Tours did not conduct regular security risk screenings. Robinson Tours also failed to notify the data subjects about the data breach.
Related fines