The Netherlands The Netherlands

Booking.com B.V.

475,000 €

GDPR enforcement action by Dutch Supervisory Authority for Data Protection (AP) on 2020-12-10.

Rank · Sector
#3
of 100 in Accomodation and Hospitality
Rank · The Netherlands
#18
of 43
Rank · All fines
#253
of 3,051

Case details

Authority
Dutch Supervisory Authority for Data Protection (AP)
Date
2020-12-10
Controller / Processor
Booking.com B.V.
Sector
Accomodation and Hospitality
Quoted Articles
Art. 33 GDPR
Type of violation
Insufficient fulfilment of data breach notification obligations

Summary

The Dutch DPA (Autoriteit Persoonsgegevens) has fined Booking.com EUR 475,000 for not reporting a data breach to the DPA in a timely manner. In December 2018, criminals gained access to the data of 4,109 people who had booked a hotel room through the booking site. That included their names, addresses and phone numbers, as well as details about their booking. The criminals also accessed the credit card data of 283 people and managed to access the credit card's security code in 97 cases. Furthermore, they tried to get other victims' credit card details by pretending to be Booking.com employees via email or phone. Booking.com was notified of the data breach on January 13, 2019, but did not report it to the DPA until February 7, 2019. The controller was thus 22 days late in reporting the data breach, as it is required to report a data breach to the DPA within 72 hours.

Open original source Links to the regulator's original publication or another source.

Related fines