15.04.2021 | KPMG Law Insights

Data protection – fine of 475,000 euros for late notification of a data protection incident

Fine of 475,000 euros for late notification of a data protection incident

The Dutch data protection authority (Autoriteit Persoonsgegevens – AP) has imposed a fine of 475,000 euros on the accommodation and travel agency platform for failing to report a data protection incident in good time.

Already in 2019, hackers had managed to access the data of 4109 customers of The data included names, addresses, telephone numbers and details of hotel bookings, as well as credit card information for 283 data subjects, including security numbers in 97 cases. The hackers gained access to the data through employee accounts at several hotels in the United Arab Emirates, presumably through “socialengineering” techniques or phishing. In addition, the hackers attempted to gain access to additional credit card data by contacting guests of the hotels via email or phone. This posed a high security risk even for those customers whose credit card data was not affected. did not consider itself responsible for the data protection incident, as the data had not been accessed via its own IT infrastructure. The AP, on the other hand, saw evidence of shared responsibility on the part of the operator. However, the fine was issued regardless of this issue solely based on the fact that had reported the data protection incident to the affected customers only after 22 days and to the supervisory authority only after 25 days. A data breach of this magnitude should have been reported to the data protection authority pursuant to Art.33 Para.1 GDPR must be reported to at the latest within 72 hours of becoming aware of it.

The fine can still be appealed. However, has already had it stated that it will accept the fine. The database had not been compromised at any point, but the company said it was working to improve its internal processes.

What is remarkable about this fine decision is that the actual incident was not sanctioned. Rather, only the late reporting was penalized. This proves that the supervisory authorities do not only examine and sanction measures to prevent data protection incidents. Delayed reporting of incidents to the supervisory authorities and/or the data subjects also constitutes a violation in its own right and one that is subject to sanctions.

Responsible parties are therefore well advised to review their internal processes for reporting data protection incidents and ensure that any required notification can be made in a timely manner. In particular, it must be taken into account that the 72-hour period is a maximum period and – at least according to the German supervisory authorities – also runs on weekends or public holidays. Against the background of the fact-finding usually required in the company, appropriate organizational precautions must be taken for this purpose.

Explore #more

17.05.2024 | KPMG Law Insights

Podcast series “KPMG Law on air”: When the family business is to be sold

Around 38,000 family businesses are currently handed over each year. In most cases, the change of ownership takes place within the family. But more and…

03.05.2024 | KPMG Law Insights

Doubts about inability to work? What employers can do

The certificate of incapacity for work (AU certificate) serves as proof of incapacity for work due to illness. However, only if the certificate meets certain…

29.04.2024 | KPMG Law Insights

Agreement on ecodesign regulation: products to become more sustainable

After lengthy negotiations, the Council and Parliament of the European Union reached a provisional agreement on the Ecodesign Regulation on the night of December 5,…

27.03.2024 | KPMG Law Insights

EU Buildings Directive: life cycle greenhouse potential becomes relevant

On March 12, 2024, the EU Parliament approved the amendment to the EU Buildings Directive. The directive obliges member states and, indirectly, building owners and…

19.03.2024 | Business Performance & Resilience, KPMG Law Insights

CSDDD: Provisional agreement on the EU Supply Chain Directive

The EU member states agreed on the CSDDD, the EU Supply Chain Directive, on March 15, 2024. Germany abstained from the vote. Negotiators from the…

19.03.2024 | KPMG Law Insights

The AI Act is coming: EU wants to get a grip on AI risks

For many people, artificial intelligence (AI) is the great hope for business, healthcare and science. But there are also plenty of critics who fear the…

21.02.2024 | KPMG Law Insights, KPMG Law Insights

The Digital Services Act – what does it mean for companies?

The Digital Services Act (DSA) is a key component of the EU’s digital strategy and came into force on November 16, 2022. As a regulation,…

15.02.2024 | KPMG Law Insights

Data compliance management: How to implement it in practice

Part 3 of the article series “Professional tips for data compliance management”   The third part of this series of articles deals with data compliance

14.02.2024 | Business Performance & Resilience, PR Publications

Guest article in ZURe: Monitoring the implementation of the LkSG

The current issue of ZURe (p. 20 ff.) contains a guest article by KPMG Law Partner Thomas Uhlig (Head of General Business and Commercial Law),…

09.02.2024 | KPMG Law Insights

Podcast series “KPMG Law on air”: The employment law function

In almost all German companies, the employment law function is located in the HR department and not in the legal department. One of the reasons…


Sebastian Hoegl, LL.M. (Wellington)

Senior Manager
Specialist lawyer for IT law
LL.M. (Wellington)

Heinrich-von-Stephan-Straße 23
79100 Freiburg im Breisgau

tel: +49 761 769999-20

© 2024 KPMG Law Rechtsanwaltsgesellschaft mbH, associated with KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved. For more details on the structure of KPMG’s global organisation, please visit

 KPMG International does not provide services to clients. No member firm is authorised to bind or contract KPMG International or any other member firm to any third party, just as KPMG International is not authorised to bind or contract any other member firm.