Search
Contact
15.04.2021 | KPMG Law Insights

Data protection – fine of 475,000 euros for late notification of a data protection incident

Fine of 475,000 euros for late notification of a data protection incident

The Dutch data protection authority (Autoriteit Persoonsgegevens – AP) has imposed a fine of 475,000 euros on the accommodation and travel agency platform booking.com for failing to report a data protection incident in good time.

Already in 2019, hackers had managed to access the data of 4109 customers of booking.com(https://edpb.europa.eu/news/national-news/2021/dutch-dpa-fines-bookingcom-delay-reporting-data-breach_en). The data included names, addresses, telephone numbers and details of hotel bookings, as well as credit card information for 283 data subjects, including security numbers in 97 cases. The hackers gained access to the data through employee accounts at several hotels in the United Arab Emirates, presumably through “socialengineering” techniques or phishing. In addition, the hackers attempted to gain access to additional credit card data by contacting guests of the hotels via email or phone. This posed a high security risk even for those booking.com customers whose credit card data was not affected.

booking.com did not consider itself responsible for the data protection incident, as the data had not been accessed via its own IT infrastructure. The AP, on the other hand, saw evidence of shared responsibility on the part of the operator. However, the fine was issued regardless of this issue solely based on the fact that booking.com had reported the data protection incident to the affected customers only after 22 days and to the supervisory authority only after 25 days. A data breach of this magnitude should have been reported to the data protection authority pursuant to Art.33 Para.1 GDPR must be reported to booking.com at the latest within 72 hours of becoming aware of it.

The fine can still be appealed. However, booking.com has already had it stated that it will accept the fine. The booking.com database had not been compromised at any point, but the company said it was working to improve its internal processes.

What is remarkable about this fine decision is that the actual incident was not sanctioned. Rather, only the late reporting was penalized. This proves that the supervisory authorities do not only examine and sanction measures to prevent data protection incidents. Delayed reporting of incidents to the supervisory authorities and/or the data subjects also constitutes a violation in its own right and one that is subject to sanctions.

Responsible parties are therefore well advised to review their internal processes for reporting data protection incidents and ensure that any required notification can be made in a timely manner. In particular, it must be taken into account that the 72-hour period is a maximum period and – at least according to the German supervisory authorities – also runs on weekends or public holidays. Against the background of the fact-finding usually required in the company, appropriate organizational precautions must be taken for this purpose.

Explore #more

09.01.2025 | In the media

KPMG Law strengthens Legal Transformation Managed Services and Legal Corporate Services with two new senior managers

On January 1, KPMG Law strengthened its Transformation Managed Services practice with Jana Sichelschmidt and its Corporate Services practice with Dr. Michaela Lenk. Both are…

06.01.2025 | Deal Notifications

KPMG Law advises on the sale of Käppler & Pausch GmbH

Gabriel Pausch, the co-founder and main shareholder of Käppler & Pausch GmbH, a system supplier for metal assemblies as well as metal and sheet metal…

03.01.2025 | In the media

Interview in Betrieb on the EU money laundering package and its impact

The EU anti-money laundering package harmonizes anti-money laundering and counter-terrorism rules in Europe and introduces new measures such as cash limits of €10,000, identification requirements…

02.01.2025 | In the media

KPMG Law Statement in eMagazin Immobilienanwälte: Creativity meets law in trademark protection

Four Frankfurt, Elbtower, Vonovia: real estate projects and companies are backed by constructs worth millions or even billions. In order to stand out from the…

20.12.2024 | KPMG Law Insights

The EU packaging regulation sets strict requirements for packaging

The EU has adopted the Packaging Regulation. After the European Parliament adopted the Commission’s draft on April 24, 2024, the EU member states also approved…

20.12.2024 | Deal Notifications

KPMG and KPMG Law supported the sale of circular Informationssysteme to the teccle group

Together with the corporate finance/M&A advisors of KPMG AG Wirtschaftsprüfungsgesellschaft (KPMG), KPMG Law Rechtsanwaltsgesellschaft mbH (KPMG Law) advised the shareholders of circular Informationssysteme GmbH (circular)…

19.12.2024 | Press releases

KPMG Law defends Federal Motor Transport Authority against claim for damages in connection with the emissions scandal

The state is not liable to vehicle purchasers for damages. KPMG Law has defended the Federal Motor Transport Authority (KBA) against a civil plaintiff’s state…

18.12.2024 | KPMG Law Insights, KPMG Law Insights

MiCAR – What the new EU regulation means for crypto service providers and issuers

An EU regulation will soon come into force that will regulate crypto assets uniformly throughout Europe. It contains significant new obligations for issuers and crypto…

16.12.2024 | Deal Notifications

KPMG Law advises CERTANIA Holding GmbH on the acquisition of RASG Holdco Ltd.

KPMG Law Rechtsanwaltsgesellschaft mbH (KPMG Law) has provided legal advice to CERTANIA Holding GmbH, a platform of the Munich-based PE firm Greenpeak Partners, on the…

04.12.2024 | Deal Notifications

KPMG Law and KPMG advises Brain Biotech AG on license agreements and monetization of license rights

KPMG Law Rechtsanwaltsgesellschaft mbH and KPMG AG Wirtschaftsprüfungsgesellschaft (KPMG) advised Brain Biotech AG on the monetization of licensing rights with Royalty Pharma and the conclusion…

Contact

Sebastian Hoegl, LL.M. (Wellington)

Senior Manager
Lawyer
Specialist lawyer for IT law
LL.M. (Wellington)

Heinrich-von-Stephan-Straße 23
79100 Freiburg im Breisgau

Tel.: +49 761 769999-20
shoegl@kpmg-law.com

© 2024 KPMG Law Rechtsanwaltsgesellschaft mbH, associated with KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved. For more details on the structure of KPMG’s global organisation, please visit https://home.kpmg/governance.

 KPMG International does not provide services to clients. No member firm is authorised to bind or contract KPMG International or any other member firm to any third party, just as KPMG International is not authorised to bind or contract any other member firm.

Scroll