AZOP (Croatia) - Decision 14-09-2023: Difference between revisions

From GDPRhub

Revision as of 07:06, 7 October 2023

AZOP - Decision 1-9-2023
Authority: AZOP (Croatia)
Jurisdiction: Croatia
Relevant Law: Article 6(1) GDPR, Article 13(1) GDPR, Article 13(2) GDPR, Article 32(1) GDPR, Article 32(4) GDPR, Article 38(6) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 01.09.2023
Published: 26.09.2023
Fine: 15000 EUR
Parties: Hotel*
National Case Number/Name: Decision 1-9-2023
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Croatian
Original Source: AZOP (in HR)
Initial Contributor: Karlo Paljug

The DPA imposed an administrative fine in the amount of EUR 15,000.00 on a hotel for multiple violations of the GDPR.

English Summary

Facts

The Agency received a report from a data subject who stated that, when booking accommodation at the hotel, the CVV of his credit card had been requested (via a form) through completely unprotected channels (via e-mail). He also stated that he had not been informed in terms of Article 13 GDPR. The hotel offered three options for booking accommodation:
- through the service provider,
- online reservation through a web form, and
- through e-mail
(*through the web form and e-mail, only a reservation can be made, without payment).

When making a reservation via the web form, it was necessary to enter: name, surname, e-mail address, address and financial data (card number, the date and year until which the card is valid, CVV number and name of the card holder). For a reservation via e-mail, it was necessary to submit the same information plus a copy of a valid identification document with a photo, which the hotel claimed was needed to prevent misuse of the bank card by third parties.

Holding

Taking into account the established violations, the Agency decided to impose an administrative fine because of the high risk to the rights and freedoms of the data subjects, which the controller was obliged to take into account before processing the personal data in question. This is a controller whose business consists of processing personal data, and through the procedure described above it collected personal data without an appropriate legal basis, and collected personal data that were not necessary for the purpose for which they were collected from the data subjects when booking hotel accommodation.

No legal basis was proven for the processing of the CVV number of the bank card and of a copy of the identity document, which violates Article 6(1) GDPR. The controller did not inform the data subjects in a clear and transparent way about the processing of their personal data; in the specific case, the hotel did not adequately inform guests who booked accommodation about the processing of their personal data.

At the same time, the form "Consent to the use of personal data", which the controller provides in order to inform data subjects about the processing of their personal data when booking accommodation via e-mail, does not contain accurate or complete information.

By not taking appropriate organizational and technical protection measures in the processing of personal data, the controller violated Article 32 GDPR. It did not take appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, among other things, encryption of personal data and a process for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures.

By appointing the hotel manager as DPO, the controller acted contrary to Article 38(6) GDPR. A data protection officer may fulfil other tasks and duties, but the controller must ensure that such tasks and duties do not result in a conflict of interest.

English Machine Translation of the Decision

The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.

The Personal Data Protection Agency imposed an administrative fine in the amount of EUR 15,000.00 (113,017.50 kuna) to the hotel's processing manager (that is, the legal entity within which the hotel in question operates), due to the following violations of the General Data Protection Regulation:

The processing manager processed the personal data of the respondent (hotel guest) to an excessive extent, namely data on the security number of the bank card (CVC number), as well as copies of personal documents when booking hotel accommodation via the hotel's online form and by e-mail. The existence of a legal basis has not been proven for the processing of the CVC number of the bank card and a copy of the personal document, which violates Article 6, paragraph 1 of the General Data Protection Regulation. The hotel had no obligation to collect the CVC number from the bank card of the persons who made the reservation of the accommodation unit, considering that the reservation of the accommodation was possible even without submitting the data in question.
The controller did not inform the respondents in a clear/transparent way about the processing of their personal data through the General Terms and Conditions document, which is available on the hotel's website, and regarding the collection of personal data when booking hotel accommodation via an online form and via e-mail, and what contrary to the provisions of Article 13, paragraphs 1 and 2 of the General Data Protection Regulation. In the specific case, the hotel did not adequately provide information on the processing of personal data to guests who booked accommodation at the hotel, including information on the collection of data on the CVC number and a copy of the identification document. Bearing in mind the provisions of the regulations governing the protection of personal data, the hotel was obliged to inform the guest what types of personal data it collects for what purpose, the legal basis for personal data processing, how personal data is used, that is, who uses personal data and what measures protection of personal data undertaken. The hotel was obliged to provide all information about the processing of personal data in a concise, comprehensible and easily accessible form, using clear and simple language, and was obliged to inform the respondent of all his rights according to the General Data Protection Regulation.
At the same time, the form "Consent to the use of personal data", which the controller sends for the purpose of informing respondents about the processing of their personal data when booking accommodation via e-mail, does not contain accurate or complete information, so the controller acted contrary to the provisions of Article 13, paragraphs 1 and 2 of the General Data Protection Regulation.
By not taking appropriate organizational and technical protection measures when processing the respondents' personal data, the controller violated Article 32, paragraph 1, points (a) and (d), and paragraph 4 of the General Data Protection Regulation. The controller did not take appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, among other things, encryption of personal data and a process for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures for ensuring the security of the processing.
By appointing the hotel manager as data protection officer, the controller acted contrary to the provisions of Article 38, paragraph 6 of the General Data Protection Regulation. Namely, the data protection officer may fulfil other tasks and duties, but the controller must ensure that such tasks and duties do not result in a conflict of interest. When appointing the data protection officer, the controller had to be aware that there is a conflict of interest in relation to the tasks and duties that person performs. From the job description of the hotel manager, it is evident that he is largely responsible for making management decisions about the processing of personal data, while on the other hand, as data protection officer, he is obliged to monitor the compliance of the business's processing of personal data with the regulations governing the protection of personal data.
The Agency for the Protection of Personal Data received a report from a citizen who stated that, when booking accommodation at the hotel in question, confirmation of the reservation was requested by sending the credit card's CVC (on a form) over a completely unprotected channel (e-mail). The report also stated that the potential guest was not informed who has access to his personal data, i.e. to the identification document that he is obliged to send when requesting a hotel reservation so that his credit card can be charged.

Namely, the hotel in question offered three ways of booking accommodation: through a service provider, online reservation through a web form on the hotel's website, and by e-mail, it being noted that the web form and e-mail were used only to make the reservation, not to take payment.

When making a reservation via the web form, the guest had to enter personal data (name, surname, e-mail address and address) and financial data (card number, the card's expiry month and year, CVC number and name of the cardholder), while for a reservation via e-mail the guest had to submit the same information together with a copy of a valid identification document with a photograph, all, as the hotel claimed, so that the bank card could not be misused by third parties.
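To show what a data-minimising intake for the two channels described above could look like, here is an added example (not the hotel's system and not part of the decision): the web-form path keeps only an assumed minimal set of booking fields and reports the excessive ones (card data, identity-document copy), and the e-mail path flags card numbers, CVCs and document scans that arrive in the clear. Field names, regular expressions and the sample message are assumptions constructed for the example.

```python
"""Data-minimisation gate for a hotel reservation intake.
Added example, not the hotel's system or the decision's text: it models the
two channels the decision describes (web form, e-mail) and refuses the fields
found excessive for a booking without payment. Field names are assumed."""
import re

# Assumed minimal schema for a reservation (no payment is taken here).
ALLOWED_FIELDS = {"name", "surname", "email", "address", "check_in", "check_out"}
# Fields the decision found excessive: card data and identity-document copies.
EXCESSIVE_FIELDS = {"card_number", "card_expiry", "cvc", "cardholder_name", "id_document_copy"}
# Candidate card numbers (13-19 digits, optional separators), labelled CVCs, scans.
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
CVC_RE = re.compile(r"\b(?:cvc|cvv|csc)\s*[:=]?\s*\d{3,4}\b", re.IGNORECASE)
SCAN_EXT = (".jpg", ".jpeg", ".png", ".pdf")

def luhn_ok(digits: str) -> bool:
    """Luhn check, used to tell real card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def validate_form(payload: dict) -> tuple[dict, list[str]]:
    """Web-form channel: keep only the minimal fields, report everything else."""
    violations = [f"excessive field: {k}" for k in payload if k in EXCESSIVE_FIELDS]
    violations += [f"unexpected field: {k}" for k in payload
                   if k not in ALLOWED_FIELDS | EXCESSIVE_FIELDS]
    accepted = {k: v for k, v in payload.items() if k in ALLOWED_FIELDS}
    return accepted, violations

def scan_email(body: str, attachments: list[str]) -> list[str]:
    """E-mail channel: flag card data or document scans arriving in the clear."""
    findings = []
    for m in PAN_RE.finditer(body):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            findings.append("card number in body")
            break
    if CVC_RE.search(body):
        findings.append("CVC in body")
    if any(a.lower().endswith(SCAN_EXT) for a in attachments):
        findings.append("document scan attached")
    return findings

# Constructed sample (not from the decision): an e-mail booking carrying card data.
SAMPLE_EMAIL = "Please book 2 nights. Card 4111 1111 1111 1111, CVC: 123, exp 12/26"
SAMPLE_ATTACHMENTS = ["passport.jpg"]
```

In practice a flagged e-mail would be quarantined and the sender redirected to a channel that never carries card data, so that the hotel stores nothing it has no legal basis to hold.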

In the case in question, taking into account the established violations, the Agency decided to impose an administrative fine because of the high risk to the rights and freedoms of the respondents, which the controller was obliged to take into account before processing the personal data in question. This is a controller whose business consists of processing personal data, and through the procedure described above personal data was collected without an appropriate legal basis, including personal data that was not necessary for the purpose for which it was collected from the respondents when reserving hotel accommodation. The Agency also believes that imposing a fine will lead the controller to fulfil its obligations in the field of personal data protection in a timely and appropriate manner.