AZOP (Croatia) - Decision 26-09-2023
Revision as of 13:06, 6 November 2023
| AZOP - Decision 24-09-2023 | |
|---|---|
| Authority: | AZOP (Croatia) |
| Jurisdiction: | Croatia |
| Relevant Law: | Article 6(1) GDPR, Article 7 GDPR, Article 8 GDPR, Article 13(1) GDPR, Article 13(2) GDPR, Article 32(1) GDPR, Article 32(4) GDPR, Article 38(6) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 01.09.2023 |
| Published: | 26.09.2023 |
| Fine: | 15000 EUR |
| Parties: | Hotel |
| National Case Number/Name: | Decision 24-09-2023 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Croatian |
| Original Source: | AZOP (in HR) |
| Initial Contributor: | Karlo Paljug |
The DPA imposed an administrative fine in the amount of EUR 15,000.00 on the hotel for multiple violations of the GDPR.
English Summary
Facts
The Agency received a report from a data subject who stated that, when booking accommodation at the hotel, the CVV of their credit card had been requested (via a form) through a completely unprotected channel (e-mail). The data subject also had not been informed in accordance with Article 13 GDPR.
The hotel had three options for booking accommodation:
- through the service provider,
- online reservation through a web form, and
- through e-mail,
(*via the web form and e-mail, only a reservation without payment can be made)
When making a reservation via the web form, it was necessary to enter: name, surname, e-mail address, postal address and financial data (card number, date and year until which the card is valid, CVV number and name of the card holder). For a reservation via e-mail, it was necessary to submit the same information plus a copy of a valid identification document with a photo, which the hotel claimed was needed to prevent misuse of the bank card by third parties.
Holding
In the case in question, and taking into account the established violations, the Agency decided to impose an administrative fine because of the high risk to the rights and freedoms of the data subjects, a risk the controller was obliged to take into account before processing the personal data in question. The controller is one whose business consists of processing personal data, yet through the procedure described above personal data were collected without an appropriate legal basis, and personal data were collected that were not necessary for the purpose for which they were obtained from data subjects when booking hotel accommodation.
The existence of a legal basis has not been proven for the processing of the CVV number of the bank card and a copy of the personal document, which violates Article 6, paragraph 1 of the GDPR. The controller did not inform the data subject in a clear/transparent way about the processing of personal data. In the specific case, the hotel did not adequately provide information on the processing of personal data to guests who booked accommodation at the hotel.
At the same time, the form "Consent to the use of personal data", which the controller submits for the purpose of providing information to the data subjects about the processing of their personal data when booking accommodation via e-mail, does not contain accurate or complete information.
By not taking appropriate organizational and technical protection measures in the processing of the personal data, the controller violated Article 32 GDPR. The controller did not implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, among other things, encryption of personal data and a process for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures.
By appointing the hotel manager as DPO, the controller acted contrary to Article 38, paragraph 6 GDPR. The data protection officer may fulfil other tasks and duties, but the controller must ensure that such tasks and duties do not result in a conflict of interests.
English Machine Translation of the Decision
The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.
https://azop.hr/upravna-novcana-kazna-u-iznosu-od-15-000-eura-izrecena-hotelu/