AP (The Netherlands) - 10.12.2020 (Booking.com): Difference between revisions

From GDPRhub
No edit summary
 
(One intermediate revision by the same user not shown)

Latest revision as of 17:15, 12 December 2023

AP - booking.com B.V.
LogoNL.png
Authority: AP (The Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 33(1) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 10.12.2020
Published: 31.03.2021
Fine: 475000 EUR
Parties: Booking.com B.V.
National Case Number/Name: booking.com B.V.
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Dutch
Original Source: Autoriteit Persoonsgegevens (in NL)
Initial Contributor: n/a

The Dutch Data Protection Authority (AP) imposed a fine of €475,000 on Booking.com for reporting a data breach with undue delay. Booking.com became aware of the data breach on 13 January 2019 but did not report it to the AP until February 7, which is 22 days too late.

English Summary

Facts

On 7 February 2019 Booking.com (Booking) submitted a data breach notification to the AP. An unknown person(s) gained access to the reservation system of Booking by pretending to be a Booking employee. About 40 accommodations in the United Arab Emirates Personal were affected. Personal data of guests from different EU and non-EU countries were exposed. Booking stated in the notification that they became aware of the breach on 10 January 2019, which triggered an AP investigation under Article 33(1) GDPR (obligation to notify the supervisory authority about a breach within 72 hours).

Booking maintains the reservation platform where the so called “Trip Providers” can offer accommodation, flights, car rentals and day trips to the users of Booking. These users have to give the contact-, reservation and payment data in order to complete the reservation. That information is then shared with the Trip Providers via Extranet, an online administration dashboard for reservations. Access to Extranet is secured: representatives of Trip Providers have to fill in a username, password and a “2FA pin code”.

This breach was a result of what is called by AP a social engineering attack: an unknown person contacted a Trip Provider by the phone and obtained a username, password and the “2FA pin code” necessary to access Extranet by pretending to be a Booking employee. Personal data of about 4109 guest got compromised, including first and last names, addresses, phone numbers, check-in and check-out dates, total price, price per night, reservation numbers, communication between hotels and guests, 283 credit card details with CVCs of about 97 of them.

Timeline on the breach.

19 December 2018 – social engineering phone call, start of the incident

9 January 2019 – 1st email to Booking from accommodation 1. A guest of that hotel had been approached by email sent from a Hotmail account by a “reservation employee”. The “employee” had asked for he guest’s birth date, which was necessary to complete the payment. The night rate was mentioned in the email, a PDF with the reservation details was attached to the email.

13 January 2019 – 2nd notification from the same accommodation: another guest got a phone call from “Booking”, asking for the credit card information and other personal data.

20 January 2019 – 3rd notification from accommodation 1, reporting another phone call to a guest, the caller had asked for the credit card details.

20 January 2019 – accommodation 2 reports multiple notifications from guests. All guests mention the attempts to get their credit card details, using hotel’s name, arrival/departure dates and other information.

31 January 2019 – Booking’s Security team gets involved.

4 February 2019 – Preliminary report of the security team, confirming the breach. Privacy teams gets involved, affected individuals get informed of the incident.

6 February 2019 – Privacy team qualifies the incident as a personal data breach that needs to be reported to the AP. 7 February 2019 – Breach is reported to the AP.

28 February 2019 – Final report of the Security team.

Dispute

Main disagreement between the AP and Booking was about exactly when Booking became aware of this breach, but other points were also outlined in the AP’s report.


Notification within 72 hours of “becoming aware”

Booking’s position is that it can take months to finish an incident investigation, so notifications within 3 days are not always possible. Furthermore, A29WP’s data breach guidelines say, according to Booking, that it can take time for controllers to investigate and properly report all connected incidents. So Booking is of the opinion that it reported the breach within 72 hours from becoming aware of it on 4 February 2019. AP did not share this logic. It pointed out that companies can report breaches in stages where all information is not available at the moment of the notification. Moreover, according to the AP, Booking became aware of the breach on 13 January 2019:

a) The email of 9 January should have given Booking a first serious suspicion that something was not right;

b) That first incident should have been brought to the attention of Booking’s Security team right away;

c) The email of 13th of January was the second signal. Accommodation stressed that that incident was similar to the previous one and that there must have been a breach at Booking. On 13 January 2019 Booking had reasonable certainty that a security incident affecting personal data had occurred. In addition, the AP pointed out that Booking’s own “Data Incident Response Policy” was clear: all suspected incidents needed to be reported to the Security team immediately. Which did not happen here until 31 January.


Controller

According to Booking, it is a controller of personal data in Booking platform, but Trip Providers have their own purposes for processing data in Extranet. AP concluded that Booking was the responsible controller in this case, considering that:

1) Booking’s Privacy statement outlines the data categories and purposes of processing.

2) Booking is responsible for the security measures on Extranet.

3) Booking submitted the data breach notification to AP.


Risks

Booking noted that it had taken measures to minimize the risks for the affected individuals. For example: in general, only contact information was affected with no email or reservation information being leaked; emails in Extranet were hashed and could not be extracted from the system; credit card data was stored according to the PCI DSS requirements; clients were informed about social engineering and other forms of possible fraud; immediate communication to the affected individuals; Booking also offered them a compensation of financial damage. AP is of the opinion that there is a risk to rights and freedoms of individuals when their personal data is seen by unauthorized individuals. In the present case the risks of financial loss and identity fraud have materialized. Financial damage compensation does not remove the risks themselves but only helps to minimize their consequences.

Trip Provider did not properly report the breach to Booking

Booking argued that the Trip Providers are obliged to report all security incidents via the so called “Partner portal” to the Security team directly, which was not the case here. AP rejected this argument: obligations under GDPR stand separated from private agreements between companies.


Employee policy breach

Booking argued the fact that an employee had breached an internal protocol by not reporting the suspected incident to the Security team, should not be held against Booking. Booking referred AP to a decision by a Hungarian DPA, according to Booking, supported this conclusion. AP disagreed: the case in question could not be applied to the current situation. In addition, AP’s reading of the conclusion of that decision differs from that of Booking.


Holding

The AP concluded that Booking violated the breach reporting obligation under Article 33(1) of the GDPR. According to the Fine Policy of the AP, the basis fine for this violation is €525,000. The AP took into account the measures taken by Booking to minimize the consequences of the breach and reduced the fine to €475,000.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

Subject 
Decision to impose an administrative fine 

Dear [DELETED], 
 
The Dutch Data Protection Authority (AP) has decided to impose an administrative fine on Booking.com B.V. (Booking) in the amount of penalty of € 475,000. The AP is of the opinion that Booking has violated Article 33(1) of the General Data Protection Regulation (AVG) from 16 January 2019 up to and including 6 February 2019, because Booking did not has violated Article 33(1) of the General Data Protection Regulation (AVG) from 16 January 2019 until 6 February 2019, because Booking failed to report a personal data breach within 72 hours of becoming aware of it.  
72 hours after becoming aware of it, to the AP.  
 
Below, the decision is explained in more detail. Chapter 1 contains an introduction and chapter 2 describes the legal framework. In chapter 3, the AP assesses its authority, the processing responsibility and the breach. and the offence. Chapter 4 sets out the (level of the) administrative fine and Chapter 5 contains the operative part and the contains the operative part and the legal remedies clause. 
1. Introduction 
1.1 Legal entities involved 
 
Booking is a private limited company with its registered office at Herengracht 597 (1017 CE) in Amsterdam. Booking was established on 23 June 1997 and is registered with the Chamber of Commerce under number 31047344. Booking offers an online platform on which Trip Providers, such as accommodations, can offer their products and services for reservation and users of the platform can subsequently reserve these. 
Booking is, through various Dutch and English legal entities, an indirect 100% subsidiary of Booking Holdings Inc., listed on the American NASDAQ Stock Market. According to its public and consolidated financial statements for 2019, the latter had a turnover of USD 15.1 billion (EUR 13,727,410,000) and a net result of USD 4.9 billion (EUR 4,454,590,000).  
 
1.2 Reason for the investigation  
 
On 7 February 2019, Booking notified the AP of a personal data breach (data leak). An unknown third party had gained access to a reservation system of Booking by posing as an employee of Booking at multiple accommodations. As a result, the personal data of several persons, who had made hotel reservations via the Booking platform, was compromised.  Because Booking indicated in the notification form that Booking had discovered the personal data breach on 10 January 2019, the AP initiated an investigation into Booking's compliance with Article 33(1) of the AVG.  
 1.3 Course of proceedings 
 
By letter of 12 February 2019, the AP sent Booking a request for information. This request was also sent by email on 26 February 2019.  
 
On 27 February 2019, Booking provided a substantive supplement to the notification of the aforementioned personal data breach. 
 
By letter of 1 March 2019, Booking responded in writing to the information request of 12 February 2019.  
 
By letter dated 6 March 2019, the AP sent Booking a supplementary request for information. 
 
By letter dated 13 March 2019, Booking responded in writing to the request of 6 March 2019. 
 
By email dated 19 March 2019, the AP sent Booking a supplementary request for information.  
 
By email dated 19 March 2019, Booking sent the requested information and a supplementary document to the AP.  
 
Due to the cross-border nature of the case, the AP informed the other supervisory authorities of this case on 19 March 2019, also noting that the AP is acting as the lead supervisor as Booking's head office is located in the Netherlands. 
 
By letter dated 16 July 2019, the AP sent an intention to enforce and the investigation report to Booking, giving Booking the opportunity to express its views.  In a letter dated 3 September 2019, Booking provided its views on this intention and the underlying report in writing.  
 
On 23 October 2020, the AP submitted a draft decision to the supervisory authorities concerned in accordance with Article 60 of the AVG. No objections to this were submitted.  

2. Legal Framework  
2.1 Scope of the AVG 
 
Pursuant to Article 2(1) of the AVG, this Regulation applies to the processing of personal data wholly or partly by automatic means, and to the processing of personal data which form part of a filing system or are intended to form part of a filing system.   Pursuant to Article 3, paragraph 1, of the AVG, this Regulation applies to the processing of personal data in connection with the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.  Pursuant to Article 4 of the AVG, for the purposes of this Regulation the following definitions shall apply:  
(1) "Personal data" means any information relating to an identified or identifiable natural person ("data subject"); [...].  Processing" means any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automatic means; [...].  Controller' means a [...] legal person [...] who alone or jointly with others determines the purposes and means of the processing of personal data; [...]. 
12. "Personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, data transmitted, stored or otherwise processed; 
Cross-border processing" means [...] (b) processing of personal data in the context of the activities of a single establishment of a controller [...], which significantly affects or is likely to affect data subjects in more than one Member State. 
 
2.2 Personal data breach notification 
 
Pursuant to Article 4(12) of the AVG, a "personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, data transmitted, stored or otherwise processed. 
 
Pursuant to Article 33(1) of the AVG, a controller must notify a personal data breach without unreasonable delay and, if possible, no later than 72 hours after having become aware of it, to the supervisory authority competent under Article 55, unless the breach is not likely to present a risk to the rights and freedoms of natural persons (...).  In case the notification to the supervisor is not made within 72 hours, it shall be accompanied by a justification for the delay. 
 
2.3 Competence of the leading supervisory authority 
 
Pursuant to Article 55, first paragraph, of the AVG, each supervisory authority has the competence to carry out, on the territory of its Member State, the duties assigned to it under this Regulation and to exercise the powers conferred on it under this Regulation. 
Pursuant to Article 56(1) of the AVG, the supervisory authority of the principal or the sole establishment of the controller (...) shall, without prejudice to Article 55, be competent to act as a leading supervisory authority for cross-border processing by that controller (...), in accordance with the procedure laid down in Article 60.  
 
3. Assessment 
3.1 Competence of the AP 
 
This case concerns the processing of personal data by Booking, as a result of which data subjects in more than one Member State are substantially affected.1 This constitutes cross-border processing within the meaning of Article 4(23)(b) of the AVG. The AP notes that, pursuant to Article 56 of the AVG, it is competent to act as lead supervisory authority, since the head office of Booking is located in Amsterdam.   
1 See section 3.4.2 in this respect. 
 
3.2 Processing of personal data 
 
According to Article 4(1) of the AVG, personal data refers to any information relating to an identified or identifiable natural person ("the data subject"). An identifiable person is a natural person who can be identified, directly or indirectly, for example, by one or more factors specific to the physical or physiological identity of that natural person.  
 
Article 4(2) of the AVG defines processing as any operation on personal data, such as collecting, recording, storing, retrieving, consulting or using such data.  
 
Booking offers an online booking platform where so-called "Trip Providers", such as accommodation providers and other suppliers, offer available accommodation, flights, rental cars and day trips. Via the platform, visitors can search for, among other things, overnight addresses and day trips, which can then be booked via the platform.  
When making a reservation via the Booking platform, the party concerned enters personal data such as contact details, reservation details and payment details. Booking shall subsequently provide the details of the reservation to the Trip Provider via Booking's Extranet. 2 The Booking Extranet is an online administrative dashboard with secure access. In addition to access to reservation details in the Extranet, the Trip Providers have access to all information displayed on the Trip Provider page at Booking.com, including payment options and policies.  
2 File piece 1: Personal data breach notification 7-2-2019, p3. 
3 File Document 9, Booking's Responses to Request for Information, Attachment 5. 
In order to gain access to the Extranet, the Trip Provider must enter a username, password and two factor authentication pin code. After the Trip Provider has logged on to the Extranet, they can consult the necessary reservation data of the guests. 
The Security Team of Booking, which was called in to investigate the breach, has established that an unknown third party has gained access to the Booking Extranet. The findings of the Security Team have been recorded in a Security Incident Summary report. The Security Incident Summary report dated 28 February 2019, which is included in the file, shows that the following data of guests that was saved in the Extranet was compromised, among other things: first name, last name, address, telephone number, check-in and check-out date, total price, reservation number, price per night, any correspondence between accommodation and guest and, with regard to 283 data subjects, the credit card data of which 97 with the 'card verification code'.3  
 
The reported infringement regarding personal data of Booking therefore concerns, inter alia, names, address details, telephone numbers and credit card details of hotel guests. Since this concerns information about identified or identifiable natural persons, the aforementioned data qualify as personal data as provided in Article 4, part 1 of the AVG.  
 
The AP notes that through the Extranet, processing of personal data takes place: the data is recorded, stored and further accessed in the Extranet. The entirety of the processing within the Extranet constitutes processing of personal data within the meaning of Article 4, part 2, of the AVG.  
 
3.3 Controller 
 
In the context of the question of who can be held responsible for committing a violation of the AVG, it must be determined who can be regarded as the data controller within the meaning of Article 4.7 of the AVG. In this respect it is important to determine who determines the purposes and means of the processing of personal data - in this case the processing of personal data of data subjects using Booking's platform.  
 
The AP considers that Booking determines the purposes and means of the processing of the personal data relating to reservations made using Booking.com and subsequently processed using Booking's Extranet. The AP explains this as follows. 
 
The Privacy Statement of Booking, as published on its website, states which personal data will be processed by Booking, as well as the reasons why and the manner in which these data are processed. The Privacy Statement states, inter alia, that Booking shares data with third parties, including the "travel provider", i.e. the Trip Provider. That the data is shared with the Travel Provider via the Extranet is evident from, among other things, the notification of the breach on 7 February 2019 and the view of Booking.4 The Privacy Statement also explicitly states that the processing of the personal data referred to above is done by Booking (Herengracht 597, 1017 CE Amsterdam, the Netherlands).5    
4 File reference 20: Investigation report, edge number 17 et seq., viewpoint edge number 2.3 et seq. 
5 Under the heading "Who is responsible for the processing of personal data by Booking.com and how to reach us? 
6 Opinion, marginal 2.5.  
7 Inspection, marginal numbers 2.6, 3.2 and 3.3. 
8 View, marginal 2.2. 
 
In addition, Booking determines the interpretation of the security of the Extranet by taking security measures for the access control, such as the "two factor authentication" (the code for which is also generated by Booking).6 Furthermore, in addition to other security measures, Booking has set up a data breach reporting procedure which relates to incidents concerning the Extranet.7   
 
Therefore, based on the above, the AP establishes that Booking determines the purposes and means of the processing of the personal data which relate to reservations made using Booking's platform, and which are processed using the Extranet (a system used and managed by Booking). 
 
In its view, Booking has argued, on the one hand, that Booking is the data controller in respect of the customer data processed in relation to its platform.8 On the other hand, Booking states 
that the Trip Provider acts as the data controller in respect of the customer data made available via the Extranet, and that Booking does not consider itself responsible for data processing activities of the Trip Providers.9  
9 Opinion, ref. 2.3. 
10 Opinion, marginal 2.2. 
11 In other words: a Trip Provider. 
 
The fact that Trip Providers can also (physically) access the Extranet and process personal data therein does not alter the fact that Booking is the party responsible for processing the Extranet. And therefore also responsible for what happens to the personal data in the Extranet. Therefore, the argument of Booking does not serve any purpose. 
The fact that Booking also considers itself to be responsible for processing the personal data processed via the Extranet is also evidenced by the fact that on 7 February 2019 Booking notified the AP of the personal data breach, and also in its view Booking states that it is responsible for processing the customer data processed via its platform.10 
 
Based on the foregoing, the AP finds that Booking is the data controller within the meaning of Article 4(7) of the AVG. 
 
3.4 Violation regarding the reporting of a violation 
 
3.4.1 Introduction 
Article 33(1) of the AVG stipulates that, if a personal data breach has occurred, the controller must, without unreasonable delay and, if possible, not later than 72 hours after having become aware of it, notify the (...) competent supervisory authority, unless the personal data breach is not likely to present a risk to the rights and freedoms of natural persons. In the event that the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by a justification for the delay. 
 
In this section, the AP will first outline the facts and then assess whether Booking should have notified the personal data breach to the supervisor (in a timely manner).   
3.4.2 Facts 
 
9 January 2019 
On 9 January 2019, an accommodation 11(I) in the United Arab Emirates reports to a [PROVIDED] from Booking by email that a guest had complained about being contacted by an unknown party posing as an employee of the accommodation by email, stating that his credit card was not working and whether the guest wanted to provide his date of birth or other bank card details so that a reserved overnight stay could be paid for. In his e-mail message the accommodation manager asks Booking to investigate the incident, since the accommodation does not have access to customers' e-mail addresses from the Extranet, and he believes it is probably a matter of 
a (data) leak at Booking since the unknown party was aware of the reservation made at the accommodation via Booking's platform.  
 
Email dated 9 January 2019 18:00 
"Good Afternoon [...],  
We received a complaint from a guest stating that he had provided his personal information and credit card information to a 'stranger' posing as a Reservations employee of our property [...]. In the 1st attachment a person by the name of [CONFIDENTIAL] had directly email the guest (from a Hotmail account) requesting his credit card and personal info to pay for his booking. We are not sure if the guest had sent the details over. We got to know when someone from B.com called the property to check if anyone had sent the email. We contacted the guest via the phone number listed in the reservation form - he forwarded the [TRUSTED] email to us. As we do not get guest email address from the extranet, the issue here is likely to be from B.com. We don't know how this [PRECIOUS] managed to get hold of the guest email and that he had made a booking at our property from B.com. Can you review and share the outcome with us. Guest has the perception and understanding that we had leaked the information which is not true. Our brand confidence is at stake here, so is B.com. 
 
Kind Regards [...]" 
 
Attached to the aforementioned e-mail was the e-mail that the data subject had received from the unknown third party. This email shows that the unknown third party is attempting to obtain personal and/or payment information using the reservation details of the data subject. 
 
Email dated 8 January 2019 22:32  
"Dear sir 
My name is [...] and this email is regarding your booking in out hotel. We got your email address from your office actually sir your bank card is not working. Ever time we attempted the payment it on terminal it is asking for card holder date of birth. Kindly provide us with your date of birth or a different card no so we can take the initial deposit of 1 night in order to guarantee the booking the rate for 1st night is 450 emarati dirhams. 
 
Many thanks 
[...] 
Reservations department"  
13 January 2019 
On 13 January 2019, the same accommodation (I) reported to the aforementioned [CONFIDENTIAL] of Booking that a similar complaint had been received from another guest. An unknown party had made himself known to the guest - this time by telephone - on behalf of Booking attempting to obtain his credit card and personal details.  
 
Email of 13 January 2019 10:18 am 
"Subject: RE: [External Fraud] / Leaked Guest Information / URGENT 
Hi [...] 
We receive a complaint from another guest...this time someone claiming to be from B.com (UK number) called the guest and was trying to get his cc and personal details for 1 night charge.  
I am not sure if the guest provided his details, but he contacted us which we clarified the same (similar clarification as our 1st case). We had requested the guest to call B.com instead. 
We had taken precautions by changing all our logins (for those who has access) last week Thursday. 
Booking no. [...] 
 
Regards 
[...] [CONFIDENTIAL]" 
 
20 January 2019 
On 20 January 2019, Accommodation I reported that a third guest had complained because he had been contacted by telephone requesting to provide his credit card details. The accommodation manager informs Booking's [CONFIDENTIAL] that given the seriousness of the situation, the matter will be scaled up to head office.  
 
Email dated 20 January 2019 17:14 
"Subject: RE: [External] Fraud / Leaked Guest Information /URGENT 
[...] 
Hi [...] 
We receive another complaint from a guest about someone calling them to get cc details. Below is his booking - we have advised him to contact B.com. 
As it looks serious now, we are escalating the issue to our head office in Singapore. 
 
Kind regards, 
[...] [CONFIDENTIAL]" 
 
On also 20 January 2019, a second accommodation reports to Booking that there is "an alarming situation with Booking.com reservations". Several guests who had made reservations through Booking were contacted by telephone requesting them to provide their credit card details. This accommodation is also requesting the [CONFIDENTIAL] from Booking to investigate. 
 
Email dated 20 January 2019 11:35 am 
"Good morning [...] 
We have an alarming situation with Booking.com reservations. The last couple of days, we have guests reserved through booking.com, contacting us to inform us that someone from our in-house reservations department called them to get their credit card details for their reservations. The person who calls the guests knows their reservation details (arrival/departure etc.). Attached and below you can find more details about this matter. 
We have already changed the [CONFIDENTIAL] password as well as my own password. 
 
Can you please look into this? 
 
Thank you, 
[...]  
CONFIDENTIAL]" 
 
Booking applies the policy that suspicions and reports of incidents must be immediately forwarded to Booking's Security Team.12  
12 See file 15, Response to request for information regarding internal policy documents concerning data leaks. 
13 File documents 9, Booking's response to request for information, Appendix 5. 
14 Reporting form and view, marginal 4.4 under d. 
Booking's [DELETED] who had been informed by the accommodations of the fraudulent acts by an unknown third party informed Booking's Security Team on 
31 January 2019. 
On 4 February 2019, Booking's Security Team completed its initial investigation and concluded that Booking's Privacy Team should be notified. The Security Team's investigation findings are recorded in the aforementioned Security Incident Summary Report dated 28 February 2019.13 
 
This investigation by the Security Team revealed that 40 accommodations in the United Arab Emirates were victims of social engineering fraud, in which the personal data of potentially 4109 data subjects was compromised. An unknown third party pretended to be an employee of Booking by phone to obtain the username, password and two-factor authentication code ("2FA") of the accommodations. With this information, the third party was able to log in to Booking's Extranet which contains reservation data of guests. The Security Team has determined that 19 December 2018 was the start date of the security incident.  The individuals involved were from both Europe (including Great Britain, France, Ireland, Switzerland, Belgium, the Netherlands) and other parts of the world (including South Africa, America, Canada and Bahrain). 
 
The personal data involved included first name, last name, address, telephone number, check-in and check-out date, total price, reservation number, price per night, any correspondence between accommodation and guest and credit card details in respect of 283 data subjects of which 97 had the 'card verification code'. 
 
On 4 February 2019, the Security Team informed Booking's Privacy Team of the results of the investigation. Also on 4 February 2019, all data subjects were informed by Booking.14 
 
On 6 February 2019, Booking's Privacy Team determined that there was a data breach that needed to be reported to the AP.  
 
On 7 February 2019, Booking filed a notification with the AP as referred to in Article 33(1) of the AVG.15 
15 File note 1, Notification of personal data breach 7-2-2019. P 5. 
 
3.4.3 Assessment 
Article 33(1) of the AVG provides that if a personal data breach has occurred, the controller shall, without unreasonable delay and, where possible, no later than 72 hours after having become aware of it, notify the breach to the (...) competent supervisory authority, unless the personal data breach is not likely to present a risk to the rights and freedoms of natural persons.  
 
Before the notification is made, therefore, the controller should first assess whether a personal data breach has occurred. The next step should be to assess whether the breach poses a risk to the rights and freedoms of natural persons.  
 
A personal data breach 
As established by the AP in section 3.4.2, an unknown third party has had access to Booking's Extranet and has thus gained unauthorised access to the data processed by Booking with regard to reservations made by guests of accommodations. Booking also does not dispute that there was a breach in connection with personal data.  The AP therefore concludes that there has been a personal data breach within the meaning of Article 4(12) of the AVG. 
 
Risk to the rights and freedoms of natural persons 
After the unauthorized acquisition of the personal data referred to above, the unknown third party subsequently attempted to use these personal data to obtain credit card information from guests who had booked through Booking's online platform. As a result, the AP not only finds that the personal data breach is likely to present a risk to the rights and freedoms of natural persons, but also that this risk materialised, as the unknown third party contacted many, if not hundreds, of data subjects in an attempt to steal credit card data from them on improper grounds. The breach of data confidentiality not only created a risk of financial loss but also of identity fraud or other harm. The AP therefore finds that the personal data breach posed a risk to the rights and freedoms of natural persons.  
 
Notification to the competent supervisory authority pursuant to Article 55 
In section 3.3 it was established that Booking is the data controller. In section 3.1, the AP established that, pursuant to Article 56 of the AVG, it is competent to act as the leading supervisory authority, as the head office of Booking is located in Amsterdam. Booking notified the breach to the AP on 7 January 2019. By doing so, Booking has made the notification to the competent authority in this case in accordance with Section 55 of the AVG. 
 
Notification no later than 72 hours after the controller becomes aware of a personal data breach 
The Guidelines for the Notification of Personal Data Breaches under Regulation 2016/67916 ("Guidelines"), prepared by the Article 29 Data Protection Working Party ("WP29"), explain the notification obligation(s) in the AVG and provide guidance on how to proceed in the event of various types of breaches. 
16 Guidelines on the notification of personal data breaches under Regulation 2016/679, Data Protection Working Party Article 29, last revised and approved on 6 February 2018, 18/NL WP250rev.01. 
 
Exactly when a data controller can be deemed to have become aware of a particular breach depends on the circumstances of the specific breach. Under the WP29, a controller must be deemed to have become aware of a personal data breach when it has a reasonable degree of certainty that a security incident has occurred that has resulted in the compromise of personal data. 
 
The AP is of the opinion that Booking was aware of the personal data breach in any event on 13 January 2019 and considers the following in this respect.  
 
On 9 January 2019, the [DELETED] received a first signal from Booking, via an email originating from a Trip Provider in the United Arab Emirates (accommodation I), that there was a serious suspicion of a data breach among the data subject and the Trip Provider. On 8 January 2019, the data subject was approached via email by a third party (who remained unknown) that was familiar with the reservation made via the Booking platform and attempted to obtain more personal data by means of which, allegedly, a payment for an overnight stay could be made. The e-mail of 8 January 2019, which was included in the file, shows that it also contained a pdf file with the reservation details. This pdf file was not submitted by Booking and was therefore not included in the file. 
 
In the opinion of the AP, the aforementioned incident should have been passed on by Booking (the [CONFIDENTIAL] of Booking) to the Security Team of Booking for further investigation, since the e-mail in question contained the exact reservation details of the person concerned and it was also established that the booking had been made using Booking's platform. This is all the more so since the Trip Provider had already come to the conclusion that there must be a security incident and had already made an initial assessment on the basis of the information at its disposal. This is also evident from the subject of the e-mail mentioned by the accommodation manager: "[External] Fraud / Leaked Guest Information/ URGENT". The Security Team could have started an exploratory investigation already then. 
On 13 January 2019, (the same [VERTROUWELIJK] of) Booking received a second signal from the aforementioned Trip Provider. The person in question had been asked for his personal data by telephone by someone posing as an employee of Booking, who was aware of the reservation made by the person via Booking's platform. In his e-mail to Booking's [CONFIDENTIAL], the accommodation manager explicitly stated that he considered the incident to be equivalent to the earlier incident and was of the opinion that, once again, the incident was caused by a third party. 
the earlier incident and was again of the opinion that there must be a data breach on the part of Booking.  
 
The AP considers that, at least on 13 January 2019, Booking is deemed to have knowledge of the personal data breach, because with the above information, Booking had a reasonable degree of certainty that a security incident had occurred that led to the compromise of personal data processed by Booking. After all, the accommodation manager of the Trip Provider had already concluded that there must have been a security incident with regard to the Extranet, in which personal data of guests had been compromised. 
 
Given the alarming situation, Booking should have immediately forwarded the incident to Booking's Security Team so that an investigation could be carried out into the extent of the breach, which however Booking failed to do until 31 January 2019. 
 
Based on the foregoing, the 72-hour period prescribed in Article 33(1) of the AVG for reporting a breach to the AP commenced on 13 January 2019. Consequently, Booking should have notified the personal data breach to the AP by 16 January 2019 at the latest. It is undisputed that Booking did not make this notification until 7 February 2019, therefore 22 days too late.  
 
This would also apply if the date of 20 January 2019, the date on which, in addition to accommodation I, another Trip Provider (accommodation II) in the United Arab Emirates also reported similar incidents to Booking's [CONFIDENTIAL], were taken into account. Also in this email notification, the subject matter was conspicuously stated in capital letters: **SECURITY BREACH**. In that case, the personal data breach would have been reported to the supervisory authority 15 days late. 
 
3.4.4 Opinion of Booking and response of AP 
 
Notification of infringement 
In its view, Booking primarily took the position that there is no violation since it did not become aware of the violation until 4 February 2019, after the completion of the internal investigation, after which it reported the violation in time and without unreasonable delay within 72 hours after becoming aware of it, which, according to Booking, is in line with Article 33(1) of the AVG.  
 
The AP does not accept this position. As appears from the above, the AP has established that Booking became aware of the breach on 13 January 2019. It follows that Booking did not notify the personal data breach in accordance with the provisions of article 33, paragraph 1, of the AVG. 
 
Reports from accommodations 
With regard to the signal from accommodation I on 9 January 2019, Booking argued in its view that Booking's [VERTROUWELIJK] had made the consideration at the time that there was no reason to scale up the notification to Booking's Security Team, because the 
concerned had been approached by email. Booking states that e-mail addresses in the Extranet are hashed and cannot be extracted. Furthermore, Booking argues that the affected accommodation and Booking's [DELETED] had jointly reached the conclusion that "it was probably not an incident at Booking". 
 
As regards the latter, the AP notes that, besides the fact that no substantiation was provided in the view, it is an established fact that Booking's [VERTROUWELIJK] did not act in accordance with Booking's own protocol, which requires that any suspected incident be immediately forwarded to Booking's Security Team. The AP is of the opinion that despite the fact that e-mail addresses are hashed in the Extranet, the aforementioned incident should have been reported by Booking to the Security Team. After all, the fact that the e-mail in question contained the exact reservation details of the person concerned and the fact that the booking was made using Booking's platform, should have alerted Booking's [CONFIDENTIAL] and prompted them to take further action.  
 
With regard to the incident of 13 January 2019, Booking argued that the [CONFIDENTIAL] in question did not see any direct similarities with the earlier incident which would not allow it to be said with a reasonable degree of certainty that a security incident had occurred at Booking.  
 
However, the AP is of the opinion that the fact that the (accommodation manager of the) Trip Provider had already considered that there was a similar incident and that the security incident had to be related to the Extranet, for which Booking is the data controller, means that at that time Booking did know - and therefore had knowledge - with a reasonable degree of certainty that a personal data breach had taken place. Also in this case, the exact booking details of the data subject were known to an unknown third party who falsely presented himself as an employee of Booking. At this point, Booking had a reasonable degree of certainty of the security incident in which personal data had been compromised. It was highly certain that this data had been obtained from a platform used by Booking for its business activities, as the email correspondence between the Trip Provider and the persons involved showed that it could be excluded that a security incident had occurred on their side. 
 
Breach of the internal reporting obligation 
Booking furthermore argued that it cannot be held against it that the accommodations in question17 have violated the procedure for reporting security incidents, which entails that security incidents must be reported by the Trip Providers to Booking's Security Team via the so-called "Partner Portal". According to Booking, the breach of that obligation to report and the fact that Booking's [PRECIOUS] did not immediately escalate cannot be held against Booking as an undertaking. In this respect, Booking referred to a decision of the Hungarian privacy regulator, which would have ruled that negligence from only one part of the organisation cannot be held against the entire organisation if appropriate measures had been taken.18 
17 In this case, the accommodations in the United Arab Emirates. 
18 Fine decision Hungarian National Authority for Data Protection and Freedom of Information of 21 May 2019, NAIH/2019/3854.  
 
The AP first notes that Booking, as the controller, is under an obligation to investigate any possible security breach of personal data at the time of any alarming signal, so that action can be taken in a timely manner and in line with the provisions of the AVG if a personal data breach has occurred. According to the AP, this is separate from any private agreements made by Booking with a third party in this respect, such as the Trip Providers involved in the case in question. Furthermore, it is apparent from section 5.1 of the "Data Incident Response Policy" submitted by Booking that all suspicions of incidents, even if reported to Booking by "third party service providers" such as the aforementioned Trip Providers, must be immediately passed on to Booking's Security Team: 
"Prompt Reporting 
All (suspected) Data Incidents must immediately be reported to the Booking.com security team ("Security"). This includes Data Incidents notified to Booking.com from any third party service providers or business partners or other individuals. (...)".  
 
Both on 9, 13 and 20 January 2019, various data incidents were reported by the accommodations to (the [INAUDIBLE] of) Booking, which, however, did not lead to the required notification thereof to the Security Team - laid down in its own procedures. Already on 13 January 2019, Booking's [CONFIDENTIAL] was aware of the breach, nevertheless the Security Team was not notified until 31 January 2019. 
 
To the extent that Booking has sought to invoke the principle of equality by reference to the decision of the Hungarian supervisor, the AP notes that that case not only involves a breach of an entirely different order, namely a breach of the confidentiality of personal data by the same organisational unit (of a government body) and not a case of "social engineering" involving a form of fraud, but also that the AP reads in that decision a different opinion of the supervisor than that outlined by Booking. The fact that in that case a breach within the meaning of Article 33(1) of the AVG was reported too late by an employee is, contrary to what Booking suggests, indeed blamed on the organisation in question by the Hungarian supervisor.  
 
Privacy risk 
Booking has furthermore argued that in the investigatory report a risk to the privacy of individuals has wrongly been assumed without making an analysis of the security measures implemented by Booking aimed at protecting the privacy of individuals and removing any adverse consequences, and has given a number of examples in this respect.19  
19 Examples mentioned: if a data leak occurs, this will generally be limited to contact details, without e-mail addresses, and reservation data; credit card details are stored in accordance with the PCI DSS standards; customers are informed about social engineering and other forms of fraud; the parties involved have been informed and advised immediately after the data leak occurs and Booking has indicated to compensate all damage suffered.  
 
The AP does not follow the last mentioned position of Booking. As soon as personal data, as in this case, have reached an unauthorized person and have been viewed, there is already a risk for the rights and freedoms of natural persons. This risk has also manifested itself in the present case since the data subjects were approached by an unknown third party who unlawfully had the personal data of the data subjects at its disposal. The fact that Booking has subsequently promised to compensate any financial loss does not alter the fact that the personal data has ended up in the wrong hands. This does not remove the risk of any consequences of the infringement.   
 
Report within 72 hours 
Booking has furthermore argued that it is not always possible to make a notification within 72 hours as referred to in Section 33(1) of the AVG. It may take specialised security teams weeks or months to connect "data points" and to conclude that a fact pattern is indeed a data breach that must be reported. Furthermore, it would be incorrect and inconsistent with the AVG if the AP were to expect that Booking generally needs only three days to conduct an investigation and take note of a personal data breach. In addition, according to Booking, the WP29 expressly states in its Guidelines that it may take some time for a controller to determine the scope of the breaches and that it is better for the controller to prepare a meaningful notification combining several, closely resembling breaches, rather than reporting each breach separately. Finally, Booking argued that the investigation report wrongly considered that Booking had not provided a legitimate reason for the (alleged) breach of the 72-hour deadline. In the notification of 7 February 2019, clear reasons are given, located in the thorough investigation by Booking, with Booking reiterating its primary position that notification was made within 72 hours of becoming aware of the personal data breach.  
 
In this respect, the AP considers the following.  
The AP endorses the view that an investigation into the scope and exact merits of a breach may take longer than 72 hours. Because it is not always possible to obtain all the necessary information about a breach so that a notification that meets all the requirements laid down in Article 33(3) of the AVG can be made, the option of submitting a notification in stages is included in the AVG. This possibility is laid down in Article 33(4) of the AVG. This does not alter the fact that the notification of the breach pursuant to Article 33, paragraph 1, of the AVG must take place within the legally prescribed period of 72 hours. As already noted in section 3.3.3, Booking must be deemed to have become aware of the personal data breach on 13 January 2019. That the breach should have been reported pursuant to Section 33(1) of the AVG was then also clear. In the present case, Booking waited too long before making the notification prescribed in Article 33(1) of the AVG. The thorough investigation referred to by Booking does not justify the delay of the (initial) notification referred to above, which therefore constitutes an unreasonable delay within the meaning of Article 33(1) of the AVG.   
Meaningful notification 
With regard to the arguments put forward by Booking regarding the drawing up of a meaningful notification in which multiple infringements resembling each other are reported together, the AP considers that the key issue in this case is that Booking was already aware of the infringement on 13 January 2019 and should have made the notification - whether initial or otherwise - in good time. In view of what has been considered above in section 3.4.3, the AP does not consider it relevant that this case concerns several similar breaches that, according to Booking, could be packaged in one meaningful notification.  
 
Justification for the delayed notification 
Booking has argued that, apart from the Guidelines, there are no instructions available that specify the arguments that can be used to justify a delayed notification, and that the AP cannot apply a new standard with retroactive effect. Moreover, the AP could have asked for further explanation of the delay.  
 
The AP considers that this is not a case of retroactive application of a new standard. The regulation in the AVG on this point is clear: in the event of a personal data breach, this must be reported to the supervisory authority without unreasonable delay and, if possible, no later than 72 hours after becoming aware of it. In the opinion of the AP, the Guidelines provide an explanation of how to comply with the obligation(s) to report breaches included in the AVG; they should therefore in no way be regarded as a new standard. Moreover, it is always up to the controller to provide adequate reasons for a notification that cannot be made in time.  
 
Practical implications of the AP's opinion 
In its view, Booking also expressed its concerns about what it considers to be the practical implications of the opinion of the AP in the investigatory report.20 According to Booking, the strict interpretation referred to therein implies that all potential security incidents, in which there is a chance that personal data is compromised, must be reported within 72 hours, and that the Security Team must investigate every complaint received by Booking - regardless of the manner in which and the contents thereof. This would not only constitute an unreasonable and unrealistic administrative burden, but also an unreasonable and unrealistic financial burden.21 [VERTROUWELIJK]. If all individual complaints had to be investigated immediately as the AP advocates, considerably more manpower would be required than at present. Such unreasonable organisational measures, with associated disproportionate implementation costs, run counter to the rationale behind the security obligation of Article 32 of the AVG, according to Booking. 
20 In paragraph 5 of the Opinion. 
21 [CONFIDENTIAL]. 
 
The AP first notes that the AVG prescribes the obligations which Booking, in its capacity as a controller, must fulfil. Pursuant to Article 32 of the AVG, a controller is obliged to take all appropriate and organisational measures to ensure a level of security appropriate to the risk: the ability to timely detect, address and report a breach must be regarded as an essential part of these measures.22 According to the AP, it does not follow from the investigation report that every potential security incident must be reported and that every complaint received by Booking must be investigated by the Security Team. As soon as a controller becomes aware of a security incident or is informed by another source of a possible breach, the controller must investigate whether there is a breach that requires to be reported.23 It is apparent from the "Data Incident Response Policy" that Booking has structured its policy in such a way that suspicions and reports of alleged security incidents must be immediately escalated to the Security Team for assessment. In the opinion of the AP, the fact that this did not happen in the case in question is for the account and risk of Booking. In this respect, the AP refers once again to the situation that from the various reports from the accommodations almost no other conclusion was possible than that this was a case of a substantial violation that required to be reported. 
22 See Guidelines p. 14/15.  
23 See in detail the Guidelines of the WP29 on this subject. 
 
Manifest mistake in report 
Booking has argued that the investigation report in paragraph 26 incorrectly states 2 February 2019 as the date on which Booking's Security Team recorded its findings, but that this date is not mentioned anywhere else in the documents. The AP assumes that this is a case of an obvious mistake since the documents do not provide any evidence that the Security Team presented its findings on 2 February 2019. 
 
By necessity 
Although this is not at issue in this case, Booking has indicated in the notice that it attaches great value to data security and immediate action on data breaches. It believes that it meets and exceeds the expectations of Article 34 of the AVG by informing the data subjects about data breaches even when it is unlikely that there is a significant risk to the rights and freedoms of the data subjects. The AP welcomes such actions but emphasizes that this does not release Booking from the other obligations set out in the AVG, such as the obligation to notify set out in Section 33(1) of the AVG.  
 
3.4.5 Conclusion 
In view of the foregoing, the AP is of the opinion that Booking violated Article 33(1) of the AVG from 16 January 2019 until 6 February 2019, as Booking failed to report the personal data breach to the AP in a timely manner, without unreasonable delay.  
 
4. Fine 
4.1 Introduction 
 
On account of the violation established above, the AP exercises its power to impose a fine on Booking pursuant to Section 58(2)(i) and Section 83(4) of the AVG, read in conjunction with Section 14(3) of the UAVG. The AP applies the Penalty Policy Rules 2019 (hereinafter: Penalty Policy Rules) for this purpose.24  
24 Stcrt. 2019, 14586, 14 March 2019. 
25 Stcrt. 2019, 14586, 14 March 2019. 
 
In the following, the AP will first briefly explain the penalty system, followed by the justification of the penalty level in the present case. 
 
4.2 Penalty Policy Rules of the Authority for the Protection of Personal Data 2019 (Penalty Policy Rules 2019) 
 
Pursuant to Section 58(2)(i) and Section 83(4) of the AVG, read in conjunction with Section 14(3) of the UAVG, the AP is authorised to impose an administrative fine on Booking in the event of a violation of Section 33(1) of the AVG up to €10,000,000 or up to 2% of the total worldwide annual turnover in the preceding financial year, whichever figure is higher.   The AP has adopted Fines Policy Rules on the interpretation of the aforementioned power to impose an administrative fine, including the determination of the amount thereof.25 Under Article 2, under 2.1, of the Fines Policy Rules 2019, the provisions in respect of which the AP may impose an administrative fine of up to the amount of €10,000,000 or, for an enterprise, up to 2% of the total worldwide annual turnover in the previous financial year, whichever is higher, are classified in Annex 1 in category I, category II or category III.   In Annex 1, Article 33(1) of the AVG is classified as category III.  
 Pursuant to Article 2 (2.3), the AP sets the basic fine for violations classified in category III within the following fine range: € 300,000 and € 750,000 and a basic fine of € 525,000.  Under Article 6, the AP determines the amount of the fine by adjusting the amount of the basic fine upwards (up to the maximum of the band of the category of fine linked to a violation) or downwards (up to the minimum of the band). The basic fine is increased or reduced according to the extent to which the factors mentioned in Article 7 give rise to such an increase or decrease.   Pursuant to Article 7, the AP, without prejudice to Articles 3:4 and 5:46 of the General Administrative Law Act (Awb), shall take into account the factors referred to in Article 7. 
(Awb), take into account the factors derived from Section 83(2) of the AVG, referred to in the Policy Rules at a through k: 
a. the nature, seriousness and duration of the breach, taking into account the nature, scope or purpose of the processing in question, as well as the number of data subjects affected and the extent of the damage suffered by them; 
b. the intentional or negligent nature of the breach; 
c. the measures taken by the data controller [...] to limit the damage suffered by the data subjects; 
d. the degree to which the data controller [...] is responsible in view of the technical and organisational measures which it has implemented in accordance with Articles 25 and 32 of the AVG 
e. previous relevant breaches by the controller [...]; 
f. the degree of cooperation with the supervisory authority to remedy the breach and limit its possible negative consequences 
g. the categories of personal data affected by the breach 
h. the manner in which the supervisory authority became aware of the breach, in particular whether and to what extent the controller [...] notified the breach; 
i. compliance with the measures referred to in Article 58(2) of the AVG, insofar as these were previously taken in respect of the controller [...] in question in relation to the same matter; 
j. adherence to approved codes of conduct pursuant to Article 40 of the AVG or to approved certification mechanisms pursuant to Article 42 of the AVG; and 
k. any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial gains made or losses avoided, whether or not resulting directly from the breach.    
Pursuant to Article 9 of the Penalty Policy Rules 2019, in setting the fine, the AP will take into account, if necessary, the financial circumstances of the offender. In case of reduced or insufficient financial capacity of the offender, the AP may further mitigate the fine to be imposed if, after application of Article 8.1 of the policy rules, adoption of a fine within the range of fines of the next lower category would nevertheless, in its opinion, result in a disproportionately high fine. 
 
4.3 Level of the fine  
 
4.3.1. Nature, seriousness and duration of the infringement 
Pursuant to Article 7, opening words and under (a) of the Policy Rules on Fines, the AP takes into account the nature, seriousness and duration of the infringement. In its assessment, the AP takes into account the nature, scope or purpose of the processing as well as the number of data subjects affected and the extent of the damage suffered by them. 
 
The protection of natural persons in respect of the processing of personal data is a fundamental right. Under Article 8(1) of the Charter of Fundamental Rights of the European Union and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU), everyone has the right to the 
protection of personal data concerning him or her. The principles and rules on the protection of natural persons with regard to the processing of their personal data must comply with their fundamental rights and freedoms, and in particular their right to the protection of personal data. The AVG aims to contribute to the establishment of an area of freedom, security and justice and of an economic union, as well as to economic and social progress, the strengthening and the convergence of the economies within the internal market, and the well-being of natural persons. The processing of personal data should be for the benefit of human beings. The right to the protection of personal data is not an absolute right, but must be considered in relation to its function in society and be balanced with other fundamental rights in accordance with the principle of proportionality. Any processing of personal data must be carried out fairly and lawfully. Personal data must be adequate, relevant and limited to what is necessary for the purposes for which they are processed. Personal data must be processed in a way which ensures their security and confidentiality, including the prevention of unauthorised access to or use of personal data and the equipment used for processing. 
 
Breach notification should be seen as a means of improving compliance with the rules on the protection of personal data. If a personal data breach occurs or has occurred, it may result in physical, material or immaterial damage to natural persons or any other economic or social harm to the person concerned. Therefore, as soon as the controller becomes aware of a personal data breach, it should notify the supervisor of the personal data breach without undue delay and, if possible, within 72 hours. This enables the supervisory authority to properly perform its duties and powers as laid down in the AVG.  
 
Not only did Booking fail to notify the personal data breach immediately, but it also failed to do so on several occasions, namely on 9, 13 and 20 January 2019, when immediate action should have been expected, resulting in a (very) unreasonably delayed notification to the AP. It has also emerged that instead of making a notification in steps, Booking deliberately chose to first conduct a thorough investigation before making the required notification to the supervisory authority. This is not in line with the regulations laid down in the AVG. 
 
The investigation carried out by Booking's security team revealed that 4109 people may have been affected. These were hotel guests who had booked hotel accommodation at 40 different accommodations via the Booking platform. By means of "social engineering" fraud, in addition to name and address details relating to hotel reservations, credit card details were also obtained by unauthorised third parties. These are sensitive data that, in the hands of unauthorised persons, can lead to financial or other disadvantage. 
 
In view of the nature of the personal data, the number of personal details, the number of persons affected, the duration of the breach and the importance of timely notification to the supervisory authority within 72 hours, the EDPS is of the opinion that the breach is not sufficiently serious to justify the use of the data. 
hours, the AP is of the opinion that this is a serious violation, but in this case the AP sees no reason to increase or decrease the basic amount of the fine. 
 
4.3.2 Intentional or negligent nature of the infringement (culpability) 
Pursuant to Article 5:46(2) of the Awb, when imposing an administrative penalty, the AP takes into account the extent to which the offender can be blamed for the penalty. Pursuant to Article 7(b) of the Penalty Policy Rules 2019, the AP takes into account the intentional or negligent nature of the infringement. 
 
Article 33(1) of the AVG prescribes that a personal data breach must be reported without unreasonable delay and, if possible, no later than 72 hours after the controller becomes aware of it. An obligation to notify as such already exists in the Netherlands since 1 January 2016, when this standard was introduced in the Personal Data Protection Act (Wbp).26 
26 In Section 34a(1) of the Wbp.  
27 Cf. CBb 25 June 2013, ECLI:NL:CBB:2013:4, para 2.3, CBb 25 January 2017, ECLI:NL:CBB:2017:14, para 5.2, CBb 8 March 2017, ECLI:NL:CBB:2017:91, para 6. 
28 Cf. CBb 22 February 2012, ECLI:NL:CBB:2012:BV6713, para. 4.3, CBb 19 September 2016, ECLI:NL:CBB:2016:290, para. 8.6.  
With regard to the knowledge that a party subject to the standard, such as Booking in this case, is expected to have of the applicable legislation and regulations, the AP takes the position that the basic principle is that market parties bear their own responsibility to comply with the law.27  
The AP has also provided market parties with ample information about the applicable legislation and regulations, so that it can be assumed that Booking was also aware of this. In addition, the obligation to report data breaches has received extensive media attention. 
 
In the opinion of the AP, it is sufficiently clear from the above legal framework in conjunction with the applicable guidelines of the WP29, of which Booking could have taken note prior to the breach, that Booking should have reported the breach to the AP in a timely manner and that this should have been done without unreasonable delay, but in any event no later than 72 hours after 13 January 2019. Moreover, the notification to the AP could have been made conditionally, in the sense that the notification could be supplemented at a later stage. The AVG explicitly offers this possibility. 
If doubt had arisen regarding the scope of the prohibition, it is also in accordance with established case law that a professional and multinational market party such as Booking may be expected to inform itself or have itself informed about the restrictions to which its acts are subject, so that it could have adjusted its acts to the scope of that prohibition from the outset.28 
 
In the opinion of the AP, it does not disqualify Booking as an independent bearer of rights and obligations that a [VERTROUWELIJK] of Booking has acted in violation of its own protocol which prescribes to pass on every suspicion of an incident immediately to the Security Team for evaluation. This is attributable to Booking. 
 
Booking was 22 days late in reporting the incident. The AP considers this to be culpable. However, the AP sees no reason to increase or decrease the basic amount of the fine pursuant to Article 7(b) of the 2019 Fine Policy. 
 
4.3.3 Damage reduction measures 
Pursuant to Article 7(c) of the 2019 Penalty Policy Rules, the AP takes into account the measures taken by the controller to mitigate the damage suffered by data subjects. 
 
In its view, Booking has brought forward various concrete remedial actions to limit any damage to data subjects. For example, Booking informed the parties concerned and gave them advice on taking measures to limit the damage. Furthermore, Booking has declared itself willing to compensate any damage (suffered or to be suffered) by the parties concerned.  Finally, Booking immediately informed the accommodations affected and posted warnings on its platform.   
 
The AP is of the opinion that although Booking has failed to notify the supervisor of the infringement in time, it is to the credit of Booking that it has taken the measures referred to above and has declared itself willing to compensate any damage suffered. The fact that Booking ultimately acted energetically in this respect, as a result of which the adverse effects on the parties involved most likely remained limited, is taken into consideration by the AP when determining the level of the fine.  
 
In view of the measures taken by Booking as a result of the infringement to limit the damage to those involved, the AP sees reason to reduce the basic amount of the fine by € 50,000 pursuant to Article 7(c) of the 2019 Penalty Policy Rules. 
 
4.3.4 Other circumstances 
The AP also sees no reason to increase or decrease the basic amount of the fine on the basis of the other circumstances referred to in Article 7 of the 2019 Penalty Policy Rules, insofar as applicable in the present case.  
 
The AP sets the fine amount for violation of Article 33, paragraph 1, of the AVG in view of the factors referred to in Article 7 of the AVG at €475,000.   
 
4.3.5 Opinion of Booking and response of the AP 
In its reply, Booking argued primarily that the imposition of an administrative fine would be disproportionate. In this respect, Booking referred to fines imposed by the Lithuanian, Hungarian and Hamburg Authorities for violations of article 33(1) of the AVG.29 Booking takes the view that, within the context of the administrative fine, the administrative fine must be imposed in accordance with the provisions of article 33(1) of the AVG. 
29 Section 9.2(a) of the Opinion. 
the idea of harmonisation, equal fines should be imposed for similar infringements within Europe.  
 
Currently, no common principles for the calculation of fines have been agreed at the European level. For this reason, the AP applies independently the Fines Policy Rules it has adopted for the calculation of fines. Moreover, the AP assesses this case on its own merits and thus according to the specific facts and circumstances of this case. Needless to say, these facts and circumstances differ from case to case and are therefore not comparable. Finally, the penalty decisions of other privacy supervisory authorities referred to by Booking in its opinion were not arrived at through the so-called coherence mechanism, as laid down in Chapter 7 of the AVG, and the AP is therefore already not bound by those decisions and is not obliged to impose a penalty of the same amount in the present case. 
 
In addition, Booking has argued that the imposition of an administrative fine would be in breach of the lex certa principle, because clear guidelines from the AP and the European Data Protection Board for the justification of a delayed notification of a data breach are lacking. 
 
The AP does not share this view of Booking either, and refers to what has been considered in sections 3.4.4 and 4.3.2 of this decision.  
 
Finally, Booking argued (in the alternative) that if the AP decides to impose a fine after all, this should be reduced to the lowest fine in category II, pursuant to article 6 in conjunction with article 8.1 of the Penalty Policy Regulations.  
 
With regard to the nature, seriousness and duration of the violation, Booking has argued, in brief, that the preventive and corrective measures taken by Booking have limited the number of persons affected and the extent of the damage.  
 
With reference to section 4.3.1, the AP sees no reason on this basis to refrain from imposing an administrative fine or to reduce the amount of the fine.  
 
With regard to the intentional or negligent nature of the infringement, Booking has argued that the infringement does not result from any intentional or negligent action on its part and refers to the technical and organisational measures taken to prevent social engineering incidents and to limit the consequences thereof.  
  
The AP rejects this view. As set out in section 4.3.2, the AP is of the opinion that there is negligence attributable to Booking. The AP sees no reason to increase or decrease the basic amount of the fine. 
 
With regard to the measures taken to limit the damage, Booking states that the technical and organisational measures it has taken are appropriate and may even exceed the requirements of the AVG.  
 
As discussed above in section 4.3.3, the AP sees this as a reason to reduce the basic amount of the fine.  
 
As regards the degree of responsibility in view of the technical and organisational measures taken by Booking pursuant to articles 25 and 32 of the AVG, Booking has argued that its systems and organisation have been set up in such a way that the principles of data protection can be implemented effectively, whereby Booking reiterates that in view of the measures taken and the nature of the incident, it cannot be held liable for the data leak and the alleged violation. 
 
The AP does not share this view. Partly in view of the nature and scope of the processing, a professional party such as Booking may be expected to make proper efforts to ascertain the standards applicable to it and to comply with them. As previously considered in section 4.3.2 of this decision, Booking can be held fully responsible for the violation. Therefore, the AP also sees no reason to reduce the fine. 
 
As regards previous relevant violations of the AVG, Booking has argued that it has not received any previous messages from the AP regarding alleged violations of article 33, paragraph 1, of the AVG. 
 
The AP does not see why this position of Booking should lead to a reduction of the basic amount of the fine. The fact that the AP did not previously write to Booking about an identical infringement does not lead to the conclusion that a reduction of the amount of the fine is appropriate.  
CONFIDENTIAL]  
 
In respect of the cooperation between Booking and the AP in order to remedy the alleged violation and limit the possible negative consequences thereof, Booking has argued that it has fully cooperated with the AP by answering all questions in a timely manner, and if the AP had requested a further explanation of the delay in the notification, such explanation would have been provided. 
 
The AP sees no reason to reduce the amount of the fine. The AP is of the opinion that the cooperation of Booking did not go beyond its statutory obligation to comply with Article 33(1) of the AVG. As such, Booking has not cooperated with the AP in any particular manner.  
 
In respect of the other factors, Booking has argued, in brief, that the data does not relate to special categories of personal data or a vulnerable group of persons, that Booking has been fully transparent towards the parties involved and the AP, and that it has itself reported the data breach to the AP. Finally, Booking has argued that if it had submitted its notification to the AP earlier, this would not have resulted in other measures and that it should have taken the necessary measures. 
would not have resulted in other measures being taken by Booking or in further limitation of the risks to the privacy of the data subjects. According to Booking, none of the data subjects suffered any detriment as a result of the time at which the notification was made.  
 
Here too, the AP does not concur with the view of Booking. Despite the fact that, as far as we are aware, the infringement did not involve special personal data, Booking independently informed the parties involved and the (financial) consequences for the parties involved remained limited, the AP sees no reason to further reduce the amount of the fine, given the seriousness of the infringement and Booking's culpability. For the reasons, the AP refers to subsections 4.3.1 and 4.3.2. 
 
4.3.6 Proportionality and statutory maximum penalty 
Finally, pursuant to Sections 3:4 and 5:46 of the Awb (principle of proportionality), the AP assesses whether the application of its policy for determining the amount of the fine does not lead to a disproportionate result in view of the circumstances of the case. According to the Penalty Policy Rules 2019, applying the principle of proportionality implies that the AP, when setting the fine, will take into account, if necessary, the financial circumstances of the offender.   
In view of all of the above, the AP is of the opinion that the amount of the fine to be imposed does not lead to a disproportionate outcome. In addition, the present decision was taken through the coherence mechanism prescribed by the General Block Exemption Regulation. The other European regulators (concerned) have endorsed the opinion of the Authority.   
 
The AP sees no reason to assume that Booking, in view of its financial position, would not be able to sustain a fine of € 475,000. 
 
4.4 Conclusion 
 
The AP fixes the total amount of the fine at € 475,000.  
 
  
5. Operative part of the judgment 
Fine 
 
The AP imposes an administrative fine on Booking, for breach of Article 33(1) of the AVG, in the amount of €475,000 (in words: four hundred seventy-five thousand euro).30  
30 The AP will pass on the above claim to the Central Fine Collection Agency (CJIB).  
 
 
Yours faithfully, Personal Data Authority,  
 
 
 
C.E. Mur  
Board member  
 
 
Legal remedies If you do not agree with this decision, you may lodge a notice of objection with the Dutch Data Protection Authority, either digitally or on paper, within six weeks of the date on which the decision was sent to you.  
Pursuant to Article 38 of the UAVG, lodging a notice of objection suspends the effect of the decision imposing the administrative fine. 
To submit a digital objection, see www.autoriteitpersoonsgegevens.nl, under the heading Objecting to a decision, at the bottom of the page under the heading Contact with the Authority for the Protection of Personal Data. The address for submitting an objection on paper is: Netherlands Personal Data Authority, P.O. Box 93374, 2509 AJ The Hague.  Please mark the envelope as 'Awb-bezwaar' (Objection under the General Administrative Law Act) and put 'bezwaarschrift' in the title of your letter.  Write at least the following in your notice of objection - your name and address; - the date of your objection; - the reference number mentioned in this letter (case number); or attach a copy of this decision; - the reason(s) why you do not agree with this decision; - your signature.