AZOP (Croatia) - Decision 26-09-2023

From GDPRhub
AZOP - Decision 24-09-2023
Authority: AZOP (Croatia)
Jurisdiction: Croatia
Relevant Law: Article 6(1) GDPR
Article 7 GDPR
Article 8 GDPR
Article 13(1) GDPR
Article 13(2) GDPR
Article 32(1) GDPR
Article 32(4) GDPR
Article 38(6) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 01.09.2023
Published: 26.09.2023
Fine: 15000 EUR
Parties: Hotel
National Case Number/Name: Decision 24-09-2023
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Croatian
Original Source: AZOP (in HR)
Initial Contributor: Karlo Paljug

The DPA imposed an administrative fine of EUR 15,000.00 on a hotel for multiple violations of the GDPR: collecting the CVV of guests' bank cards and copies of identity documents without a legal basis, failing to provide Article 13 information, transmitting the data over unprotected channels (e-mail) contrary to Article 32, and appointing the hotel manager as DPO in breach of Article 38(6).

English Summary

Facts

The Agency received a complaint from a data subject who stated that, when booking accommodation at the hotel, they were asked to provide the CVV of their credit card (via a form) over an entirely unprotected channel (e-mail). The data subject also stated that they were not given the information required under Article 13 GDPR.

The hotel had three options for booking accommodation:

- through the service provider,

- online reservation through a web form, and

- through e-mail,

(*via the web form and e-mail, only a reservation without payment could be made)

For a reservation via the web form it was necessary to enter: name, surname, e-mail address, postal address and financial data (card number, expiry month and year, CVV number and name of the card holder). For a reservation via e-mail it was necessary to submit the same information plus a copy of a valid photo identification document. According to the hotel, all of this was collected so that the bank card could not be misused by third parties.

Holding

In the case at hand, and taking into account the violations established, the Agency decided to impose an administrative fine because of the high risk to the rights and freedoms of data subjects, which the controller was obliged to take into account before processing the personal data in question. The controller is an entity whose business consists of processing personal data, and through the procedure described above it collected personal data without an appropriate legal basis, including personal data that were not necessary for the purpose for which they were collected from data subjects when booking hotel accommodation.

No legal basis was shown for processing the CVV number of the bank card or a copy of the identity document, which violates Article 6(1) GDPR. The controller also failed to inform data subjects in a clear and transparent way about the processing of their personal data: in this case, the hotel did not adequately provide the Article 13 information to guests who booked accommodation at the hotel.

At the same time, the form "Consent to the use of personal data", which the controller sends to data subjects who book via e-mail in order to inform them about the processing of their personal data, does not contain accurate or complete information.

By failing to take appropriate technical and organisational protection measures when processing the personal data, the controller violated Article 32 GDPR. It did not implement technical and organisational measures ensuring a level of security appropriate to the risk, including, among other things, encryption of personal data (card details and identity documents were transmitted by unencrypted e-mail) and a process for regularly testing, assessing and evaluating the effectiveness of those measures.

By appointing the hotel manager as DPO, the controller acted contrary to Article 38(6) GDPR. A data protection officer may fulfil other tasks and duties, but the controller must ensure that such tasks and duties do not result in a conflict of interests; a manager who decides on the purposes and means of processing cannot independently monitor that processing.

Comment


Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.