AP (The Netherlands) - 10.12.2020 (Booking.com): Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Netherlands |DPA-BG-Color= |DPAlogo=LogoNL.png |DPA_Abbrevation=AP |DPA_With_Country=AP (The Netherlands) |Case_Number_Name=n/a |ECLI= |Origi...")
 
m (formatting)
Line 50: Line 50:
The Dutch Data Protection Authority Autoriteit Persoonsgegevens (AP) imposed a fine of 475,000 euros on Booking.com for reporting a data breach to the AP too late. Booking.com became aware of the data breach on 13 January 2019 but did not report it to the AP until February 7, which is 22 days too late.
The Dutch Data Protection Authority Autoriteit Persoonsgegevens (AP) imposed a fine of 475,000 euros on Booking.com for reporting a data breach to the AP too late. Booking.com became aware of the data breach on 13 January 2019 but did not report it to the AP until February 7, which is 22 days too late.


== English Summary ==
==English Summary==


=== Facts ===
===Facts===
On 7 February 2019 Booking.com (Booking) submitted a data breach notification to the AP. An unknown person(s) gained access to the reservation system of Booking by pretending to be a Booking employee. About 40 accommodations in the United Arab Emirates Personal were affected. Personal data of guests from different EU and non-EU countries were exposed. Booking stated in the notification that they became aware of the breach on 10 January 2019, which triggered an AP investigation under Article 33(1) GDPR (obligation to notify the supervisory authority about a breach within 72 hours).
On 7 February 2019 Booking.com (Booking) submitted a data breach notification to the AP. An unknown person(s) gained access to the reservation system of Booking by pretending to be a Booking employee. About 40 accommodations in the United Arab Emirates Personal were affected. Personal data of guests from different EU and non-EU countries were exposed. Booking stated in the notification that they became aware of the breach on 10 January 2019, which triggered an AP investigation under Article 33(1) GDPR (obligation to notify the supervisory authority about a breach within 72 hours).
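Review bot: In the Facts paragraph, the sentence "About 40 accommodations in the United Arab Emirates Personal were affected" carries a stray "Personal" on both sides of this formatting-only revision; drop the word so it reads "in the United Arab Emirates were affected". The lead sentence above it also mixes date styles ("13 January 2019" and "February 7"); use one style throughout.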


Line 59: Line 59:
This breach was a result of what is called by AP a social engineering attack: an unknown person contacted a Trip Provider by the phone and obtained a username, password and the “2FA pin code” necessary to access Extranet by pretending to be a Booking employee. Personal data of about 4109 guest got compromised, including first and last names, addresses, phone numbers, check-in and check-out dates, total price, price per night, reservation numbers, communication between hotels and guests, 283 credit card details with CVCs of about 97 of them.
This breach was a result of what is called by AP a social engineering attack: an unknown person contacted a Trip Provider by the phone and obtained a username, password and the “2FA pin code” necessary to access Extranet by pretending to be a Booking employee. Personal data of about 4109 guest got compromised, including first and last names, addresses, phone numbers, check-in and check-out dates, total price, price per night, reservation numbers, communication between hotels and guests, 283 credit card details with CVCs of about 97 of them.


Timeline on the incident.
'''Timeline on the breach.'''
19 December 2018 – social engineering phone call, start of the incident.
 
19 December 2018 – social engineering phone call, start of the incident
 
9 January 2019 – 1st email to Booking from accommodation 1. A guest of that hotel had been approached by email sent from a Hotmail account by a “reservation employee”. The “employee” had asked for he guest’s birth date, which was necessary to complete the payment. The night rate was mentioned in the email, a PDF with the reservation details was attached to the email.
9 January 2019 – 1st email to Booking from accommodation 1. A guest of that hotel had been approached by email sent from a Hotmail account by a “reservation employee”. The “employee” had asked for he guest’s birth date, which was necessary to complete the payment. The night rate was mentioned in the email, a PDF with the reservation details was attached to the email.
13 January 2019 – 2nd notification from the same accommodation: another guest got a phone call from “Booking”, asking for the credit card information and other personal data.
13 January 2019 – 2nd notification from the same accommodation: another guest got a phone call from “Booking”, asking for the credit card information and other personal data.
20 January 2019 – 3rd notification from accommodation 1, reporting another phone call to a guest, the caller had asked for the credit card details.
20 January 2019 – 3rd notification from accommodation 1, reporting another phone call to a guest, the caller had asked for the credit card details.
20 January 2019 – accommodation 2 reports multiple notifications from guests. All guests mention the attempts to get their credit card details, using hotel’s name, arrival/departure dates and other information.  
20 January 2019 – accommodation 2 reports multiple notifications from guests. All guests mention the attempts to get their credit card details, using hotel’s name, arrival/departure dates and other information.  
31 January 2019 – Booking’s Security team gets involved.  
31 January 2019 – Booking’s Security team gets involved.  
4 February 2019 – Preliminary report of the security team, confirming the breach. Privacy teams gets involved, affected individuals get informed of the incident.
4 February 2019 – Preliminary report of the security team, confirming the breach. Privacy teams gets involved, affected individuals get informed of the incident.
6 February 2019 – Privacy team qualifies the incident as a personal data breach that needs to be reported to the AP.
6 February 2019 – Privacy team qualifies the incident as a personal data breach that needs to be reported to the AP.
7 February 2019 – Breach is reported to the AP.
7 February 2019 – Breach is reported to the AP.
28 February 2019 – Final report of the Security team.
28 February 2019 – Final report of the Security team.


=== Dispute ===
===Dispute===
Main disagreement between the AP and Booking was about exactly when Booking became aware of this breach, but other points were also outlined in the AP’s report.
Main disagreement between the AP and Booking was about exactly when Booking became aware of this breach, but other points were also outlined in the AP’s report.


Notification within 72 hours of “becoming aware”
 
'''Notification within 72 hours of “becoming aware”'''
 
Booking’s position is that it can take months to finish an incident investigation, so notifications within 3 days are not always possible. Furthermore, A29WP’s data breach guidelines say, according to Booking, that it can take time for controllers to investigate and properly report all connected incidents. So Booking is of the opinion that it reported the breach within 72 hours from becoming aware of it on 4 February 2019.
Booking’s position is that it can take months to finish an incident investigation, so notifications within 3 days are not always possible. Furthermore, A29WP’s data breach guidelines say, according to Booking, that it can take time for controllers to investigate and properly report all connected incidents. So Booking is of the opinion that it reported the breach within 72 hours from becoming aware of it on 4 February 2019.
AP did not share this logic. It pointed out that companies can report breaches in stages where all information is not available at the moment of the notification. Moreover, according to the AP, Booking became aware of the breach on 13 January 2019:
AP did not share this logic. It pointed out that companies can report breaches in stages where all information is not available at the moment of the notification. Moreover, according to the AP, Booking became aware of the breach on 13 January 2019:
a) The email of 9 January should have given Booking a first serious suspicion that something was not right;
a) The email of 9 January should have given Booking a first serious suspicion that something was not right;
b) That first incident should have been brought to the attention of Booking’s Security team right away;
b) That first incident should have been brought to the attention of Booking’s Security team right away;
c) The email of 13th of January was the second signal. Accommodation stressed that that incident was similar to the previous one and that there must have been a breach at Booking. On 13 January 2019 Booking had reasonable certainty that a security incident affecting personal data had occurred.  
c) The email of 13th of January was the second signal. Accommodation stressed that that incident was similar to the previous one and that there must have been a breach at Booking. On 13 January 2019 Booking had reasonable certainty that a security incident affecting personal data had occurred.  
In addition, the AP pointed out that Booking’s own “Data Incident Response Policy” was clear: all suspected incidents needed to be reported to the Security team immediately. Which did not happen here until 31 January.
In addition, the AP pointed out that Booking’s own “Data Incident Response Policy” was clear: all suspected incidents needed to be reported to the Security team immediately. Which did not happen here until 31 January.


Controller
 
'''Controller'''
 
According to Booking, it is a controller of personal data in Booking platform, but Trip Providers have their own purposes for processing data in Extranet. AP concluded that Booking was the responsible controller in this case, considering that:
According to Booking, it is a controller of personal data in Booking platform, but Trip Providers have their own purposes for processing data in Extranet. AP concluded that Booking was the responsible controller in this case, considering that:
1) Booking’s Privacy statement outlines the data categories and purposes of processing.
1) Booking’s Privacy statement outlines the data categories and purposes of processing.
2) Booking is responsible for the security measures on Extranet.
2) Booking is responsible for the security measures on Extranet.
3) Booking submitted the data breach notification to AP.
3) Booking submitted the data breach notification to AP.




Risks
'''Risks'''
 
Booking noted that it had taken measures to minimize the risks for the affected individuals. For example: in general, only contact information was affected with no email or reservation information being leaked; emails in Extranet were hashed and could not be extracted from the system; credit card data was stored according to the PCI DSS requirements; clients were informed about social engineering and other forms of possible fraud; immediate communication to the affected individuals; Booking also offered them a compensation of financial damage.
Booking noted that it had taken measures to minimize the risks for the affected individuals. For example: in general, only contact information was affected with no email or reservation information being leaked; emails in Extranet were hashed and could not be extracted from the system; credit card data was stored according to the PCI DSS requirements; clients were informed about social engineering and other forms of possible fraud; immediate communication to the affected individuals; Booking also offered them a compensation of financial damage.
AP is of the opinion that there is a risk to rights and freedoms of individuals when their personal data is seen by unauthorized individuals. In the present case the risks of financial loss and identity fraud have materialized. Financial damage compensation does not remove the risks themselves but only helps to minimize their consequences.  
AP is of the opinion that there is a risk to rights and freedoms of individuals when their personal data is seen by unauthorized individuals. In the present case the risks of financial loss and identity fraud have materialized. Financial damage compensation does not remove the risks themselves but only helps to minimize their consequences.  


'''Trip Provider did not properly report the breach to Booking'''


Booking argued that the Trip Providers are obliged to report all security incidents via the so called “Partner portal” to the Security team directly, which was not the case here. AP rejected this argument: obligations under GDPR stand separated from private agreements between companies.


Trip Provider did not properly report the breach to Booking
Booking argued that the Trip Providers are obliged to report all security incidents via the so called “Partner portal” to the Security team directly, which was not the case here. AP rejected this argument: obligations under GDPR stand separated from private agreements between companies.


'''Employee policy breach'''


Employee policy breach
Booking argued the fact that an employee had breached an internal protocol by not reporting the suspected incident to the Security team, should not be held against Booking. Booking referred AP to a decision by a Hungarian DPA, according to Booking, supported this conclusion.  
Booking argued the fact that an employee had breached an internal protocol by not reporting the suspected incident to the Security team, should not be held against Booking. Booking referred AP to a decision by a Hungarian DPA, according to Booking, supported this conclusion.  
AP disagreed: the case in question could not be applied to the current situation. In addition, AP’s reading of the conclusion of that decision differs from that of Booking.
AP disagreed: the case in question could not be applied to the current situation. In addition, AP’s reading of the conclusion of that decision differs from that of Booking.




=== Holding ===
===Holding===
The AP concluded that Booking violated the breach reporting obligation under Article 33(1) of the GDPR. According to the Fine Policy of the AP, the basis fine for this violation is 525000 EUR. The AP took into account the measures taken by Booking to minimize the consequences of the breach and reduced the fine to 475000 EUR.
The AP concluded that Booking violated the breach reporting obligation under Article 33(1) of the GDPR. According to the Fine Policy of the AP, the basis fine for this violation is 525000 EUR. The AP took into account the measures taken by Booking to minimize the consequences of the breach and reduced the fine to 475000 EUR.


== Comment ==
==Comment==
''Share your comments here!''
''Share your comments here!''


== Further Resources ==
==Further Resources==
''Share blogs or news articles here!''
''Share blogs or news articles here!''


== English Machine Translation of the Decision ==
==English Machine Translation of the Decision==
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
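Review bot: The 9 January timeline entry still reads "had asked for he guest’s birth date" and the 4 February entry "Privacy teams gets involved" in the revised text; since this revision already touches the timeline to bold its heading, correct them to "the guest’s" and "Privacy team". In the Employee policy breach paragraph, "a decision by a Hungarian DPA, according to Booking, supported this conclusion" is missing a relative pronoun ("which, according to Booking, supported").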



Revision as of 20:23, 5 April 2021

AP - n/a
Authority: AP (The Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 33(1) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 10.12.2020
Published: 31.03.2021
Fine: 475000 EUR
Parties: Booking.com B.V.
National Case Number/Name: n/a
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Dutch
Original Source: Autoriteit Persoonsgegevens (in NL)
Initial Contributor: n/a

The Dutch Data Protection Authority Autoriteit Persoonsgegevens (AP) imposed a fine of 475,000 euros on Booking.com for reporting a data breach to the AP too late. Booking.com became aware of the data breach on 13 January 2019 but did not report it to the AP until February 7, which is 22 days too late.

English Summary

Facts

On 7 February 2019 Booking.com (Booking) submitted a data breach notification to the AP. One or more unknown persons gained access to the reservation system of Booking by pretending to be a Booking employee. About 40 accommodations in the United Arab Emirates were affected. Personal data of guests from different EU and non-EU countries were exposed. Booking stated in the notification that they became aware of the breach on 10 January 2019, which triggered an AP investigation under Article 33(1) GDPR (obligation to notify the supervisory authority about a breach within 72 hours).

Booking maintains the reservation platform where the so-called “Trip Providers” can offer accommodation, flights, car rentals and day trips to the users of Booking. These users have to provide contact, reservation and payment data in order to complete the reservation. That information is then shared with the Trip Providers via Extranet, an online administration dashboard for reservations. Access to Extranet is secured: representatives of Trip Providers have to fill in a username, password and a “2FA pin code”.

This breach was the result of what the AP calls a social engineering attack: an unknown person contacted a Trip Provider by phone and, by pretending to be a Booking employee, obtained a username, password and the “2FA pin code” necessary to access Extranet. Personal data of about 4109 guests was compromised, including first and last names, addresses, phone numbers, check-in and check-out dates, total price, price per night, reservation numbers, communication between hotels and guests, and 283 credit card details, with CVCs for about 97 of them.

Timeline of the breach:

19 December 2018 – social engineering phone call, start of the incident

9 January 2019 – 1st email to Booking from accommodation 1. A guest of that hotel had been approached by email sent from a Hotmail account by a “reservation employee”. The “employee” had asked for the guest’s birth date, which was said to be necessary to complete the payment. The night rate was mentioned in the email, and a PDF with the reservation details was attached to it.

13 January 2019 – 2nd notification from the same accommodation: another guest got a phone call from “Booking”, asking for the credit card information and other personal data.

20 January 2019 – 3rd notification from accommodation 1, reporting another phone call to a guest, the caller had asked for the credit card details.

20 January 2019 – accommodation 2 reports multiple notifications from guests. All guests mention the attempts to get their credit card details, using hotel’s name, arrival/departure dates and other information.

31 January 2019 – Booking’s Security team gets involved.

4 February 2019 – Preliminary report of the Security team, confirming the breach. Privacy team gets involved, affected individuals get informed of the incident.

6 February 2019 – Privacy team qualifies the incident as a personal data breach that needs to be reported to the AP.

7 February 2019 – Breach is reported to the AP.

28 February 2019 – Final report of the Security team.

Dispute

The main disagreement between the AP and Booking was about exactly when Booking became aware of this breach, but other points were also outlined in the AP’s report.


Notification within 72 hours of “becoming aware”

Booking’s position is that it can take months to finish an incident investigation, so notification within 3 days is not always possible. Furthermore, the A29WP’s data breach guidelines say, according to Booking, that it can take time for controllers to investigate and properly report all connected incidents. Booking is therefore of the opinion that it reported the breach within 72 hours of becoming aware of it on 4 February 2019.

The AP did not share this logic. It pointed out that companies can report breaches in stages when not all information is available at the moment of the notification. Moreover, according to the AP, Booking became aware of the breach on 13 January 2019:

a) The email of 9 January should have given Booking a first serious suspicion that something was not right;

b) That first incident should have been brought to the attention of Booking’s Security team right away;

c) The email of 13 January was the second signal. The accommodation stressed that the incident was similar to the previous one and that there must have been a breach at Booking. On 13 January 2019 Booking had reasonable certainty that a security incident affecting personal data had occurred.

In addition, the AP pointed out that Booking’s own “Data Incident Response Policy” was clear: all suspected incidents needed to be reported to the Security team immediately, which did not happen here until 31 January.


Controller

According to Booking, it is a controller of personal data on the Booking platform, but Trip Providers have their own purposes for processing data in Extranet. The AP concluded that Booking was the responsible controller in this case, considering that:

1) Booking’s Privacy statement outlines the data categories and purposes of processing.

2) Booking is responsible for the security measures on Extranet.

3) Booking submitted the data breach notification to AP.


Risks

Booking noted that it had taken measures to minimize the risks for the affected individuals. For example: in general, only contact information was affected, with no email or reservation information being leaked; emails in Extranet were hashed and could not be extracted from the system; credit card data was stored according to the PCI DSS requirements; clients were informed about social engineering and other forms of possible fraud; the affected individuals were informed immediately; and Booking offered them compensation for financial damage.

The AP is of the opinion that there is a risk to the rights and freedoms of individuals when their personal data is seen by unauthorized individuals. In the present case the risks of financial loss and identity fraud have materialized. Compensation for financial damage does not remove the risks themselves but only helps to minimize their consequences.

Trip Provider did not properly report the breach to Booking

Booking argued that the Trip Providers are obliged to report all security incidents via the so-called “Partner portal” to the Security team directly, which was not the case here. The AP rejected this argument: obligations under the GDPR stand separate from private agreements between companies.


Employee policy breach

Booking argued that the fact that an employee had breached an internal protocol by not reporting the suspected incident to the Security team should not be held against Booking. Booking referred the AP to a decision by a Hungarian DPA which, according to Booking, supported this conclusion.

The AP disagreed: the case in question could not be applied to the current situation. In addition, the AP’s reading of the conclusion of that decision differs from that of Booking.


Holding

The AP concluded that Booking violated the breach reporting obligation under Article 33(1) of the GDPR. According to the Fine Policy of the AP, the basic fine for this violation is 525000 EUR. The AP took into account the measures taken by Booking to minimize the consequences of the breach and reduced the fine to 475000 EUR.


English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

Fine Booking.com for late reporting of data breach

Press release / March 31, 2021

Category: Actions in the event of data breaches; Obligation to report data leaks

The Dutch Data Protection Authority (AP) has imposed a fine of EUR 475,000 on Booking.com for reporting a data breach to the AP too late. In the data breach, criminals looted the personal data of more than 4,000 customers. They were also able to obtain credit card details of nearly 300 victims.

Criminals extracted login details to their accounts in a Booking.com system from employees of 40 hotels in the United Arab Emirates by telephone.

For example, in December 2018, the criminals gained access to the data of 4,109 people who had booked a hotel room in that country via the booking site. This included their names, addresses and telephone numbers and details about their booking.

The criminals also saw the credit card details of 283 people. Including the security code of the credit card in 97 cases. In addition, they tried to obtain the credit card details of other victims by posing as an employee of Booking.com by email or telephone.

Phishing

"Booking.com customers ran the risk of being robbed here," says AP vice president Monique Verdier. "Even if the criminals did not steal credit card details, but only someone's name, contact details and information about his or her hotel booking. The scammers used that data for phishing."

"By pretending to belong to the hotel by phone or email, they tried to take money from people. This can be very credible if such a scammer knows exactly when you have booked which room. And asks if you want to pay for those nights. The damage can then be considerable," says Verdier.

Reported 22 days late

Booking.com was notified of the data breach on January 13, 2019, but did not report it to the AP until February 7. That is 22 days late. It is mandatory to report a data breach within 72 hours.

Booking.com notified affected customers of the leak on February 4, 2019. In addition, the company took other measures to limit the damage, such as the offer to compensate for any damage.

"This is a serious violation," says Verdier. "A data breach can unfortunately happen anywhere, even if you have taken good precautions. But to prevent damage to your customers and the recurrence of such a data breach, you have to report this in time."

"That speed is very important. In the first place for the victims of a leak. After such a report, the AP can, among other things, order a company to immediately warn affected customers. In this way, for example, to prevent criminals from having weeks to continue trying to defraud customers."

Great responsibility

Verdier: "Such a large company, with valuable personal data of millions of customers in its systems, has a great responsibility. Customers entrust their personal data to Booking.com. And they must do everything they can to protect the data properly. That means good security to prevent a leak, but also quick action should things go wrong unexpectedly."

Booking.com will not object or appeal against the fine of the AP.

International research

The Booking.com investigation was an international investigation. It is an international company with customers from different countries. Booking.com has its global headquarters in the Netherlands. That is why the AP conducted this investigation. Because this is an international issue, the AP has coordinated the investigation with the other European privacy regulators.

Obligation to report data leaks

The data breach reporting obligation means that both companies and governments must immediately (and no later than within 72 hours) report to the AP when they have a serious data breach. In certain cases, they must also report the data breach to the people whose personal data has been leaked. Reporting a data breach is done via the DPA's Reporting Desk for data leaks (https://datalekken.autoriteitpersoonsgegevens.nl/actionpage?0).

Explosive increase in data theft

In 2020, the AP noted an explosive increase in the number of hacks aimed at the looting of personal data. The number of reports increased by no less than 30% in 2020 compared to 2019, according to the Report on Data Leaks 2020. Data theft can often be prevented through better security.
</p></div></div><div id="side-content" class=""><a name="publications"></a><div id="side-content-publications"><h2> Publications</h2><ul class="article-list"><li><div class="article-info"> <span class="type">Report</span> / <span class="date">December 10, 2020</span></div> <a href="https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/besluit_boete_booking.pdf" class="download external"><span class="pdf">Download</span> <span class="linktitle">PDF Decision fine Booking.com</span> <span class="linkbutton">Download</span></a> </li></ul></div></div></div></article></body></html>