AZOP (Croatia) - Decision 14-09-2023
| AZOP - Decision 24-9-2023 | |
|---|---|
 | |
| Authority: | AZOP (Croatia) |
| Jurisdiction: | Croatia |
| Relevant Law: | Article 6(1) GDPR Article 13(1) GDPR Article 13(2) GDPR Article 32(1) GDPR Article 32(4) GDPR Article 38(6) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 01.09.2023 |
| Published: | 26.09.2023 |
| Fine: | 15000 EUR |
| Parties: | Hotel* |
| National Case Number/Name: | Decision 24-9-2023 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Croatian |
| Original Source: | AZOP (in HR) |
| Initial Contributor: | Karlo Paljug |
The DPA has imposed an administrative fine in the amount of EUR 15,000.00 to the hotel due to multiple violations of the GDPR provisions.
English Summary
Facts
The Agency received a report from a data subject who stated that when booking accommodation in the hotel, it had been requested CVV of the credit card (via a form) through completely unprotected channels (via e-mail). Also, he was not informed in the terms of the article 13. The hotel had three options for booking accommodation: - through the service provider, - online reservation through a web form, and - through e-mail, (*through the web form and e-mail only reservation can be made without payment)
When making a reservation via the web form, it was necessary to enter: name, surname, e-mail address, address and financial data (card number, date and year until which the card is valid, CVV number and name of the card holder), while for the reservation via e-mail, it was necessary to submit the specified information and a copy of a valid identification document with a photo, all for the reason that there would be no misuse of the bank card by third parties, as claimed by the hotel.
Holding
In the case in question, and taking into account the established violations, the Agency decided to impose an administrative fine due to the existence of a high risk for the rights and freedoms of the respondents, which the data controller was obliged to take into account before processing the personal data in question. So, we are talking about a data controller whose business consists of processing personal data, and through the aforementioned procedure, personal data was collected without the existence of an appropriate legal basis, and personal data were collected that are not necessary for the purpose for which they were collected from the respondents during the reservation of hotel accommodation.
The existence of a legal basis has not been proven for the processing of the CVV number of the bank card and a copy of the personal document, which violates Article 6, paragraph 1 of the GDPR. . The controller did not inform the data subject in a clear/transparent way about the processing of personal data. In the specific case, the hotel did not adequately provide information on the processing of personal data to guests who booked accommodation at the hotel.
At the same time, the form "Consent to the use of personal data", which the controller submits for the purpose of providing information to the data subjects about the processing of their personal data when booking accommodation via e-mail, does not contain accurate or complete information.
By not taking appropriate organizational and technical protection measures in the processing of the personal data there was a violation of Article 32. The controller did not take appropriate technical and organizational measures, all to ensure an adequate level of security with regard to the risk, including, among other things, encryption of personal data and the implementation of processes for regular testing, evaluation and assessment of the effectiveness of technical and organizational measures.
By appointing the hotel manager as a DPO, the data controller acted contrary to the provisions of Article 38, paragraph 6. Namely, the data protection officer can fulfill other tasks and duties, however, the data controller ensures that such tasks and duties do not lead to a conflict of interest.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.
The Personal Data Protection Agency imposed an administrative fine in the amount of EUR 15,000.00 (113,017.50 kuna) to the hotel's processing manager (that is, the legal entity within which the hotel in question operates), due to the following violations of the General Data Protection Regulation: The processing manager processed the personal data of the respondent (hotel guest) to an excessive extent, namely data on the security number of the bank card (CVC number), as well as copies of personal documents when booking hotel accommodation via the hotel's online form and by e-mail. The existence of a legal basis has not been proven for the processing of the CVC number of the bank card and a copy of the personal document, which violates Article 6, paragraph 1 of the General Data Protection Regulation. The hotel had no obligation to collect the CVC number from the bank card of the persons who made the reservation of the accommodation unit, considering that the reservation of the accommodation was possible even without submitting the data in question. The controller did not inform the respondents in a clear/transparent way about the processing of their personal data through the General Terms and Conditions document, which is available on the hotel's website, and regarding the collection of personal data when booking hotel accommodation via an online form and via e-mail, and what contrary to the provisions of Article 13, paragraphs 1 and 2 of the General Data Protection Regulation. In the specific case, the hotel did not adequately provide information on the processing of personal data to guests who booked accommodation at the hotel, including information on the collection of data on the CVC number and a copy of the identification document. Bearing in mind the provisions of the regulations governing the protection of personal data, the hotel was obliged to inform the guest what types of personal data it collects for what purpose, the legal basis for personal data processing, how personal data is used, that is, who uses personal data and what measures protection of personal data undertaken. The hotel was obliged to provide all information about the processing of personal data in a concise, comprehensible and easily accessible form, using clear and simple language, and was obliged to inform the respondent of all his rights according to the General Data Protection Regulation. At the same time, the form "Consent to the use of personal data", which the controller submits for the purpose of providing information to respondents about the processing of their personal data when booking accommodation via e-mail, does not contain accurate or complete information, thus the controller acted contrary to the provisions of Article 13. paragraph 1 and 2 of the General Data Protection Regulation. By not taking appropriate organizational and technical protection measures in the processing of the personal data of the respondents by the processing manager, there was a violation of Article 32, paragraph 1. a) and d) and paragraph 4 of the General Regulation on Data Protection. The controller did not take appropriate technical and organizational measures, all to ensure an adequate level of security with regard to the risk, including, among other things, encryption of personal data and the implementation of processes for regular testing, evaluation and assessment of the effectiveness of technical and organizational measures to ensure the security of processing. By appointing the hotel manager as a data protection officer, the data controller acted contrary to the provisions of Article 38, paragraph 6 of the General Data Protection Regulation. Namely, the data protection officer can fulfill other tasks and duties, however, the data controller ensures that such tasks and duties do not lead to a conflict of interest. When appointing a data protection officer, the controller had to be aware that there is a conflict of interest in relation to the tasks and duties he performs. From the job description of the hotel manager, it is evident that he is largely responsible for making management decisions at the level of personal data processing, while on the other hand, as a data protection officer, he is obliged to monitor the compliance of the business in the processing of personal data with the regulations governing the protection of personal data. The Agency for the Protection of Personal Data received a report from a citizen who stated that when booking accommodation in the hotel in question, confirmation of the reservation is requested by sending a CVC credit card (via a form) through completely unprotected channels (via e-mail). Likewise, in the received application, it was stated that the potential guest was not informed who has access to his personal data, i.e. the personal document that he is obliged to send when requesting a hotel in order to be able to charge his credit card. Namely, the hotel in question had three options for booking accommodation - through the service provider, online reservation through a web form on the hotel's website and through e-mail, with a note that only the reservation was made through the web form and e-mail, and not the payment. When making a reservation via the web form, it was necessary to enter the guest's personal data: name, surname, e-mail address, address and financial data (card number, date and year until which the card is valid, CVC number and name of the card holder), while for the reservation via e-mail, it was necessary to submit the specified information and a copy of a valid identification document with a photo, all for the reason that there would be no misuse of the bank card by third parties, as claimed by the hotel. In the case in question, and taking into account the established violations, the Agency decided to impose an administrative fine due to the existence of a high risk for the rights and freedoms of the respondents, which the data controller was obliged to take into account before processing the personal data in question. So, we are talking about a data controller whose business consists of processing personal data, and through the aforementioned procedure, personal data was collected without the existence of an appropriate legal basis, and personal data were collected that are not necessary for the purpose for which they were collected from the respondents during the reservation. hotel accommodation. Also, the Agency believes that the imposition of a fine will lead to the controller fulfilling its obligations in the field of personal data protection in a timely and appropriate manner.
