AZOP (Croatia) - Decision 26-09-2023
Decision: AZOP - Decision 24-09-2023
Relevant law: Article 6(1) GDPR, Article 7 GDPR, Article 8 GDPR, Article 13(1) GDPR, Article 13(2) GDPR, Article 32(1) GDPR, Article 32(4) GDPR, Article 38(6) GDPR
National Case Number/Name:
European Case Law Identifier:
Original source: AZOP (in HR)
The Croatian DPA imposed an administrative fine in the amount of €15,000 on a controller due to multiple GDPR violations in the context of its online booking system.
English Summary
Facts
A data subject wanted to book accommodation in a hotel (the controller), which offered three ways to do so on its website: through an external service provider, through a web form, and via e-mail. The last two allowed only a reservation to be made, not a payment.
When making a reservation via the web form, the data subject was required to provide his name, surname, e-mail address, postal address and financial data, including the security number of his credit card (CVC number). For a reservation via e-mail, the same information had to be submitted together with a copy of a valid photo ID document, which, according to the controller, was necessary to prevent misuse of the credit card information by third parties.
The data subject found no information regarding the lawful basis for the processing, nor any other relevant information about the way in which his personal data was processed, and filed a complaint with the AZOP.
Holding
The AZOP found that the hotel's terms and conditions made no mention of a legal basis under Article 6(1) GDPR for processing the CVC number of the data subject's credit card and a copy of his personal document, making such processing unlawful. Further, the AZOP specified that the processing of such data was excessive, as it could not be considered necessary for the purpose for which it was collected, namely merely making a hotel reservation.
On top of that, the controller did not provide information in a clear and transparent way about the processing of personal data for the purpose of booking accommodation via its web form and via e-mail, acting contrary to Article 13(1) GDPR and Article 13(2) GDPR.
Further, the AZOP held that the controller failed to adopt appropriate technical and organizational measures in order to ensure an adequate level of security of processing. Among others, the controller did not encrypt the collected personal data nor did it implement any processes for regular testing, evaluation and assessment of the effectiveness of technical and organizational measures. Thereby, the controller violated Article 32 GDPR.
Lastly, the AZOP found that the controller had appointed the hotel manager as DPO, thus acting contrary to the provision of Article 38(6) GDPR. As a matter of fact, it is up to the data controller to ensure that a DPO's tasks do not lead to a conflict of interest, which was the case here as the hotel manager and DPO was responsible for both taking management decisions on data processing and ensuring compliance of such processing activities.
In the case in question, and taking into account the established violations, the AZOP decided to impose an administrative fine in the amount of €15,000 due to the existence of a high risk for the rights and freedoms of the data subject, which the data controller was obliged to take into account before processing.
English Machine Translation of the Decision
The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.
The Personal Data Protection Agency imposed an administrative fine in the amount of EUR 15,000.00 (HRK 113,017.50) on the controller operating the hotel (that is, the legal entity within which the hotel in question operates), due to the following violations of the General Data Protection Regulation.

The controller processed the personal data of the data subject (hotel guest) to an excessive extent, namely the security number of the bank card (CVC number) as well as copies of personal documents, when booking hotel accommodation via the hotel's online form and by e-mail. The existence of a legal basis has not been proven for the processing of the CVC number of the bank card and a copy of the personal document, which violates Article 6(1) of the General Data Protection Regulation. The hotel had no obligation to collect the CVC number from the bank card of persons who reserved an accommodation unit, considering that the reservation of accommodation was possible even without submitting the data in question.

The controller did not inform data subjects in a clear and transparent way about the processing of their personal data through the General Terms and Conditions document available on the hotel's website, nor regarding the collection of personal data when booking hotel accommodation via the online form and via e-mail, which is contrary to the provisions of Article 13(1) and (2) of the General Data Protection Regulation. In the specific case, the hotel did not adequately provide information on the processing of personal data to guests who booked accommodation at the hotel, including information on the collection of the CVC number and a copy of the identification document.

Bearing in mind the provisions of the regulations governing the protection of personal data, the hotel was obliged to inform the guest what types of personal data it collects and for what purpose, the legal basis for the processing, how the personal data is used, that is, who uses the personal data, and what measures are undertaken to protect it. The hotel was obliged to provide all information about the processing of personal data in a concise, comprehensible and easily accessible form, using clear and simple language, and was obliged to inform the data subject of all his rights under the General Data Protection Regulation. At the same time, the form "Consent to the use of personal data", which the controller submits for the purpose of informing data subjects about the processing of their personal data when booking accommodation via e-mail, does not contain accurate or complete information, and thus the controller acted contrary to the provisions of Article 13(1) and (2) of the General Data Protection Regulation.

By not taking appropriate organizational and technical protection measures in the processing of the personal data of data subjects, the controller violated Article 32(1)(a) and (d) and Article 32(4) of the General Data Protection Regulation. The controller did not take appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, among other things, encryption of personal data and the implementation of processes for regular testing, evaluation and assessment of the effectiveness of technical and organizational measures to ensure the security of processing.

By appointing the hotel manager as data protection officer, the data controller acted contrary to the provisions of Article 38(6) of the General Data Protection Regulation. Namely, the data protection officer may fulfil other tasks and duties; however, the data controller must ensure that such tasks and duties do not lead to a conflict of interest. When appointing the data protection officer, the controller had to be aware that there is a conflict of interest in relation to the tasks and duties he performs. From the job description of the hotel manager, it is evident that he is largely responsible for making management decisions on the processing of personal data, while on the other hand, as data protection officer, he is obliged to monitor the compliance of the business's processing of personal data with the regulations governing the protection of personal data.

The Agency for the Protection of Personal Data received a report from a citizen who stated that when booking accommodation in the hotel in question, confirmation of the reservation requires sending the credit card CVC (via a form) through completely unprotected channels (via e-mail). Likewise, the report stated that the potential guest was not informed who has access to his personal data, i.e. the personal document that he is obliged to send when requesting a hotel reservation so that his credit card can be charged. Namely, the hotel in question offered three options for booking accommodation: through the service provider, online reservation through a web form on the hotel's website, and through e-mail, with the note that only the reservation, and not the payment, was made through the web form and e-mail.

When making a reservation via the web form, it was necessary to enter the guest's personal data: name, surname, e-mail address, address and financial data (card number, month and year until which the card is valid, CVC number and name of the card holder), while for a reservation via e-mail it was necessary to submit the specified information and a copy of a valid identification document with a photo, all, as claimed by the hotel, so that there would be no misuse of the bank card by third parties.

In the case in question, and taking into account the established violations, the Agency decided to impose an administrative fine due to the existence of a high risk for the rights and freedoms of data subjects, which the data controller was obliged to take into account before processing the personal data in question. So, we are talking about a data controller whose business consists of processing personal data, and through the aforementioned procedure, personal data was collected without the existence of an appropriate legal basis, and personal data was collected that is not necessary for the purpose for which it was collected from data subjects during the reservation of hotel accommodation. Also, the Agency believes that the imposition of a fine will lead to the controller fulfilling its obligations in the field of personal data protection in a timely and appropriate manner.