NAIH (Hungary) - NAIH/2020/66/21
|NAIH - NAIH/2020/66/21|
|Relevant Law:|Article 25(1) GDPR; Article 25(2) GDPR; Article 32(1)(b) GDPR; Article 34(1) GDPR|
|Parties:|„ROBINSON-TOURS” Tourism and Service Ltd.; Next Time Media Agency Ltd.|
|National Case Number/Name:|NAIH/2020/66/21|
|European Case Law Identifier:|n/a|
|Original Source:|NAIH (Hungary) (in HU)|
The Hungarian DPA (NAIH) fined a travel agency €55,000 for not implementing appropriate technical and organisational measures, leading to the exposure of the personal data of its customers on a website and a search engine.
English Summary
Facts
While browsing the Internet, a complainant typed his father's name into Google search and, through one of the results, was able to open a database without any authorization check. The DPA initiated an investigation. It found that the database contained personal data of clients of the travel agency Robinson-Tours, such as names, booking dates, reservation status, addresses, ID card details, passport numbers with dates of issue and expiry, and the date of conclusion of the travel contract. On the website it was also possible to filter people by destination and date. In some cases it was possible to upload a passport photo or to freely download individual customers' travel contracts.
As it turned out during the investigation, Robinson-Tours had engaged Next Time Media Agency as a data processor tasked with implementing appropriate security measures: a firewall, anti-virus software, multi-level authentication and access control, the use of strong passwords with forced password changes, and daily backups. The exposed data came from a test database that had been filled with the data of 781 real customers. It was accessible to anyone from November 13, 2019 to February 4, 2020.
The controller did not communicate the data breach to the data subjects, and it did not carry out regular checks for security risks.
Dispute
What constitutes appropriate technical and organizational measures to ensure data protection by design and by default (Article 25 GDPR)?
Holding
The DPA held that Robinson-Tours and Next Time Media Agency had not implemented appropriate technical and organisational measures to ensure the security of the customers' personal data. Hence, they failed to comply with Article 25 GDPR, which establishes the principle of data protection by design and by default. Robinson-Tours and Next Time Media Agency were fined 20 000 000 HUF and 500 000 HUF respectively.
English Machine Translation of the Decision
The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.