Details:

Summary: The Croatian DPA (AZOP) has imposed a fine of EUR 15,000 on a hotel. The hotel was collecting personal data from guests in excess of what would have been necessary for the purpose of booking a hotel room and without a valid legal basis. Specifically, the hotel collected the CVC number of guests’ credit cards and copies of their identification documents. The hotel also failed to provide clear and transparent information to guests on the collection and use of their data.

The hotel claimed that, when a booking was made via email, it collected the CVC numbers of credit cards and even copies of personal identification documents in order to prevent misuse of the credit cards. Booking was possible via third-party platforms and via the hotel’s own email address and web form. Booking via email or the web form allows only a reservation to be made, not a payment. Regardless of this, the hotel still requested financial data (credit card details including the CVC number). Since a booking was possible without the CVC number, AZOP found that the hotel had no legal basis for processing such data.

The hotel also failed to provide clear and transparent information to guests on the collection and use of their data. Neither the hotel’s general terms and conditions nor its consent form for the use of personal data provided sufficient information on the circumstances of the processing. In addition, the hotel did not implement adequate technical and organisational measures, e.g. encryption of the data.

Finally, by appointing the hotel manager as data protection officer, the controller violated Art. 38 (6) GDPR. Although a data protection officer may also perform other tasks and duties, the controller must ensure that such tasks and duties do not lead to a conflict of interest. The controller should therefore have been aware of the conflict of interest arising from the tasks and duties the hotel manager performs. The manager’s job description shows that they are largely responsible for management decisions concerning personal data processing, while as data protection officer they are at the same time obliged to monitor the business’s compliance with the rules governing the protection of personal data.
Related articles: Art. 6 (1) GDPR, Art. 13 (1), (2) GDPR, Art. 32 (1) a), d) GDPR, Art. 32 (4) GDPR, Art. 38 (6) GDPR
Type: Insufficient legal basis for data processing
Fine: EUR 15,000
Sector: Accommodation and Hospitality
All data is based on CMS Law’s GDPR Enforcement Tracker. Source: https://www.enforcementtracker.com/