
Croatia: AZOP fines hotel €15,000 for unlawful processing of credit card data

The Personal Data Protection Agency (AZOP) announced, on September 26, 2023, that it had imposed a fine of €15,000 on a hotel for violations of the General Data Protection Regulation (GDPR), following a complaint from an individual.

Background to the decision

The AZOP stated that, according to the complainant, when booking accommodation at the hotel via an online form, the hotel requested confirmation of the reservation by having the customer send the credit card's CVC number through an unprotected channel (i.e., via email). The AZOP further stated that for hotel reservations made via email, the customer also had to submit a copy of a valid photo identification document.

Findings of the AZOP

The AZOP found that the hotel did not provide a legal basis for the processing of the CVC number and copies of the identification document, in violation of Article 6(1) of the GDPR. The AZOP further noted that the reservation of the accommodation was possible without submitting the data in question.

Additionally, the AZOP found that the hotel did not inform data subjects clearly and transparently about the processing of their personal data in the General Terms and Conditions document on the hotel's website, and did not provide accurate and complete information about the processing in its consent form for the use of personal data, in violation of Articles 13(1) and 13(2) of the GDPR.

Moreover, the AZOP found that the hotel did not implement appropriate technical and organizational measures, including, among other things, encryption of personal data and a process for regularly testing, assessing, and evaluating the effectiveness of those measures, in violation of Articles 32(1)(a), 32(1)(d), and 32(4) of the GDPR.

Finally, the AZOP found that appointing the hotel manager as data protection officer (DPO) violated Article 38(6) of the GDPR. The AZOP noted that a DPO may fulfill other tasks and duties, but such tasks and duties must not result in a conflict of interest.

Outcomes

In light of the above, the AZOP issued a fine of €15,000 to the hotel for the aforementioned violations of the GDPR.

You can read the press release, only available in Croatian, here.
