Privacy & Information Security Law Blog

On March 31, 2021, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”), announced a fine of €475,000 for Dutch headquartered online travel agency Booking.com for failure to report a data breach within 72 hours of becoming aware of the incident in 2019.

The breach involved unauthorized access to login credentials, enabling criminals to gain access to the personal data of more than 4,000 customers. Compromised details included names, addresses, telephone numbers and approximately 300 credit card numbers.

In a statement (in Dutch) the Dutch DPA noted that Booking.com was informed of the breach on January 13, 2019, but only reported the incident to the regulator on February 7, 2019, some 22 days later and well outside the 72 hour timeframe mandated by Article 33 of the GDPR. Booking.com notified affected customers on February 4, 2019. The regulator noted that Booking.com had taken (unspecified) steps to limit damage to customers and offered to compensate them for any damage suffered. The Dutch DPA’s statement does not explain the reason for Booking.com’s delay in reporting, but states that Booking.com will not object to or appeal the fine.

“This is a serious violation,” said Monique Verdier, Vice President of the Dutch DPA. “Unfortunately, a data breach can happen anywhere, even if you have taken good precautions. But to prevent damage to your customers and the repetition of such a data breach, you must report this in time. That speed is very important. . . . Such a large company, with valuable personal data of millions of customers in its systems, has a great responsibility. Customers entrust their personal data to Booking.com. And they must do everything they can to protect the data properly. That means good security to prevent a leak, but also quick action should things go wrong unexpectedly.”