To date, 9 DPAs (+3 in comparison to the 2021 ETR) have imposed 37 fines (+20 in comparison to the 2021 ETR) on restaurants, hotels and other companies in the accommodation and hospitality sector, amounting to a total of EUR 21,484,707 (+EUR 539,100 in comparison to the 2021 ETR). Disregarding one fine above EUR 20 million by the British ICO, the fines are relatively moderate. The overall average of fines in this sector (including the extraordinary fine of the British ICO) is EUR 631,903. The Spanish DPA has been particularly “active” in this sector (21 fines), followed by the German DPAs (9 fines).
As in 2020, the majority of the fines in the accommodation and hospitality sector in 2021 were imposed due to illegal video surveillance (26 cases; +14 in comparison to the 2021 ETR).
Let's take a closer look
- Judging by the fines imposed in this sector, the authorities do not only focus on larger entities but also on small restaurants, stores or hotels. This is also the reason why the actual fines are – with a few exceptions – comparatively low.
- The highest fine by far in this sector was issued in 2020: the British ICO imposed a fine of EUR 20.45 million on Marriott International, Inc. (ETid-60) based on a cyber incident originating from a vulnerability in the IT systems of the Starwood hotels group which was acquired by Marriott in 2016. This vulnerability led to the exposure of personal data from approximately 339 million guest records. Originally the ICO had planned to impose an even higher fine of EUR 115.6 million. However, the supervisory authority reduced the fine, citing the impact of the Covid-19 pandemic on the accommodation sector as one of the reasons.
- The Dutch DPA imposed a fine of EUR 475,000 on Booking.com B.V. (ETid-612) for not reporting a data breach in a timely manner. Criminals gained access to the data of 4,109 people who had booked a hotel room through the booking site as well as the credit card data of 283 people and managed to access the credit card's security code in 97 cases. The fine is rather high, which is likely due to the fact that Booking.com did not report this security incident to the DPA until 22 days after it became aware of it (according to the GDPR, such a report must be made no later than 72 hours).
- 26 fines amounting to EUR 91,400 in total were imposed on bars and several restaurants for unlawful use of CCTV systems. While the amount is relatively small in comparison – however, adequately reflecting the annual turnover of the respective businesses – video surveillance seems to be a key issue in the DPAs' monitoring of data protection compliance in the accommodation and hospitality sector. With regard to the unlawful use of CCTV systems it seems the Spanish DPA still imposes more fines (19 of the 26 cases), but with relatively moderate amounts (range between EUR 900 and 6,000).
Non-compliance with general data protection principles may result in fines even for small companies in the accommodation and hospitality sector. DPAs have shown that they are willing to impose 5-, 6- or even 7-figure fines, especially when large amounts of personal data are exposed due to insufficient data security measures.