As of today, 6 DPAs (+3 in comparison to the ETR 2020) have imposed 17 fines (+6 in comparison to the ETR 2020) on restaurants, hotels and other companies in the accommodation and hospitality sector, amounting to a total of around EUR 20,945,607 (+20,605,607 in comparison to the ETR 2020). Also in this sector, the Spanish DPA has paid particular attention and is responsible for more than half of all fines imposed. However, the Spanish fines range between EUR 1,500 and 6,000 and are thus to be considered relatively low.
The data presents a significant finding: in 12 cases the fines were imposed due to illegal video surveillance, showing that the use of video surveillance in the accommodation and hospitality sector is subject to particularly stringent checks by the supervisory authorities.
Let's take a closer look:
- The ICO imposed the highest fine in this sector, reaching an amount of EUR 20,450,000, on Marriott International, Inc. (ETid-60). The decision penalises Marriott for a cyber incident originating from a vulnerability in the IT systems of the Starwood hotels group, which was acquired by Marriott in 2016. This vulnerability finally led to the exposure of personal data from approx. 339 million guest records in November 2018. However, the ICO had originally announced in its statement of intent that it planned to impose an even higher fine of EUR 115.6 million. In determining the amount of the fine, the supervisory authority took into account the impact of the Covid-19 pandemic on the accommodation sector and on Marriott in particular, as well as Marriott's full cooperation with the ICO. Additionally, other mitigating factors led to the reduction of the fine, in particular that Marriott took immediate steps to mitigate the effects of the attack and to implement technical remedial measures.
- The second highest fine, and the highest fine in Germany, was imposed on the food delivery service Delivery Hero Germany GmbH (ETid-78) in the amount of EUR 195,407 for insufficient fulfilment of data subjects' rights in several cases, ranging from the failure to delete former customers' data to unsolicited advertising emails. One data subject who had expressly objected to the use of his data for advertising purposes nevertheless received a further 15 advertising emails from the delivery service.
- The third highest fine, and the highest fine in Denmark, in the amount of EUR 147,800 was imposed on Arp Hansen Hotel Group A/S (ETid-361). The authority based its decision on non-compliance with general data processing principles. During an inspection, the authority discovered that Arp Hansen's reservation systems contained a large amount of personal data that should already have been deleted, since it was no longer necessary for the purpose for which it was collected.
- 12 fines amounting to EUR 37,400 in total were imposed on bars and several restaurants for inadmissible video surveillance. While these amounts seem relatively small in comparison (although they adequately reflect the annual turnover of the respective businesses), video surveillance seems to be a key issue in the DPAs' monitoring of data protection compliance in the hospitality sector in general, but especially in Spain, where 9 of the 12 fines were imposed.
In the future, even small companies in the hospitality sector – including the kebab stand next door – should be careful not to collect their guests' data too hastily. In particular, the strict requirements for a permissible use of video surveillance should be carefully examined in each individual case to avoid fines. The ill-considered surveillance of guests can quickly result in a fine. Data protection authorities have long since ceased to focus solely on the big players in the industry.
In terms of the amounts involved, however, the risk of fines for inadequate security measures is much higher. There may be a trend emerging here, showing that negligence in providing adequate technical and organisational measures is sanctioned with particular severity.