As of today, five DPAs (of which three are different regional authorities within Germany) have imposed 11 fines on restaurants, hotels and other companies in the accommodation and hospitality sector, amounting to a total of around EUR 340,000. The Spanish DPA paid particular attention to this sector and is responsible for around half of all fines imposed. However, the Spanish fines range from EUR 3,600 to 15,000 and can thus be considered relatively low.
The data highlights a significant finding: in seven cases, fines were imposed due to illegal video surveillance – showing that the use of video surveillance in the accommodation and hospitality sector is subject to particularly stringent checks by the supervisory authorities.
Let's take a closer look
- In Germany, food delivery service Delivery Hero Germany GmbH was fined EUR 195,407 for insufficient fulfilment of data subjects' rights in multiple cases:
- Delivery Hero had not deleted accounts of former customers in 10 cases, even though these data subjects had not been active on the company's delivery service platform for years – in one case since 2008.
- In addition, eight former customers had complained about unsolicited advertising e-mails from the company.
- A data subject who had expressly objected to the use of his data for advertising purposes nevertheless received a further 15 advertising e-mails from the delivery service.
- In a further five cases, the company failed to provide data subjects with the required information or only did so after the Berlin data protection officer had intervened.
- Seven fines amounting to EUR 21,300 were imposed on several restaurants for inadmissible video surveillance. While the amount seems relatively small – although it does adequately reflect the annual turnover of the respective businesses – video surveillance appears to be a key issue in DPAs' monitoring of data protection compliance in the hospitality sector.
Going forward, even small companies in the hospitality sector – such as the kebab shop next door – should be careful not to collect data from their customers without good reason. The strict requirements around use of video surveillance should be carefully examined in each individual case to avoid fines. Ill-considered surveillance of customers can quickly result in a fine. Data protection authorities have long since ceased to focus solely on the big players in the industry. The risk of fines for inadequate security measures is thus much higher. As such, a trend may be emerging showing that negligence in ensuring adequate technical and organisational measures is sanctioned particularly severely.