Hotel – €15,000 Fine (Croatia, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A hotel was fined €15,000 for asking guests for excessive personal information when booking accommodations. This is significant because it shows that businesses must only collect data that is necessary for their services. It reminds hotels to be careful about the information they request from customers.
What happened
The hotel requested unnecessary personal information, including credit card security numbers and copies of ID documents, for reservations.
Who was affected
Guests who attempted to book accommodations at the hotel.
What the authority found
The authority ruled that the hotel did not have a lawful basis for processing sensitive personal data and failed to provide clear information about data handling.
Why this matters
This case underscores the importance of data minimization and transparency in data collection practices. Hotels and other businesses should review their data collection policies to ensure compliance.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
The Croatian DPA (AZOP) has imposed a fine of EUR 15,000 on a hotel. The hotel was collecting personal data from guests in excess of what would have been necessary for the purpose of booking a hotel room and without a valid legal basis. Specifically, the hotel collected the CVC number of guests' credit cards and copies of their identification documents. The hotel also failed to provide clear and transparent information to guests on the collection and use of their data. The hotel claimed it collected the CVC numbers of credit cards and even copies of personal identification documents, when the booking was made via email, in order to prevent misuse of the credit cards. The booking was possible via third party platforms and the hotel’s email and web form. The booking via email and web form enables solely booking, but not payment. Regardless of this, the hotel still requested provision of financial data (information on the credit card and CVC number). Taking into consideration that the booking was possible without provision of the CVC number, AZOP found that the hotel did not have a legal basis for processing of such data. The hotel also failed to provide clear and transparent information to guests on the collection and use of their data. Neither the hotel's general terms and conditions nor the form of consent for use of personal data provided sufficient information on the circumstances of processing. In addition, the hotel did not undertake adequate technical and organisational measures, e.g. encryption of data. Finally, by appointing the hotel manager as the data protection officer, the controller violated the provisions of Art. 38 (6) GDPR. Although the data protection officer may also perform other tasks and duties, the controller must ensure that such tasks and duties do not lead to a conflict of interest. Accordingly, the controller should have been aware that there is a conflict of interest in relation to the tasks and duties that the hotel manager performs. It is clear
Details
Fine Date: 26 September 2023
Authority: Agencija za zaštitu osobnih podataka
Fine Amount: €15,000
Enforcement Tracker ID: ETid-2060
About this data
Cite as: Cookie Fines. Hotel - Croatia (2023). Retrieved from cookiefines.eu