Hotel – €15,000 Fine (Croatia, 2023)

€15,000 | Agencija za zaštitu osobnih podataka | 1 September 2023 | Croatia
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

A hotel in Croatia was fined EUR 15,000 for improperly collecting personal information from guests. This ruling is significant because it shows that businesses must be clear about how they use personal data and cannot ask for excessive information.

What happened

The hotel collected unnecessary personal information, like credit card security numbers and ID copies, without a valid legal basis.

Who was affected

Guests who tried to book accommodations at the hotel.

What the authority found

The Croatian DPA ruled that the hotel did not have a legal basis for processing sensitive personal data and failed to provide clear information about data usage.

Why this matters

This case sets a precedent that businesses must limit data collection to what is necessary and be transparent about their data practices. Hotels and similar businesses should review their data collection methods to avoid similar issues.

GDPR Articles Cited

AI-verified

Art. 7 GDPR
Art. 8 GDPR
Art. 6(1) GDPR
Art. 13(1) GDPR
Art. 13(2) GDPR
Art. 32(1) GDPR
Art. 32(4) GDPR
Art. 38(6) GDPR

Source verified 13 March 2026
articles corrected
Full Legal Summary

A data subject wanted to book accommodation in a hotel, the controller, which offered three options to do so on its website: through an external service provider, through a web form and via e-mail, the last two allowing only a reservation to be made, not a payment. When making a reservation via the web form, the data subject was requested to provide his name, surname, e-mail address, address and financial data including his credit card security number (CVC number). For a reservation via e-mail, on the other hand, it was necessary to submit the same information and also a copy of a valid ID document with a photo, which, according to the controller, was necessary in order to prevent misuse of the credit card information by third parties. The data subject found no information regarding the lawful basis for processing, nor any other relevant information about the way in which his personal data was processed, and filed a complaint with the AZOP.

The AZOP found that the hotel's terms and conditions made no mention of a legal basis under Article 6(1) GDPR that allowed for the processing of the CVC number of the data subject's credit card and the copy of his personal document, making such processing unlawful. Further, the AZOP specified that processing of such data was excessive, as it could not be considered necessary for the purposes for which the data was collected, namely merely making a hotel reservation. On top of that, the controller did not provide information in a clear and transparent way about the processing of personal data for purposes of booking accommodation via its web form and via e-mail, acting contrary to Article 13(1) GDPR and Article 13(2) GDPR.

Further, the AZOP held that the controller failed to adopt appropriate technical and organizational measures in order to ensure an adequate level of security of processing. Among others, the controller did not encrypt the collected personal data nor did it implement any processes for regular testing,

Details

Fine Date

1 September 2023

Authority

Agencija za zaštitu osobnih podataka

Fine Amount

€15,000

GDPRhub ID

gdprhub-6425

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Hotel - Croatia (2023). Retrieved from cookiefines.eu
