„ROBINSON-TOURS” Tourism and Service Ltd. – €51,250 Fine (Hungary, 2020)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A Hungarian travel agency was fined over €51,000 for failing to protect customer data. Personal information was exposed online due to poor security measures. This case highlights the importance of strong data protection practices for businesses handling sensitive information.
What happened
Robinson-Tours exposed customer data online due to inadequate security measures, leading to a significant fine.
Who was affected
The data breach affected 781 customers of Robinson-Tours, whose personal information was exposed online.
What the authority found
The authority found that Robinson-Tours and its partner failed to implement necessary security measures, violating GDPR's data protection requirements.
Why this matters
This case underscores the need for businesses to adopt robust security measures to protect customer data. It serves as a warning that inadequate data protection can lead to severe penalties.
While browsing the Internet, a complainant typed his father's name into Google search and, through one of the results, was able to open a database without any authorization check. The DPA initiated an investigation. It concluded that the database contained personal data of clients of the travel agency Robinson-Tours, such as names, dates of booking, reservation status, addresses, ID card details, passport numbers with dates of issue and expiry, and the date of conclusion of the travel contract. On the website, it was also possible to filter people by destination and date. In some cases, it was possible to upload a passport photo or freely download individual customers' travel contracts.
As it turned out during the investigation, Robinson-Tours had engaged Next Time Media Agency as a data processor tasked with implementing appropriate security measures: firewall, anti-virus, multi-level authentication and access control, use of strong passwords with forced password changes, and daily backup. The exposed data came from a test database that was filled with the data of 781 real customers. The data were available to anyone from November 13, 2019 to February 4, 2020. The controller did not communicate the data breach to the data subjects. It did not carry out regular checks for security risks.
What constitutes appropriate technical and organizational measures to ensure data protection by design and by default (Article 25 GDPR)?
The DPA held that Robinson-Tours and Next Time Media Agency did not implement appropriate technical and organisational measures to ensure the security of the personal data of their customers. Hence, they failed to comply with the provisions of Article 25 GDPR, which introduces the principle of data protection by design and by default. Robinson-Tours and Next Time Media Agency were fined 20,000,000 HUF and 500,000 HUF respectively.
Related Enforcement Actions (0)
No other enforcement actions found for „ROBINSON-TOURS” Tourism and Service Ltd. in HU
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
9 December 2020
Authority
Nemzeti Adatvédelmi és Információszabadság Hatóság
Fine Amount
€51,250
20,500,000 HUF
GDPRhub ID
gdprhub-2998
Cite as: Cookie Fines. „ROBINSON-TOURS” Tourism and Service Ltd. - Hungary (2020). Retrieved from cookiefines.eu