PILLOW HOTELS, S.L. – €4,200 Fine (Spain, 2024)

€4,200Agencia Española de Protección de Datos30 May 2024Spain
reduced
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

PILLOW HOTELS, S.L. was fined €4,200 after a guest received a fraudulent message asking for credit card details. The hotel failed to protect its customers from such scams and did not report the incidents. This case shows that businesses must take cybersecurity seriously to protect their customers.

What happened

A guest at PILLOW HOTELS received a phishing message asking for credit card information before their stay.

Who was affected

The hotel guest who was targeted by the fraudulent message.

What the authority found

The Spanish DPA found that PILLOW HOTELS did not implement proper security measures to prevent fraud and failed to report data breaches.

Why this matters

This ruling underscores the need for hotels and similar businesses to strengthen their security measures. It serves as a warning that neglecting cybersecurity can lead to fines and damage to reputation.

GDPR Articles Cited

AI-verified

Art. 5(1)(f) GDPR
Art. 32(1) GDPR
Art. 33(1) GDPR
View original scraped data
Art. 5(1) f) GDPR
Art. 32(1) GDPR
Art. 33(1) GDPR

Original data from scraper before AI verification against source document.

Source verified 15 March 2026
national law identified
Spain enforcementAgencia Española de Protección de Datos actionsAll PILLOW HOTELS, S.L. actions
Full Legal Summary
Detailed

The Spanish DPA has imposed a fine on PILLOW HOTELS, S.L.. A person had filed a complaint with the DPA. The individual had made a booking for an overnight stay with the controller via booking.com. A few days before the trip, they received a WhatsApp message from a person claiming to be the director of the hotel, addressing them by name and asking them to confirm the booking by referring to a fraudulent link to enter their credit card details. The data subject contacted the hotel to confirm the fraud and learned that similar cases were already known. During its investigation, the DPA found that the controller had failed to implement appropriate technical and organizational measures to prevent such fraud incidents. The DPA also found that the controller had failed to report these data breaches. The original fine of EUR 7,000 was reduced to EUR 4,200 upon admission of responsibility and voluntary payment.

Related Enforcement Actions (0)

No other enforcement actions found for PILLOW HOTELS, S.L. in ES

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

30 May 2024

Authority

Agencia Española de Protección de Datos

Fine Amount

€4,200

Enforcement Tracker ID

ETid-2349

Sources

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. PILLOW HOTELS, S.L. - Spain (2024). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: