Hotel – €15,000 Fine (Croatia, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A data subject wanted to book accommodation at a hotel, the controller, which offered three options to do so on its website: through an external service provider, through a web form, and via e-mail; the last two allowed only a reservation to be made, without payment. When making a reservation via the web form, the data subject was requested to provide his name, surname, e-mail address, postal address and financial data, including the security number (CVC number) of his credit card. For a reservation via e-mail, it was necessary to submit the same information plus a copy of a valid ID document with a photo, which, according to the controller, was needed to prevent misuse of the credit card information by third parties. The data subject found no information about the lawful basis for the processing, nor any other relevant information about how his personal data was processed, and filed a complaint with the AZOP. The AZOP found that the hotel's terms and conditions made no mention of a legal basis under Article 6(1) GDPR for processing the CVC number of the data subject's credit card and a copy of his identity document, making such processing unlawful. The AZOP further specified that processing such data was excessive, as it could not be considered necessary for the purpose for which it was collected, namely merely making a hotel reservation. On top of that, the controller did not provide information in a clear and transparent way about the processing of personal data for the purpose of booking accommodation via its web form and via e-mail, contrary to Article 13(1) GDPR and Article 13(2) GDPR. Further, the AZOP held that the controller failed to adopt appropriate technical and organizational measures to ensure an adequate level of security of processing. Among other things, the controller did not encrypt the collected personal data, nor did it implement any processes for regular testing,
GDPR Articles Cited
Article 6(1) GDPR (lawful basis for processing the CVC number and the copy of the identity document)
Article 13(1) GDPR and Article 13(2) GDPR (information to be provided when personal data is collected)
Details
Fine Date: 1 September 2023
Authority: Agencija za zaštitu osobnih podataka
Fine Amount: €15,000
Enforcement Tracker ID: ETid-2060
GDPRhub ID: gdprhub-6425
Cite as: Cookie Fines. Hotel - Croatia (2023). Retrieved from cookiefines.eu