Every month, the data protection supervisory authorities impose fines for violations of the General Data Protection Regulation (GDPR). Below you will find two current examples.
1 - Late notification of a serious data breach
Authority: Autoriteit Persoonsgegevens (Netherlands)
Industry: Travel industry
Infringement: Art. 33 (1) GDPR
Fine: 475,000 euros
The incident occurred in December 2018 at the online travel portal booking.com. A group of criminals managed to steal data records (name, address, phone number, booking details) of a total of 4,109 customers. In 97 of these cases the stolen data also included credit card information and the associated security codes.
The attackers contacted many of the affected customers and tried to induce them to make payments.
The data breach was brought to booking.com's attention on 01/13/2019, but was not reported to the supervisory authority until 02/07/2021.
2 - Negligent breach of accountability under data protection law
Authority: The State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg
Industry: Sports / Football
Infringement: Art. 5 (2) GDPR
Fine: 300,000 euros
Senior employees of the controller had repeatedly passed membership data (including mobile phone numbers and e-mail addresses) to third parties. The association had handed this data over on a large scale to a PR agency so that it could campaign for certain votes within the association.