FineME
Technology · cybersecurity · 2020

Booking.com B.V.

Booking.com failed to notify the AP of a personal data breach within the 72-hour window required by GDPR Art. 33, reporting it more than three weeks (22 days) after becoming aware of it. In December 2018, criminals tricked employees of Booking.com's partner hotels into giving up their account credentials and used those accounts to access the reservation data of roughly 4,100 customers, including payment card details for several hundred of them. Booking.com learned of the breach in mid-January 2019 but its internal escalation procedures did not trigger a timely report to the regulator; the AP also found that affected customers were not informed promptly (GDPR Art. 34).

Fine imposed: €475,000
Authority: Autoriteit Persoonsgegevens (AP, the Dutch Data Protection Authority)

Enforcement style: balanced
Average investigation length: 18 months
Regulation: Algemene Verordening Gegevensbescherming (AVG), the Dutch-language name of the GDPR itself; the Dutch implementing act is the Uitvoeringswet AVG (UAVG)

Maximum fine: €20M or 4% of global annual turnover, whichever is higher (Art. 83(5), upper tier); €10M or 2% (Art. 83(4), lower tier). Breach-notification failures under Art. 33 fall in the lower tier.
Status: active
Key Takeaways
  • The 72-hour notification clock starts when the controller becomes aware of the breach (Art. 33(1)), not when its investigation finishes. Organisations must notify the supervisory authority promptly with the information available at the time and may supply further details in phases (Art. 33(4)); a late notification is itself a sanctionable infringement, separate from the security failure that caused the breach.
  • Internal escalation procedures must route security incidents to the people responsible for regulatory reporting quickly enough that the 72-hour deadline can be met; an incident handled only at the operational level, as here, leaves the organisation "aware" for legal purposes while nobody reports.
  • Where a breach is likely to result in a high risk to individuals, such as exposure of payment card data, affected customers must also be informed without undue delay (Art. 34).