Dutch SA fines Booking.com for delay in reporting data breach

Background information

  • Date of final decision: 10 December 2020

  • Cross-border case or national case: cross-border case 66777 (Article 60 Case register)

  • If cross-border, LSA: Netherlands

  • and CSAs: Belgium, France, Sweden, Portugal, Denmark, Germany, Poland, United Kingdom, Italy, Romania, Spain, Hungary, Austria, Bulgaria, Estonia, Ireland, Lithuania, Croatia, Cyprus, Latvia, Luxembourg, Malta, Slovenia, Slovakia, Finland and Czech Republic          

  • Controller: Booking.com     

  • Legal Reference: Notification personal data breach to supervisory authority, article 33 (1)

  • Decision: Infringement of the GDPR, administrative fine

  • Key words: Data breach, delayed notification


Summary of the Decision


Origin of the case

In a telephone scam targeting 40 hotels in the United Arab Emirates in December 2018, criminals persuaded hotel staff to reveal the log-in details for their accounts in a Booking.com system. In this way, the criminals gained access to the data of 4,109 people who had booked a hotel room in the UAE. The data included their names, addresses and telephone numbers, as well as details of their booking.

The criminals were also able to access the credit card information of 283 people. In 97 cases, the credit card security code was obtained as well. The criminals also tried to get hold of the credit card information of other victims, by posing as Booking.com staff in emails or on the telephone.


Key Findings

Booking.com was informed of the data breach on 13 January 2019, but did not report it to  Supervisory Authority (SA) until 7 February, which is 22 days too late: data breaches must be reported within 72 hours. On 4 February 2019, Booking.com informed the affected customers of the breach. The company also took other measures to limit the damage, such as offering to compensate any losses.



The Dutch Supervisory Authority (SA) has imposed a €475,000 fine on Booking.com because the company took too long to report a data breach to the SA.

For further information: decision in national language (NL)

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.