AP fines Booking.com €475,000

The Dutch data protection authority (‘AP’) announced, on 31 March 2021, its decision to fine Booking.com B.V. €475,000 for the late reporting of a data breach. In particular, the AP noted that Booking.com was notified of the data breach on 13 January 2019, but did not report it to the AP until 7 February 2019, 22 days after being made aware of the breach despite being required to notify the AP within 72 hours. In addition, the AP noted that as a result of the data breach, the personal data of more than 4,000 customers had been breached and that the individuals involved were also able to obtain the credit card details of nearly 300 Booking.com customers.

You can read the press release here and the decision here, both only available in Dutch.