Dutch Data Protection Authority: Booking.com now reports data leaks on time


Booking.com now reports data leaks on time, says the Dutch Data Protection Authority after a year of intensive supervision. In 2021, the platform was fined 475,000 euros because a data breach was reported too late. The company now complies with the rules, says the AP.

Under the GDPR, companies are obliged to report data leaks to European regulators within 72 hours, but in 2019 Booking.com did so only after three weeks. The company was fined for this in 2021. Because of that fine 'and because the company may subsequently have failed to report some data leaks in time', the Dutch Data Protection Authority introduced intensive supervision in 2023.

As part of that intensive supervision, Booking.com had to report on the measures it had taken to report data leaks in time. In addition, the company had to report on measures to prevent incidents, and the Authority checked whether Booking.com had wrongly failed to report 'certain incidents'. “During the period of intensified supervision, the company appeared to actually report all incidents that it had to report,” writes the Dutch Data Protection Authority.

In 2023, Booking.com reported 'various fraud cases'. In many of these, criminals were able to take over accounts of accommodations. Booking.com users were scammed again. For example, the criminals asked users via Booking.com's messaging system for payments, which went not to the accommodation but to the criminal. “Because of these types of incidents, the AP continues to closely monitor Booking.com.” The AP says that timely reports are important, 'so that the AP can advise where necessary'.