Fastbooking Hacking: How can you comply with the GDPR after the theft of hotel guest data?
Fastbooking, the AccorHotels subsidiary specializing in digital hotel services, confirmed that it was the victim of a hacking attack in which booking data belonging to private individuals was stolen. Kyos legal expert Dashnim Murati explains the requirements that the GDPR imposes on hoteliers in the event of a data theft.
As you may be aware, the General Data Protection Regulation (GDPR) was approved by the European Parliament on 14 April 2016. Since 25 May 2018, the Regulation has applied directly to all players active in the European Union, and also to certain Swiss companies. The GDPR applies to them in particular when they process data of European citizens and insofar as that processing is linked to the supply of goods or services to such persons within the Union.
The GDPR imposes a series of obligations on any data controller subject to it. In particular, the controller is obliged to notify the competent supervisory authority of a personal data breach. The Regulation defines a breach as a security breach resulting in the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or unauthorised access to, personal data transmitted, stored or otherwise processed.
The notification must be made as soon as possible and, unless there is a justified reason for the delay, no later than 72 hours after the controller becomes aware of the breach. Where the controller engages a processor, such as an IT service provider, to process personal data on its behalf, the processor is likewise obliged to notify the controller, but not the supervisory authority, of any breach as soon as it becomes aware of it.
The notification to the competent supervisory authority must contain specific information. The controller is required to describe the personal data breach, including, where possible, the categories and approximate number of persons concerned and the categories and approximate number of personal data records concerned. It must also provide the name and contact details of the Data Protection Officer or another contact point from which additional information can be obtained, describe the likely consequences of the breach, and describe the measures taken or proposed to address it, including, where appropriate, measures to mitigate its possible adverse effects.
These steps, and compliance with the other obligations imposed by the GDPR, can be relatively burdensome for companies and are not always easy to implement, compounded by the fact that the penalties for non-compliance can be particularly severe.
That’s why Kyos accompanies you and helps you to comply with all these new rules.