Date of final decision: 16 December 2021
Cross-border case or national case: National case
Legal Reference: Integrity and confidentiality (Art. 5(1)(f)), data protection by design and by default (Art. 25(1)), security of processing (Art. 32(1) and Art. 32(2)), right to erasure (Art. 17(1))
Decision: Administrative fine and reprimand
Key words: security of processing, right to erasure, right to be forgotten
Summary of the Decision
Origin of the case
A customer of the travel agency told the Office of the Data Protection Ombudsman of suspicions that the travel agency was not processing the data on the electronic visa order form in compliance with data protection regulations. The customer had also requested the travel agency to erase their data from the system, but the company had not fulfilled the customer's request.
The travel agency has used an unencrypted network connection for its visa application forms and stored personal data on a public web server. The information entered on the form was saved as a PDF file in the web server's files folder that was open to access from the internet.
The information entered on the forms included the customer's name, contact details and passport number. The Data Protection Ombudsman emphasises that, when connected to other information, the passport number in particular poses a risk.
The Data Protection Ombudsman finds that the travel agency has neglected its duty to protect the data appropriately and process it securely. The company also violated its obligation to fulfil the data subject’s request to have their data erased.
The Sanctions Board of the Office of the Data Protection Ombudsman imposed an administrative fine of 6,500 euros on the small travel industry group that the travel agency is considered a part of.
For further information:
- Administrative fine imposed on travel agency for data protection violations (27 January 2022)
- Decisions of the Data Protection Ombudsman and Sanctions Board in Finlex (in Finnish)
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.