Finnish DPA: Administrative fine imposed on travel agency for data protection violations

8 February 2022

Background information

Date of final decision: 16 December 2021
Cross-border case or national case: National case
Legal Reference: Integrity and confidentiality (Art. 5(1)(f)), data protection by design and by default (Art. 25(1)), security of processing (Art. 32(1) and Art. 32(2)), right to erasure (Art. 17(1))
Decision: Administrative fine and reprimand
Key words: security of processing, right to erasure, right to be forgotten


Summary of the Decision

Origin of the case

A customer of the travel agency told the Office of the Data Protection Ombudsman of suspicions that the travel agency was not processing the data on the electronic visa order form in compliance with data protection regulations. The customer had also requested the travel agency to erase their data from the system, but the company had not fulfilled the customer's request.

Key Findings

There were shortcomings in the company’s operations in the areas of secure data processing and realising the rights of the data subject.

The travel agency has used an unencrypted network connection for its visa application forms and stored personal data on a public web server. The information entered on the form was saved as a PDF file in the web server's files folder that was open to access from the internet.

The information entered on the forms included the customer's name, contact details and passport number. The Data Protection Ombudsman emphasises that, when connected to other information, the passport number in particular poses a risk.

The Data Protection Ombudsman finds that the travel agency has neglected its duty to protect the data appropriately and process it securely. The company also violated its obligation to fulfil the data subject’s request to have their data erased.


The Sanctions Board of the Office of the Data Protection Ombudsman imposed an administrative fine of 6,500 euros on the small travel industry group that the travel agency is considered a part of.

For further information:

Press releases:


The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.