Dutch Issue GDPR Fines for Breach Notice That Came 22 Days Late

The fines provided for in the European Union's General Data Protection Regulation (GDPR) are being imposed on companies. This week the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) imposed a €475,000 fine on Booking.com. See this press release on the DPA's site.


The popular online hotel reservation service was fined for waiting until February 7, 2019 to report a data breach it discovered on January 13, 2019. Article 33 of the GDPR requires a supervisory authority to be notified of a data breach within 72 hours of its discovery. The breach involved credit card information for 300 individuals, and other personal data for 4,000 individuals.


The Dutch DPA has an online form businesses can use to report data breaches. The form includes a timeline section that requires the date the breach was discovered, and specifically directs that an explanation be given when a breach is reported more than 72 hours after notice of it was first obtained.



The form also requires the reporting of the following information:

  • A contact person to provide ongoing information about the breach to the DPA.

  • The types of information compromised, including Citizen Service Numbers, biometric data, genetic data, access data, and health information.

  • Which part of the data was encrypted.

  • Whether unauthorized persons gained access to the data.

  • Whether inaccurate data was disclosed.

  • Whether essential services cannot be provided to data subjects.