Administrative fine imposed on travel agency for data protection violations
The Office of the Data Protection Ombudsman has imposed an administrative fine on a travel agency for violating the General Data Protection Regulation. There were particular shortcomings in the company’s operations in the areas of secure data processing and realising the rights of the data subject. Among other things, the travel agency has used an unencrypted network connection for its visa application forms and stored personal data on a public web server.
A customer of the travel agency told the Office of the Data Protection Ombudsman of suspicions that the travel agency was not processing the data on the electronic visa order form in compliance with data protection regulations. The customer had also requested the travel agency to erase their data from the system, but the company had not fulfilled the customer's request.
Shortcomings in the security of personal data processing
The company’s website and electronic visa application form have been accessed via an unencrypted network connection. Furthermore, the information entered on the form was saved as a PDF file in a "files" folder on the web server that was openly accessible from the internet.
The information entered on the forms included the customer's name, contact details and passport number. The Data Protection Ombudsman emphasises that, when connected to other information, the passport number in particular poses a risk.
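The two shortcomings described above (an unencrypted connection and form PDFs stored in an internet-accessible folder) map directly onto web server configuration. The following is an added illustration, not part of the decision or the agency's actual setup: it shows the weak configuration beside a corrected one for nginx, assuming a hypothetical document root of /var/www/agency, a hypothetical folder name files/, and placeholder certificate paths.

```nginx
# Weak: plain HTTP serves everything under the document root, including
# the PDFs the form handler writes to files/ (the situation described above).
server {
    listen 80;
    server_name example.invalid;   # placeholder hostname
    root /var/www/agency;          # assumed document root
}

# Corrected: redirect HTTP to HTTPS, serve the site only over TLS, and refuse
# to serve the folder where the form handler writes PDFs. Better still, change
# the handler to write outside the document root (e.g. /var/lib/agency/forms/)
# so the files are never reachable through the web server at all.
server {
    listen 80;
    server_name example.invalid;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.invalid;
    root /var/www/agency;
    ssl_certificate     /etc/ssl/certs/example.invalid.pem;    # placeholder path
    ssl_certificate_key /etc/ssl/private/example.invalid.key;  # placeholder path
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Never serve the folder that holds submitted form data.
    location ^~ /files/ {
        return 404;
    }
}
```

A quick check after deploying such a change is to request a known stored file path over both http:// and https:// and confirm the first redirects and the second returns 404.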
The Data Protection Ombudsman finds that the travel agency has neglected its duty to protect the data appropriately and process it securely. The company also violated its obligation to fulfil the data subject’s request to have their data erased.
In December 2021, the Sanctions Board of the Office of the Data Protection Ombudsman imposed an administrative fine of 6,500 euros on the small travel industry group that the travel agency is considered a part of.
The decisions are not yet final.
Data Protection Ombudsman Anu Talus, anu.talus(at)om.fi, tel. +358 29 566 676
The decision-making of the sanctions board and legal protection of controllers are provided for in the Finnish Data Protection Act. The sanctions board is made up of the Data Protection Ombudsman and two Deputy Data Protection Ombudsmen, and it has the power to impose administrative fines for violations of data protection legislation. The maximum amount of the administrative fine is four percent of the company’s turnover or EUR 20 million.