Romania: DPA fines hotel 15,000 EUR for not protecting list of breakfast guests

The operator of WORLD TRADE CENTER BUCHAREST SA was sanctioned with a fine in the amount of 71.028 lei, the equivalent of 15.000 euro.

The breach of personal data security was that a printed paper list used to check breakfast customers and containing personal data of 46 clients housed at the hotel’s WORLD TRADE CENTER BUCHAREST SA was photographed by unauthorized people outside the company, which led to the disclosure of the personal data of some clients through online publication.

The operator of WORLD TRADE CENTER BUCHAREST SA has been sanctioned because it has not taken steps to ensure that its employees who have access to personal data only process their application, according to the law.

(from 2016) – Lessons from living with high privacy fines (Spain)

The GDPR introduces some very high fines for violations, and for many countries in Europe this will be a major change. – In this context, it’s interesting to have a look at Spain, where the Data Protection Authority can already enforce  fines of up to 600,000 EUR since several years.

Ricard Martinez of the Spanish Data Protection Association APEP wrote a very interesting article on the challenges that come with high privacy fines.

My key take-aways from his post are:

  • The total annual amount of fines in Spain is between 15 to 20 mio EUR in the last decade.
  • The majority of the sanctioned companies are in the telecommunications, video surveillance, and financial industries. Their relative share stays about the same year by year. – So the high fines do not appear to be a crucial deterrent.
  • The legislator had to modulate the sanctions to balance the impact on small and medium enterprises. – It’s important that the DPAs harmonize around this before the GDPR becomes effective, as the overall effect might be unfair.
  • The volume of complaints is steadily increasing from year to year. This has an impact on the ability of the DPA to take actions:  The number of actual infringement statements is staying  constant.  – Any news on DPA actions seem to increase the volume of complaints further.

There’s much more information in Ricard Martinez’ post, and I encourage you to read more at