The Information Commissioner’s Office (ICO) has said it will be fining Marriott International £99,200,395 under GDPR for data breaches.
The fine is due to an incident in November 2018, which Marriott notified the ICO about. Around 339 million guest records were exposed. Around 30 million of the contacts were from 31 countries in the European Economic Area, and seven million of those were contacts of UK residents.
Elizabeth Denham, information commissioner at the ICO, said: “The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.
“Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”
Following the announcement of the ICO’s intention to fine Marriott International, the hotel chain will now have the opportunity to present what it has done to strengthen security.
This is the second GDPR-related fine this week. British Airways was fined £183,390,000 for compromising the personal data of 500,000 customers.