Dutch DPA fines Transavia for poor personal data security

Nov 12, 2021

Source: European Data Protection Board

Background information

Date of final decision: 23 September 2021
Cross-border case or national case: cross-border case
If cross-border, LSA: Netherlands
and CSAs: Ireland, France, Belgium, Denmark, Poland, Cyprus, Italy, Baden-Württemberg, Austria, Finland, Sweden, Slovakia, Hungary, Berlin, Bavaria private sector, Norway, Rineland Palatinate, Spain, Portugal, Croatia, Iceland, Slovenia
Controller: Transavia Airlines C.V.  
Legal Reference: Security of processing. Article 32 (1) and (2)
Decision: Infringement of the GDPR, administrative fine
Key words: Security of processing, data security breach

Summary of the Decision

Origin of the case

The Dutch DPA started this investigation after a data breach notification by Transavia.

Key Findings

Due to poor security of personal data, a hacker was able to break into Transavia’s systems, in which he could have potentially had access to the data of 25 million passengers. It has been determined that the hacker actually downloaded the personal data of 83,000 people. The hacker broke into Transavia’s systems in September 2019 using two of the company’s IT department accounts. There were three security flaws that made it simple for the hacker to do this:

The password was easy to guess.
Only the password was needed to enter the system. There was no multi-factor authentication in place.
Once the hacker had control over the two accounts, he also had access to multiple Transavia systems. This is because the access rights connected to these accounts were not restricted to necessary systems only.


The Dutch DPA has fined Transavia €400,000.

For further information: Dutch DPA fines Transavia for poor personal data security



The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.

Recent news

EDPB launches first coordinated action

Following the EDPB’s decision to set up a Coordinated Enforcement Framework in October 2020, the EDPB has now decided to launch the proposal for its first coordinated action on the use of Cloud based services by the public sector. In a coordinated action, the EDPB...

read more

EDPB adopts opinion on draft South Korea Adequacy Decision

The EDPB adopted its opinion on the European Commission’s draft adequacy decision for the Republic of Korea. The EDPB focused on general GDPR aspects and access by public authorities to personal data transferred from the European Economic Area (EEA) to the Republic of...

read more

EDPB establishes cookie banner taskforce

During its latest plenary, the EDPB decided to set up a taskforce to coordinate the response to complaints concerning cookie banners filed with several EEA SAs by NOYB. This taskforce was established in accordance with Art. 70 (1) (u) GDPR and aims to promote...

read more