
Data Protection Update: Marriott Fined

  • 9 November 2020
  • 25 November 2021
  • Well Studio

Ann-Maree Blake, Data Protection and Corporate Partner

The Information Commissioner’s Office (ICO) has fined Marriott International Inc (Marriott) £18.4 million for breaching its data security obligations under the GDPR. The fine actually imposed is a significant reduction on the £99,200,396 million the ICO announced it intended to fine Marriott back in July. Before setting the final penalty, the ICO considered representations from Marriott, the steps Marriott took to mitigate the effects of the incident and the economic impact of COVID-19 on its business.

The fine imposed by the ICO demonstrates the importance of carrying out thorough due diligence when making a corporate acquisition and, in particular, of ensuring that the due diligence exercise includes an assessment of how personal data is protected.

The breaches left about 339 million guest records worldwide exposed to a cyber-attack on Starwood Hotels and Resorts Worldwide Inc’s (Starwood) reservation database in 2014. Marriott acquired Starwood in 2016, but the exposure of customer data was only discovered in 2018, at which time Marriott notified the ICO and updated its systems.

Information Commissioner, Elizabeth Denham, said:

“Personal data is precious and businesses have to look after it. Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not.

When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.”

If you require any advice on Data Protection or GDPR matters, please get in touch with Ann-Maree Blake.

Please note – this article does not constitute legal advice.
