Commercial prospecting and rights of individuals: ACCOR fined 600,000 euros
The CNIL imposed an administrative fine of 600,000 euros on the company ACCOR, in particular for having carried out commercial prospecting without the consent of the individuals concerned and for not having respected the rights of customers and prospects.
The context
The CNIL and several other European data protection authorities have received complaints about difficulties encountered by individuals in exercising their rights with ACCOR, a French hotel group.
The investigations carried out by the CNIL revealed that when an individual made a reservation directly with the staff of a hotel or on the website of one of the ACCOR group's hotel brands, they were automatically sent a newsletter containing commercial offers from partners, as the box relating to consent to receive the newsletter was pre-ticked by default.
The CNIL also noted that technical anomalies, which recurred over several weeks, prevented a significant number of people from effectively objecting to the receipt of prospecting messages.
As the processing operations in question are carried out in many countries of the European Union, the CNIL submitted a draft decision to the data protection authorities concerned. As one of these authorities disagreed with the draft decision, the matter was referred to the European Data Protection Board (EDPB) for a ruling on the dispute. As a result of this procedure, the EDPB ordered the CNIL to reconsider the amount of the fine and to increase it so that the measure taken would be more dissuasive.
The restricted committee (the CNIL body responsible for imposing sanctions) therefore issued a fine of 600,000 euros on ACCOR and decided to make it public.
The CNIL especially took account of the number of alleged breaches by the company, the fact that these breaches concerned several fundamental principles of personal data protection and that they constituted a substantial infringement of individuals' rights, the number of individuals concerned and the financial situation of the company.
Sanctioned breaches
The CNIL found ACCOR to be in breach of French law and observed four breaches of the GDPR that were subjected to the European cooperation:
- A failure to comply with the obligation to obtain the consent of the data subject to process their data for commercial prospecting purposes (Article L. 34-5 of the French Post and Electronic Communications Code).
- A failure to comply with the obligation to inform individuals (Art. 12 and 13 of the GDPR): the company did not provide data subjects with the necessary information in an accessible manner when creating a customer account or when joining the ACCOR group's loyalty program. Nor did the company mention consent as the legal basis for prospecting to promote third party products or services.
- A failure to respect the right of access of individuals to their data (Art. 12 and 15 of the GDPR), as the company did not respond to the requests of a complainant on time.
- A failure to respect the right to object (Art. 12 and 21 of the GDPR), as the company did not take into account the complainants' requests that no more commercial prospecting messages be sent to them, due to malfunctions.
- A failure to ensure the security of personal data (Art. 32 of the GDPR), as the company allowed the use of insufficiently strong passwords. The CNIL also reproached the company for having invited a person to send her identity document by e-mail, without the data in question being encrypted.
The company complied with all the infringements identified during the procedure.
The deliberation [in French]
Official texts
- Article L. 34-5 of the French Post and Electronic Communications Code (commercial prospecting) [in French] - Légifrance
- Article 12 of the RGPD (rights of the data subject) - Eur-lex
- Article 13 of the GDPR (information to be provided when personal data are collected from the data subject) - Eur-lex
- Article 15 of the GDPR (data subject's right of access) - Eur-lex
- Article 21 of the GDPR (right to object) - Eur-lex
- Article 32 of the GDPR (security of processing) - Eur-lex