France: CNIL fines Accor €600,000 for various direct marketing violations
The French data protection authority ('CNIL') announced, on 17 August 2022, that it had issued, on 3 August 2022, Deliberation of CNIL's Restricted Committee No. SAN-2022-017, in which it imposed a fine of €600,000 on Accor SA for violations of Articles 12, 13, 15, 21, and 32 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and Article L. 34-5 of the Postal and Electronic Communications Code (last amended in 2016), following complaints received by various European data protection authorities.
Background to the case
In particular, CNIL outlined that it and various other European data protection authorities had received complaints regarding challenges encountered when exercising data subject rights with Accor, a hotel company.
Findings of CNIL
During the course of its investigation, CNIL determined that individuals making a reservation directly with Accor, or with one of the brands within its group, were automatically added to the list of recipients of a newsletter containing commercial offers, on the basis of a pre-ticked box consenting to the same. Furthermore, CNIL discovered that technical issues prevented individuals from exercising their right to object to the receipt of direct marketing messages.
More specifically, CNIL found Accor responsible for the following violations:
- failure to comply with the obligation to obtain the consent of the data subject to process personal data for direct marketing purposes, according to Article L. 34-5 of the Code;
- failure to provide data subjects with the necessary information when creating a customer account, or to mention consent as the legal basis for processing personal data for direct marketing purposes, violating Articles 12 and 13 of the GDPR;
- failure to respond to data subject access requests within the required timeframes, violating Articles 12 and 15 of the GDPR;
- failure to respect data subject requests to object to direct marketing communications, violating Articles 12 and 21 of the GDPR; and
- failure to ensure the security of personal data, as it allowed the use of insecure passwords, violating Article 32 of the GDPR.
Consequently, CNIL submitted a draft decision to the relevant European data protection authorities, to which the European Data Protection Board ('EDPB') responded that the size of the fine should be increased. In light of this, CNIL imposed the aforementioned fine of €600,000 on Accor.
Lastly, CNIL confirmed that Accor has complied with the aforementioned requirements as part of the enforcement procedure.