Details:
Summary | The French DPA (CNIL) has imposed a fine of EUR 600,000 on ACCOR SA.
Both CNIL and other European DPAS had received complaints against ACCOR from several individuals. In the course of its investigation, CNIL found that hotel guests who made a booking directly with the hotel or on one of the hotel group’s websites automatically became recipients of an advertising newsletter as the box for consent to receive the newsletter was pre-ticked. In addition, the CNIL found that due to technical problems, many individuals were unable to opt-out of receiving the promotional emails. In this context, CNIL found that ACCOR had not sufficiently informed data subjects about the processing of their personal data in the context of promotional messages and thus violated Art. 12 GDPR and Art. 13 GDPR. Further, ACCOR had failed to respond to data subjects’ requests for access to personal data in a timely manner, and thus the CNIL found a violation of Art. 12 GDPR and Art. 15 GDPR. The company had also failed to comply with the data subjects’ right to object due to the technical problems. The CNIL therefore found a violation of Art. 12 GDPR and Art. 21 GDPR. Finally, the CNIL found a violation of Art. 32 GDPR because ACCOR allowed the use of passwords that were not sufficiently secure. In imposing the fine, CNIL considered aggravatingly that the violations affected several fundamental principles of personal data protection and constituted a fundamental infringement of the rights of the data subjects, as well as the number of data subjects involved. |
Link: | link link |
Related articles: | Art. 12 GDPR, Art. 13 GDPR, Art. 15 GDPR, Art. 21 GDPR, Art. 32 GDPR, L. 34-5 CPCE |
Type: | Insufficient fulfilment of data subjects rights |
Fine: | EUR 600,000 |
Sector | Accomodation and Hospitalty |
All data is based on The CMS’s Law GDPR Enforcement Tracker Source: https://www.enforcementtracker.com/