The CNIL has accused the ACCOR group of the following breaches:
- Lack of consent from individuals for commercial prospecting: a pre-checked box, presented to individuals reserving a hotel room, by which they would agree to receive commercial prospecting emails about partner companies' offers does not constitute valid consent under the GDPR. For reference, commercial prospecting by email is exempt from the obligation to obtain consent only when it relates to services and products provided by the same company. Consequently, if the emails promote services and products provided by third-party partner companies, consent must be obtained from the individuals concerned.
- Lack of consent from individuals creating a customer area for commercial prospecting: the CNIL considers that creating a customer area without a prior reservation does not make the persons concerned customers; the collection of their consent to receive commercial prospecting is therefore necessary and mandatory.
- Lack of information on personal data processing in accordance with Articles 12 and 13 of the GDPR: no information notice was provided when a customer account was created or when a person enrolled in the loyalty program.
- No response within one month of a request to exercise rights.
- Failure to honor individuals' right to object (right of opposition): the CNIL noted various malfunctions of unsubscribe links and the mishandling of several objection requests.
- Failure to comply with the obligation to ensure the security of personal data: the CNIL criticized the company for not implementing a sufficiently robust password policy for access to the internal newsletter management software. Furthermore, when fraudulent access to a customer account was suspected, the only way to unlock the account was for the person to send a copy of their identity card to the company by email. The CNIL criticized the company for requesting this document by plain email, without the data being encrypted.
Since then, the company has remedied all of these violations.
What should be taken away from this CNIL decision?
- Ensure that consent is collected from individuals for commercial prospecting purposes in accordance with Article L. 34-5 of the Code of Posts and Electronic Communications, and never by means of a pre-checked box!
- Inform the individuals in accordance with Articles 12 and 13 of the GDPR and ensure that the information is provided in a clear and accessible manner.
- Do not underestimate a request to exercise rights, in particular a request for access or objection; failing to consider or respond to such requests may trigger an investigation by the CNIL or any other DPA. Also pay attention to the management of unsubscribe links: malfunctions there can be the source of dissatisfaction and of complaints to the CNIL or the competent DPA.
- Give the highest importance to the security of personal data (Article 32 of the GDPR), in particular regarding the robustness of passwords and, where copies of identity cards are transmitted, ensure that these data are encrypted.