CNIL (France) - SAN-2022-017
| CNIL - SAN-2022-017 | |
|---|---|
| Authority: | CNIL (France) |
| Jurisdiction: | France |
| Relevant Law: | Article 12(1) GDPR; Article 12(3) GDPR; Article 13 GDPR; Article 15(1) GDPR; Article 21(2) GDPR; Article 32 GDPR; Article 55(1) GDPR; Article 83(1) GDPR; Article L34-5 CPCE |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 12.12.2018 |
| Decided: | 03.08.2022 |
| Published: | 17.08.2022 |
| Fine: | 600,000 EUR |
| Parties: | Accor |
| National Case Number/Name: | SAN-2022-017 |
| European Case Law Identifier: | n/a |
| Appeal: | Not appealed |
| Original Language(s): | French |
| Original Source: | CNIL (in FR) |
| Initial Contributor: | MW |
Following the EDPB's binding decision, the French DPA increased its fine against ACCOR from €100,000 to €600,000, notably for commercial prospecting without valid consent, failing to honour the GDPR rights of customers and prospects, and using weak passwords, in violation of Articles 12, 13, 15, 21 and 32 GDPR.
English Summary
Facts
The controller was Accor, a large multinational chain operating hotels in 110 countries. Between December 2018 and September 2019, the French DPA (Commission nationale de l'informatique et des libertés, CNIL) directly received five complaints concerning the controller's failure to honour data subjects' right to object to direct marketing by e-mail. The CNIL also received one complaint regarding difficulties encountered in exercising the right of access to personal banking data processed by the controller.
Ten other supervisory authorities declared themselves concerned by the CNIL's investigation, and the CNIL was also forwarded five additional complaints from the supervisory authorities of Saarland, Spain, Ireland, Poland and Lower Saxony. The controller's main establishment was determined to be in France, where more than half of its hotels in the European Union were located. As such, the CNIL was the lead supervisory authority under Article 56(1) GDPR.
On 24 February 2020, the CNIL conducted an online inspection of the controller's website. Users supplied their contact details, including their e-mail address, when registering an account with the controller. The registration form featured a pre-ticked box indicating consent to receive promotional material. In addition, data subjects were not provided with the controller's contact details, the purposes of the processing, its legal basis, the retention period, potential transfers, or the right to lodge a complaint under the GDPR, and the form carried no link to a privacy policy that might contain this information.
The controller had also failed to respond to an access request after locking a data subject's account for suspected fraudulent activity, even after the data subject had verified their identity.
Data subjects had also been unable to unsubscribe from direct marketing e-mails, as technical faults had prevented the e-mails' "unsubscribe" link from working. Several million people received these e-mails at valid addresses, though the CNIL's published decision redacts the exact number.
Access to the "Adobe Campaign" account used to manage these e-mail campaigns was protected by a password consisting of seven capital letters and one special character, although access was only possible from a terminal connected to the Accor network.
Holding
The DPA found that the controller had committed "substantial" infringements of data subjects' rights. By using a pre-ticked box to indicate consent to receive direct marketing e-mails, the controller had failed to obtain a "free, specific and informed" expression of consent before sending such marketing, in violation of Article L. 34-5 CPCE, France's transposition of Article 13 of the ePrivacy Directive.
The DPA held that the controller had violated Articles 12 and 13 GDPR by failing to provide information about the processing, or even a link to a privacy policy containing it, when collecting customers' personal data. It had also violated Articles 12 and 15 GDPR by not responding to a data subject's access request within one month of receipt.
Further, the DPA held that the controller had violated Articles 12 and 21 GDPR by not removing data subjects who had unsubscribed from its mailing list. Finally, the DPA held that the controller had violated Article 32 GDPR by protecting a massive volume of personal data with an eight-character password drawn from only two character classes, which does not ensure a sufficiently strong password.
In assessing the fine, the DPA took into account that the controller had suffered a 54% decline in turnover from 2019 to 2020 as a result of the COVID-19 pandemic. The controller had also cooperated fully with the DPA, remedying the infringements over the course of the investigation, and the DPA considered that some of the violations "were not of a structural nature". The DPA therefore held that a fine of €100,000 was sufficient.
However, the Polish DPA (Prezes Urzędu Ochrony Danych Osobowych, UODO) objected to the CNIL's draft decision, arguing that the fine, roughly 0.02% of the controller's estimated 2020 turnover, was too low to effectively deter other controllers from committing similar violations. The UODO wanted further information on the controller's turnover included in the draft decision, without which there was an insufficient basis on which to calculate a fine. On proportionality, it argued that the draft decision did not show that a higher fine would irretrievably jeopardise the controller's viability, and that what was required was "objective evidence that the imposition of the fine would irretrievably expose the viability of the company concerned and would result in the loss of all the value of its assets."
The CNIL did not implement the UODO's proposed changes, considering the proposed fine to be effective, proportionate and dissuasive under Article 83(1) GDPR, so the EDPB adopted a binding decision under Article 65 GDPR to settle the dispute. The EDPB instructed the CNIL to take into account only the controller's most recent turnover, disregarding the drop between 2019 and 2020 caused by the COVID-19 pandemic. It also found that, since the CNIL itself had called the controller's infringements "substantial", a fine representing 0.02% of the controller's estimated turnover was not dissuasive. As a fine that was neither deterrent nor dissuasive posed risks to the rights and freedoms of data subjects, the EDPB instructed the CNIL to reassess the proposed fine, taking into account the relevant turnover in particular.
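The Article 32 finding above turns on how small the search space of a short password drawn from two character classes is. The following Python script is an added example, not code from the CNIL decision or from Accor; it estimates the keyspace of a password from the character classes it actually uses, converts that into an expected brute-force time at an assumed offline guess rate (10^10 guesses per second, an assumption for illustration), and checks the password against a hypothetical policy (minimum length 12, at least three classes; thresholds chosen here, not taken from the decision). The sample password "AZERTYU!" is constructed to match the pattern described in the facts (seven capital letters and one special character) and is not the actual password.

```python
from __future__ import annotations

import math
import string

# Character classes an attacker would enumerate; the set sizes give the alphabet.
CLASSES = {
    "upper": set(string.ascii_uppercase),   # 26 symbols
    "lower": set(string.ascii_lowercase),   # 26 symbols
    "digit": set(string.digits),            # 10 symbols
    "special": set(string.punctuation),     # 32 symbols
}


def classes_used(password: str) -> set[str]:
    """Names of the character classes that actually appear in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def keyspace_bits(password: str) -> float:
    """Optimistic strength estimate: log2(alphabet ** length), the alphabet being the
    union of the classes used. Dictionary words and keyboard walks are weaker than
    this bound, so a low value here is conclusive; a high one is not."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def expected_crack_seconds(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected brute-force time: half the keyspace at an assumed offline guess rate
    (the 1e10/s default is an assumption for illustration, not a measurement)."""
    return 2 ** (bits - 1) / guesses_per_second


def check_policy(password: str, min_length: int = 12, min_classes: int = 3) -> list[str]:
    """Hypothetical password policy; returns the rules violated (empty list = accepted).
    The thresholds are illustrative defaults, not values from the decision."""
    failures = []
    if len(password) < min_length:
        failures.append(f"length {len(password)} is below the minimum of {min_length}")
    used = classes_used(password)
    if len(used) < min_classes:
        failures.append(f"only {len(used)} character class(es), minimum is {min_classes}")
    return failures


if __name__ == "__main__":
    # Constructed samples: the first matches the pattern in the decision
    # (7 capitals + 1 special character) and is not the real password.
    for pw in ("AZERTYU!", "Correct-Horse-7Battery"):
        bits = keyspace_bits(pw)
        print(f"{pw!r}: classes={sorted(classes_used(pw))} bits={bits:.1f} "
              f"crack~{expected_crack_seconds(bits) / 3600:.2f} h "
              f"policy={check_policy(pw) or 'OK'}")
```

Even under the optimistic bound the eight-character, two-class pattern comes out at roughly 47 bits, which a single offline cracking rig exhausts in hours. The restriction to terminals on the Accor network mentioned in the facts limits online guessing, but it does not protect a leaked password hash or constrain an insider, so it is a compensating control rather than a substitute for a password policy.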
Following the EDPB's decision, the CNIL revised its initial figure and ultimately fined the controller €600,000.
Further Resources
- The French DPA's press release (in English).
- The EDPB's binding decision under Article 65(1)(a) GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Deliberation of the restricted committee no. SAN-2022-017 of August 3, 2022 concerning the company ACCOR SA The National Commission for Computing and Liberties, meeting in its restricted formation composed of Mr. Alexandre LINDEN, Chairman, Mr. Philippe-Pierre CABOURDIN, vice-president, Mrs Christine MAUGÜE, Mr Alain DRU and Mr Bertrand du MARAIS, members; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 relating to the protection of personal data and the free movement of such data; Having regard to Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the sector electronic communications; Having regard to the postal and electronic communications code; Considering the law n 78-17 of January 6, 1978 relating to data processing, files and freedoms, in particular its articles 20 and following; y y Considering the decree n 2019-536 of May 29, 2019 taken for the application of the law n 78-17 of January 6 1978 relating to data processing, files and freedoms; Having regard to deliberation no. 2013-175 of July 4, 2013 adopting the internal regulations of the National Commission for Computing and Liberties; Having regard to referrals No […]; Having regard to decision no. 
2019-046C of February 18, 2019 of the President of the National Commission data processing and liberties to entrust the secretary general with carrying out or having carried out a mission to verify the processing implemented by ACCOR; Having regard to the decision of the President of the National Commission for Computing and Liberties appointing a rapporteur to the restricted committee, dated October 16, 2020; Having regard to the report of Mrs Sophie LAMBREMON, commissioner rapporteur, notified to the company ACCOR on November 24, 2020; Having regard to the written observations submitted by ACCOR on December 22, 2020; Having regard to the other documents in the file; Having regard to decision 01/2022 concerning the dispute relating to the draft decision of the supervisory authority concerning Accor SA pursuant to Article 65, paragraph 1, point a), of the GDPR; Were present at the restricted training session of January 28, 2021: - Mrs. Sophie LAMBREMON, commissioner, heard in her report; As representatives of ACCOR: FRENCH REPUBLIC 3 Place de Fontenoy, TSA 80715 – 75334 PARIS CEDEX 07 – 01 53 73 22 22 – www.cnil.fr The personal data necessary for the performance of the CNIL's missions are processed in files intended for its exclusive use. CNIL personnel via an online form or by post. For more information: www.cnil.fr/donnees-personnelles. data (DPO) of […] ACCOR having spoken last; The Restricted Committee adopted the following draft decision: I. Facts and procedure 1. ACCOR SA (hereinafter “the company”) is a public limited company with advisory board created in 1960, specializing in the hotel sector. Its head office is located at 82, rue Henri Farman in Issy-les-Moulineaux (92130). 2. In 2021, the company achieved a turnover of […]. In the summer of 2020, 5,100 hotels, established in 110 countries, under 39 different brands, were operated under contracts linking their owners to ACCOR (franchise or “management” contracts, principally). 
The company employs around 1,500 people. 3. Between December 2018 and September 2019, the National Commission for Computing and freedoms (hereinafter "the CNIL" or "the Commission") was directly seized of five complaints (referrals no […]) relating to the failure to take into account the right of opposition to receipt by e-mail of commercial prospecting messages (advertising e-mails, e-mails of welcome to the loyalty program, newsletters) from the company. On September 22, 2019, the CNIL also received a complaint (referral No. […]) relating to the difficulties encountered in the framework of the exercise of the right of access in particular to banking data collected by the company when booking a hotel room. 4. In accordance with Article 56 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (hereinafter “the Regulation” or “the GDPR”), in the context of the processing of complaints received against the company, the CNIL informed, on December 12, 2018, all European supervisory authorities with jurisdiction to act as a supervisory authority leader concerning the cross-border processing implemented by the company, competence drawn by the CNIL from the fact that the main establishment of the company is in France. 5. Through the exchange platform between European data protection authorities, the CNIL has initiated the procedure allowing the supervisory authorities concerned to declare themselves. Ten authorities declared themselves concerned by this procedure, within the meaning of Article 4 (22) of the GDPR. 6. At the same time, between January 2019 and February 2020, the CNIL was made the recipient, as “lead authority”, pursuant to the cooperation mechanisms provided for by the Settlement, of five other complaints received respectively by the supervisory authorities of the Sarre, Spain, Ireland, Poland and Lower Saxony (referrals No […]). 
These complaints also related to requests to object to data processing personal information for the purposes of commercial prospecting by e-mail and the exercise of the right of access to data collected by ACCOR. 2 7. On March 6, 2019, pursuant to decision no. 2019-046C of February 18, 2019 of the President from the CNIL, a questionnaire was sent to ACCOR, to which the latter responded er by letter of April 8 then by additional letters of May 22, August 1, October 11 and December 27, 2019. The purpose of this documentary control mission was to verify compliance by the company ACCOR of all the provisions of the GDPR and of the law n° 78-17 of 6 January 1978 relating to data processing, files and freedoms (hereinafter “the law of January 6, 1978 amended” or the law “Informatique et Libertés”). 8. Following this first check, the CNIL, taking into account the response provided by the company to the instruction letter that had been sent to it and its compliance on several points, submitted to its European counterparts on December 23, 2019, pursuant to Article 60 of the GDPR, a draft decision from its president reminding the company of its obligations, in accordance with the provisions of Article 58.2.b) of the GDPR. 9. This draft decision has been objected to by certain authorities concerned. relevant and reasoned within the meaning of Article 60 of the GDPR, requesting that the company does not only the subject of a call to order but that it is sanctioned by a fine administrative and highlighting, in particular, the number of breaches, the number of complaints and the size of the company. In view of these objections and the new complaints received since the first inspection, the CNIL decided to resume its investigations with the company. 10. On February 11, 2020, the CNIL delegation carried out an inspection mission to the premises of the society. 
An online check of the company's website (www.all.accor.com) was then carried out on February 24, 2020, pursuant to the aforementioned decision no. 2019-046C. Following these investigations, the company sent additional information to the CNIL by letter in date of February 21, March 10, March 19 and August 7, 2020. 11. For the purposes of examining these elements, the President of the Commission, on October 16, 2020, appointed Mrs. Sophie LAMBREMON as rapporteur, on the basis of Article 22 of the amended law of January 6, 1978. 12. Following her investigation, the rapporteur notified the company, on November 24, 2020, of a report detailing the breaches of the provisions of articles L. 34-5 of the postal code and electronic communications (hereinafter the “CPCE”) and 12-1, 12-3, 13, 15-1, 21-2 and 32 of GDPR that it considered constituted in this case. This report proposed to the restricted committee to the Commission to impose an administrative fine on the company and that this decision is made public but no longer allows the company to be identified by name the expiration of a period of two years from its publication. 13. Also attached to the report was a summons to the Restricted Committee meeting of 28 January 2021 indicating to the company that it had a period of one month to communicate its written observations pursuant to the provisions of Article 40 of Decree No. 2019-536 of May 29, 2019. 314. ACCOR responded to the sanction report with written observations dated 22 December 2020. 15. The company and the rapporteur presented oral observations during the training session restraint. II. Reasons for decision A. On the European cooperation procedure 16. 
According to Article 56, paragraph 1, of the Regulation “the supervisory authority of the main establishment or the sole establishment of the controller or of the sub- controller is competent to act as lead supervisory authority in relation to the cross-border processing carried out by this controller or processor, in accordance with the procedure provided for in Article 60”. 17. In the present case, the Restricted Committee notes, first, that the registered office of the company is located in France since the creation of the company in 1983 and that the company is registered in the register commerce and companies in France from the outset. 18. The Restricted Committee then notes that the first hotels of the ACCOR group were established in France, the company having launched its activity abroad only in a second time. 19. Finally, to date, although the hotels of the ACCOR group are established in 110 countries across worldwide, more than half of the hotels operated under the “AccorHotels” brand in Europe located in France (1,657 hotels out of the 3,051 present in the European Union). 20. All of these elements combine to consider that the main establishment of the company is located in France and that the CNIL is competent to act as the chief supervisory authority leader regarding the cross-border processing carried out by this company, in accordance with Rule 56(1) of the Rules. 21. The Restricted Committee notes that on the date of this draft decision the supervisory authorities of the following countries were involved in this proceeding: Germany, Austria, Belgium, Bulgaria, Croatia, Denmark, Spain, Estonia, Greece, Ireland, Italy, Latvia, Lithuania, Luxembourg, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Sweden and Czech Republic. 4 22. 
Following an adversarial procedure, a draft decision was adopted by the formation restricted and has been transmitted to the other European supervisory authorities concerned in application of Article 60(3) of the GDPR. 23. On May 28, 2021, the Polish data protection authority raised three objections, in accordance with Article 60(4) of the GDPR. 24. By deliberation no. SAN-2022-001 of January 13, 2022, the Restricted Committee set out its point of view on the objections of the Polish authority and explained the reasons for which it decided not to follow these objections. 25. On 15 June 2022, the European Data Protection Board (hereinafter “EDPS”) adopted decision 01/2022 concerning the dispute relating to the draft decision of the supervisory authority French concerning Accor SA pursuant to Article 65, paragraph 1, point a), of the GDPR. By this decision, the EDPS ruled on the dispute relating to the draft decision which did not concern more than a single objection from the Polish authorities, concerning the amount of the fine set in the draft decision. B. On the breach relating to the obligation to obtain the consent of the person concerned by a direct marketing operation by means of a automated electronic communications system pursuant to article L. 34-5 of the CPCE 1. On the lack of consent of persons to receive messages of commercial prospecting for ACCOR 26. Article L. 34-5 of the CPCE provides: “Direct prospecting by means of a system is prohibited. automated electronic communications within the meaning of 6° of Article L. 32, a fax machine or e-mails using the contact details of a natural person, subscriber or user, who has not previously expressed his consent to receive prospecting direct by this means. For the purposes of this article, consent means any manifestation of free, specific and informed will by which a person accepts that data to personal character concerning it are used for the purpose of direct prospecting. 
Constitutes direct marketing the sending of any message intended to promote, directly or indirectly, goods, services or the image of a person selling goods or providing services. For the purposes of this article, calls and messages having intended to encourage the user or subscriber to call a premium rate number or to send a surcharged text messages also fall under direct prospecting. However, direct prospecting by e-mail is authorized if the contact details of the recipient were collected from him, in compliance with the provisions of Law No. 78- 17 of January 6, 1978 relating to data processing, files and freedoms, on the occasion of a sale or provision of services, if the direct prospecting concerns products or similar services provided by the same natural or legal person, and if the recipient 5 sees offering, in an express and unambiguous manner, the possibility of opposing, free of charge, apart from those related to the transmission of the refusal, and in a simple way, to the use of its contact information at the time it is collected and each time an email from prospecting is sent to him in case he has not refused such exploitation from the outset. […]”. According to paragraph 6 of the same article, "The National Commission for Computing and liberties watch, with regard to direct prospecting using the contact details of a subscriber or a natural person, to compliance with the provisions of this article by using the powers recognized by law n° 78-17 of January 6, 1978 mentioned above. At this end, it may in particular receive, by any means, complaints relating to breaches of provisions of this article […]”. 27. 
It appears from the investigations carried out by the CNIL that, when a person reserves a hotel room directly from the staff of a hotel of one of the hotel brands of the ACCOR group (on site or by telephone) or on the site of one of the hotel brands of the group (Ibis, Novotel, Mercure, Fairmont, Sofitel, Adagio etc.), it was made the recipient e-mails from the company containing the newsletter “All – Accor Live Limitless”, the relevant box consent to receive the newsletter being pre-checked by default. 28. The rapporteur considers that, in these cases, the consent of the recipients emails from the company containing the “All – Accor Live Limitless” newsletter was not validly collected. It notes in particular in this respect that the commercial offers and promotions present in the “All – Accor Live Limitless” newsletter do not bear only on services provided by the company but also relate to the services of “partner” companies – such as, for example, airlines or companies parking lot managers. 29. Under these conditions, the rapporteur considers that the company cannot rely on the exception provided for in Article L. 34-5 paragraph 4 of the CPCE, which provides that an organization may send commercial prospecting messages by e-mail without collecting the prior consent of the persons concerned when the data has been collected with these persons on the occasion of a sale or provision of services and that the commercial prospecting concerns similar products or services provided by the same moral or physical person. 30. The company maintains that it is indeed the company that collects the data from the persons concerned because, on the one hand, it publishes and manages all the reservation sites of all the group brands and, on the other hand, even when used by hotel staff of the group at the request of customers, the tools for booking and joining the program of loyalty are managed by it alone and come to feed its own database. 31. 
The Restricted Committee takes note that the company is the holder of the reservation sites of all the brands of the group (Ibis, Novotel, etc.). The restricted formation nevertheless falls under that the commercial prospecting messages sent by the company do not carry exclusively on similar products or services provided by this company but that they are 6 likely to contain, for example, promotional offers from partners, such as airlines or car park management companies. 32. Under these conditions, the Restricted Committee considers that the company was required to collect the prior, free, specific and informed consent of persons to receive messages from direct prospecting by e-mail, in accordance with paragraph 1 of article L. 34-5 of the CPCE, which did not allow the existence, in this case, of a box relating to the consent to receive the newsletter pre-ticked by default. The Restricted Committee recalls that in its Planet49 judgment of 1 October 2019 (case C-673/19), the Court of Justice of the European Union indicated that a consent collected by means of a pre-ticked box cannot be considered validly given by the user. 33. As part of the procedure, the company justified having taken measures to implement compliance all of its tools for collecting the consent of the persons concerned to receive commercial prospecting messages by e-mail, so that for each of the reservation and membership paths to the program this consent is no longer collected by default. 34. The Restricted Committee therefore considers that the breach of Article L. 34-5 of the CPCE is incorporated, but the company has complied by the closing date of instruction. 2. On the lack of consent of the people creating a customer space, at the reception commercial prospecting messages 35. 
As part of the investigation, the CNIL delegation of control noted that, during the creation of a customer space, the company did not collect the consent of the people for the processing of their personal data for commercial prospecting purposes by emails. Indeed, it has been found that the personal data used by the company for commercial prospecting purposes could be collected from a form for creating a customer area, independently of a reservation, on which there was a "pre-ticked" box by default relating to the consent to receive business development. 36. The Restricted Committee considers that the company is required to obtain the consent prior, free, specific and informed of persons creating a customer area on its website, to receive direct prospecting messages by e-mail, in accordance with paragraph 1 of article L. 34-5 of the CPCE. Indeed, insofar as the creation of a space customer can intervene without prior reservation, the exemption from the collection of the consent provided in Article L. 34-5 when similar services are offered cannot be mobilized in this case in point. 737. In response, the company justified having modified its form for creating a customer area, in order to that the consent of the persons concerned to receive prospecting messages is not no longer collected by default. 38. Under these conditions, the Restricted Committee considers that the breach of Article L. 34-5 of the CPCE is incorporated, but the company has complied by the closing date of instruction. C. On the breach relating to the obligation to inform the persons in application of Articles 12 and 13 of the GDPR 39. 
According to paragraph 1 of Article 12 of the GDPR: “The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 as well as to carry out any communication under Articles 15 to 22 and Article 34 with regard to concerns processing to the data subject in a concise, transparent, understandable and easily accessible, in clear and simple terms […]”. 40. Article 13 of the GDPR requires the data controller to provide, at the time when the data are collected, information relating to his identity and contact details, the purposes of the processing and its legal basis, the recipients or the categories of recipients of the data of a personal nature, where applicable the transfers of personal data, the duration of retention of personal data, the rights enjoyed by individuals as well as the right to lodge a complaint with a supervisory authority. 41. Firstly, with regard to the accessible nature of the information, the delegation noted during the online check of February 24, 2020 that the forms allowing the creation of a customer account or membership of the ACCOR group loyalty program did not include the information required by article 13 of the GDPR. to take any steps to take cognizance of the information provided to the under Article 13 of the GDPR, for example by accessing via a hypertext link to the the company's "personal data protection charter". 42. The Restricted Committee recalls that in order to consider that a data controller satisfies its obligation of transparency, it is necessary in particular that the information provided be “easily accessible” for data subjects within the meaning of Article 12 of the Regulation. 43. 
It points out, in this regard, that this provision must be interpreted in the light of recital 61 of the Regulation, according to which: “information on the processing of data to personal character relating to the data subject should be provided to him at the time where these data are collected from it”. In this sense, it shares the position of the G29 presented in the guidelines on transparency within the meaning of the Regulation, adopted in their version revised on April 11, 2018 and endorsed on May 25, 2018 by the European Committee for 8 data protection (EDPS) which recalls that “the data subject should not have looking for the information but should be able to access it immediately”. 44. The Restricted Committee considers that in this case the information notices of the persons concerned were not “easily accessible” for the latter, in that, during the creation of an account, access to the “personal data protection charter” of the company was only organized via a hypertext link available at the bottom of the pages of the site internet, which required the user to scroll through the entire page and search information, in breach of Article 12 of the GDPR. 45. As part of the investigation, the company indicated that it had made corrections, in order to deliver information that complies with the requirements of the GDPR. Through an informal check, it has in fact been found that the mentions of information relating to the processing of personal data personal information had been completed on the account creation and membership forms loyalty program and that the “customer personal data protection charter” was now directly accessible from a link inserted on these forms. 46. 
Secondly, the inspection delegation noted that the company's "personal data protection charter for customers" states that the legal basis for the processing of personal data in connection with the sending of commercial prospecting is "legitimate interest" or "performance of a contract".

47. However, the rapporteur maintains that, in the cases mentioned above, the company cannot, for the sending of prospecting messages relating to the products or services of third parties, dispense with obtaining the consent of the persons concerned to receive commercial prospecting messages.

48. In response, the company indicates that, even if the consent of the persons concerned must be collected under Article L. 34-5 of the CPCE, the processing carried out for commercial prospecting purposes has legitimate interest as its legal basis.

49. As previously explained, the Restricted Committee considers that in certain cases the company is required to obtain the prior, free, specific and informed consent of the persons concerned to receive direct prospecting messages by electronic mail, in accordance with paragraph 1 of Article L. 34-5 of the CPCE.

50. The Restricted Committee considers that when obtaining the consent of the data subject is required for the processing of his or her personal data for a specific purpose (and not only for a given operation), the legal basis of the processing thus implemented is consent.

51. Consequently, the Restricted Committee notes that by not mentioning consent as the legal basis for processing for prospecting that promotes third-party products or services, the company has breached its obligation under Article 13 of the GDPR.

52. The Restricted Committee therefore considers that all of these facts constitute breaches of Articles 12 and 13 of the GDPR.

D. On the breach relating to the obligation to respect the right of access of individuals pursuant to Article 15 of the GDPR

53. Article 15.1 of the GDPR provides the data subject with a right of access to his or her personal data in the following terms: "The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data (…)".

54. Article 12.3 of the GDPR further specifies that "the controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request".

55. During the investigation of complaint no. […] received by the CNIL, it appeared that the company failed in its obligation to provide the complainant, within the time limit set by the GDPR, with a copy of the personal data it held on him in its database.

56. The rapporteur notes that the author of the complaint made a right of access request on August 1, 2019, the date on which his customer account had been suspended following the detection of a fraudulent connection. However, while the complainant had proved his identity on January 10, 2020, thus allowing the company to reopen his customer account, no response had yet been provided to his access request on the date of the CNIL delegation's inspection, February 11, 2020. The company granted the complainant's request on February 24, 2020.

57. The Restricted Committee considers that, where a customer's account has been subject to detection of a fraudulent connection, the company may certainly have a reasonable doubt about the identity of the applicant wishing to exercise his right of access, justifying a request for an identity document from the person concerned.

58. The Restricted Committee considers, however, that once the doubt as to the identity of the person is removed, the right of access request must be honored by the controller.

59. Under these conditions, the Restricted Committee considers that the breach of Article 15 of the GDPR is established with regard to complaint no. […], although it does not appear from the file that, beyond this one-off complaint, the failure was structural in character.

E. On the breach relating to the obligation to respect the right of objection of persons pursuant to Article 21 of the GDPR

60. According to Article 21.2 of the GDPR: "Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing".

61. Firstly, the rapporteur noted that the author of complaint no. […] objected on December 11, 2018 to receiving prospecting messages from the company at his two email addresses.

62. The rapporteur considered that the company had not responded satisfactorily to the complainant's objection, since it was only taken into account on January 11, 2020, and only for one of the two email addresses concerned.

63. In response, the company indicated that it had found no trace of this objection request in its systems. It also indicates that it did not find the first email address referred to by the complainant in his request in its database, and specifies, with regard to the second email address, that it was the author of the complaint himself who unsubscribed from the newsletters on January 11, 2020.

64. The Restricted Committee considers that, with regard to this first complaint, the elements of the debate do not lead to the conclusion that the company committed a breach.

65. Secondly, the investigation of complaints no. […] received by the CNIL revealed malfunctions of the unsubscribe link at the bottom of the prospecting emails sent by the company, resulting from two types of technical problem affecting one or other step of the unsubscribe process.

66. First, between November 11, 2018 and January 21, 2019, malfunctions occurred in the transmission of unsubscription information between the tool that manages the sending of newsletters and the customer repository, which records whether or not a customer subscribes to newsletters. During this period, the newsletter management tool was not informed by the customer repository of the contact creations or updates, and of the associated newsletter unsubscriptions, made every Sunday between midnight and 8 p.m. From then until January 21, 2019, the author of complaint no. […] continued to receive commercial prospecting messages from the company despite the unsubscription request made on Sunday, November 18, 2018 in the afternoon.

67. Next, another anomaly, also affecting the synchronization of unsubscriptions between the customer repository and the tool that manages the sending of newsletters, was identified by the company on February 8, 2019. This anomaly explains why the author of complaint no. […] continued to receive the ACCOR company newsletter between January 2, 2019 and February 8, 2019, despite the deletion of his data from the customer repository as of January 1, 2019.

68. The Restricted Committee considers that these two anomalies, which persisted for several weeks, are likely to have prevented a significant number of people from effectively objecting to the receipt of prospecting messages. It notes in this regard that it appears from the documents in the file that in 2019, […] million people received at least one of the ACCOR group newsletters at a valid email address.
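The two anomalies described in paragraphs 65 to 68 are both failures of synchronisation between a customer repository (the record of who has opted out or been deleted) and a separate sending tool that keeps its own copy of the contact list. A controller that wants to detect this class of failure before complaints arrive can run a periodic reconciliation: every address the sending tool would still mail is compared against the repository, and any opt-out or deletion that has not propagated is reported. The script below is an added illustration, not code from the CNIL decision or from Accor; the record layouts, field names, the 24-hour propagation limit and all sample rows are constructed for this example.

```python
"""Reconciliation between a customer repository (the opt-out source of
truth) and a newsletter sending tool that keeps its own contact list.

Added illustration for the synchronisation anomalies in paragraphs 65 to
68. All record layouts, field names, thresholds and sample rows below are
constructed for this example and do not come from the decision.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class RepoContact:
    email: str
    subscribed: bool        # current consent state held by the repository
    updated_at: datetime    # when that state last changed


@dataclass(frozen=True)
class SenderContact:
    email: str
    active: bool            # the sending tool will still mail this address
    synced_at: datetime     # last time the tool received this contact from the repository


def reconcile(repo, sender, now, max_lag=timedelta(hours=24)):
    """Return two sorted lists of addresses.

    must_suppress: active in the sending tool although the repository
                   records an opt-out, or no longer holds the contact at all
                   (the second anomaly, paragraph 67: data deleted from the
                   repository, newsletter still sent).
    sync_gaps:     the repository changed the contact more recently than the
                   sending tool last synchronised it, and that change is older
                   than max_lag (the first anomaly, paragraph 66: a Sunday
                   update window that never reached the sending tool).
    """
    repo_by_email = {c.email: c for c in repo}
    must_suppress, sync_gaps = [], []
    for s in sender:
        r = repo_by_email.get(s.email)
        if r is None:
            if s.active:
                must_suppress.append(s.email)     # deleted in repository, still mailed
            continue
        if s.active and not r.subscribed:
            must_suppress.append(s.email)         # opted out, still mailed
        if r.updated_at > s.synced_at and now - r.updated_at > max_lag:
            sync_gaps.append(s.email)             # change never propagated in time
    return sorted(must_suppress), sorted(sync_gaps)


# Constructed sample data (not from the decision).
NOW = datetime(2019, 1, 21, 9, 0)
SAMPLE_REPO = [
    RepoContact("a@example.com", False, datetime(2018, 11, 18, 15, 0)),  # Sunday opt-out
    RepoContact("b@example.com", True,  datetime(2018, 12, 1)),
    RepoContact("d@example.com", False, datetime(2019, 1, 21, 8, 0)),    # opt-out one hour ago
    RepoContact("e@example.com", False, datetime(2018, 12, 1)),
    RepoContact("f@example.com", True,  datetime(2019, 1, 1)),
]
SAMPLE_SENDER = [
    SenderContact("a@example.com", True,  datetime(2018, 11, 17)),   # never saw the opt-out
    SenderContact("b@example.com", True,  datetime(2018, 12, 2)),    # in sync
    SenderContact("c@example.com", True,  datetime(2018, 12, 31)),   # deleted from repository
    SenderContact("d@example.com", True,  datetime(2019, 1, 20)),    # opt-out still within lag
    SenderContact("e@example.com", False, datetime(2018, 12, 1, 12)),  # already suppressed
    SenderContact("f@example.com", True,  datetime(2018, 12, 1)),    # update not propagated
]


def run_sample():
    """Reconcile the constructed sample; returns (must_suppress, sync_gaps)."""
    return reconcile(SAMPLE_REPO, SAMPLE_SENDER, NOW)


if __name__ == "__main__":
    suppress, gaps = run_sample()
    print("stop mailing:", suppress)
    print("propagation gaps:", gaps)
```

Run as a scheduled job, a non-empty `must_suppress` list is the signal that an objection has not been honoured; the `sync_gaps` list catches the weekend-window loss even for contacts whose state did not change direction. The example treats the repository as authoritative and the sending tool as a cache, which is the assumption implied by the decision's description of the two systems.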
69. In response, the company indicates that it has taken measures to improve the management of requests to exercise rights and to prevent anomalies in the handling of objection requests.

70. The Restricted Committee takes note of the compliance measures adopted by the company, but considers that the company has in the past disregarded its obligations under Article 21.2 of the GDPR, since the aforementioned anomalies meant that requests from the persons concerned to object to receiving commercial prospecting messages were not taken into account within a reasonable time.

F. On the breach of the obligation to ensure the security of personal data pursuant to Article 32 of the GDPR

71. Article 32 of the GDPR provides: "1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing […]".

72. Firstly, the rapporteur notes that, during the on-site inspection of February 11, 2020, the delegation found that a password of eight characters containing only two character types (seven capital letters and one special character) allowed access to the management tool used for sending communications to customers.

73. The rapporteur considers that, taking into account in particular the volume of personal data processed by the "Adobe Campaign" tool, the password strength requirements put in place by the company are insufficient and do not ensure the security of the personal data.

74. In response, the company argues that, given the existence of an additional security measure, namely that access to the "Adobe Campaign" software is only possible from a terminal connected to the ACCOR network, the password observed by the delegation was only one level of complexity short (a lower-case letter or a digit) of meeting the CNIL's recommendations. The company also shows that it has strengthened the complexity rules for passwords giving access to the "Adobe Campaign" software, which must now contain at least nine characters and four levels of complexity.

75. The Restricted Committee considers that the length and complexity of a password remain the basic criteria for assessing its strength. It notes in this regard that the need for a strong password is also emphasised by the French National Agency for the Security of Information Systems (ANSSI).

76. By way of clarification, the Restricted Committee recalls that, in order to ensure a sufficient level of security and meet password strength requirements when authentication relies solely on an identifier and a password, the CNIL recommends, in its deliberation no. 2017-012 of January 19, 2017, that the password contain at least twelve characters, including at least one upper-case letter, one lower-case letter, one digit and one special character, or else at least eight characters, containing three of these four character categories, if accompanied by an additional measure such as, for example, delaying access to the account after several failures (temporary suspension of access, the duration of which increases with each attempt), a mechanism protecting against automated and intensive submission of attempts (such as a "captcha"), and/or blocking of the account after several unsuccessful authentication attempts.

77. In the present case, the Restricted Committee considers that, with regard to the rules governing their composition, the strength of the passwords accepted by the company for access to the "Adobe Campaign" software was too weak, creating a risk of compromise of the personal data it contains.

78. The Restricted Committee notes, however, that the company has shown that it increased the complexity level of the passwords used to connect to the "Adobe Campaign" software.

79. Consequently, the Restricted Committee considers that the breach of the obligation to ensure the security of personal data is established, but that the company brought itself into compliance on this point before the close of the investigation.

80. Secondly, the rapporteur indicated that when a customer's account is suspended on suspicion of a fraudulent connection, the customer service invites the person concerned to send a copy of his or her identity document as an email attachment.
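Returning to the password finding in paragraphs 72 to 79: the rule the Restricted Committee recalls from CNIL deliberation no. 2017-012 has two branches, twelve characters with all four character categories, or eight characters with three of the four categories provided an additional measure such as an increasing lockout delay is in place. The script below is an added illustration, not code from the CNIL or from Accor. It encodes both branches, models the "increasing delay after failures" measure from paragraph 76, and runs a constructed password with the same shape as the one the delegation found (eight characters, seven upper-case letters and one special character; the actual password is not on the page) beside a constructed password meeting the company's new nine-character, four-category rule. The category definitions, the delay schedule and the helper names are this example's own assumptions.

```python
"""Password composition check modelled on the rule recalled in paragraph 76
(CNIL deliberation no. 2017-012), with an increasing-delay lockout as the
"additional measure" that unlocks the shorter branch.

Added illustration, not code from the CNIL or from Accor. Category
definitions, the delay schedule and all sample passwords are assumptions
constructed for this example.
"""
import string

UPPER = set(string.ascii_uppercase)
LOWER = set(string.ascii_lowercase)
DIGIT = set(string.digits)


def categories(password):
    """Return the set of character categories present in the password.
    Assumption: anything that is not a letter or digit counts as special."""
    found = set()
    for ch in password:
        if ch in UPPER:
            found.add("upper")
        elif ch in LOWER:
            found.add("lower")
        elif ch in DIGIT:
            found.add("digit")
        else:
            found.add("special")
    return found


def meets_cnil_2017_012(password, additional_measure):
    """True if the password satisfies either branch of the recalled rule.

    Branch 1: at least 12 characters and all four categories.
    Branch 2: at least 8 characters and at least three categories, but only
              when an additional measure (delay, captcha, lockout) exists.
    """
    cats = categories(password)
    if len(password) >= 12 and len(cats) == 4:
        return True
    if additional_measure and len(password) >= 8 and len(cats) >= 3:
        return True
    return False


class IncreasingDelay:
    """Temporary suspension whose duration grows with each failed attempt,
    one of the additional measures listed in paragraph 76.
    Schedule (an assumption): no delay for the first two failures, then
    30 seconds doubling on every further failure, capped at 900 seconds."""

    def __init__(self):
        self._failures = {}

    def record_failure(self, user):
        """Register a failed login and return the delay now imposed, in seconds."""
        self._failures[user] = self._failures.get(user, 0) + 1
        return self.delay_for(user)

    def delay_for(self, user):
        n = self._failures.get(user, 0)
        if n < 3:
            return 0
        return min(30 * 2 ** (n - 3), 900)

    def reset(self, user):
        """A successful login clears the counter."""
        self._failures.pop(user, None)


# Constructed samples (not the passwords from the inspection).
FOUND_SHAPE = "ABCDEFG!"       # 8 chars, upper + special only: two categories
NEW_RULE = "Abcdef1!x"         # 9 chars, four categories: the company's new minimum
LONG_RULE = "Abcdefgh1!xy"     # 12 chars, four categories: branch 1


def evaluate_samples():
    """Evaluate the constructed samples with and without an additional measure."""
    return {
        "found_shape_no_measure": meets_cnil_2017_012(FOUND_SHAPE, False),
        "found_shape_with_measure": meets_cnil_2017_012(FOUND_SHAPE, True),
        "new_rule_no_measure": meets_cnil_2017_012(NEW_RULE, False),
        "new_rule_with_measure": meets_cnil_2017_012(NEW_RULE, True),
        "long_rule_no_measure": meets_cnil_2017_012(LONG_RULE, False),
    }


if __name__ == "__main__":
    for name, ok in evaluate_samples().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Two points the table of results makes that the paragraph alone does not: a two-category eight-character password is rejected on both branches, so no additional measure rescues it; and a nine-character four-category password is accepted only through the eight-character branch, which presupposes that a genuine additional measure is in place, a question the decision leaves to the company's justification in paragraph 74.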
81. The rapporteur notes that the conditions under which customers whose account has been suspended transmit a copy of their identity document do not protect it against interception by a third party.

82. The Restricted Committee considers that the practice of transmitting unencrypted data by email creates a significant risk for the confidentiality of the transmitted data.

83. In this regard, the Restricted Committee recalls that, in its guide on "personal data security", the CNIL recommends, as an elementary security precaution, encrypting data before it is stored on a physical medium or transmitted by email. It also recommends ensuring the confidentiality of the decryption password by transmitting it through another channel.

84. In view of all of these elements, the Restricted Committee considers that the aforementioned facts constitute a breach of Article 32 of the GDPR.

III. On corrective measures and their publicity

85. Under the terms of paragraph III of Article 20 of the amended law of 6 January 1978: "When the data controller or its processor fails to comply with the obligations resulting from Regulation (EU) 2016/679 of April 27, 2016 or from this law, the Chairman of the Commission nationale de l'informatique et des libertés may also, if necessary after having sent the warning provided for in paragraph I of this article or, where applicable, in addition to a formal notice provided for in paragraph II, refer the matter to the restricted committee with a view to the pronouncement, after an adversarial procedure, of one or more of the following measures: […] 7° With the exception of cases where the processing is implemented by the State, an administrative fine not exceeding 10 million euros or, in the case of a company, 2% of the total annual turnover for the previous financial year, whichever is higher. In the cases mentioned in paragraphs 5 and 6 of Article 83 of Regulation (EU) 2016/679 of April 27, 2016, these ceilings are raised to 20 million euros and 4% of said turnover respectively. The restricted committee takes into account, in determining the amount of the fine, the criteria specified in the same Article 83".

86. Article 83 of the GDPR provides that "Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive", before specifying the elements to be taken into account in deciding whether to impose an administrative fine and in deciding on its amount.

87. In defence, the company argues that a penalty is not necessary given all of the measures it has taken to remedy the shortcomings noted and considers, in any event, that the amount of the administrative fine proposed by the rapporteur is disproportionate in view, in particular, of the low seriousness of the breaches, the measures taken to remedy them, its cooperation with the CNIL's services and its financial situation, significantly degraded by the current health crisis. The company also maintains that publication of the Restricted Committee's sanction decision would have manifestly disproportionate consequences for it.

88. As regards the nature and seriousness of the breaches, the Restricted Committee first notes the number of breaches alleged against the company: carrying out massive prospecting campaigns by email without the consent of the persons concerned, absence of easily accessible and complete information on the processing carried out, difficulties encountered by complainants in exercising their rights, and data security deficiencies. It stresses that these shortcomings relate to several fundamental principles of the legislation on the protection of personal data and that they constitute a substantial interference with the rights of data subjects.

89. The Restricted Committee then notes the particularly large number of people affected by these shortcomings, since in 2019, […] million people received at least one of the ACCOR group newsletters at a valid email address.

90. The Restricted Committee holds, finally, that these breaches had direct consequences for the persons concerned, as shown in particular by the fact that the CNIL received eleven complaints relating in particular to the right to object to receiving commercial prospecting messages.

91. Consequently, the Restricted Committee considers that an administrative fine should be imposed with regard to the established breaches.

92. With regard to the amount of the fine for the breaches of the GDPR, the Restricted Committee recalls that paragraph 3 of Article 83 of the GDPR provides that, in the event of multiple violations, as is the case here, the total amount of the fine may not exceed the amount specified for the gravest breach. Insofar as the company is alleged to have breached Articles 12.1, 12.3, 13, 15.1, 21.2 and 32 of the GDPR, the maximum fine that can be imposed is 20 million euros or 4% of the total worldwide annual turnover, whichever is higher.

93. The Restricted Committee notes that the company's turnover amounted to […] euros in 2021.

94. With regard to the amount of the fine relating to the breach of Article L. 34-5 of the CPCE, the Restricted Committee recalls that, for breaches of provisions originating in texts other than the GDPR, as is the case with Article L. 34-5 of the CPCE, which transposes the "ePrivacy" directive into domestic law, paragraph III of Article 20 of the "Informatique et Libertés" law gives it jurisdiction to pronounce various sanctions, in particular an administrative fine, the maximum amount of which may be equivalent to 2% of the controller's total worldwide annual turnover for the previous financial year. In addition, the amount of this fine is also assessed with regard to the criteria specified in Article 83 of the GDPR.

95. To assess the proportionality of the fine, the Restricted Committee took into account that the company has remedied all of the shortcomings identified and that some of them, relating to the exercise of individuals' rights, were not structural in character. It further notes that the company cooperated fully with the CNIL.

96. The Restricted Committee also takes into account, in determining the amount of the fine, the financial situation of the company. In this regard, the company reports a decrease in its turnover in 2020 and 2021 compared to 2019. Indeed, the company's turnover amounted to […] in 2019, […] in 2020 and […] in 2021.

97. Finally, the Restricted Committee takes note of EDPB Decision no. 01/2022 on the dispute relating to the draft decision of the French supervisory authority concerning Accor SA, adopted under Article 65(1)(a) GDPR. In particular, it notes that the EDPB instructed the CNIL to re-examine the elements on which it relied to calculate the amount of the fine, in order to ensure that the fine meets the dissuasiveness requirement of Article 83(1) of the GDPR.

98. Therefore, in view of the economic context caused by the Covid-19 health crisis, its consequences for the financial situation of the company and the relevant criteria of Article 83(2) of the GDPR mentioned above, the Restricted Committee considers that an administrative fine of 600,000 euros is justified.

99. Finally, the Restricted Committee considers that publication of its sanction decision for a period of two years is justified in view of the plurality of breaches found, their seriousness and the number of people involved.

100. The Restricted Committee specifies that, of the administrative fine of 600,000 euros imposed on ACCOR, 100,000 euros relate to the breach of Article L. 34-5 of the CPCE and 500,000 euros to the company's breaches of Articles 12.1, 12.3, 13, 15.1, 21.2 and 32 of the GDPR.

FOR THESE REASONS

The CNIL Restricted Committee, after having deliberated, decides to:

pronounce against ACCOR SA an administrative fine of 600,000 euros for all of the shortcomings observed, broken down as follows:
o 100,000 (one hundred thousand) euros for the company's breach of Article L. 34-5 of the Post and Electronic Communications Code;
o 500,000 (five hundred thousand) euros for the company's breaches of Articles 12.1, 12.3, 13, 15.1, 21.2 and 32 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.

make public, on the CNIL website and on the Légifrance website, its deliberation, which will no longer identify the company by name after a period of two years from its publication.

The President
Alexandre LINDEN

This decision may be appealed before the Conseil d'État within two months of its notification.