CNIL (France) - SAN-2022-017

From GDPRhub
CNIL - SAN-2022-017
LogoFR.png
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 12(1) GDPR
Article 12(3) GDPR
Article 13 GDPR
Article 15(1) GDPR
Article 21(2) GDPR
Article 32 GDPR
Article 55(1) GDPR
Article 83(1) GDPR
Article L34-5 CPCE
Type: Investigation
Outcome: Violation Found
Started: 12.12.2018
Decided: 03.08.2022
Published: 17.08.2022
Fine: 600,000 EUR
Parties: Accor
National Case Number/Name: SAN-2022-017
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): French
Original Source: CNIL (in FR)
Initial Contributor: MW

Following the EDPB's binding decision under Article 65(1)(a) GDPR, the French DPA increased its fine to Accor hotels from €100,000 to €600,000, notably for direct marketing without valid consent, not respecting GDPR rights of its customers and using weak passwords, in violation of Articles 12, 13, 15, 21 and 32 GDPR.

English Summary

Facts

The controller, Accor, is a large, multinational chain that operates hotels in 110 countries. Between December 2018 and September 2019, the French DPA (CNIL) received several complaints concerning the controller's various potential violations of the GDPR.

On 24 Feburary 2020, the CNIL conducted an investigation of the controller's website. Users supplied their contact information, including email address, when they registered an account with the controller. The registration process featured a pre-ticked box indicating consent to receive promotional materials. Data subjects subsequently started receiving these promotional materials in their inboxes. They were unable to unsubscribe from direct marketing emails, as various technical glitches prevented the emails' "unsubscribe" button from working. Several million people received these emails at valid addresses, though the CNIL's published decision redacted the exact amount.

Additionally, the website did not provide data subjects with information about the controller's contact details, the purposes of processing for the data collected, the legal basis for processing, the period for which the data would be retained, potential transfers, or the right to lodge a complaint under the GDPR, and there was no link to a privacy policy that might contain this information.

The CNIL also received one complaint regarding difficulties encountered exercising the right of access to personal banking data processed by the controller. The controller had failed to respond to an access request after locking a data subject's account for suspected fraudulent activity even after data subject verified their identity.

Finally, for the controller to access the "Adobe Campaign" account responsible for managing these email communications, a weak password consisting of seven capital letters and one special character was required, although access was only possible from a terminal connected to the ACCOR network.

Ten other supervisory authorities declared themselves to be concerned supervisory authorities, and the CNIL was also notified of five additional complaints by the supervisory authorities of Saarland, Spain, Ireland, Poland, and Lower Saxony. The controller's main establishment was determined to be in France, where more than half of its hotels were located. As such, the CNIL was the lead supervisory authority per Article 56(1) GDPR.

Holding

The CNIL found that the controller had committed a "substantial" infringement on data subjects' rights. By using a pre-ticked box indicating consent to receive direct marketing emails, the controller had failed to obtain a "free, specific, and informed" expression of consent before sending such marketing in violation of France's implementation of the ePrivacy Directive (Article L34-5 CPCE).

The CNIL held that the controller had also violated Articles 12 and 13 GDPR by failing to provide information about the details of processing or even a link to a privacy policy with such information when it collected customers' personal data. It had also violated Articles 12 and 15 for not responding to data subjects' access requests within one month after the receipt of those requests.

Further, the CNIL held that the controller had violated Articles 12 and 21 for not removing data subjects who had unsubscribed from its mailing list.

Finally, the CNIL held that the controller had violated Article 32 by protecting a massive volume of personal data with an eight-character password with only two different kinds of characters, thus not ensuring a strong enough password.

In assessing a fine, the CNIL took into account that the controller had suffered a 54% decline in turnover from 2019 to 2020 as a result of the COVID-19 pandemic. The controller had also cooperated fully with the CNIL, rectifying infringements throughout the course of the investigation, and the CNIL considered that some of the violations "were not of a structural nature." Thus, the CNIL held a fine of €100,000 was sufficient.

However, the Polish DPA (UODO) objected to the CNIL's draft decision, arguing that the amount of the fine, which was roughly 0.02% of the controller's estimated turnover in 2020, was too low to effectively deter other controllers from committing similar violations. The UODO wanted further information on the controller's turnover included in the draft decision, without which there was insufficient basis on which to calculate a fine. It argued that, with regard to proportionality, the draft decision did not provide evidence that a higher fine would irretrievably jeopardise the controller's viability, and it was required that there be "objective evidence that the imposition of the fine would irretrievably expose the viability of the company concerned and would result in the loss of all the value of its assets."

The CNIL did not implement the UODO's proposed changes, believing the proposed fine to be effective, proportionate, and dissuasive per Article 83(1) GDPR, and so the EDPB adopted a binding resolution in accordance with Article 65 GDPR to settle the dispute. The EDPB instructed the CNIL to take into account only the controller's most recent turnover without taking into account the drop between 2019 to 2020 caused by the COVID-19 pandemic. Additionally, it found that, since the CNIL itself had called the controller's infringements "substantial," a fine representing 0.02% of the controllers estimated turnover was not dissuasive. The lack of a deterrent and dissuasive fine posed risks to the rights and freedoms of data subjects, and accordingly, the EDPB instructed the CNIL to reassess the proposed fine, taking into account the relevant turnover in particular.

Following the EDPB's decision, the CNIL revised its initial figure and ultimately fined the controller €600,000.

Comment

Share your comments here!

Further Resources

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

  Deliberation of the restricted committee no. SAN-2022-017 of August 3, 2022 concerning the

                                     company ACCOR SA



The National Commission for Computing and Liberties, meeting in its restricted formation
composed of Mr. Alexandre LINDEN, Chairman, Mr. Philippe-Pierre
CABOURDIN, vice-president, Mrs Christine MAUGÜE, Mr Alain DRU and

Mr Bertrand du MARAIS, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 relating to
the protection of personal data and the free movement of such data;

Having regard to Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning
the processing of personal data and the protection of privacy in the sector
electronic communications;

Having regard to the postal and electronic communications code;

Considering the law n 78-17 of January 6, 1978 relating to data processing, files and freedoms,

in particular its articles 20 and following;
              y y
Considering the decree n 2019-536 of May 29, 2019 taken for the application of the law n 78-17 of January 6
1978 relating to data processing, files and freedoms;

Having regard to deliberation no. 2013-175 of July 4, 2013 adopting the internal regulations of the
National Commission for Computing and Liberties;

Having regard to referrals No […];

Having regard to decision no. 2019-046C of February 18, 2019 of the President of the National Commission

data processing and liberties to entrust the secretary general with carrying out or having carried out
a mission to verify the processing implemented by ACCOR;

Having regard to the decision of the President of the National Commission for Computing and Liberties
appointing a rapporteur to the restricted committee, dated October 16, 2020;

Having regard to the report of Mrs Sophie LAMBREMON, commissioner rapporteur, notified to the company

ACCOR on November 24, 2020;

Having regard to the written observations submitted by ACCOR on December 22, 2020;

Having regard to the other documents in the file;

Having regard to decision 01/2022 concerning the dispute relating to the draft decision of the supervisory authority
concerning Accor SA pursuant to Article 65, paragraph 1, point a), of the GDPR;

Were present at the restricted training session of January 28, 2021:

    - Mrs. Sophie LAMBREMON, commissioner, heard in her report;

As representatives of ACCOR:


                                     FRENCH REPUBLIC
          3 Place de Fontenoy, TSA 80715 – 75334 PARIS CEDEX 07 – 01 53 73 22 22 – www.cnil.fr

 The personal data necessary for the performance of the CNIL's missions are processed in files intended for its exclusive use.
 CNIL personnel via an online form or by post. For more information: www.cnil.fr/donnees-personnelles. data (DPO) of […]

      ACCOR having spoken last;

      The Restricted Committee adopted the following draft decision:


          I. Facts and procedure

1. ACCOR SA (hereinafter “the company”) is a public limited company with advisory

      board created in 1960, specializing in the hotel sector. Its head office is
      located at 82, rue Henri Farman in Issy-les-Moulineaux (92130).


2. In 2021, the company achieved a turnover of […]. In the summer of 2020, 5,100 hotels, established
      in 110 countries, under 39 different brands, were operated under contracts linking
      their owners to ACCOR (franchise or “management” contracts,

      principally). The company employs around 1,500 people.

3. Between December 2018 and September 2019, the National Commission for Computing and

      freedoms (hereinafter "the CNIL" or "the Commission") was directly seized of five complaints
      (referrals no […]) relating to the failure to take into account the right of opposition to receipt
      by e-mail of commercial prospecting messages (advertising e-mails, e-mails of

      welcome to the loyalty program, newsletters) from the company. On September 22, 2019,
      the CNIL also received a complaint (referral No. […]) relating to the difficulties encountered in the
      framework of the exercise of the right of access in particular to banking data collected by the company

      when booking a hotel room.

4. In accordance with Article 56 of Regulation (EU) 2016/679 of the European Parliament and of the Council

      of April 27, 2016 (hereinafter “the Regulation” or “the GDPR”), in the context of the processing of
      complaints received against the company, the CNIL informed, on December 12, 2018, all
      European supervisory authorities with jurisdiction to act as a supervisory authority

      leader concerning the cross-border processing implemented by the company, competence
      drawn by the CNIL from the fact that the main establishment of the company is in France.


5. Through the exchange platform between European data protection authorities,
      the CNIL has initiated the procedure allowing the supervisory authorities concerned to declare themselves.
      Ten authorities declared themselves concerned by this procedure, within the meaning of Article 4 (22) of the

      GDPR.

6. At the same time, between January 2019 and February 2020, the CNIL was made the recipient, as
      “lead authority”, pursuant to the cooperation mechanisms provided for by the

      Settlement, of five other complaints received respectively by the supervisory authorities of the
      Sarre, Spain, Ireland, Poland and Lower Saxony (referrals No […]). These
      complaints also related to requests to object to data processing

      personal information for the purposes of commercial prospecting by e-mail and the exercise of the right of access
      to data collected by ACCOR.


                                                                                                      2 7. On March 6, 2019, pursuant to decision no. 2019-046C of February 18, 2019 of the President
       from the CNIL, a questionnaire was sent to ACCOR, to which the latter responded
                                                                                       er
       by letter of April 8 then by additional letters of May 22, August 1, October 11
       and December 27, 2019. The purpose of this documentary control mission was to verify compliance
       by the company ACCOR of all the provisions of the GDPR and of the law n° 78-17 of 6 January

       1978 relating to data processing, files and freedoms (hereinafter “the law of January 6, 1978
       amended” or the law “Informatique et Libertés”).

 8. Following this first check, the CNIL, taking into account the response provided by the company

       to the instruction letter that had been sent to it and its compliance on several
       points, submitted to its European counterparts on December 23, 2019, pursuant to Article
       60 of the GDPR, a draft decision from its president reminding the company of its obligations,

       in accordance with the provisions of Article 58.2.b) of the GDPR.

 9. This draft decision has been objected to by certain authorities concerned.

       relevant and reasoned within the meaning of Article 60 of the GDPR, requesting that the company does not
       only the subject of a call to order but that it is sanctioned by a fine
       administrative and highlighting, in particular, the number of breaches, the number of complaints and

       the size of the company. In view of these objections and the new complaints received since the
       first inspection, the CNIL decided to resume its investigations with the company.


10. On February 11, 2020, the CNIL delegation carried out an inspection mission to the premises
       of the society. An online check of the company's website (www.all.accor.com) was then
       carried out on February 24, 2020, pursuant to the aforementioned decision no. 2019-046C. Following these

       investigations, the company sent additional information to the CNIL by letter in
       date of February 21, March 10, March 19 and August 7, 2020.


11. For the purposes of examining these elements, the President of the Commission, on October 16, 2020,
       appointed Mrs. Sophie LAMBREMON as rapporteur, on the basis of
       Article 22 of the amended law of January 6, 1978.


12. Following her investigation, the rapporteur notified the company, on November 24, 2020, of a
       report detailing the breaches of the provisions of articles L. 34-5 of the postal code and
       electronic communications (hereinafter the “CPCE”) and 12-1, 12-3, 13, 15-1, 21-2 and 32 of

       GDPR that it considered constituted in this case. This report proposed to the restricted committee to
       the Commission to impose an administrative fine on the company and that this
       decision is made public but no longer allows the company to be identified by name

       the expiration of a period of two years from its publication.

13. Also attached to the report was a summons to the Restricted Committee meeting of 28

       January 2021 indicating to the company that it had a period of one month to communicate
       its written observations pursuant to the provisions of Article 40 of Decree No. 2019-536 of
       May 29, 2019.


                                                                                                        314. ACCOR responded to the sanction report with written observations dated 22
       December 2020.


15. The company and the rapporteur presented oral observations during the training session
       restraint.




           II. Reasons for decision


              A. On the European cooperation procedure


16. According to Article 56, paragraph 1, of the Regulation “the supervisory authority of
       the main establishment or the sole establishment of the controller or of the sub-
       controller is competent to act as lead supervisory authority in relation to the

       cross-border processing carried out by this controller or processor,
       in accordance with the procedure provided for in Article 60”.


17. In the present case, the Restricted Committee notes, first, that the registered office of the company is located
       in France since the creation of the company in 1983 and that the company is registered in the register
       commerce and companies in France from the outset.


18. The Restricted Committee then notes that the first hotels of the ACCOR group were
       established in France, the company having launched its activity abroad only in a second
       time.


19. Finally, to date, although the hotels of the ACCOR group are established in 110 countries across
       worldwide, more than half of the hotels operated under the “AccorHotels” brand in Europe

       located in France (1,657 hotels out of the 3,051 present in the European Union).

20. All of these elements combine to consider that the main establishment of the company

       is located in France and that the CNIL is competent to act as the chief supervisory authority
       leader regarding the cross-border processing carried out by this company, in accordance with
       Rule 56(1) of the Rules.


21. The Restricted Committee notes that on the date of this draft decision the supervisory authorities
       of the following countries were involved in this proceeding: Germany, Austria, Belgium,
       Bulgaria, Croatia, Denmark, Spain, Estonia, Greece, Ireland, Italy, Latvia, Lithuania,

       Luxembourg, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Sweden and
       Czech Republic.






                                                                                                     4 22. Following an adversarial procedure, a draft decision was adopted by the formation
        restricted and has been transmitted to the other European supervisory authorities concerned in
        application of Article 60(3) of the GDPR.


 23. On May 28, 2021, the Polish data protection authority raised three objections,
        in accordance with Article 60(4) of the GDPR.


 24. By deliberation no. SAN-2022-001 of January 13, 2022, the Restricted Committee set out its
        point of view on the objections of the Polish authority and explained the reasons for which it
        decided not to follow these objections.


 25. On 15 June 2022, the European Data Protection Board (hereinafter “EDPS”) adopted
        decision 01/2022 concerning the dispute relating to the draft decision of the supervisory authority

        French concerning Accor SA pursuant to Article 65, paragraph 1, point a), of the GDPR.
        By this decision, the EDPS ruled on the dispute relating to the draft decision which did not concern
        more than a single objection from the Polish authorities, concerning the amount of the fine set

        in the draft decision.



              B. On the breach relating to the obligation to obtain the consent of the
              person concerned by a direct marketing operation by means of a
              automated electronic communications system pursuant to article L.

              34-5 of the CPCE

                 1. On the lack of consent of persons to receive messages of
                    commercial prospecting for ACCOR


26. Article L. 34-5 of the CPCE provides: “Direct prospecting by means of a system is prohibited.
        automated electronic communications within the meaning of 6° of Article L. 32, a fax machine

        or e-mails using the contact details of a natural person, subscriber or
        user, who has not previously expressed his consent to receive prospecting
        direct by this means.

        For the purposes of this article, consent means any manifestation of
        free, specific and informed will by which a person accepts that data to
        personal character concerning it are used for the purpose of direct prospecting.
        Constitutes direct marketing the sending of any message intended to promote, directly

        or indirectly, goods, services or the image of a person selling goods or
        providing services. For the purposes of this article, calls and messages having
        intended to encourage the user or subscriber to call a premium rate number or to send a
        surcharged text messages also fall under direct prospecting.

        However, direct prospecting by e-mail is authorized if the contact details of the
        recipient were collected from him, in compliance with the provisions of Law No. 78-
        17 of January 6, 1978 relating to data processing, files and freedoms, on the occasion of a
        sale or provision of services, if the direct prospecting concerns products or
        similar services provided by the same natural or legal person, and if the recipient


                                                                                                      5 sees offering, in an express and unambiguous manner, the possibility of opposing, free of charge,
        apart from those related to the transmission of the refusal, and in a simple way, to the use of its
        contact information at the time it is collected and each time an email from
        prospecting is sent to him in case he has not refused such exploitation from the outset.

        […]”.

        According to paragraph 6 of the same article, "The National Commission for Computing and

        liberties watch, with regard to direct prospecting using the contact details of a
        subscriber or a natural person, to compliance with the provisions of this article by using
        the powers recognized by law n° 78-17 of January 6, 1978 mentioned above. At this
        end, it may in particular receive, by any means, complaints relating to breaches of
        provisions of this article […]”.

27. It appears from the investigations carried out by the CNIL that, when a person reserves a

        hotel room directly from the staff of a hotel of one of the hotel brands of the
        ACCOR group (on site or by telephone) or on the site of one of the hotel brands of the
        group (Ibis, Novotel, Mercure, Fairmont, Sofitel, Adagio etc.), it was made the recipient
        e-mails from the company containing the newsletter “All – Accor Live Limitless”, the relevant box
        consent to receive the newsletter being pre-checked by default.

28. The rapporteur considers that, in these cases, the consent of the recipients

        emails from the company containing the “All – Accor Live Limitless” newsletter
        was not validly collected. It notes in particular in this respect that the commercial offers
        and promotions present in the “All – Accor Live Limitless” newsletter do not bear
        only on services provided by the company but also relate to the services of
        “partner” companies – such as, for example, airlines or companies
        parking lot managers.


29. Under these conditions, the rapporteur considers that the company cannot rely on
        the exception provided for in Article L. 34-5 paragraph 4 of the CPCE, which provides that an organization may
        send commercial prospecting messages by e-mail without collecting

        the prior consent of the persons concerned when the data has been collected
        with these persons on the occasion of a sale or provision of services and that the
        commercial prospecting concerns similar products or services provided by the same

        moral or physical person.

30. The company maintains that it is indeed the company that collects the data from the

        persons concerned because, on the one hand, it publishes and manages all the reservation sites of all the
        group brands and, on the other hand, even when used by hotel staff
        of the group at the request of customers, the tools for booking and joining the program of

        loyalty are managed by it alone and come to feed its own database.

31. The Restricted Committee takes note that the company is the holder of the reservation sites of
        all the brands of the group (Ibis, Novotel, etc.). The restricted formation nevertheless falls under

        that the commercial prospecting messages sent by the company do not carry
        exclusively on similar products or services provided by this company but that they are



                                                                                                      6 likely to contain, for example, promotional offers from partners, such as
        airlines or car park management companies.


32. Under these conditions, the Restricted Committee considers that the company was required to collect the
        prior, free, specific and informed consent of persons to receive messages from
        direct prospecting by e-mail, in accordance with paragraph 1 of article L. 34-5

        of the CPCE, which did not allow the existence, in this case, of a box relating to the consent
        to receive the newsletter pre-ticked by default. The Restricted Committee recalls that in its
        Planet49 judgment of 1 October 2019 (case C-673/19), the Court of Justice of the European Union

        indicated that a consent collected by means of a pre-ticked box cannot be
        considered validly given by the user.

33. As part of the procedure, the company justified having taken measures to implement

        compliance all of its tools for collecting the consent of the persons concerned to
        receive commercial prospecting messages by e-mail, so that for
        each of the reservation and membership paths to the program this consent is no longer

        collected by default.

34. The Restricted Committee therefore considers that the breach of Article L. 34-5 of the

        CPCE is incorporated, but the company has complied by the closing date of
        instruction.


                 2. On the lack of consent of the people creating a customer space, at the reception
                    commercial prospecting messages

35. As part of the investigation, the CNIL delegation of control noted that, during the

        creation of a customer space, the company did not collect the consent of the people for the
        processing of their personal data for commercial prospecting purposes by
        emails. Indeed, it has been found that the personal data used

        by the company for commercial prospecting purposes could be collected from a
        form for creating a customer area, independently of a reservation, on which
        there was a "pre-ticked" box by default relating to the consent to receive
        business development.


36. The Restricted Committee considers that the company is required to obtain the consent
        prior, free, specific and informed of persons creating a customer area on its website, to

        receive direct prospecting messages by e-mail, in accordance with
        paragraph 1 of article L. 34-5 of the CPCE. Indeed, insofar as the creation of a space
        customer can intervene without prior reservation, the exemption from the collection of the consent provided

        in Article L. 34-5 when similar services are offered cannot be mobilized in this
        case in point.






                                                                                                      737. In response, the company justified having modified its form for creating a customer area, in order to
        that the consent of the persons concerned to receive prospecting messages is not
        no longer collected by default.


38. Under these conditions, the Restricted Committee considers that the breach of Article L. 34-5 of the
        CPCE is incorporated, but the company has complied by the closing date of

        instruction.


           C. On the breach relating to the obligation to inform the persons in application
           of Articles 12 and 13 of the GDPR


39. According to paragraph 1 of Article 12 of the GDPR: “The controller shall take
        appropriate measures to provide any information referred to in Articles 13 and 14 as well as to
        carry out any communication under Articles 15 to 22 and Article 34 with regard to

        concerns processing to the data subject in a concise, transparent,
        understandable and easily accessible, in clear and simple terms […]”.


40. Article 13 of the GDPR requires the data controller to provide, at the time when the
        data are collected, information relating to his identity and contact details, the purposes
        of the processing and its legal basis, the recipients or the categories of recipients of the data

        of a personal nature, where applicable the transfers of personal data, the duration of
        retention of personal data, the rights enjoyed by individuals as well
        as the right to lodge a complaint with a supervisory authority.


41. Firstly, with regard to the accessible nature of the information, the delegation noted
        during the online check of February 24, 2020 that the forms allowing the creation of a

        customer account or membership of the ACCOR group loyalty program did not include
        the information required by article 13 of the GDPR.
        to take any steps to take cognizance of the information provided to the

        under Article 13 of the GDPR, for example by accessing via a hypertext link to the
        the company's "personal data protection charter".


42. The Restricted Committee recalls that in order to consider that a data controller satisfies
        its obligation of transparency, it is necessary in particular that the information provided be “easily
        accessible” for data subjects within the meaning of Article 12 of the Regulation.


43. It points out, in this regard, that this provision must be interpreted in the light of recital
        61 of the Regulation, according to which: “information on the processing of data to
        personal character relating to the data subject should be provided to him at the time

        where these data are collected from it”. In this sense, it shares the position of the G29
        presented in the guidelines on transparency within the meaning of the Regulation, adopted in
        their version revised on April 11, 2018 and endorsed on May 25, 2018 by the European Committee for




                                                                                                      8 data protection (EDPS) which recalls that “the data subject should not have
        looking for the information but should be able to access it immediately”.


44. The Restricted Committee considers that in this case the information notices of the persons
        concerned were not “easily accessible” for the latter, in that, during the
        creation of an account, access to the “personal data protection charter” of the

        company was only organized via a hypertext link available at the bottom of the pages of the site
        internet, which required the user to scroll through the entire page and search
        information, in breach of Article 12 of the GDPR.


45. As part of the investigation, the company indicated that it had made corrections, in order to
        deliver information that complies with the requirements of the GDPR. Through an informal check, it
        has in fact been found that the mentions of information relating to the processing of personal data

        personal information had been completed on the account creation and membership forms
        loyalty program and that the “customer personal data protection charter”
        was now directly accessible from a link inserted on these forms.


46. Secondly, the delegation of control noted that the “data protection charter
        personal information of customers" of the company specifies that the legal basis for the processing of personal data

        personal in connection with the sending of commercial prospecting is the "legitimate interest" or
        “performance of a contract”.

47. However, the rapporteur maintains that, in the cases mentioned above, for the sending

        prospecting messages relating to the products or services of third parties, the company cannot
        dispense with obtaining the consent of the persons concerned to receive messages from
        business development.


48. In response, the company indicates that, even if the consent of the persons concerned must be
        collected under the provisions of Article L. 34-5 of the CPCE, the processing carried out

        for the purposes of commercial prospecting have legitimate interest as their legal basis.

49. As previously explained, the Restricted Committee considers that in certain
        hypotheses the company is required to obtain the prior, free, specific and

        informed of the persons concerned to receive direct prospecting messages by mail
        electronically, in accordance with the provisions of paragraph 1 of Article L. 34-5 of the CPCE.


50. The Restricted Committee considers that when obtaining the consent of the data subject
        is required for the processing of his personal data for a specific purpose
        (and not only for a given operation), the legal basis of the processing thus implemented

        is consent.

51. Consequently, the Restricted Committee notes that by not mentioning the consent
        as a legal basis for processing, for prospecting to promote the products or

        third-party services, the company has breached its obligation under Article 13 of the GDPR.


                                                                                                      952. The Restricted Committee therefore considers that all of these facts constitute
        breaches of Articles 12 and 13 of the GDPR.




            D. On the breach relating to the obligation to respect the right of access of individuals
            pursuant to Article 15 of the GDPR

53. Article 15.1 of the GDPR provides the data subject with a right of access to his or her data

        personal character terms: “The data subject has the right to obtain responsible
        of processing the confirmation that personal data concerning him are or are not
        are not processed and, when they are, access to said personal data (…)”.


54. Article 12.3 of the GDPR further specifies that “the controller shall provide the
        data subject information on the measures taken following a request made

        pursuant to Articles 15 to 22, as soon as possible and in any event within a
        one month from receipt of the request.


55. During the investigation of complaint no. […] received by the CNIL, it appeared that the company
        failed in its obligation to provide the complainant, within the time limit set by the GDPR, with a copy
        of its personal data that it held in its database.


56. The rapporteur notes that the author of the complaint made a request for a right of access
        on August 1, 2019, the date on which his client account had been suspended following
        fraudulent connection detection. However, while the complainant had justified

        his identity on January 10, 2020, thus allowing the reopening of his customer account by the
        company, no response had yet been provided to its request for right of access on the date of
        control by the CNIL delegation, on February 11, 2020. The company granted the request for

        the complainant on February 24, 2020.

57. The Restricted Committee considers that, in the event that a client's account has been subject to

        detection of a fraudulent connection, the company may certainly have a reasonable doubt about
        the identity of the applicant wishing to exercise his right of access, justifying that an identity document
        be requested from the person concerned.


58. The Restricted Committee considers, however, that once the doubt is removed as to the identity of the
        person, the right of access request must be honored by the controller.


59. Under these conditions, the Restricted Committee considers that the breach of Article 15 of the
        GDPR is made with regard to complaint no. […], although it does not appear from the file that any
        beyond this one-off complaint, the failure had a structural character.






                                                                                                     10 E. On the breach relating to the obligation to respect the right of opposition of
              persons pursuant to Article 21 of the GDPR


60. According to Article 21.2 of the GDPR: “when the personal data are
        processed for prospecting purposes, the data subject has the right to object at any time

        the processing of personal data concerning him for such prospecting purposes,
        including profiling insofar as it is linked to such prospecting”.


61. Firstly, the rapporteur noted that the author of complaint no. […] opposed the
        receipt of prospecting messages from the company on its two mailing addresses
        email, December 11, 2018.


62. The rapporteur considered that the company had not responded satisfactorily to the
        complainant's opposition request, since his opposition request has not been taken into
        account only on January 11, 2020 and for only one of the two email addresses concerned.


63. In response, the company indicated that it had found no trace of this opposition request in
        its systems. It also indicates that it has not found in its database either the

        first e-mail address referred to by the complainant in his request and specifies, with regard to
        the second email address, that it is the author of the complaint himself who has unsubscribed
        newsletters on January 11, 2020.


64. The Restricted Committee considers that, with regard to this first complaint, the elements of the
        debate do not lead to the conclusion of a breach committed by the company.


65. Secondly, the investigation of complaints no. […] received by the CNIL revealed the existence of
        malfunctions of the unsubscribe link at the bottom of prospecting emails
        addressed by the company, resulting from two types of technical problems affecting one or

        another step in the unsubscribe process.

66. First, between November 11, 2018 and January 21, 2019, malfunctions were

        intervened in the transmission of information relating to unsubscriptions between the tool
        to manage the sending of newsletters and the customer repository, which records the information
        whether or not a customer subscribes to newsletters. Thus, during this period, the tool

        management of newsletters was not informed by the customer repository of the creations or updates
        day of contacts and unsubscriptions to associated newsletters made every Sunday
        between midnight and 8 p.m. From then until January 21, 2019, the author of complaint no.

        to receive commercial prospecting messages from the company, despite its request
        of unsubscription formulated on Sunday, November 18, 2018 in the afternoon.


67. Next, another anomaly, also affecting the synchronization of unsubscriptions between
        the customer repository and the tool that manages the sending of newsletters, was identified by the company on
        February 8, 2019. This anomaly explains why the author of complaint no. […] continued to



                                                                                                    11 receive the ACCOR company newsletter between January 2, 2019 and February 8, 2019, despite
        the deletion of its data from the customer repository as of January 1, 2019.


68. The Restricted Committee considers that these two anomalies, which recurred during
        several weeks, are likely to have prevented a significant number of people from
        effectively oppose the receipt of prospecting messages. She notes in this regard that

        it appears from the documents in the file that in 2019, […] million people received at an address
        email validates at least one of the ACCOR group newsletters.

69. In response, the company indicates that it has taken measures to improve the management of requests

        exercise of rights and to prevent anomalies in the consideration of requests
        of opposition.


70. The Restricted Committee takes note of the compliance measures adopted by the company,
        but considers that the company has in the past disregarded its obligations under the provisions
        of article 21.2 of the GDPR, since the aforementioned anomalies have failed to take into account

        account within a reasonable time of requests to object to receiving messages from
        commercial prospecting on the part of the persons concerned.


            F. On the breach of the obligation to ensure the security of data at
            personal character pursuant to Article 32 of the GDPR

71. Rule 32 of the Rules provides:


   “1. Taking into account the state of knowledge, the costs of implementation and the nature,
        scope, context and purposes of the processing as well as the risks, including the degree of
        likelihood and severity varies, for the rights and freedoms of natural persons, the

        responsible for processing and the processor implement the technical measures and
        appropriate organizational measures to ensure a level of security appropriate to the risk, including
        including, among others, as needed:

   a) pseudonymization and encryption of personal data;

   b) means to ensure confidentiality, integrity, availability and resilience
        constants of processing systems and services;

   c) the means to restore the availability of personal data and access to
        these within appropriate timeframes in the event of a physical or technical incident;

   d) a procedure to regularly test, analyze and evaluate the effectiveness of the measures
        technical and organizational measures to ensure the security of the processing […]”.

72. Firstly, the rapporteur notes that, during the on-site inspection of 11 February 2020, the
        delegation noted that the use of a password consisting of eight characters containing

        only two character types (seven capital letters and one special character) allowed
        access the management tool for sending communications to customers.




                                                                                                     1273. The rapporteur considers that, taking into account in particular the volume of personal data
        processed by the “Adobe Campaign” tool, the requirements put in place by the company in terms of
        strength of the passwords are insufficient and do not ensure the security of the

        personal data.

74. In response, the company argues that, given the existence of an additional measure

        security – taking into account that access to the “Adobe Campaign” software is only possible from
        a terminal connected to the ACCOR network – a single level of complexity (lower case or number)
        was missing for the password noted by the delegation to meet the recommendations of

        the CNIL. The company also justifies having reinforced the rules of complexity of the password
        access to the “Adobe Campaign” software, which must now include a minimum of nine
        characters and four levels of complexity.


75. The Restricted Committee considers that the length and complexity of a password remain
        basic criteria to assess its strength. She notes in this regard that
        the need for a strong password is also highlighted by the National Security Agency

        information systems.

76. By way of clarification, the Restricted Committee recalls that to ensure a level of security

        sufficient and meet the strength requirements of passwords, when an authentication
        is based solely on an identifier and a password, the CNIL recommends, in its
        deliberation n° 2017-012 of January 19, 2017, that the password contains at least twelve

        characters - containing at least one uppercase letter, one lowercase letter, one number and one
        special character - or else has at least eight characters - containing three of these four
        character categories - if accompanied by an additional measure such as, for example,

        example, the delay in accessing the account after several failures (temporary suspension of
        access, the duration of which increases as attempts are made), the establishment of a mechanism
        to protect against automated and intensive submissions of attempts

        (like a “captcha”) and/or blocking of the account after several authentication attempts
        unsuccessful.

77. In the present case, the Restricted Committee considers that, with regard to the rules governing their

        composition, the robustness of the passwords accepted by the company for access to the software
        "Adobe Campaign" was too weak, leading to a risk of data compromise at
        personal character it contains.


78. The Restricted Committee notes, however, that the company justifies having increased the level of
        complexity of passwords for connecting to the “Adobe Campaign” software.


79. Consequently, the Restricted Committee considers that the breach relating to the obligation
        to ensure the security of personal data is constituted, but that the company has
        compliance on this point before the close of the investigation.





                                                                                                    1380. Secondly, the rapporteur indicated that when a client's account is suspended in
        reason of a suspicion of fraudulent connection, the customer service invites the person concerned
        to send a copy of his identity document as an email attachment.


81. The rapporteur notes that the conditions under which the copy of the identity document of
        customers whose account has been suspended is transmitted, do not allow to protect themselves against

        its interception by a third party.

82. The Restricted Committee considers that the practice consisting in the transmission of data not
        encrypted by e-mail generates a significant risk for the confidentiality of the

        transmitted data.

83. In this regard, the Restricted Committee recalls that, in its guide on “data security

        personal information", the CNIL recommends as an elementary security precaution the encryption
        data before being recorded on a physical medium or transmitted by
        email. It also recommends ensuring the confidentiality of the password.

        decryption pass by transmitting it through another channel.

84. In view of all of these elements, the Restricted Committee considers that the aforementioned facts
        constitute a breach of Article 32 of the GDPR.


           III. On corrective measures and their publicity

85. Under the terms of III of article 20 of the amended law of 6 January 1978:


        “When the data controller or its processor fails to comply with the obligations
        resulting from Regulation (EU) 2016/679 of April 27, 2016 or from this law, the Chairman of the

        National Commission for Computing and Liberties may also, if necessary after it
        have sent the warning provided for in I of this article or, where applicable, in addition
        of a formal notice provided for in II, seize the restricted formation of the committee with a view to
        pronouncement, after contradictory procedure, of one or more of the following measures: […]


        7° With the exception of cases where the processing is implemented by the State, an administrative fine
        not exceeding 10 million euros or, in the case of a company, 2% of turnover

        annual total for the previous financial year, whichever is greater. In the
        assumptions mentioned in 5 and 6 of article 83 of regulation (EU) 2016/679 of April 27, 2016,
        these ceilings are increased to 20 million euros and 4% of said turnover respectively.

        The Restricted Committee takes into account, in determining the amount of the fine, the
        criteria specified in the same article 83”.


86. Article 83 of the GDPR provides that “Each supervisory authority shall ensure that fines
        administrative measures imposed under this article for violations of this regulation
        referred to in paragraphs 4, 5 and 6 are, in each case, effective, proportionate and




                                                                                                    14 deterrents”, before specifying the elements to be taken into account to decide whether there is
        instead of imposing an administrative fine and to decide on the amount of this fine.


87. In defence, the company argues that a penalty is not necessary given all of the
        of the measures it has taken to remedy the shortcomings noted and considers, in all
        case, that the amount of the administrative fine proposed by the rapporteur is

        disproportionate in view, in particular, of the low seriousness of the breaches, of the measures taken
        to remedy this, to its cooperation with the services of the CNIL and to its financial situation,
        significantly degraded due to the current health crisis. The company also supports

        that the publicity of the sanction decision of the restricted training would have for it
        manifestly disproportionate consequences.


88. As regards the nature and seriousness of the breach, the Restricted Committee first notes the
        number of breaches alleged against the company: carrying out prospecting campaigns
        massive by e-mail without consent of the persons, absence of information

        easily accessible and complete on the processing carried out, difficulties encountered in the
        context of the exercise of their rights by complainants and data security deficiencies. She
        stresses that these shortcomings relate to several fundamental principles of the legislation

        applicable to the protection of personal data and that they constitute a
        substantial interference with the rights of data subjects.


89. The Restricted Committee then noted the particularly large number of people
        concerned by these shortcomings, since in 2019, […] million people received
        on a valid email address at least one of the ACCOR group newsletters.


90. The Restricted Committee holds, finally, that these breaches had direct consequences
        for the persons concerned, as evidenced in particular by the fact that the CNIL was seized
        eleven complaints relating in particular to the right to object to receiving messages from

        business development.

91. Consequently, the Restricted Committee considers that an administrative fine should be imposed

        with regard to the established breaches.

92. With regard to the amount of the fine for breaches of the GDPR, the training

        Restricted recalls that paragraph 3 of Rule 83 of the Rules provides that in the event of
        multiple violations, as is the case here, the total amount of the fine cannot
        exceed the amount set for the most serious breach. Insofar as it is alleged that the

        company a breach of sections 12.1, 12.3, 13, 15.1, 21.2 and 32 of the Regulations, the amount
        maximum fine that can be withheld is 20 million euros or 4% of the turnover
        worldwide annual revenue, whichever is higher.


93. The Restricted Committee notes that the company's turnover amounted to […] euros in
        2021.



                                                                                                    15 94. With regard to the amount of the fine relating to the breach of Article L.34-5 of the CPCE, the
         restricted training is called only with regard to breaches of the provisions finding
         their origin in texts other than the GDPR, as is the case with article L.34-5 of the CPCE

         which transposes the “ePrivacy” directive into domestic law, Article 20, paragraph III, of the law
         "Informatique et Libertés" gives it jurisdiction to pronounce various sanctions,
         in particular an administrative fine, the maximum amount of which may be equivalent to 2% of the

         total worldwide annual turnover for the previous financial year achieved by the head of
         treatment. In addition, the determination of the amount of this fine is also assessed on the basis of
         with regard to the criteria specified in Article 83 of the GDPR.


 95. To assess the proportionality of the fine, the Restricted Committee took into account that
         the company has complied with all of the shortcomings identified and with what

         some of them, in connection with the exercise of the rights of individuals, did not have a
         structural character. It further notes that the company cooperated fully with the CNIL.

 96. The restricted committee also takes into account, in determining the amount of the fine

         pronounced, of the financial situation of the company. In this regard, the company reports a decrease
         of its turnover in 2020 and 2021 compared to 2019. Indeed, the turnover of the
         company amounted to […] in 2019, […] in 2020 and […] in 2021.


 97. Finally, the Restricted Committee takes note of EDPS Decision No. 01/2022 concerning the dispute
         relating to the draft decision of the French supervisory authority concerning Accor SA in

         application of Article 65(1)(a) GDPR. In particular, she notes that the
         EDPS instructed the CNIL to re-examine the elements on which it relied to calculate
         the amount of the fine, in order to ensure that the fine meets the deterrent effect test

         provided for in Article 83(1) of the GDPR.

 98. Therefore, in view of the economic context caused by the Covid-19 health crisis, its

         consequences on the financial situation of the company and the relevant criteria of Article 83,
         paragraph 2 of the GDPR mentioned above, the Restricted Committee considers that the pronouncement
         an administrative fine of 600,000 euros appears justified.


 99. Finally, the Restricted Committee considers that the publication of its sanction decision for a
         duration of two years is justified in view of the plurality of breaches noted, their seriousness
         and the number of people involved.


100. The Restricted Committee specifies that the administrative fine of 600,000 euros against
         ACCOR is liable for up to 100,000 euros for the breach of the provisions

         of article L. 34-5 of the CPCE and up to 500,000 euros for breaches by the company
         the provisions of Articles 12.1, 12.3, 13, 15.1, 21.2 and 32 of the Regulations.







                                                                                                      16 FOR THESE REASONS

The CNIL Restricted Committee, after having deliberated, decides to:
     pronounce against ACCOR SA an administrative fine of one

       amount of €600,000 for all of the shortcomings observed, which
       breaks down as follows:

           o 100,000 (one hundred thousand) euros for the breach by the company of Article L. 34-
              5 of the Post and Electronic Communications Code;

           o 500,000 (five hundred thousand) euros for breaches by the company of the
              Articles 12.1, 12.3, 13, 15.1, 21.2 and 32 of Regulation (EU) 2016/679 of
              European Parliament and of the Council of 27 April 2016.

     make public, on the CNIL website and on the Légifrance website, its deliberation, which
       will no longer identify the company by name at the end of a period of two years from
       of its publication.





                                                       President






                                                    Alexander LINDEN







 This decision may be subject to appeal before the Council of State in a
 two months from its notification.



















                                                                                      17