Accor SA, which runs various well-known hotel franchises, was sanctioned by the CNIL, the French data protection authority, for GDPR breaches linked to its email marketing practices in France and other EU Member States.
The full text of the decision, now available (in French) on the CNIL’s website, gives companies a number of pointers on GDPR compliance in practice, including in the areas discussed below.
Exemption from consent for existing customers:
Under Article L.34-5 of the French Postal and Electronic Communications Code (CPCE), direct e-mail marketing requires the prior consent of the recipient. However, there is a possible exception for existing customers.
Under this, customers’ prior consent to marketing is not required if (i) their contact details were collected from them at the moment of a sale or provision of service, and (ii) the marketing communications concern similar products or services provided by the same organisation.
In the Accor case, the messages were sent by Accor SA to existing customers but contained promotional offers from third parties, such as airlines and car park providers.
Consequently, the CNIL held that Accor could not rely on the exemption under CPCE Article L.34-5 and had therefore breached the law by not collecting prior consent.
Creation of an online account and pre-checked boxes:
The CNIL found that Accor had breached CPCE Article L.34-5 by sending marketing emails to website users who created an online account without making a booking.
In such cases, the CNIL considered that, since no actual booking had been made, Accor could not rely on the exemption from consent for existing customers.
In addition, the CNIL pointed out that users who created an online account were provided with a marketing consent box which was pre-checked by default, which did not constitute valid consent.
Transparency of information:
Under GDPR Articles 12 and 13, organisations must provide individuals with information about their data processing “in a concise, transparent, intelligible and easily accessible form, using clear and plain language”.
The CNIL found that the way in which Accor provided this information to users breached the requirement for it to be “easily accessible”.
Access right and proof of identity:
The CNIL’s deliberation also contains clarifications about individuals’ right of access to their personal data and their right to object.
In particular, the CNIL held that, where there is reasonable doubt about an individual’s identity because of a possible fraudulent login to that person’s online account, an organisation can justify requesting a copy of an identity document.
Nevertheless, the CNIL added that once proof of identity has been provided, the organisation is obliged to honour the request, which Accor had failed to do.
Right to object and unsubscribe links:
The CNIL further held that Accor had breached GDPR Article 21 because of technical malfunctions in the “unsubscribe” links in its marketing emails, which meant that some individuals continued to receive marketing communications despite attempting to opt out.
This part of the decision underlines the importance for organisations of checking regularly that their unsubscribe links actually work.
Data security:
The Accor decision also provides useful insights into the CNIL’s expectations in respect of data security.
The CNIL held that the passwords used by Accor to access its campaign management software were not strong enough, in view of the number of individuals whose data was processed.
In one case, the software could be accessed using a password of eight characters drawn from only two character types (seven uppercase letters and one special character).
The CNIL emphasised that the length and complexity of a password remain the basic criteria for assessing its strength. It cited its 2017 recommendation that passwords contain either at least twelve characters, including at least one uppercase letter, one lowercase letter, one digit and one special character, or at least eight characters drawing on three of these four categories, the latter only if complementary security measures are in place (such as automatically locking an account after a set number of unsuccessful login attempts).
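As an added illustration, not part of the decision and not Accor’s own code, the following Python check encodes the two tiers of the CNIL’s 2017 recommendation as the decision summarises them, and applies them to a few constructed sample passwords, one of which mirrors the eight-character, two-category pattern the CNIL criticised. The reading of “special character” as any non-alphanumeric, non-whitespace character is an assumption; the decision does not define the term.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordCheck:
    """Result of applying the policy to one password."""
    password_length: int
    categories: int
    accepted: bool
    reason: str


def character_categories(password: str) -> int:
    """Count how many of the four categories named by the CNIL (lowercase,
    uppercase, digit, special) the password draws on. 'Special' is taken here
    to mean any non-alphanumeric, non-whitespace character (assumption: the
    decision does not define the term)."""
    present = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() and not c.isspace() for c in password),
    )
    return sum(present)


def check_password(password: str, lockout_enabled: bool) -> PasswordCheck:
    """Apply the two tiers of the CNIL 2017 recommendation as summarised in the
    decision:
      - 12+ characters drawing on all four categories, or
      - 8+ characters drawing on at least three categories, but only when a
        complementary measure (here: lockout after repeated failed logins) is
        in place.
    Anything else is rejected with a reason the operator can act on."""
    length = len(password)
    cats = character_categories(password)
    if length >= 12 and cats == 4:
        return PasswordCheck(length, cats, True, "12+ characters, all four categories")
    if lockout_enabled and length >= 8 and cats >= 3:
        return PasswordCheck(length, cats, True,
                             "8+ characters, 3+ categories, account lockout in place")
    if length < 8:
        reason = "shorter than 8 characters"
    elif cats < 3:
        reason = f"only {cats} character categor{'y' if cats == 1 else 'ies'}"
    else:
        # 8+ characters with 3+ categories, but no lockout and not the
        # 12-character / four-category tier.
        reason = ("8+ characters need a complementary measure such as account "
                  "lockout unless the password has 12+ characters and all four categories")
    return PasswordCheck(length, cats, False, reason)


# Constructed sample passwords (not real credentials). The first mirrors the
# pattern the decision describes: seven uppercase letters plus one special
# character, i.e. eight characters from only two categories.
SAMPLE_PASSWORDS = [
    "HOTELPW!",           # 8 chars, 2 categories: rejected even with lockout
    "Tr0ub4d!",           # 8 chars, 4 categories: accepted only with lockout
    "Tr0ub4dor&3x",       # 12 chars, 4 categories: accepted unconditionally
    "passwordpassword",   # long but a single category: rejected
]


def audit(passwords, lockout_enabled: bool) -> dict:
    """Run the policy over a list of passwords, keyed by password."""
    return {p: check_password(p, lockout_enabled) for p in passwords}


if __name__ == "__main__":
    for pw, result in audit(SAMPLE_PASSWORDS, lockout_enabled=True).items():
        verdict = "OK " if result.accepted else "BAD"
        print(f"{verdict} {pw!r:20} len={result.password_length:2} "
              f"cats={result.categories} ({result.reason})")
```

The point of the second tier is that the shorter password is only acceptable together with a control that limits online guessing; if the lockout is later disabled on the campaign tool, the same eight-character password silently drops below the recommended bar, which is why the check takes the lockout state as an explicit input rather than assuming it.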
The CNIL further held that Accor was in breach of GDPR security requirements because it had asked a customer to send an unencrypted copy of his identity document by e-mail.
The regulator stated that this presented a major risk of breach of confidentiality.
Cooperation between European data protection authorities:
In the Accor case, six complaints were addressed to the CNIL directly, while similar complaints were received by the supervisory authorities of Saarland, Spain, Ireland, Poland and Lower Saxony and forwarded to the CNIL as lead supervisory authority.
This decision therefore illustrates the cooperation established between European data protection authorities in cases involving cross-border processing. This may be the case when data processing is carried out by a company with establishments in different EU Member States or where processing significantly affects individuals from at least two Member States.