It is forbidden to automatically sign someone up to a newsletter with commercial offers. The French DPA (CNIL) underlined this on August 17, 2022 by imposing a penalty of 600 000 euros on the hotel group Accor.
The hotel group Accor was sanctioned for carrying out commercial prospecting without the consent of the persons concerned. The investigation revealed that when a person booked a hotel room directly with Accor staff or on the website, they were automatically registered to receive the firm’s newsletter, including partner offers.
Articles 12 and 13 of the GDPR require the data controller to inform individuals about the collection and processing of their personal data.
Since then, the group has remedied all the breaches identified, which concerned several European countries.
The CNIL also noted other breaches, such as the failure to respect the right to object and the right of access to personal data. In addition, the process of unsubscribing from the newsletter suffered from several malfunctions.
According to the regulator, these problems lasted long enough and « are likely to have prevented a significant number of people from effectively objecting to receiving marketing messages ».
In assessing the amount of the fine, the French regulator says:
« Having taken into account the number of breaches of which the company is accused, the fact that these breaches relate to several fundamental principles of personal data protection and constitute a substantial infringement of the rights of individuals, as well as the number of individuals affected and the financial situation of the company. »
The initial amount of the fine envisaged by the CNIL was much lower, €100,000. Following objections raised in the framework of the European cooperation procedure for this case, the European Data Protection Committee (EDPS) asked the CNIL to reassess this amount so that it would have a real dissuasive effect, in accordance with Article 83 of the GDPR.
By Mélissa Walehiane