12 September 2022
Commercial prospecting and data protection: French data protection authority (CNIL) fines ACCOR 600,000 euros
Author:
jcnicollet
In a decision dated 3 August 2022, the CNIL's restricted committee ordered ACCOR SA to pay a fine of 600,000 euros and to have the decision published on the CNIL's website and on Légifrance for breaches of the rules on commercial prospecting.
The forbidden combination: a consent box pre-checked by default, commercial offers from partners, and no working way to exercise the right to object.
ACCOR is a hotel group that processes data across borders.
The company is accused of unlawfully processing data for prospecting purposes. When a person made a reservation with hotel staff or via the website of one of the ACCOR group's brands, the box for consenting to the newsletter was pre-checked by default, and the person automatically received a newsletter containing commercial offers from partners.
It is also accused of technical anomalies, recurring over several weeks, that made it impossible for a significant number of people to effectively object to receiving prospecting messages.
As is often the case, complaints from dissatisfied consumers are the reason for the CNIL’s inspection.
The CNIL received complaints directly, took the lead as the competent authority and also collected the complaints received by other supervisory authorities under the cooperation procedure the GDPR provides for this purpose.
The CNIL then began its investigation of ACCOR in February 2019 with an exchange of letters, followed by an on-site inspection and then a report detailing the failures to be corrected.
The failures detected are related to the rules of consent, information and exercise of rights in the context of prospecting.
The CNIL found ACCOR in breach of the following obligations:
the obligation to obtain the consent of the person concerned before processing his or her data for commercial prospecting purposes (Article L. 34-5 of the French Post and Electronic Communications Code);
the obligation to inform the person (Articles 12 and 13 of the GDPR): the company did not provide the required information in an accessible way when a customer account was created or when a person joined the ACCOR group's loyalty programme. Nor did it state consent as the legal basis of the processing for prospecting that promotes the products or services of third parties;
the obligation to respect the right of access of individuals to data concerning them (Articles 12 and 15 of the GDPR), as the company did not respond to a complainant's requests within the required time;
the obligation to respect the right to object of the persons concerned (Articles 12 and 21 of the GDPR), as the company, owing to malfunctions, did not act on a complainant's requests that no further commercial prospecting messages be sent;
the obligation to ensure the security of personal data (Article 32 of the GDPR), as the company allowed insufficiently robust passwords. The CNIL also criticised the company for inviting a person to send his or her identity document by e-mail without the data being encrypted.
How to avoid this?
=> Apply 2 rules for commercial prospecting, and know the exact scope of the exception to rule 2.
1. Prior information of the persons concerned
Information on the processing and on the rights of the person
Simple way to object (unsubscribe link – contact)
2. Prior consent of the persons concerned
Free, specific, informed and unambiguous consent
Prohibition of boxes pre-checked by default: a positive action by the person concerned is required (the box must be unchecked by default)
Exception if the situation meets 2 cumulative conditions:
The prospect is already a client* of the company
+
The prospecting concerns similar products/services provided by the same company
* Please note that this exception only applies if a sale or a service has actually taken place; merely creating an account is not a sale or a service. Even under the exception, the person must be able to object, simply and free of charge, when the data is collected and in each message sent.
=> Implement a procedure for handling data-subject requests that is well understood and actually applied within the organisation
2 things to know:
Consumers are over-solicited and annoyed by the prospecting and use of their data
Most of the CNIL’s controls are prompted by complaints from individuals.
With this in mind, the importance of allowing people to exercise their rights promptly and clearly cannot be overstated: being heard and respected immediately defuses most conflicts.
This presupposes an internal procedure for responding to data-subject requests that is clear, well understood and applied.
So… make your teams aware!
The TAoMA Data protection team
Contact-us to comply or to organize training or awareness workshops.
To read the CNIL’s decision (in French), click here.
20 June 2019
The CNIL confirms its power to impose sanctions without formal notice: SERGIC sentenced to 400,000 euros for serious breach of their security obligation
At the end of April, the Conseil d'État (the French administrative supreme court) confirmed that the CNIL (the French data protection authority) may sanction violations of personal data security rules without first issuing a formal notice intended to give the offender the opportunity to correct its conduct (see our news item on the OPTICAL CENTER case below).
In its decision of 28 May 2019, the supervisory authority confirmed its willingness to exercise this power.
The company concerned is SERGIC, a company specialising in real estate, which had been the subject of a complaint by a user surprised that simply changing a number in a URL on the company's website gave access to the files and supporting documents of other rental applicants.
An audit in September 2018 revealed a flagrant breach of data security in terms of the volume of data involved and the duration of the breach. CNIL agents were able to download more than 9,000 documents including “copies of identity cards, health cards, tax notices, death certificates, marriage certificates, social security affiliation certificates, certificates issued by the family allowance fund, disability pension certificates, divorce judgments, account statements, bank statements and rent receipts”.
In addition, despite an earlier report, the lack of protection persisted for more than 6 months before measures were taken to end it.
Finally, the breach is aggravated by the fact that, by the company's own admission, the data of rental applicants were not deleted once their file was closed and the application accepted or rejected.
In its decision of 28 May, the CNIL therefore found a breach of Article 32(1) of the GDPR, which requires appropriate security measures. It stresses the duration of the breach, the large number of people affected and the sensitive and intimate nature of the data left unprotected.
The CNIL also found a violation of Article 5(1)(e) of the Regulation on the proportionality of retention periods: for the supervisory authority, the company aggravated its case by keeping, well beyond the original purpose, the data of applicants who did not obtain a lease, which should have been deleted as soon as their file was closed.
In view of the seriousness of these breaches and the company's lack of diligence in dealing with them, the CNIL ordered the company to pay a fine of 400,000 euros and to publish the sanction, without prior formal notice and therefore without allowing SERGIC to correct the errors before the sanction was decided.
On this point, the CNIL notes in its decision that a formal notice is in no way made mandatory by the 1978 Data Protection Act, which governs its action; the decision thus follows on from the OPTICAL CENTER case.
The CNIL's message is clear: no second chance for serious violations; vigilance from data controllers is required at the highest level.
Read the decision (in French)
14 June 2019
French Supervisory authority sanctions: no obligation of prior formal notice confirmed by the Administrative Supreme Court
In a decision of 17 April 2019, the French supreme administrative court refused to overturn the sanction imposed by the CNIL (the French data protection authority) on the OPTICAL CENTER company on the grounds that it had not been preceded by a formal notice allowing the company to correct the problems.
In 2017, a CNIL investigation opened following several complaints about OPTICAL CENTER revealed that simply entering URLs in a browser gave access to many invoices and purchase orders of the company's customers, because access was not restricted to users logged into their personal account.
The CNIL then decided to impose a fine of 250,000 euros for this serious security breach, which violated Article 34 of the French Data Protection Act [1], without any formal notice allowing the company to correct the errors, and even though the company had already taken the measures needed to fix the problem.
The decision was referred to the Conseil d'État which, in its judgment of 17 April 2019, upheld it and recalled that a formal notice is not a mandatory step before imposing sanctions: Article 45 of the law of 6 January 1978 provides that "where the breach found cannot be brought into conformity in the context of a formal notice, the restricted committee may pronounce, without prior notice and after an adversarial procedure, the sanctions provided for".
The Conseil d'État concludes from this that the CNIL may skip the formal-notice stage when it is clearly pointless: either when the breach cannot be remedied or, as in this case, when it has already been remedied.
However, the Conseil d'État reduced OPTICAL CENTER's penalty, ruling that the CNIL, by not taking into account the company's promptness in responding to its requests, had imposed a disproportionate penalty; the fine was therefore reduced to 200,000 euros.
Read the full decision here (in French)
[1] Loi n° 78-17 du 6 janvier 1978 relative à l’informatique, aux fichiers et aux libertés
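The SERGIC and OPTICAL CENTER cases above both turn on the same application-level defect, an insecure direct object reference: the server hands out a file for whatever identifier appears in the URL without checking that the requester is entitled to it. The Python below is an added illustration, not code from either company or from the CNIL decisions; the in-memory store, user names and documents are constructed for the example. It shows the vulnerable download path beside a hardened one that authenticates the caller and checks ownership, and adds a retention purge for the Article 5(1)(e) point about deleting closed application files.

```python
"""Added example: an IDOR of the kind described in the SERGIC and OPTICAL
CENTER cases, beside a hardened handler and a retention purge.  The store,
users and documents are constructed for this illustration."""
import secrets
from datetime import date, timedelta


class NotFound(Exception):
    """Raised for 'does not exist' and 'not yours' alike, so a caller
    probing identifiers cannot tell the two cases apart."""


class DocumentStore:
    def __init__(self, predictable_ids=False):
        self._docs = {}                 # doc_id -> record
        self._seq = 0                   # counter used only for predictable ids
        self.predictable_ids = predictable_ids

    def upload(self, owner, filename, body):
        if self.predictable_ids:
            self._seq += 1
            doc_id = str(self._seq)     # /docs/1, /docs/2, ...: trivial to walk
        else:
            doc_id = secrets.token_urlsafe(16)  # 128 random bits: defence in depth only
        self._docs[doc_id] = {"owner": owner, "filename": filename,
                              "body": body, "closed_on": None}
        return doc_id

    # Vulnerable handler: trusts the id in the URL and never asks who is calling.
    def download_vulnerable(self, doc_id):
        return self._docs[doc_id]["body"]

    # Hardened handler: requires an authenticated requester and checks ownership.
    def download(self, requester, doc_id):
        if requester is None:
            raise NotFound(doc_id)      # anonymous callers get nothing
        rec = self._docs.get(doc_id)
        if rec is None or rec["owner"] != requester:
            raise NotFound(doc_id)      # same answer for missing and foreign documents
        return rec["body"]

    # Retention, Art. 5(1)(e): mark a file closed, then purge after a grace period.
    def close_file(self, owner, closed_on):
        for rec in self._docs.values():
            if rec["owner"] == owner:
                rec["closed_on"] = closed_on

    def purge_closed(self, today, grace_days=30):
        stale = [i for i, r in self._docs.items()
                 if r["closed_on"] is not None
                 and r["closed_on"] + timedelta(days=grace_days) <= today]
        for i in stale:
            del self._docs[i]
        return len(stale)


def enumerate_vulnerable(store, max_id):
    """What the complainant did: change the number in the URL and collect."""
    leaked = []
    for i in range(1, max_id + 1):
        try:
            leaked.append(store.download_vulnerable(str(i)))
        except KeyError:
            pass
    return leaked


def demo():
    store = DocumentStore(predictable_ids=True)
    store.upload("alice", "id_card.pdf", b"ALICE-ID")
    store.upload("bob", "tax_notice.pdf", b"BOB-TAX")

    leaked = enumerate_vulnerable(store, 10)      # both documents, no credentials needed

    mine = store.download("alice", "1")           # alice reads her own file
    try:
        store.download("alice", "2")              # alice tries bob's file
        cross = True
    except NotFound:
        cross = False
    try:
        store.download(None, "1")                 # anonymous request
        anon = True
    except NotFound:
        anon = False

    store.close_file("bob", date(2019, 1, 1))
    purged = store.purge_closed(date(2019, 3, 1)) # bob's closed file is deleted
    return len(leaked), mine, cross, anon, purged, len(store._docs)


if __name__ == "__main__":
    print(demo())   # (2, b'ALICE-ID', False, False, 1, 1)
```

Two design points: the hardened path returns the same "not found" for a missing document and for someone else's document, so a caller walking identifiers learns nothing from the difference; and random identifiers are generated only as defence in depth, since an unguessable URL is not an authorization check. The ownership check is the actual fix, and the purge is what the CNIL expected SERGIC to run once an application file was closed.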
9 May 2019
Google negative reviews: Free Speech vs Data Protection
Author:
teamtaomanews
On 12 April 2019, the judge of summary proceedings in Paris rejected a request to delete a dentist's "Google My Business" page and the negative reviews patients had posted on it. These pages are shown in Google Maps to users searching for any registered entity, from museums and shops to law firms and gyms.
The dentist argued that the page and its content amounted to unlawful processing of her personal data and a manifestly unlawful disturbance.
Although the judge first confirmed that the data identifying a liberal professional is indeed personal data, he refused to order removal of the page. He also held that the only company liable in this case was Google LLC, as opposed to Google France, which does not operate the "My Business" service and therefore cannot be regarded as the data controller within the meaning of the European General Data Protection Regulation (GDPR).
This solution appears to contradict an earlier order from the same court, which ordered the deletion of another dentist's "My Business" listing for the sole reason that he had expressed his wish to have it removed and had thus withdrawn his consent[1]. It does indeed seem questionable that a professional's personal data could be freely processed by a third party with no other justification than their availability in business directories.
As for patients' reviews of the dentist's services, the court ruled that "the consumer's legitimate interest in being informed" allowed Google to link comments to a doctor's identity, and that any abuse of free speech should have been argued on legal grounds other than those invoked by the claimant: the Press Act of 1881 ("loi du 29 juillet 1881 sur la presse") for defamation or insult[2], and Article 1240 of the French Civil Code for disparagement.
The plain and simple removal of the page on which the comments were published, on the basis of the 1978 French Data Protection Act ("Loi Informatique et Libertés du 6 janvier 1978"), would be a disproportionate interference with freedom of speech, at least when ordered by a judge of summary proceedings.
[1]TGI de Paris, summary proceeding order of April 6, 2018
[2]Further readings (in French)