GDPR sanction to a major hotel group

The group was sanctioned (i) for having carried out commercial prospecting without the consent of the individuals concerned, (ii) for not having respected the rights of customers and prospects and (iii) for having carried out such commercial prospecting in many countries in the EU. 

The CNIL especially took account of:

• the number of alleged breaches by the company, 
• the fact that these breaches concerned several fundamental principles of personal data protection and that they constituted a substantial infringement of individuals' rights, 
• the number of individuals concerned and;
• the financial situation of the company.

Considering the fact that the group had brought itself into compliance on several points, the CNIL submitted a draft decision to the foreign data protection authorities concerned, before issuing its final decision. As one of these authorities disagreed with the draft decision, the matter was referred to the European Data Protection Board (EDPB). The Board has ordered the CNIL to reconsider and increase the amount of the fine, so that the measure taken would be more dissuasive.

This is the first time that a cooperated sanction across every EU Data Protection authority has been implemented.