Accor – €600,000 Fine (France, 2022)

The controller, Accor, is a large, multinational chain that operates hotels in 110 countries. Between December 2018 and September 2019, the French DPA (CNIL) received several complaints concerning the controller's various potential violations of the GDPR. On 24 Feburary 2020, the CNIL conducted an investigation of the controller's website. Users supplied their contact information, including email address, when they registered an account with the controller. The registration process featured a pre-ticked box indicating consent to receive promotional materials. Data subjects subsequently started receiving these promotional materials in their inboxes. They were unable to unsubscribe from direct marketing emails, as various technical glitches prevented the emails' "unsubscribe" button from working. Several million people received these emails at valid addresses, though the CNIL's published decision redacted the exact amount. Additionally, the website did not provide data subjects with information about the controller's contact details, the purposes of processing for the data collected, the legal basis for processing, the period for which the data would be retained, potential transfers, or the right to lodge a complaint under the GDPR, and there was no link to a privacy policy that might contain this information. The CNIL also received one complaint regarding difficulties encountered exercising the right of access to personal banking data processed by the controller. The controller had failed to respond to an access request after locking a data subject's account for suspected fraudulent activity even after data subject verified their identity. Finally, for the controller to access the "Adobe Campaign" account responsible for managing these email communications, a weak password consisting of seven capital letters and one special character was required, although access was only possible from a terminal connected to the ACCOR network. Ten other supervisory author