GDPR sanction to a major hotel group

The CNIL (the French Data Protection Authority), has issued a fine of 600,000 euros to a major hotel group.

The group was sanctioned (i) for having carried out commercial prospecting without the consent of the individuals concerned, (ii) for not having respected the rights of customers and prospects and (iii) for having carried out such commercial prospecting in many countries in the EU. 

The CNIL especially took account of:

  • the number of alleged breaches by the company, 
  • the fact that these breaches concerned several fundamental principles of personal data protection and that they constituted a substantial infringement of individuals' rights, 
  • the number of individuals concerned and;
  • the financial situation of the company.

Considering the fact that the group had brought itself into compliance on several points, the CNIL submitted a draft decision to the foreign data protection authorities concerned, before issuing its final decision. As one of these authorities disagreed with the draft decision, the matter was referred to the European Data Protection Board (EDPB). The Board has ordered the CNIL to reconsider and increase the amount of the fine, so that the measure taken would be more dissuasive.

This is the first time that a cooperated sanction across every EU Data Protection authority has been implemented.

Latest insights

More Insights
multicoloured curiosity line on blue background

Clarifying the law on pre-action production in Singapore under the new Rules of Court: Gillingham James Ian v Fearless Legends Pte Ltd and others [2023] SGHCR 13

Sep 22 2023

Read More
Selfie Stick

Polish regulator zeros in on influencers – 2022-2023 developments in a nutshell

Sep 22 2023

Read More

Prohibition of the use of the green dot in France has been cancelled

Sep 22 2023

Read More

Related capabilities