Accor fined $600K under GDPR after EDPB intervention


French hotel chain Accor had its initial fine for cross-border data privacy violations increased sixfold after one data regulator involved in the decision-making process complained an original penalty of 100,000 euros (U.S. $99,900) was too low.

The company, which owns hotel chains Novotel, Ibis, and Mercure, now faces a fine of €600,000 (U.S. $599,000) after the European Data Protection Board (EDPB), the European Union’s overarching regulator for infringements of the General Data Protection Regulation (GDPR), was forced to intervene following a lack of agreement between France’s CNIL and the Polish data protection authority (DPA).

The ruling, published Aug. 17, marks the second time the EDPB has substantially increased a fine in a cross-border case. In December 2020, the regulator played part in raising the Irish Data Protection Commission’s original suggested GDPR fine against Twitter from between €135,000 and €275,000 to €450,000 (then-U.S. $547,000).

lock iconTHIS IS MEMBERS-ONLY CONTENT. To continue reading, choose one of the options below.