Voyageurs du Monde breaking the law "to better serve its customers"? What a CRM can store, and for how long

Publié le 12 juin 2026 à 15:00 par Magazine En-Contact

Can a company use its CRM to retain customer data longer than the law allows? France's data protection authority (CNIL) says no, and is threatening Jean-François Rial's company with a fine that could reach 1.8 million euros. The travel company's management argues, among other things, that retaining the memory of commercial relationships is useful to them. Quite a topic.

Voyageurs Journal by Voyageurs du Monde © Voyageurs du Monde

Trips averaging $18,500 per passenger

The well-known travel agency, positioned in the premium and personalized travel segment, allegedly violated the law on customer data retention periods in order to better personalize its offers and quotes, according to Alain Capestan, co-founder and CEO. Given the low frequency of travel purchases, it's understandable that the company wants to retain customer data for as long as possible.

On Thursday, June 4, the rapporteur for France's National Commission on Informatics and Liberty (CNIL) requested a 1.8 million euro fine against travel company Voyageurs du Monde for several violations of customer data protection rules. ALVDM stock dropped 8%, and is down 17% since the start of 2026.

The CNIL investigation was triggered following the disclosure of a 2023 data breach affecting 8,000 Voyageurs du Monde customers.

Five violations, one contested

"During the inspection, five violations were identified," the CNIL rapporteur stated during a hearing before the restricted committee. "While the company complied with recommendations for four of them, it is contesting one," the rapporteur explained, referring to the data retention period.

"Customer return rates are critical to our profitability," argues Alain Capestan, CEO of Voyageurs du Monde. Hence the need to retain customer data longer than the five years required by the CNIL, according to representatives of the bespoke travel specialist.

According to Jean-François Rial, contacted by our team, the law is not very clear on this retention period, which must be "reasonable." "The CNIL proposes three years, and we propose seven, with different durations depending on the type of trip purchased. That's what's currently under discussion and may be accepted."

What the regulations and GDPR say

The CNIL recommends that personal data of customers and prospects not be retained for more than three years. This timeframe stems from the simplified standard NS-056, which is no longer technically valid since GDPR came into effect, but whose retention periods are still recommended by the CNIL.

GDPR, for its part, does not provide a clear-cut answer on data retention and processing periods, but offers recommendations based on specific situations.

Voyageurs du Monde wants to keep the data

"Our customers pay an average of $18,500 for our personalized trips. They expect us to remember their profiles when they return, even several years later," argues Alain Capestan. According to the rapporteur, "the reasons given are not sufficient" to justify a ten-year retention period, which has "never been accepted for any customer file data."

The CNIL's decision is expected to be issued at an unspecified later date.

Numerous cyberattacks in the travel industry

Last year, the CNIL recorded 6,167 data breach notifications, a 9.5% increase from 2024 and its highest level ever, according to its 2025 report.

Several tourism groups, including Pierre & Vacances and Belambra, have been victims of cyberattacks in recent weeks. According to cybersecurity experts, the travel and hospitality sector is particularly attractive to cybercriminals, notably due to the growing number of partners and booking systems involved.