GDPR, Apr 29, 2026

CNIL (France) - SAN-2025-014

CNIL fines Mobius Solutions €1M for data retention, unauthorized processing, and record-keeping failures.

Summary

France's CNIL issued a €1,000,000 fine to Mobius Solutions Ltd on December 11, 2025, for violations stemming from a Deezer data breach affecting ~46.9 million users globally. The processor failed to delete user data after contract termination, used retained data for its own system development contrary to contractual terms, and failed to maintain processing records—breaching GDPR Articles 28, 29, and 30.

Full text

From GDPRhub. Latest revision as of 09:31, 29 April 2026.

CNIL - SAN-2025-014

Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 28 GDPR, Article 29 GDPR, Article 30 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 11.12.2025
Published:
Fine: 1,000,000 EUR
Parties: Mobius Solutions Ltd
National Case Number/Name: SAN-2025-014
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: Legifrance (in FR)
Initial Contributor: dt

The DPA fined a processor €1,000,000 for failing to delete the personal data of users, processing the data for purposes contrary to contract stipulations, and for failing to keep a record of its processing activities.

English Summary

Facts

DEEZER (the controller) notified the French DPA (CNIL) of a data breach affecting approximately 46,900,000 users worldwide, out of which 21,574,775 users were located in the European Union and 9,849,354 users were from France. The controller identified Mobius Solutions Ltd (the processor) as the likely source of the data breach. The DPA launched an investigation into the processor.

Holding

Firstly, the DPA found that the processor should have deleted the users' data at the end of the contractual relationship with the controller. Because it failed to do so, even if the data were retained as a result of an unauthorised copy created by its employees, the DPA found a violation of Article 28(3)(g) GDPR.

Secondly, the DPA found that the processor used the data for the development and testing of its own system, contrary to the contract stipulations between the processor and the controller. Therefore, the DPA found that the processing fell outside the limits of the contract, constituting a breach of Article 29 GDPR.

Finally, the DPA found the processor in breach of Article 30 GDPR by failing to keep a record of the processing activities it carried out and by failing to provide the name and contact details of the data protection officer of the controller.

Therefore, the DPA fined the processor €1,000,000 for violations of Article 28 GDPR, Article 29 GDPR, and Article 30 GDPR.

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Decision SAN-2025-014 of December 11, 2025

National Commission for Information Technology and Civil Liberties (CNIL)
Nature of the decision: Sanction
Legal status: In force
Date of publication on Légifrance: Friday, December 19, 2025

Decision of the restricted panel No. SAN-2025-014 of December 11, 2025 concerning the company MOBIUS SOLUTIONS LTD

The National Commission for Information Technology and Civil Liberties (CNIL), meeting in its restricted panel composed of Mr. Philippe-Pierre CABOURDIN, Chairman, Mr. Vincent LESCLOUS, Vice-Chairman, Ms. Laurence FRANCESCHINI, Ms. Isabelle LATOURNARIE-WILLEMS, and Mr. Didier KLING, Members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data;

Having regard to Law No. 78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties, in particular Articles 20 et seq.;

Having regard to Decree No. 2019-536 of 29 May 2019 implementing Law No. 78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties;

Having regard to Decision No. 2013-175 of 4 July 2013 adopting the Rules of Procedure of the National Commission for Information Technology and Civil Liberties;

Having regard to Constitutional Council Decision No. 2025-1154 QPC of August 8, 2025;

Having regard to Decision No. 2023-206C of September 25, 2023, by the Chair of the National Commission for Information Technology and Civil Liberties (CNIL) instructing the Secretary General to conduct or have conducted an audit;

Having regard to the decision of the Chair of the National Commission for Information Technology and Civil Liberties (CNIL) appointing a rapporteur to the restricted panel on April 30, 2025;

Having regard to the report of Mr. Claude CASTELLUCCIA, Rapporteur Commissioner, notified to the company on June 13, 2025;

Having regard to the written observations of MOBIUS SOLUTIONS LTD received on July 29, 2025, after the company had been granted an additional fifteen days to respond;

Having regard to the rapporteur's response notified to MOBIUS SOLUTIONS LTD on August 8, 2025;

Having regard to the written observations of MOBIUS SOLUTIONS LTD received on September 23, 2025;

Having regard to the closure of the investigation notified to MOBIUS SOLUTIONS LTD on October 13, 2025;

Having regard to the request for postponement of the hearing submitted by the company on October 16, 2025, and the response to this request sent by the chairman of the restricted panel to the company on October 23, 2025;

Having regard to the oral observations made during the hearing of the restricted panel on November 27, 2025;

Having regard to the other documents in the file,

The following were present at the hearing of the restricted panel on November 27, 2025:

- Mr. Claude CASTELLUCCIA, Commissioner, who presented his report;
- As representatives of MOBIUS SOLUTIONS LTD:
  - [...]

MOBIUS SOLUTIONS LTD, having been informed of its right to remain silent regarding the allegations against it and having been given the last word;

After deliberation, the restricted panel adopted the following decision:

I. Facts and Procedure

1. Founded in February 2009, MOBIUS SOLUTIONS LTD, trading as "Optimove," is an Israeli company located at Adgar 360 Tower 2, Hashlosha Street, 33rd Floor, Tel Aviv (6706054 – Israel).

2. The company's business is the development of marketing tools. In 2023 and 2024, it reported revenues in US dollars of [...] and [...] dollars respectively, or approximately [...] euros and [...] euros respectively. The company reported employing 238 people in 2023.

3. The company developed and markets the Optimove SaaS system, which allows its clients to create and execute personalized marketing campaigns for their own customers by integrating their data into the system. As part of this service, the company hosts its clients' data.

4. In addition to providing its online Optimove SaaS system, the company analyzes its clients' data, converts it into its own formats, and segments it to enable its clients to optimize their marketing campaigns for their own customers.

5. On November 10, 2022, the French Data Protection Authority (CNIL) received a notification of a personal data breach from Deezer, which reportedly affected several million users of the platform worldwide.

6. This notification identified MOBIUS SOLUTIONS LTD, a former subcontractor of DEEZER that provided its "Optimove" solution, as the likely source of the data breach.

7. On January 31, 2023, DEEZER submitted a supplementary data breach notification to the CNIL, confirming that, according to its analysis, the origin of the data breach most likely lay within the systems of MOBIUS SOLUTIONS LTD.

8. On October 23, 2023, pursuant to Decision No. 2023-206C of the President of the Commission dated September 25,

Entities

Mobius Solutions Ltd (vendor)
Deezer (vendor)
CNIL (vendor)