France
FREE
15,000,000 €
GDPR enforcement action by French Data Protection Authority (CNIL) on 2026-01-08.
Rank · Sector
#25
of 369 in Media, Telecoms and Broadcasting
Rank · France
#12
of 74
Rank · All fines
#39
of 3,050
Case details
- Authority
- French Data Protection Authority (CNIL)
- Date
- 2026-01-08
- Controller / Processor
- FREE
- Sector
- Media, Telecoms and Broadcasting
- Quoted Articles
- Art. 32 GDPR, Art. 34 GDPR
- Type of violation
- Insufficient technical and organisational measures to ensure information security
Summary
The French DPA has imposed a fine of EUR 15,000,000 on FREE. The controller suffered a data breach due to insufficient technical and organisational measures. This was caused by using an inadequate authentication procedure to connect to their VPN for remote working. Additionally, the controller failed to adequately inform the affected data subjects due to necessary information being missing from the information email.
Open original source
Links to the regulator's original publication or another source.
Related fines
France
2025-09-01
200,000,000 €
ETid-2862
GOOGLE LLC
Media, Telecoms and Broadcasting
France
2025-09-01
150,000,000 €
ETid-2864
INFINITE STYLES SERVICES CO. LIMITED
Industry and Commerce
France
2025-09-01
125,000,000 €
ETid-2863
GOOGLE IRELAND LIMITED
Media, Telecoms and Broadcasting
France
2021-12-31
90,000,000 €
ETid-978
Google LLC
Media, Telecoms and Broadcasting
France
2021-12-31
60,000,000 €
ETid-979
Google Ireland Ltd.
Media, Telecoms and Broadcasting
France
2021-12-31
60,000,000 €
ETid-980
Facebook Ireland Ltd.
Media, Telecoms and Broadcasting