Company
3,500,000 €
GDPR enforcement action by French Data Protection Authority (CNIL) on 2025-12-30.
Rank · Sector: #14 of 597 in Industry and Commerce
Rank · France: #16 of 74
Rank · All fines: #94 of 3,050
Case details
- Authority: French Data Protection Authority (CNIL)
- Date: 2025-12-30
- Controller / Processor: Company
- Sector: Industry and Commerce
- Quoted Articles: Art. 6 (1) a) GDPR, Art. 13 GDPR, Art. 32 GDPR, Art. 35 GDPR
- Type of violation: Non-compliance with general data processing principles
Summary
The French DPA has imposed a fine of EUR 3,500,000 on a company. The controller operated a loyalty program in France and 16 other EU countries and transferred customer data obtained through the program to a third party for marketing purposes. The controller had no sufficient legal basis for this transfer and also failed to inform the data subjects. Furthermore, the controller used an inadequate method to store passwords. Finally, the controller failed to conduct a data protection impact assessment, which would have been mandatory given the amount of data being processed and the cross-referencing of data.
Related fines
- France · 2025-09-01 · 200,000,000 € · ETid-2862 · GOOGLE LLC · Media, Telecoms and Broadcasting
- France · 2025-09-01 · 150,000,000 € · ETid-2864 · INFINITE STYLES SERVICES CO. LIMITED · Industry and Commerce
- France · 2025-09-01 · 125,000,000 € · ETid-2863 · GOOGLE IRELAND LIMITED · Media, Telecoms and Broadcasting
- France · 2021-12-31 · 90,000,000 € · ETid-978 · Google LLC · Media, Telecoms and Broadcasting
- France · 2021-12-31 · 60,000,000 € · ETid-979 · Google Ireland Ltd. · Media, Telecoms and Broadcasting
- France · 2021-12-31 · 60,000,000 € · ETid-980 · Facebook Ireland Ltd. · Media, Telecoms and Broadcasting