France CNIL Breaks New Ground: First Standalone Sanctions Against Data Processors

by Aurélie Banck

In December 2025, CNIL issued two significant penalties against data processors for GDPR violations, marking a watershed moment in European enforcement. For the first time, the French supervisory authority sanctioned processors independently, without simultaneously pursuing the data controllers. These decisions signal a fundamental shift in accountability and carry important implications for DPOs.

The Cases at a Glance

On December 11, 2025, the CNIL fined MOBIUS SOLUTIONS LTD [1] €1 million following a data breach affecting 46 million Deezer users (21 million in Europe, 9 million in France). The breach occurred in 2022—two years after Deezer terminated its contract with MOBIUS, which had provided marketing optimization services.

On December 22, the CNIL imposed a €1.7 million penalty on NEXPUBLICA France [2] following a breach notification from its client, the MDPH [3] of the Nord department. NEXPUBLICA develops CRM, a platform for disability compensation applications processing extensive personal data including health information, social security numbers, and financial details. The November 2022 breach resulted from a misconfiguration allowing users to access third-party data.

Both companies were prosecuted primarily for violations of Article 32 GDPR.

Key Takeaways for DPOs

1. Territorial Reach: Non-EU Processors Are Not Beyond Reach

The MOBIUS case confirms that processors established outside the European Union can face enforcement action from EU supervisory authorities under Article 3(2) GDPR. This extraterritorial application means DPOs must ensure even non-EU processors understand and comply with their GDPR obligations. Geographic location provides no safe harbor from enforcement.

2. Active Security Role: Processors Cannot Be Passive

The NEXPUBLICA decision strongly emphasizes that processors must play an active role in implementing security measures, not merely execute controller instructions. The CNIL’s restricted committee stated that “independently of the obligations incumbent upon the controller, it is the processor’s responsibility to propose and implement appropriate technical and organizational solutions for processing security.”

This represents a critical reminder: processors must proactively suggest security measures and, where necessary, document any refusal by the controller to implement recommended safeguards. DPOs should ensure processor contracts clearly define this obligation and establish mechanisms for processors to escalate security concerns.

3. Contracts and Technical Specifications: The Governance Foundation

Both decisions highlight the critical importance of contractual documentation in defining the processor-controller relationship. The contract (in MOBIUS) and the technical specifications document (CCTP in NEXPUBLICA) determine each party’s responsibilities and set the “golden rules” to be respected.

In MOBIUS, the contract’s prohibition on using data for service improvement purposes rendered such use illegal. In NEXPUBLICA, the CCTP [4] granted the processor “significant latitude to ensure security,” including obligations to provide “counsel, warnings and recommendations regarding security and state of the art implementation” and to “implement necessary measures to respect declared processing operations.”

The CNIL’s emphasis on contractual terms as governance tools comes at a time when GDPR-related contract provisions are often subject to intense negotiation. DPOs should recognize that these clauses are not mere formalities but establish enforceable obligations that supervisory authorities will scrutinize.

4. Sub-Processor Liability: Not Automatic

The NEXPUBLICA case involved a sub-processor (a health data hosting provider certified for processing health data), yet neither this entity nor the controller was party to the proceedings. This demonstrates that liability does not automatically cascade through the processing chain. Each relationship must be evaluated on its own merits, with responsibility assigned based on actual roles and failures.

5. State of the Art: Defined by ANSSI Guidance

The NEXPUBLICA decision defines “state of the art” security by reference to France’s ANSSI [5] guidance. Failure to meet these standards constituted not only a violation of Article 32 GDPR but also an aggravating factor in determining the penalty amount. DPOs should ensure processors are familiar with relevant technical guidance from national cybersecurity authorities and incorporate such standards into their security practices.

6. Data Deletion: A Result-Based Obligation

MOBIUS retained Deezer user data beyond the contractual relationship’s termination, violating contractual obligations. Although retention resulted from individual employees’ initiatives rather than company policy, the CNIL held MOBIUS accountable, finding that “the company unjustifiably retained data relating to DEEZER users after the end of their contractual relationship, when such data should have been deleted.”

This underscores that data deletion is a result-based obligation. Processors cannot excuse retention through internal failures. DPOs must implement robust deletion verification procedures and maintain evidence of deletion completion.

Strategic Implications

By sanctioning processors independently, the CNIL confirms that processor status neither shields from penalties nor excuses security obligations. Processors cannot hide behind controller instructions—they bear an active duty of counsel and must implement appropriate security measures.

The CNIL’s willingness to pursue processors independently signals a maturing enforcement landscape where each actor bears direct accountability. DPOs must ensure organizations and processors are prepared for this heightened scrutiny.

Aurélie Banck, Directeur de la conformité et DPO, PAPREC GROUP

[3] A departmental public institution in charge of social benefit allocation.

[4] French public contracts include a dedicated document that defines the technical specifications of the product, called the « Cahier des Clauses Techniques Particulières » (CCTP).

[5] The French National Cybersecurity Agency.