On December 11, 2025, the CNIL fined an Israeli company €1 million for failing to comply with its GDPR obligations after providing personalized advertising services to an EU music-streaming platform. The service helped the platform to personalize and optimize marketing campaigns to promote its streaming services.

The CNIL held that the GDPR applied to the non-EU processor under Article 3(2), on the basis that it had monitored the behavior of EU users by creating audience segments based on demographics and listening habits, on behalf of the controller.

Why It Matters

This decision reinforces GDPR’s global reach and confirms that non-EU processors can face significant penalties when handling EU personal data. It highlights that merely assisting in behavioral profiling may trigger GDPR applicability under Article 3(2).

Relevant Facts

In November 2022, an EU-based platform notified the CNIL of a major data breach. Data from 12.7 to 21.6 million EU users (including 9.8 million in France)—including names, ages, email addresses, and listening habits—had been posted on the dark web.

The platform identified its former subcontractor, which had provided personalized advertising services, as the source of the breach. The CNIL conducted checks in 2023 and 2024, followed by an investigation in 2025, which uncovered multiple GDPR violations by the subcontractor.

Key GDPR Violations Identified by the CNIL

  • Failed to delete data after contract termination. The Israeli company was found to have retained user data after the contract ended, violating Article 28(3)(g) GDPR. The company claimed the data was copied without management’s knowledge, but the CNIL rejected this defense. The data was stored in an insecure environment and only deleted on October 1, 2023—almost three years after contract termination and 11 months after the CNIL was notified of the breach. The CNIL treated this as an aggravating factor under Article 83 GDPR.
  • Processed data beyond controller instructions. The company was found to have used client data to improve its own services—outside the controller’s mandate—contravening Article 29 GDPR.
  • Lacked records of processing activities. The company failed to maintain a required register of processing activities under Article 30 GDPR. It argued that its data processing addendum contained all the necessary information, but the CNIL rejected this defense. While the contract and addendum included some details, the company admitted it did not maintain a formal register, and key information—such as the controller’s DPO contact details—was missing.

Enforcement

The CNIL decided that the company had been “very negligent”. Based on factors such as the amount of data involved and the tardiness of the data deletion, it imposed a sanction of €1 million. The CNIL also took the company’s financial capacity into consideration, although it is not clear how (while the company’s turnover had been consistently rising over the years, it also claimed to consistently run a deficit). The decision is also silent on the enforcement mechanics and does not explain how the €1 million fine will be enforced against a company with no EU presence.

*            *            *

Covington’s Data Privacy and Cybersecurity team closely monitors enforcement trends across jurisdictions and is available to advise on any questions.

Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as the IAPP’s European Advisory Board, Privacy International and the European security agency, ENISA.

Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and has developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of Justice of the EU.

Kristof is admitted to practice in Belgium.

Anna Sophia Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is special counsel in the Data Privacy and Cybersecurity Practice Group.

Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.

Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.

She has obtained a certificate as a “corporate data protection officer” from the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also a Certified Information Privacy Professional/Europe (CIPP/E) of the International Association of Privacy Professionals (IAPP).

Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.

Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.