Alert UK Data Processor fined €1 million by French DPA for GDPR failures


On 11 December 2025 the CNIL, the French Data Protection Authority, imposed a fine of €1 million on UK-based Mobius Solutions Ltd for data protection breaches. It’s an interesting case as it reinforces the message that data processors, not just data controllers, can face investigation for data breaches. It also has important lessons for those involved in training AI.

There are some data protection terms used in this note which are explained in our GDPR Glossary.

What was this about?

Mobius Solutions in this case was a subcontractor and data processor to French music streaming app Deezer. Deezer is one of the world’s top ten music streaming services with currently around 9.5 million total global subscribers. Deezer, the data controller, was using Mobius for personalised advertising services.

Mobius told CNIL that Deezer’s user data had been copied by three of its employees without its knowledge.

Why was Mobius Solutions fined?

CNIL fined Mobius Solutions for failing to comply with several GDPR obligations as a processor:

  1. Article 28(3)(g): obligation for processors to delete controller’s data at the end of the contractual relationship. Mobius Solutions retained a copy of the data of more than 46 million Deezer users after the end of the contractual relationship.
  2. Article 29: obligation to comply with instructions from the controller. Mobius copied and used Deezer’s data without Deezer’s instructions, and there was no contractual clause between the two parties authorising Mobius to do so.
  3. Article 30: obligation to keep a record of processing activities. Mobius failed to keep records of their processing activities in its capacity as a processor.

The amount of the fine was based on the seriousness of the breach, the number of people affected by the breach (in this case, Deezer users), and the turnover of Mobius.

Mobius said that it had copied and used some of Deezer’s data without any instructions from Deezer to improve the performance of its own services. It’s an argument we’re likely to see more frequently as data processors use all of the data they have, regardless of the contract it relates to, to train their AI systems. CNIL’s fine shows that data processors will need to be extremely cautious if they are adopting this approach.

What are some practical points to consider?

  1. If you are a data controller, make sure you have the right contracts in place. If you have a standard data processing agreement in place that’s used with vendors, it may be worth reviewing.
  2. If you are a data controller, consider including or adding data protection questions in your vendor due diligence process, for example questions regarding data minimisation protocols and record keeping procedures.
  3. If you are a data processor, make sure you follow instructions in the contract, particularly regarding data deletion instructions.
  4. Make sure that employees are properly trained so that they understand both their legal obligations and your contractual obligations. Having technology in place to police your rules is also a good idea; in this case, for example, data loss prevention (DLP) software may have stopped the three employees from taking the data.
  5. Many organisations are implementing AI tools and systems in their workplace. Consider whether that AI tool will be processing data on your behalf, and whether you might need to carry out a Data Protection Impact Assessment and/or an AI Impact Assessment. Remember your AI literacy and transparency obligations too; there’s more detail on that at What are the AI Literacy Obligations from the EU AI Act?.
  6. EU GDPR can still apply to UK companies after Brexit, as it has wide extraterritorial reach. In this case CNIL determined that the processing carried out by Mobius, consisting of the analysis, segmentation and hosting of Deezer’s user data, should be classified as monitoring of individuals’ behaviour. The one-stop-shop mechanism under GDPR did not apply because Mobius was based in the UK, which gave CNIL jurisdiction to investigate.

For more information:

See our Data Protection Glossary.

Read our Overview of the EU Data Act.

Read our Overview of the EU AI Act.

CNIL’s decision can be viewed at Data breach: MOBIUS SOLUTIONS LTD fined €1 million.
