Home » Media Center » Legal Updates » Israeli-based marketing company fined by CNIL with 1€ million under GDPR

Legal Updates News

Israeli-based marketing company fined by CNIL with 1€ million under GDPR

December 2025
Related Practice Areas
Privacy, Data Protection and CyberSecurity
ChatGPT Summarize with ChatGPT

On 11 December 2025, the CNIL fined MOBIUS SOLUTIONS LTD, a former processor of DEEZER, following a data breach affecting more than 46 million users worldwide with more than 9 million EU users. While the breach itself attracted attention, the decision is notable primarily for the governance failures attributed to the processor, rather than for the security incident alone.

 Why this decision matters?

Recent enforcement actions demonstrate that regulatory scrutiny is not confined to data security breaches, but is increasingly directed at the practical implementation and management of compliance obligations by data processors.

The CNIL’s findings underline a regulatory trend that many organizations underestimate that GDPR obligations for processors are operational and enforceable, not merely contractual or derivative of the controller’s duties.

Key findings of the decision

The authority identified three core infringements:

  1. Failure to delete data at the end of the engagement
    Despite a clear contractual obligation, MOBIUS retained copies of Deezer user data long after the contractual relationship had ended, in breach of Article 28(3)(g) GDPR. The CNIL rejected arguments that the data had been copied by employees without management’s knowledge, emphasising that processors remain responsible for internal controls and employee actions. Even relatively basic data, including identification details and historical usage patterns, may be regarded as having the potential to adversely affect the rights of data subjects.
  2. Processing beyond the controller’s instructions
    User data was copied and reused to improve the processor’s own services, without explicit instructions or contractual authorisation from the controller, contrary to Article 29 GDPR. The decision confirms that “product improvement”, testing or optimisation activities fall outside a processor’s remit unless expressly authorised.
  3. Failure to maintain a record of processing activities
    Although the processor relied on contractual documentation and a data processing addendum, the CNIL held that this did not replace the obligation to maintain a formal record of processing activities under Article 30 GDPR.

 Territorial scope: adequacy is not immunity

Of particular relevance to non-EU companies, the CNIL confirmed that the analysis, segmentation and hosting of user data for personalized marketing purposes constituted “monitoring of individuals’ behavior” under Article 3(2)(b) GDPR. As a result, the GDPR applied to the processor despite its lack of establishment in the EU.

The CNIL emphasized that Israel’s adequacy status does not negate the applicability of the GDPR to processing activities relating to EU data subjects, nor does it confer immunity from direct regulatory enforcement.

Implications for Israeli and other non-EU companies

The decision underscores that GDPR compliance for data processors constitutes a regulatory obligation, not merely a contractual or formal requirement. Compliance necessitates the establishment of robust operational frameworks, organizational discipline, effective regulatory oversight, and the implementation of clearly defined policies and procedures.

Non-EU companies providing services such as behavioral advertising, analytics, personalization, SaaS, or data infrastructure to European entities are legally required to review and update their GDPR compliance frameworks, irrespective of their physical presence in Europe or their role as data processors.

Key Takeawys:

  1. Processors cannot rely solely on contractual language or controller oversight; they must implement effective operational controls.
  2. Data deletion at the end of an engagement must cover all environments, including non-production and test systems.
  3. Any use of client data for internal development or service improvement requires explicit, documented authorization.
  4. Records of processing activities are mandatory for processors and must be maintained independently, together with an internal compliance program.
  5. GDPR enforcement applies extraterritorially, particularly in contexts involving profiling, behavioural analytics and personalised marketing.

 Our firm’s Privacy Team is available to provide comprehensive regulatory support, including preparation for supervisory authority oversight, conducting needs assessments, performing compliance gap analyses, and assisting with the adaptation of internal policies and procedures to meet regulatory standards.

Lior Etgar, Partner, Head of the Data Protection, Cyber and IT practice, was interviewed about the topic, on Calcalist 

 

Related Team Members

More Articles in Legal Updates

The article belongs to the category:Legal Updates
You are now looking at the article:

Draft Opinion by the Privacy Protection Authority: Appointment of a Data Protection Officer (DPO)

The article belongs to the category: The article was posted in the year: August 2025

The article belongs to the category:Deals & Cases
You are now looking at the article:

Awager Ltd acquired by Aristocrat Leisure Limited

The article belongs to the category: The article was posted in the year: October 2025

The article belongs to the category:Legal Updates
You are now looking at the article:

Voluntary Disclosure Procedure (Temporary Order) – August 2025

The article belongs to the category: The article was posted in the year: September 2025

EBN - Erdinast, Ben Nathan, Toledano is a premier full-service law firm and one of Israel's most prominent and fastest growing law firms.
Join Newsletter
Ranking & Accolades: