Company – €3,500,000 Fine (France, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The French DPA has imposed a fine of EUR 3,500,000 on a company. The controller operated a loyalty program in France and 16 other EU countries, using customer data obtained through the program to transfer it to a third party for marketing purposes. The controller had no sufficient legal basis for this transfer and also failed to inform the data subjects. Furthermore, the controller used an inadequate method to store passwords. Finally, the controller failed to conduct a data protection impact assessment, which would have been mandatory given the amount of data being processed and the cross-referencing of data.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The French DPA has imposed a fine of EUR 3,500,000 on a company. The controller operated a loyalty program in France and 16 other EU countries, using customer data obtained through the program to transfer it to a third party for marketing purposes. The controller had no sufficient legal basis for this transfer and also failed to inform the data subjects. Furthermore, the controller used an inadequate method to store passwords. Finally, the controller failed to conduct a data protection impact assessment, which would have been mandatory given the amount of data being processed and the cross-referencing of data.
Related Enforcement Actions (1)
Other enforcement actions involving Company in FR
Details
Fine Date
30 December 2025
Authority
Commission Nationale de l'Informatique et des Libertés
Fine Amount
€3,500,000
Enforcement Tracker ID
ETid-2998
About this data
Cite as: Cookie Fines. Company - France (2025). Retrieved from cookiefines.eu
Last updated: