Company – €3,500,000 Fine (France, 2025)

€3,500,000Commission Nationale de l'Informatique et des Libertés30 December 2025France
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

A company was fined EUR 3,500,000 for mishandling customer data in a loyalty program across multiple countries. This is significant because it emphasizes the need for clear consent and proper data management in marketing.

What happened

The company used customer data from a loyalty program to transfer it to a third party without a valid legal basis.

Who was affected

Customers who participated in the loyalty program and had their data improperly shared.

What the authority found

The French DPA ruled that the company lacked a sufficient legal basis for data transfers and failed to inform users about how their data was used.

Why this matters

This ruling serves as a warning to businesses about the importance of obtaining proper consent and conducting data protection assessments. Companies must be transparent about data usage to avoid hefty fines.

GDPR Articles Cited

AI-verified

Art. 13(GDPR)
Art. 32(GDPR)
Art. 35(GDPR)
Art. 6(1)(a) GDPR
View original scraped data
Art. 6(1)(a) GDPR
Art. 13 GDPR
Art. 32 GDPR
Art. 35 GDPR

Original data from scraper before AI verification against source document.

Source verified 5 March 2026
date discrepancy
France enforcementCommission Nationale de l'Informatique et des Libertés actionsAll Company actions
Full Legal Summary
Detailed

The French DPA has imposed a fine of EUR 3,500,000 on a company. The controller operated a loyalty program in France and 16 other EU countries, using customer data obtained through the program to transfer it to a third party for marketing purposes. The controller had no sufficient legal basis for this transfer and also failed to inform the data subjects. Furthermore, the controller used an inadequate method to store passwords. Finally, the controller failed to conduct a data protection impact assessment, which would have been mandatory given the amount of data being processed and the cross-referencing of data.

Related Enforcement Actions (2)

Other enforcement actions involving Company in FR

Fine
Dec 2023· Commission Nationale de l'Informatique et des Libertés

The French DPA has imposed a fine on a company. The controller had collected data from applicants, even though the processing of the specific data was...

Fine
Jun 2024· Commission Nationale de l'Informatique et des Libertés

The French DPA has imposed a fine on a company operating a call center. The controller had systematically recorded all incoming and outgoing calls for...

Current
Dec 2025

Fine

€3.5M

Details

Fine Date

30 December 2025

Authority

Commission Nationale de l'Informatique et des Libertés

Fine Amount

€3,500,000

Enforcement Tracker ID

ETid-2998

Sources

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Company - France (2025). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: