Mobius Solutions Ltd – €1,000,000 Fine (France, 2025)

DEEZER (the controller) notified the French DPA (CNIL) of a data breach affecting approximately 46,900,000 users worldwide, out if which 21,574,775 users located in the European Union and 9,849,354 users from France. The controller identified Mobius Solutions Ltd (the processor) as the likely source of the data breach. The DPA launched an investigation into the processor. Firstly, the DPA found that the processor should have deleted the users' data at the end of the contractual relationship with the controller. Failing to do so, even if the data were retained as a result of an unauthorised copy created by its employees, the DPA found a violation of Article 28(3)(g) GDPR. Secondly, the DPA found that the processor used the data for the development and testing of its own system, contrary to the contract stipulations between the processor and the controller. Therefore, the DPA found that the processing fell outside the limits of the contract, constituting a breach of Article 29 GDPR. Finally, the DPA found the processor in breach of Article 30 GDPR by failing to keep a record of the processing activities it carried out and for failing to provide the name and contact details of the data protection officer of the controller. Therefore, the DPA fined the processor €1,000,000 for violations of Article 28 GDPR, Article 29 GDPR, and Article 30 GDPR.