FREE MOBILE – €27,000,000 Fine (France, 2026)

€27,000,000
Commission Nationale de l'Informatique et des Libertés
8 January 2026
France
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

GDPR Articles Cited

Art. 32 GDPR
Art. 34 GDPR
Art. 5(1)(e) GDPR

Full Legal Summary

The company FREE MOBILE (the “controller”), a subsidiary of the company ILIAD, operates as a mobile telephone operator and had, as of 31 December 2024, approximately 15.5 million mobile subscribers. In 2024, ILIAD's turnover was around €10 billion for a net profit of €367 million.

In September 2024, an attacker managed to infiltrate the controller's information system and accessed personal data relating to 24 million subscriber contracts, including IBAN details, of which the controller became aware in October 2024. The controller notified the DPA and informed the data subjects via email.

Following a large number of complaints (more than 2,500) from individuals affected by this data breach, the DPA carried out an investigation to check the controller’s compliance with the GDPR and the French Data Protection Act. The DPA’s investigation revealed breaches of several obligations under the GDPR.

Failure to adhere to the principle of storage limitation (Article 5(1)(e) GDPR)

The DPA found that, at the time of the investigation, the controller had not implemented measures to separate the data of former subscribers, retain only what was required for accounting purposes, and delete the rest once it was no longer needed. Under Article 5(1)(e) GDPR, personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. The DPA reminded the controller that it must review its retained data periodically and ensure that the data is deleted at the end of its retention period.

Based on the investigation and the controller’s own statements, the DPA concluded that the controller had kept millions of subscribers' data without justification for an excessive period of time. During the proceedings, the controller began sorting the data in order to retain for ten years only the data necessary to comply with its accounting obligations and deleted some of the data that had been retai

Details

Fine Date

8 January 2026

Authority

Commission Nationale de l'Informatique et des Libertés

Fine Amount

€27,000,000

GDPRhub ID

gdprhub-9737

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. FREE MOBILE - France (2026). Retrieved from cookiefines.eu
