Free – €15,000,000 Fine (France, 2026)

€15,000,000 · Commission Nationale de l'Informatique et des Libertés · 8 January 2026 · France
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Free is a landline telephone operator (the controller) in France. A data breach took place in 2024 affecting two companies – Free Mobile, a mobile phone operator from the same group, and the controller. The breach affected over 7 million of the controller’s subscribers. Following the breach, the controller notified the DPA and informed the affected subscribers of the incident. Subsequently, the DPA launched an investigation into the controller.

First, the DPA found that the controller had failed to put in place sufficient security measures for authenticating users to its Virtual Private Network (VPN), which allowed a malicious actor to connect to it. The DPA also noted that the mechanism in place for detecting abnormal activity in the system was inadequate. On these grounds, the DPA found a violation of Article 32 GDPR. Second, the DPA found that the controller had violated Article 34 GDPR by failing to provide data subjects with all the necessary information regarding the breach.

The DPA therefore fined the controller €15,000,000 for breaches of Article 32 GDPR and Article 34 GDPR. In addition, the DPA ordered the controller to bring its activities into compliance with the GDPR, subject to a penalty payment of €25,000 per day for failure to comply with the order.

GDPR Articles Cited

Art. 32 (GDPR)
Art. 34 (GDPR)

Details

Fine Date

8 January 2026

Authority

Commission Nationale de l'Informatique et des Libertés

Fine Amount

€15,000,000

Enforcement Tracker ID

ETid-2994

GDPRhub ID

gdprhub-9739

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Free - France (2026). Retrieved from cookiefines.eu
