On 11 December 2025, the CNIL imposed a fine of €1,000,000 on Mobius Solutions Ltd, former processor of Deezer, for several serious breaches of the GDPR, particularly with regard to data retention and compliance with contractual instructions.
The decision was made public, signaling the authority's desire to strengthen the deterrent effect of its supervisory policy.
The proceedings stem from Deezer's notification of a data breach in November 2022 involving information relating to tens of millions of users.
During its investigations, the CNIL established that Mobius Solutions Ltd, provider of the Optimove SaaS solution, which enables its customers to create and execute personalized marketing campaigns, had retained a copy of the data processed on behalf of Deezer beyond the end of the contract (dated 1st December 2020), and that this data had been stored in its own technical environment without explicit instructions from the data controller.
The CNIL found several breaches attributable to the processor:
| Breach | GDPR provision | Obligation |
|---|---|---|
| Retention of data after expiry of the contract | Art. 28(3)(g) | Obligation to delete or return data at the end of the service |
| Processing outside of instructions | Art. 29 | Prohibition on the processor using the data for its own purposes (internal development, testing, etc.) |
| Absence of a compliant register of processing activities | Art. 30(2) | Obligation applicable even to processors operating outside the EU when they process data belonging to European residents |
Firstly, Mobius Solutions Ltd contests the jurisdiction of the CNIL and considers that it is only indirectly subject to certain obligations under Article 28(3) of the GDPR, which were imposed by Deezer. On this issue, the CNIL notes that Mobius Solutions Ltd processes the personal data of Deezer services’ users located within the European Union, particularly in France, on behalf of Deezer (the number of users in Europe affected by the data breach amounts to 21,574,775, including 9,849,354 in France). Therefore, the GDPR is fully applicable to the processing activities of Mobius Solutions Ltd.
Secondly, the company argues that the data affected by the data breach originated from an unauthorized copy of non-anonymized Deezer user data, made by three of its employees. The CNIL firmly rejects this argument, pointing out that it has no bearing on its obligations as a processor "since it was responsible for verifying the operations carried out by the employees under its responsibility. The company cannot invoke a lack of control over its tools or a lack of supervision and management of its employees' activities to evade its responsibility, when it was incumbent upon it to ensure the conditions of the processing it carried out."
The CNIL imposed a substantial fine on Mobius Solutions Ltd, explaining in detail each factor taken into account in setting the fine, namely:
- the scale of the breach ("more than 200 million people worldwide were reportedly affected, with data concerning DEEZER users and other MOBIUS customers");
- the proven risk of exposure ("the company's irregular copying of data was harmful to the individuals concerned, insofar as a large amount of data was disclosed on the darknet concerning not only their identity (surname, first name, age) and contact details (email address) but also their listening habits on the DEEZER platform");
- the negligence of the company Mobius.
The CNIL also considers that the publicity surrounding the sanction is justified "given the significant impact of the data breach in question, the seriousness of the breaches committed, and the number of individuals concerned, who must be informed."
With this decision, the CNIL is sending a clear reminder to SaaS solution providers and, more generally, to personal data processors of their obligations under the GDPR, in particular:
- The GDPR applies in full to processors not established in the EU when they process data relating to individuals located in the Union.
- End-of-contract and reversibility clauses are not incidental: they are now a priority area for scrutiny by the authorities.
- The processor's internal governance (access logs, test environment management, prohibition of local copies) must be documented and audited.
- When a processor is required to retain data for internal technical purposes, that retention must be expressly provided for.
And because Deezer's liability was not pursued, the decision highlights the fundamental importance for data controllers of negotiating and concluding Data Processing Agreements (DPAs), in particular clauses relating to:
- data deletion/return,
- prohibition of data reuse or secondary purposes,
- and compliance audits of the processor after the end of the contract.
If you have any questions or need assistance, please do not hesitate to contact our IT/Data team!
Jeannie Mongouachon, Partner and Juliette Lobstein, associate at Squair