Improper use of data by a processor: CNIL imposes million-euro fine

In December 2025, the French data protection authority CNIL imposed a fine of €1 million on Mobius Solutions, an IT service provider for the music streaming platform Deezer. The authority based its decision on the unlawful processing of user data, which Deezer as the data controller itself had brought to the attention of the CNIL.

The fine rests on the rules governing third-party data processing. Under the GDPR, any processing of personal data by a service provider acting as a processor must be based on a clear contractual basis imposed by the controller. The processor's use of the controller's data is strictly limited to these clearly defined lawful purposes. In addition, processors are required to properly document their processing activities.
In the case of Mobius, these requirements were violated in several respects: Not only was the data of over 46 million Deezer listeners used for the further development of Mobius’s own services contrary to the limitation agreed with Deezer, but Mobius also failed to delete the user data as required under the contract after its termination. Furthermore, in the opinion of the CNIL, Mobius did not properly comply with its documentation obligations.
The decision once again highlights how important it is for processors to strictly adhere to the principle of purpose limitation when processing customer data. This is also of great importance for their clients as data controllers because they are legally required to monitor the data processing carried out by their processors.

At least under German data protection law, it may therefore be advisable for controllers to actively report data protection violations in this context, as a report may not be used as evidence against the reporting party. A GDPR fine for the reported violation can then only be imposed on the basis of other, independent findings.
(Dr. Lukas Mezger, UNVERZAGT Rechtsanwälte)