Each month, our Data4Coffee newsletter delivers a digest of the latest data protection news. Don't miss out on key information!
To receive it, please fill in this form.
[September 3rd] The CNIL has imposed a fine of 150 million euros on INFINITE STYLES SERVICES CO. LIMITED, an Irish subsidiary of Shein, for breaching its obligations relating to trackers (article 82 of the French Data Protection Act). It found that advertising cookies were set as soon as the site was visited, without prior consent, that the information banners were incomplete, and that the mechanisms for refusing and withdrawing consent to trackers were ineffective. The penalty takes into account the scale of the processing (around 12 million users in France each month) and the recurrence of similar breaches that had already been sanctioned.
Source: Cookies deposited without consent: the CNIL sanctions SHEIN with a fine of 150 million euros | CNIL
[September 3rd] The CNIL imposed a fine of 325 million euros on Google (Google LLC and Google Ireland Ltd) for displaying advertisements disguised as emails in Gmail without users' prior consent, and for imposing advertising cookies when Gmail accounts were created without providing clear and adequate information on trackers. The French authority also ordered Google to stop these practices within six months, subject to a penalty of €100,000 per day of delay. This sanction reflects the CNIL's increasing rigor towards intrusive advertising practices, and is a reminder that free, informed and unconditional consent is a requirement of personal data protection law.
[September 9th] The Minister of the Economy announced that the implementation of the AI Act in France will rely on governance distributed among several administrative authorities. The CNIL will play a central role, especially for high-risk systems processing personal data, while other sectoral authorities will intervene within their areas of expertise. This model avoids creating a new regulator and relies instead on coordination between existing actors. While this choice makes use of the CNIL's expertise, it raises challenges in terms of legibility, consistency of decisions and operational oversight.
Source: AI Act: France chooses fragmented governance
[September 11] On September 11, 2025, the CNIL closed the injunction it had issued against Orange, alongside a fine of 50 million euros, for disguised advertising and for keeping cookies active after consent had been withdrawn; the injunction carried a penalty of 100,000 euros per day of delay. The CNIL found that Orange had demonstrated, within the time limit, that it had taken the measures needed to remedy its breaches. The authority noted that third-party cookies had not been deleted, but accepted that, in the current state of doctrine and Conseil d'État case law, those read operations fall outside Orange's responsibility; Orange also showed that it had contacted its partners so that they could implement the same kind of measures. Under these conditions, the CNIL decided not to enforce the penalty payment.
[September 12] In an article on its website, the CNIL recalls that only certain types of cameras may be installed in schools: video protection of the surroundings (with prefectural authorization) and indoor video surveillance, under strict conditions. Indoors, cameras may film corridors and halls but must exclude living areas such as classrooms, playgrounds or common rooms. Informing students, parents and staff is mandatory and must take the form of a notice compliant with article 13 of the GDPR together with signs visible at the entrance of the establishment. The controller must set a proportionate retention period, and only authorized persons may access the footage, in a secure environment. Finally, video surveillance must not replace other, less intrusive security measures, and a data protection impact assessment (DPIA) and the appointment of a DPO are sometimes required.
Source: Video devices in schools | CNIL
[September 18] The CNIL recalls that the GDPR imposes a principle of limited retention of personal data over time. On that basis, the authority recommends deleting accounts on digital services that have been inactive for two years. For the audiovisual and video game sectors, longer retention is allowed only for the data strictly necessary to access purchased content: name, e-mail address, nickname and usage data (saved games, history). All other data, including data kept for commercial or statistical purposes, should be deleted or anonymized according to a detailed schedule. Users must be clearly informed of the retention period and of the phases (active use, archiving) that precede deletion. Finally, the CNIL insists on appropriate technical and organizational measures to secure data stored over a long period.
Source: Purchase of digital content: how long should inactive accounts be retained? | CNIL
[September 18] The CNIL fined La Samaritaine €100,000 for installing cameras disguised as smoke detectors in its storerooms, equipped with microphones that recorded conversations. Although an employer may install hidden cameras in exceptional circumstances, subject to a fair balance between the protection of privacy and the objective pursued, La Samaritaine's devices had not been documented in its register of processing activities and had not undergone a prior impact assessment. In addition, the company's DPO was informed of the cameras only several weeks after they were installed. La Samaritaine thus breached the principles of fairness and minimization as well as the duty to involve the DPO in data protection matters. This penalty is a reminder of the vigilance employers must show when installing cameras, especially hidden ones.
[September 18] The Clarins Group has confirmed that a third party illegally downloaded files containing contact data of some of its customers, following a cyberattack claimed by the Everest ransomware group. Several hundred thousand customers could be affected. Clarins states, however, that customers' banking details and passwords were not compromised. Some files have reportedly already been published on the darknet, adding a further risk of disclosure. Clarins says it has contained the incident and informed the competent authorities.
Source: Clarins victim of a cyberattack, customers' personal data exposed
[September 26th] The Inovie Labosud laboratory suffered unauthorized access that compromised personal data (identity, contact details, social security number) and, for some patients, health data related to examinations. No bank data, passwords or analysis results (such as those held in patient accounts) are reported to have been affected. As soon as it was discovered, the incident was notified to the CNIL, the ARS and ANSSI, and a complaint was filed with the competent authorities. The laboratory states that it has taken measures to block the access and contain the attack.
Source: Medical data exposed after a security incident at Inovie Labosud
[September 4] The General Court of the European Union dismissed the action brought by a French citizen, Philippe Latombe, seeking annulment of the Data Privacy Framework (DPF), holding that the framework, in its current form, ensures an adequate level of protection for transfers of personal data between the EU and the United States. The applicant had challenged, in particular, the independence of the US mechanism for reviewing complaints from European citizens and the lack of safeguards against bulk data collection by US intelligence services. The General Court considers that the United States provides the required guarantees, including ex post oversight, and that the complaint review mechanism cannot be regarded as subject to improper executive influence. This decision may, however, be appealed to the Court of Justice of the European Union.
Source: European justice maintains the Data Privacy Framework | LeMagit
[September 4] The Court of Justice of the European Union has ruled that, in certain data protection cases, third parties, in particular competitors, may obtain a preventive injunction to stop unlawful processing immediately, even before material damage is proved. It also recalls that non-material damage linked to a GDPR infringement may give rise to compensation, regardless of any financial loss. The decision thus strengthens the legal remedies available to data subjects and third parties wishing to act on a breach of data protection rules.
Source: CJEU — Case C-655/23 (IP v Quirin Privatbank AG)
[September 4] In case C-413/23 P (EDPS v SRB, the Single Resolution Board), the Court of Justice of the European Union recalled that pseudonymisation does not automatically make data non-personal: that depends on the context, and in particular on the recipient's ability to re-identify the persons concerned. The case concerned pseudonymised comments sent to an external service provider without the contributors having been informed. The CJEU held that even where the recipient of the pseudonymised comments cannot identify the persons, the transparency obligation still applies to the original controller if it has the means to re-identify them.
To find out more, check out our decision analysis article.
[September 5th] Allium UPI, an Estonian pharmaceutical wholesaler responsible for managing the loyalty program of the Apotheka pharmacy chain, was the victim of a cyberattack in early 2024 that led to the extraction of backups of loyalty program data. These backups concerned members of the program between 2014 and 2020 and included personal data, including detailed information about their purchases of pharmaceutical products. The investigation by the Estonian Data Protection Authority revealed that Allium UPI had not implemented essential security measures, such as multi-factor authentication and the keeping of access logs. Given the sensitivity of the data concerned, the authority imposed a fine of 3 million euros on Allium UPI. This decision reiterates the importance of security measures when processing health data.
Source: AKI (Estonia) — Allium UPI | GDPRhub
To learn more about managing health data, check out our article devoted to their regulation in France and Europe.
[September 5th] The Austrian public employment service, which is responsible for implementing the federal government's labour market policy, developed an AI system to calculate job seekers' labour market prospects and to help advisers assess those prospects. The model uses job seekers' personal data (age, gender, education, professional background) to predict their future chances of integrating into the labour market. After an investigation, the Austrian data protection authority decided to suspend this processing for lack of a legal basis and because it involved profiling. After that decision was annulled by the Federal Administrative Court, the case went before the Supreme Administrative Court. The court held that the AI system was not devoid of a legal basis, since the employment service relied on national legal provisions, and that there was no automated decision-making within the meaning of the GDPR, since advisers played a significant role in the decision-making process.
Source: BvWG — W256 2235360-1 | GDPRhub
To find out how to bring your AI tools into compliance with GDPR requirements, see our article and how to use the legal basis of legitimate interest to train your AI, see our article.
[September 16] The bank details, identification and contact information of more than 100,000 customers of a Spanish bank were made accessible on the dark web following a cyberattack. The breach was notified to the Spanish Data Protection Authority (AEPD) by two processors of the bank that was the target of the attack. At the end of its investigation, the AEPD rejected the bank's argument that it was not the data controller because it was not the target of the attack, holding that the bank was indeed the controller of its customers' personal data and that the negligence of its processors did not relieve it of its responsibility. In particular, the AEPD found that the bank had given insufficient instructions to its processors and that its customers' IBANs were stored without pseudonymisation, creating a high risk that the data would be accessed and misused by third parties. This decision recalls the importance of security measures to prevent such breaches, as well as the role and responsibility of the controller even when it relies on processors.
Source: AEPD (Spain) — EXP202402612 | GDPRhub
[September 18] Thirteen days after subscribing to a newsletter, an Austrian citizen sent an access request, which the controller rejected within the time limit as abusive. Refusing to abandon his request, the applicant added to it a claim for compensation of 1,000 euros. The Ansberg District Court, hearing the case, referred questions to the Court of Justice of the European Union (CJEU) for a preliminary ruling on how to assess the abusive nature of a first request to exercise a right and on the interpretation of articles 12(5) and 82 of the GDPR. Advocate General Maciej Szpunar concludes that a first request may be characterized as excessive depending on the circumstances and on the abusive intent of the data subject, but that the mere fact that the data subject has brought compensation claims against controllers in many cases is not sufficient to characterize such a request as excessive. He also concludes that article 82 of the GDPR must be interpreted as meaning that damage suffered by the data subject as a result of a GDPR infringement may give rise to compensation even if that damage was not caused by the processing of his data. The CJEU's judgment remains to be seen.
[September 11] The NATO Communications and Information Agency (NCIA) has announced that it will migrate its on-premises critical systems to Oracle Cloud Infrastructure in order to benefit from sovereign cloud solutions, high performance, availability, AI innovation and enterprise-grade security. This migration is part of the secure modernization of NCIA's infrastructure and is intended to help NCIA provide NATO with secure, cloud-based and interoperable communications and information systems and services. Red Reply and Shield Reply, Oracle partners, will support NCIA to ensure a smooth, secure and sustainable transition of critical workloads. With this solution, NCIA intends to meet its strict requirements for data sovereignty, operational control and the location of critical information.
[September 23rd] At the 47th Global Privacy Assembly, held in Seoul from September 15 to 19, 2025, twenty data protection authorities signed a joint declaration aimed at building a reliable governance framework for trustworthy AI. The declaration, initially signed by a handful of authorities at the AI Action Summit held in Paris last February, highlights the risks and concerns associated with AI (data and privacy protection, discrimination and bias, misinformation and hallucinations). With it, data protection authorities around the world undertake to clarify the legal bases for data processing in AI, to establish appropriate security measures, to monitor the technical and societal impacts of AI, to encourage innovation by reducing legal uncertainty, and to strengthen their cooperation with other competent authorities (consumer protection, competition, intellectual property).
[September 24] Stellantis reported a personal data breach affecting North American customers, caused by the compromise of a customer relationship management provider. The manufacturer's internal systems were not compromised, but information such as names, addresses and telephone numbers may have been exfiltrated. The company notified the persons concerned and reported the matter to the competent authorities. Although more sensitive data (passwords, bank details) are reportedly not affected, the incident once again raises the question of the effective control of processors under the GDPR.
Source: Stellantis reports a personal data leak (l'Usine Digitale)
Caroline Chancé, Jeannie Mongouachon, Clémentine Beaussier, Victoire Grosjean and Juliette Lobstein