France’s Commission Nationale de l’Informatique et des Libertés (CNIL) imposed a €1 million administrative fine on December 11, 2025, against Israeli marketing technology company Optimove for violations of data processor obligations under the General Data Protection Regulation. The enforcement action addresses systematic failures in data handling practices that enabled a massive breach affecting 46.9 million Deezer users worldwide, including 9.8 million in France.

The penalty targets Mobius Solutions Ltd., operating under the trade name Optimove, following an investigation that began in 2023. The decision, published on Légifrance on December 19, 2025, found violations of Articles 28, 29, and 30 of the GDPR during Optimove’s provision of marketing personalization services to French music streaming platform Deezer between 2016 and 2020.

Optimove, headquartered in Tel Aviv at Adgar 360 Tower on Hashlosha Avenue, provides marketing automation software that lets clients run personalized campaigns by analyzing customer data. The company reported revenues of roughly $30-40 million in 2023 and 2024, with 238 employees as of 2023.

CNIL received notification of a personal data breach from Deezer on November 10, 2022; Deezer identified Optimove as the likely source of the security incident. Deezer confirmed on January 31, 2023, that its analysis traced the breach to Optimove’s systems. The investigation revealed that Optimove had copied non-anonymized personal data of Deezer users from a production environment to a non-production environment in April 2019 and stored it there until October 1, 2023.

Processor becomes controller without authorization

The restricted committee determined that the processing fell within the GDPR’s territorial scope under Article 3(2)(b), which applies to processors not established in the European Union when their activities relate to monitoring the behavior of individuals within the Union. Optimove’s creation of user segments based on socio-demographic criteria and Deezer service usage constituted behavioral profiling linked to the behavior of individuals within the Union.

Philippe-Pierre Cabourdin presided over the restricted committee session on November 27, 2025, which included Vice-President Vincent Lesclous and members Laurence Franceschini, Isabelle Latournarie-Willems, and Didier Kling. The committee heard oral observations from rapporteur Claude Castelluccia and from Optimove’s representatives during the proceedings.

The enforcement action documented three distinct GDPR violations. Article 28(3)(g) requires processors to delete or return personal data at the end of service provision unless the law requires retention. The committee found that Optimove retained data concerning Deezer users after the contractual relationship terminated on December 1, 2020. The breach occurred through an unauthorized copy that Optimove employees made to a non-production environment, which the company claimed it discovered only after Deezer reported the breach in November 2022.

Optimove argued that employees made the copy without management’s knowledge in order to improve service performance. The committee rejected this defense. “The company remained responsible for verifying operations carried out by employees under its supervision,” the decision states. Optimove could not invoke a lack of control over its tools or of oversight of employee actions to evade accountability, since it was incumbent upon the company to ensure proper data processing conditions.

Contract prohibited the processor’s independent use of data

The Article 29 violation concerned processing personal data without instructions from the controller. The contract between Deezer and Optimove specified that Optimove provided its platform to analyze data supplied by clients and to recommend marketing actions. Article 6 of the contract emphasized data protection, stating that Optimove had “no rights to this data” and that Deezer “remained the sole owner of the data.” The contract prohibited Optimove from using the data for any purpose other than providing the stipulated services.

The committee found that copying the non-anonymized personal data of more than 9 million Deezer users in France and transferring it to a non-production environment constituted processing outside Deezer’s instructions. “Optimove processed this data for internal use to improve service performance, whether or not those services were intended for Deezer,” the decision states. The fact that the copying occurred within the contractual period did not bring it within the scope of Deezer’s instructions.

This finding reflects guidance issued by CNIL on January 11, 2022, clarifying that processors cannot reuse personal data for their own purposes without explicit authorization from the controller. A processor that uses data on its own behalf becomes the controller of that processing and may be sanctioned for not following the original controller’s instructions. The controller may permit the processor to reuse personal data under specific conditions; in such cases, the processor becomes the data controller for that processing.

The Article 30 violation addressed the requirement for processors to maintain records of processing activities. Article 30(2) requires processors to keep records including the names and contact details of sub-processors and controllers, the categories of processing carried out, transfers to third countries where applicable, and a general description of technical and organizational security measures. Optimove presented various documents, including the contract and the data processing addendum, but had not kept a formal register of processing activities as a processor.

The committee noted that while the documents contained some of the information required under Article 30, the company had not maintained a proper register; information about the controller’s data protection officer was notably missing. This constituted a formal breach of Article 30, even though Optimove employed fewer than 250 people, because the processing was not occasional and involved risks to individuals’ rights and freedoms.

46.9 million users exposed to darknet sale

The breach exposed substantial personal data to unauthorized access. The compromised information included user identifiers, country, language, gender, application identifiers, dates of birth, newsletter subscription status, account creation dates, session creation dates, number of track listens per day, saved playlists, listened playlists, first payment dates, total payments made, average daily track listens, lifecycle indicators, daily listening time, favorite artists, created playlists, pause clicks, and “loved” clicks.

The committee considered several factors when determining the appropriate penalty. Article 83 of the GDPR requires supervisory authorities to ensure that administrative fines are effective, proportionate, and dissuasive in each case. The committee evaluated the nature, gravity and duration of the infringement, the scope or purpose of the processing concerned, the number of data subjects affected, the measures taken to mitigate damage, whether the infringement was committed negligently, the degree of cooperation with the supervisory authority, and the categories of data concerned.

The breach was reported as affecting more than 200 million people worldwide; the decision refers to 46.9 million Deezer users impacted globally. The committee noted that between 12.7 and 21.6 million users within the European Union were affected, including 9.8 million in France. The compromised data posted on the darknet included identity information, contact details, and listening habits on the Deezer platform, exposing individuals to personalized phishing attacks.

The committee found that Optimove showed clear negligence by copying the non-anonymized data of millions of users outside the contractual framework with Deezer and by failing to delete it upon contract termination. Even assuming employees made the copy without management instructions, Optimove remained responsible for its employees’ actions and should have maintained vigilance over data storage. The committee added that Optimove’s observations suggesting the copying could fall within normal contract performance indicated the company may have committed the Article 29 violation deliberately.


Delayed deletion compounded the breach’s impact

Optimove initially contested responsibility before acknowledging that it was responsible for the unauthorized copy, which did not facilitate Deezer’s data breach notification. The committee took this into account when evaluating the company’s cooperation. Optimove deleted the unauthorized copy only on October 1, 2023, nearly a year after Deezer notified CNIL of the breach on November 10, 2022. This late removal did not prevent the sale of data concerning more than 46 million Deezer users on the darknet.

The calculation of the financial penalty took into account Optimove’s business activity and financial situation. The company reported revenues of roughly $30-40 million for 2024, with 2023 revenues at comparable levels and showing steady growth. Article 20-IV-7° of the French Data Protection Act provides that administrative fines may not exceed €10 million or, for companies, 2 percent of total worldwide annual turnover for the preceding financial year, whichever is higher.

Optimove argued that it recorded substantial net financial losses in 2024 and contested the proportionality of the proposed fine. The committee determined that an administrative fine of €1 million was justified in view of the breaches of Articles 28, 29, and 30 of the GDPR, considering the company’s responsibility, its financial capacity, and the relevant Article 83 criteria.

The decision includes publication requirements. The restricted committee ordered that its decision be made public on the CNIL website and on Légifrance. The publication will no longer identify the company by name after a period of two years from publication. Optimove argued that publicity was not justified, but the committee considered the measure appropriate given the significant impact of the data breach, the seriousness of the breaches committed, and the number of people concerned who need to be informed.

Growing regulatory focus on processor accountability

The case demonstrates increasing regulatory focus on processor accountability under the GDPR. European authorities have imposed roughly €4.2 billion in fines since the GDPR took effect in 2018, with processor liability cases becoming more prominent in enforcement actions. The McDonald’s Poland case in July 2025 resulted in €3.89 million in fines for processor oversight failures, with the processor 24/7 Communication receiving a €42,000 penalty for its role in exposing employee personal data.

The enforcement action followed established investigative procedures. On October 23, 2023, a CNIL inspection team sent a questionnaire to Optimove to verify compliance with the French Data Protection Act and the GDPR regarding processing carried out by the company or on its behalf. The company responded on January 12, 2024. Additional questions followed on January 29, 2024, and Optimove responded on February 8, 2024.

The CNIL President appointed Claude Castelluccia as rapporteur on April 30, 2025, to investigate all elements of the case. The rapporteur sent a supplementary request to Optimove on May 15, 2025, pursuant to Article 39 of Decree No. 2019-536 of May 29, 2019, which the company answered on June 6, 2025. On June 13, 2025, the rapporteur notified Optimove of a report detailing breaches of Articles 28, 29, and 30, recommending an administrative fine and a public decision with anonymization after two years.

Optimove requested an additional period on July 7, 2025, which the chairman of the restricted committee granted on July 10, 2025, under Article 40, paragraph 4, of the decree of May 29, 2019. The company submitted observations in response on July 29, 2025. The rapporteur sent his reply on August 8, 2025, to which Optimove responded with observations dated September 23, 2025. The rapporteur notified the company of the closure of the investigation on October 13, 2025.

The company was notified that the case appeared on the restricted committee’s agenda for November 20, 2025. Following Optimove’s request for postponement on October 16, 2025, the chairman informed the company that the case had been placed on the agenda for November 27, 2025. The rapporteur and the company presented oral observations during the restricted committee session.

Jurisdictional questions addressed

The decision addressed several legal arguments raised by Optimove. The company disputed CNIL’s jurisdiction, considering itself only indirectly subject to certain Article 28(3) obligations imposed by Deezer. Optimove maintained that paragraphs 1 and 2 of Article 3 are alternative, that Article 3(2)(a) applies only to controllers and not to processors, and that it did not create behavioral profiles of Deezer users within the meaning of Article 3(2)(b).

The committee determined that, since Optimove has no establishment in the European Union, paragraphs 1 and 2 of Article 3 apply cumulatively in this case. It examined whether processing personal data on behalf of Deezer related to “monitoring the behavior of individuals insofar as it relates to their behavior within the Union.” Optimove had transmitted to Deezer the list of the various user data it processed and which were disclosed in the data breach.

The committee noted that the processing consisted of creating user segments based on socio-demographic criteria or on Deezer service usage criteria. The contract between the companies explicitly mentioned marketing personalization as its purpose. Optimove confirmed that it performed calculations on various data concerning Deezer service users and created user segments, particularly based on listening habits, to enable Deezer to personalize and adapt marketing campaigns to optimize customer engagement.

Creating these segments involved analyzing Deezer users’ behavior in relation to those services in order to target them with behavioral advertising. “The analysis and segmentation work carried out by Optimove using data transmitted by Deezer must be classified as behavioral profiling, linked to individuals’ behavior within the Union, even if the scope of the resulting profile was limited to listening to music on the Deezer platform,” the decision states.

The committee also addressed Optimove’s argument regarding international comity. The company argued that, being established in Israel, a country benefiting from European Commission adequacy decision No. C(2011)332 of January 31, 2011, CNIL should waive jurisdiction in application of international comity principles. The committee noted that the adequacy decision applies only to transfers of personal data from the European Union to countries outside the Union, determining whether the destination country offers adequate data protection guarantees.

The company was not accused of any breach relating to personal data transfers; the rapporteur alleged only breaches of Articles 28, 29 and 30 of the GDPR. The committee noted that international comity consists of non-binding customs that are particularly common in diplomatic relations between States. The restricted committee recalled that its powers are conferred by the GDPR, whose rules are matters of public policy, and that it cannot decline to exercise those powers on the basis of international comity principles.

Implications for the marketing technology sector

The case sets significant precedents for data processor liability. German data protection authorities announced model guidelines on June 16, 2025, establishing standardized procedures for imposing fines under the GDPR across German jurisdictions. The Conference of Independent Federal and State Data Protection Supervisory Authorities agreed on comprehensive procedures to achieve consistency in enforcement actions.

The Optimove decision emphasizes that processors bear direct responsibility for their own GDPR obligations, independently of the controller. The committee acknowledged that controllers cannot rely solely on processor assurances and must conduct proper due diligence, since controllers may ultimately face regulatory sanctions, while processors face liability for their own violations. The enforcement reflects broader developments in GDPR implementation across Europe, with authorities increasingly holding processors accountable for their role in data protection frameworks.

For marketing technology providers operating as data processors, the case underscores critical compliance requirements. Processors must implement robust systems to track and verify all data processing activities, maintain formal registers of processing activities regardless of company size when processing is not occasional, ensure that every employee action involving client data takes place within the contractual scope and the controller’s instructions, and implement technical and organizational measures to prevent unauthorized copying or retention of client data beyond the service provision period.

The decision carries implications for companies providing Software as a Service marketing platforms. Organizations must recognize that processing client data for internal purposes, such as improving service performance or developing new features, falls outside the controller’s instructions unless the contract explicitly permits it. The fact that the processing may benefit the controller does not automatically bring it within the scope of authorized processing activities.

Optimove has the right to appeal the decision to the Conseil d’État within four months of notification. At the time the decision was published, the company had not indicated whether it intends to contest the fine. The enforcement action joins other recent GDPR processor cases demonstrating regulators’ willingness to impose meaningful penalties when processors fail to meet their obligations.

The case highlights the challenges that arise when processors handle data for multiple clients while also seeking to improve their own services. Marketing automation platforms frequently process large volumes of client data, creating opportunities for unauthorized internal use if proper controls are not maintained. The committee’s finding that Optimove remained responsible for its employees’ actions emphasizes that organizational structure and internal processes must support GDPR compliance objectives.

Broader enforcement context

Data protection authorities across Europe continue to scrutinize processor-controller relationships. The Dutch regulator reduced AS Watson’s fine to €50,000 on May 27, 2025, following the company’s successful appeal of an earlier enforcement action for cookie violations. The authority considered the lengthy procedural timeline, the company’s cooperation in acknowledging the violations, and the relatively minor nature of the breach when determining the reduced penalty.

The Optimove enforcement demonstrates that data minimization principles apply throughout the data lifecycle, including after contractual relationships end. Processors must implement technical measures to ensure that complete data deletion occurs according to contractual timelines. The committee rejected Optimove’s argument that employee actions taken without management’s knowledge excused the retention failures, establishing that processors bear organizational responsibility for ensuring that all systems and personnel comply with data protection requirements.
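As an added illustration (not part of the original article, and not code from Optimove, Deezer or CNIL), the following Python script shows the kind of inventory check a processor could run against its own data-set register to catch the two failure modes described in the compliance requirements above and in this paragraph: non-anonymized production data sitting in a non-production environment without a documented controller instruction, and data held past the contract end date. The record layout, the dataset identifiers, the day of the April 2019 copy and all entries other than the Deezer timeline are constructed assumptions.

```python
"""Added example: audit a processor's data-set register for the two failure
modes in the Optimove decision (processing outside controller instructions,
retention past the end of service provision). Record layout, dataset ids,
the exact copy date and the non-Deezer entries are constructed assumptions,
not data taken from the CNIL decision."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class DatasetRecord:
    dataset_id: str
    controller: str
    environment: str                      # "production" or "non-production"
    anonymized: bool                      # True only if no personal data remains
    copied_on: date
    contract_end: date                    # date service provision ended (or will end)
    deleted_on: Optional[date] = None     # None means the data is still present
    instruction_ref: Optional[str] = None  # documented controller instruction, if any


@dataclass(frozen=True)
class Finding:
    dataset_id: str
    rule: str
    detail: str


# Decision date, used as the reference day for "still present" data.
AS_OF = date(2025, 12, 11)


def days_overdue(record: DatasetRecord, as_of: date) -> int:
    """Days the data was (or still is) held past the contract end.
    Deleted data is measured up to its deletion date, present data up to as_of."""
    held_until = record.deleted_on or as_of
    return max(0, (held_until - record.contract_end).days)


def audit_inventory(records: List[DatasetRecord], as_of: date) -> List[Finding]:
    findings: List[Finding] = []
    for r in records:
        # Art. 29 pattern: personal data in a non-production environment with
        # no instruction from the controller. The copy date is deliberately
        # ignored: the decision held that copying during the contract period
        # did not bring the copy within the controller's instructions.
        if r.environment != "production" and not r.anonymized and not r.instruction_ref:
            findings.append(Finding(r.dataset_id, "outside-controller-instructions",
                                    f"non-anonymized {r.controller} data in {r.environment}"))
        # Art. 28(3)(g) pattern: data held past the end of service provision,
        # whether it was eventually deleted late or is still present.
        overdue = days_overdue(r, as_of)
        if overdue > 0:
            state = "deleted" if r.deleted_on else "still present"
            findings.append(Finding(r.dataset_id, "retained-past-contract-end",
                                    f"{state}, {overdue} days after {r.contract_end}"))
    return findings


# Constructed sample register. The first entry mirrors the timeline in the
# decision (copy in April 2019, contract end 1 Dec 2020, deletion 1 Oct 2023);
# the day of the April copy is assumed. The other entries are invented contrasts.
SAMPLE_INVENTORY = [
    DatasetRecord("deezer-prod-copy", "Deezer", "non-production", False,
                  date(2019, 4, 15), date(2020, 12, 1), deleted_on=date(2023, 10, 1)),
    DatasetRecord("deezer-anon-metrics", "Deezer", "non-production", True,
                  date(2019, 4, 15), date(2020, 12, 1), deleted_on=date(2020, 11, 30)),
    DatasetRecord("client-b-prod", "Client B", "production", False,
                  date(2022, 1, 10), date(2025, 6, 30)),            # still present, overdue
    DatasetRecord("client-c-staging", "Client C", "non-production", False,
                  date(2024, 3, 1), date(2026, 12, 31), instruction_ref="DPA-annex-3"),
]

if __name__ == "__main__":
    for f in audit_inventory(SAMPLE_INVENTORY, AS_OF):
        print(f"{f.dataset_id}: {f.rule} ({f.detail})")
```

Run against the sample register, the Deezer copy trips both rules (1034 days late), the anonymized extract and the staging copy covered by a written instruction trip neither, and the still-present Client B data trips only the retention rule. A real check would read the register from the processor's asset inventory and run on a schedule, so that a late deletion is flagged before a breach, not after.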

Marketing professionals should recognize that GDPR processor obligations extend beyond technical security measures to fundamental data handling practices. The case illustrates how failures in basic compliance areas, namely maintaining processing records, operating within controller instructions, and deleting data after service provision ends, can result in substantial penalties when combined with a data breach.

The €1 million fine is below the maximum penalty available under the GDPR but reflects consideration of the company’s size and financial situation alongside the seriousness of the violations. The committee determined that the amount complies with the requirements of the EU Charter of Fundamental Rights and with French administrative law principles against disproportionate outcomes, while preserving the fine’s deterrent effect.

CNIL has intensified enforcement across multiple digital marketing areas, including cookie consent violations, email tracking practices, and mobile application privacy. The authority published recommendations for AI system development in July 2025, establishing concrete compliance requirements affecting programmatic advertising platforms that use machine learning for audience targeting.

The enforcement landscape shows coordinated regulatory approaches across European jurisdictions. German courts have ruled on cookie consent requirements affecting tag management practices, while privacy advocates have filed GDPR complaints against major Chinese technology platforms for violating data access rights.

The intersection of data protection and competition law continues to evolve, with French regulators ruling that Apple’s App Tracking Transparency framework created unfair competition through asymmetric consent mechanisms. Competition authorities have ordered Meta to pay €479 million for GDPR advertising violations that created unfair competitive advantages.

Timeline

  • February 2009: Optimove (originally Mobius Solutions) founded in Israel by Pini Yakuel and Shachar Cohen
  • December 1, 2016: Contract between Deezer and Optimove takes effect for marketing personalization services
  • April 2019: Optimove employees copy non-anonymized Deezer user data to a non-production environment
  • December 1, 2020: Contract between Deezer and Optimove terminates; Optimove should have deleted all user data
  • October 31-November 5, 2022: Data breach occurs, affecting 46.9 million Deezer users worldwide
  • November 10, 2022: Deezer notifies CNIL of the personal data breach, identifying Optimove as the likely source
  • January 31, 2023: Deezer sends a supplementary notification confirming the breach originated from Optimove’s systems
  • October 1, 2023: Optimove deletes the unauthorized copy of Deezer data on Deezer’s instructions
  • October 23, 2023: CNIL inspection team sends a compliance questionnaire to Optimove
  • January 12, 2024: Optimove responds to the initial CNIL questionnaire
  • April 30, 2025: CNIL President appoints Claude Castelluccia as rapporteur
  • June 13, 2025: Rapporteur notifies Optimove of the report detailing GDPR breaches
  • July 21, 2025: Polish Data Protection Authority announces €3.89M fine against McDonald’s Poland for processor oversight failures
  • October 13, 2025: Rapporteur notifies Optimove of the closure of the investigation
  • November 27, 2025: Restricted committee session with oral observations from the rapporteur and Optimove
  • December 11, 2025: CNIL restricted committee imposes €1 million fine on Optimove
  • December 19, 2025: Decision published on Légifrance

Summary

Who: France’s Commission Nationale de l’Informatique et des Libertés imposed penalties on Mobius Solutions Ltd. (operating as Optimove), an Israeli marketing technology company headquartered in Tel Aviv. The company provides marketing automation software to clients including Deezer, the French music streaming platform. The restricted committee comprised President Philippe-Pierre Cabourdin, Vice-President Vincent Lesclous, and members Laurence Franceschini, Isabelle Latournarie-Willems, and Didier Kling. Rapporteur Claude Castelluccia conducted the investigation.

What: CNIL imposed a €1 million administrative fine for violations of GDPR Articles 28, 29, and 30 concerning data processor obligations. The violations consisted of failing to delete user data after contract termination, processing personal data without controller instructions, and not maintaining proper records of processing activities. The breaches enabled a data breach affecting 46.9 million Deezer users worldwide, including 9.8 million in France. Exposed data included user identifiers, contact information, listening habits, payment information, and behavioral data from the streaming platform.

When: The violations spanned April 2019, when Optimove copied the user data, to October 1, 2023, when the company finally deleted the unauthorized copy. The contract between Optimove and Deezer ran from December 1, 2016, to December 1, 2020. The data breach occurred between October 31 and November 5, 2022. CNIL issued the decision on December 11, 2025, and it was published on Légifrance on December 19, 2025.

Where: The enforcement action took place in France under CNIL’s jurisdiction, although Optimove is established in Israel at Adgar 360 Tower in Tel Aviv. The processing affected users throughout the European Union, with a particular impact on French users of Deezer’s streaming service. The decision establishes that GDPR Article 3(2)(b) applies to processors not established in the EU when their activities relate to monitoring the behavior of individuals within the Union.

Why: The enforcement addresses systematic failures in data processor compliance that created the conditions for a massive data breach. Optimove failed to implement adequate controls over employee data handling, retained user data beyond its contractual authorization, processed data for internal purposes without controller instructions, and did not maintain the required records of processing activities. The penalty aims to ensure effective, proportionate, and dissuasive enforcement while protecting the fundamental rights of data subjects and holding processors accountable for their GDPR obligations regardless of their geographic location.
