Hogan Lovells
Insights and Analysis

Overview of the CNIL’s deliberations in 2025: when sanctions precede recommendations

18 May 2026
""
Bynder Desktop Image for mobile
wechat x linkedin
hogan-lovells-logo
Share by email
Enter email
Enter Subject
Cancel
Send
Chapters

  • Chapter 1: Introduction
  • Chapter 2: The continuation of the action plan on cookies and trackers
  • Chapter 3: Consent in commercial prospecting
  • Chapter 4: CNIL’s jurisdiction: one-stop shop and interaction between GDPR / ePrivacy
  • Chapter 5: Beyond consent: minimization, security and substantive obligations
  • Chapter 6: Controller / processor relationships
  • Chapter 7: A two-tier punitive policy and an opaque quantum
  • Chapter 8: The reform of procedure: the right to remain silent has sparked much discussion
  • Chapter 9: Conclusion

In 2025, the French data protection authority, the CNIL, imposed €486 million in fines, with 98% concentrated in two decisions issued on the same day. Behind this figure, the authority continues a more discreet but more structural body of work: consolidation of the doctrine regarding cookies, tightening of the rules on commercial prospecting and subcontracting, and renewed tensions around the one-stop shop. The year confirms a method, the one that gives this overview its title: the sanction precedes the recommendation, and it is up to operators to infer the rules.

Chapter 1

Introduction


The key figures of the 2025 report

In 2025, the CNIL’s enforcement activity was marked by a high number of total sanctions and a record amount of fines. In total, 83 sanctions were imposed (16 under the ordinary procedure, 10 of which were published, and 67 under the simplified procedure), 143 compliance orders and 31 reminders of legal obligations.

The cumulative amount of fines amounts to €486,839,500. Although this record number is impressive, it is in fact misleading: 98% of the total fines are concentrated in two decisions against multinational groups in the technology and fashion sectors, published on the same day.[1]

Only the ten deliberations made public are covered by this overview. The sixty-seven decisions rendered under the simplified procedure are never published, so the lessons they contain remain out of practitioners’ reach, except to glimpse them, indirectly and in a necessarily filtered manner, through the Data Protection Tables that the CNIL publishes for professionals.

What 2025 reveals beyond the figures

The activity in 2025 reveals several trends within the CNIL.

A two-speed enforcement policy can be observed: while the authority handles a few emblematic cases with record amounts, it applies a continuous and massive flow of low-visibility simplified sanctions targeting smaller actors such as very small businesses and liberal professions.

Most of the sanctions imposed illustrate the consolidation of an existing, well-established doctrine for the authority. The CNIL is not discovering new violations in 2025; it is deepening and systematizing the themes pursued since 2020 regarding cookies, commercial prospecting, and the controller-processor contractual framework.

Moreover, inspections targeting international actors are accelerating. These proceedings necessarily involve jurisdictional issues, which are becoming increasingly sophisticated.

In addition to these jurisdictional questions concerning cross-border processing, there is the interplay between the GDPR and the ePrivacy Directive. The topic of cookies continues its course in line with the CNIL’s recommendations. Compliance with consent requirements, both for cookies and for commercial prospecting, also reappears in the decisions published in 2025. In parallel, classic GDPR topics such as the application of the various principles or the relationships between controller and processor retain their place.

Chapter 2

The continuation of the action plan on cookies and trackers


Five years after the guidelines: zero tolerance

In 2020, the CNIL set out and clarified the regulatory framework for cookies in its recommendation of 17 September 2020. In this regard, the CNIL considers that these recommendations and the penalties enforcing them are known to all operators and thus justifies the severity of the penalties imposed.

Therefore, a company previously penalized regarding cookies was more strictly sanctioned by the CNIL in a new decision.[2] In the latter, the CNIL revisits the penalties previously imposed on the same actor in 2020, and considers, as in criminal matters, that repeat offenses constitute an aggravating factor in determining penalties on this same subject of cookies.

In parallel, partial compliance occurring during the proceedings should not lead to an exemption from penalty. Thus, the company targeted by Deliberation SAN-2025-010[3] had acknowledged the breach related to a misconfiguration of a cookie and had disabled it quickly.

The CNIL took “note of the corrections that the company states it has made” but still noted the infringements that remained for the past.[4] This cooperation is duly taken into account by the CNIL to mitigate the penalty, without making it disappear.

In 2025, there were 21 penalties imposed concerning cookies across all procedures. Despite the large number of decisions already issued on the subject, it remains a priority theme for the authority.

This proactive approach regarding cookies is not unrelated to the particular jurisdictional configuration of this litigation.

By relying on Article 82 of the French Data Protection Act (Loi Informatique et Libertés, “LIL”), transposing the ePrivacy directive, the Restricted Committee (the CNIL body responsible for issuing sanctions) retains exclusive jurisdiction that allows it to act autonomously, without resorting to the GDPR’s one-stop-shop mechanism: by characterizing the main grievance as a violation of Article 82 of the LIL, the CNIL hopes to free itself from the cooperation system that would have required it to involve other data protection authorities.

This choice of legal basis is not neutral, and it is not surprising that the CNIL cultivates it.

The placement of cookies without consent and their persistence after its withdrawal

When browsing a website, the user is first presented with a cookie banner. This banner allows the user to give or withhold consent to the placement and reading of cookies on their device. The purposes of the processing are also specified by this banner.

Consent is indeed required by Article 82 of the LIL to place and read cookies, unless an exemption can be relied upon. The methods for collecting consent follow the regime of Article 4 GDPR.

Breaches of the requirement for user consent prior to any placement of cookies are illustrated differently by the various decisions rendered in 2025.

At the stage of a user’s first visit, the CNIL recalls that cookies cannot be placed before the user has had the opportunity to express consent. In this respect, a company is principally fined for placing 10 trackers before the cookie banner appeared.[5] Two other actors are sanctioned for this infringement.[6]

In parallel, the information provided by the cookie banner was deemed incomplete, as it merely stated that the user experience was improved.

To be valid, consent must be freely given and informed. This requires a clear level of information, free of any element likely to mislead the user as to the decision being made.

In Deliberation SAN-2025-004, biased navigation paths were criticized. The “without cookies” path was less attractive than the “with cookies” path, thus pushing the user, according to the CNIL, to turn toward accepting cookies: the default choice would not constitute freely given consent within the meaning of the GDPR.

Since 2025, the CNIL has focused on the consequences of a user’s withdrawal of consent. Indeed, a user may accept the placement of cookies at first, then withdraw their consent at a later stage.

In these circumstances, the controller is required to respect the data subject’s decision by deactivating the cookies in question.

However, the CNIL goes further and considers that keeping cookies on a user’s device despite the latter’s withdrawal of consent constitutes a breach of Article 82 of the LIL. This is particularly the case for cookies used for marketing purposes.[7]

In its Deliberation SAN-2025-011, the Restricted Committee reiterates the principle established as early as 2023: the data subject has the right to withdraw consent, and the controller must give effect to that withdrawal.[8]

This principle, whose scope seemed well established, has proven more complex to implement than expected, on two distinct levels.

First, at the technical level. Making the withdrawal of consent effective is not limited to interrupting new reading operations; it must also put an end to the placement of cookies. No longer reading a cookie is no longer sufficient; the CNIL now requires that it be deleted from the user’s device.

The Restricted Committee clarified this requirement in the context of an injunction procedure concerning a telecommunications operator, the closure of which was pronounced in September 2025.[9] The compliance validated by the CNIL consisted, for the company’s first-party cookies, in extending the deletion script to all cookies subject to consent, and not merely to their deactivation.

For third-party cookies, the Restricted Committee held that the publisher’s responsibility was limited to interrupting requests from its site, due to a lack of technical control over partner servers.
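The two technical requirements set out above (no consent-gated tracker may run before the banner has been answered, and withdrawal must delete first-party cookies rather than merely stop reading them, while requests to partner servers are simply no longer sent) can be captured in a small consent manager. The following is an added example, not code from the article, the CNIL or the sanctioned operator; the cookie names, the partner host and the in-memory cookie jar that stands in for document.cookie are constructed so the code runs under Node.

```javascript
// Added example (not the article's or the CNIL's code): a minimal consent manager.
// Consent-gated trackers never run before the user decides, and withdrawal deletes
// first-party cookies instead of merely ceasing to read them; partner requests are
// simply no longer sent. Cookie names, hosts and the in-memory jar are constructed.

// Cookies that may only exist with consent. Path and Domain must match the values
// used when the cookie was set, otherwise the browser targets a different cookie.
const CONSENT_COOKIE_INVENTORY = {
  firstParty: [
    { name: "_ads_id", path: "/", domain: "example.test" },       // constructed
    { name: "_perf_session", path: "/", domain: "example.test" }, // constructed
  ],
  thirdPartyHosts: ["partner-ads.test"], // set by partner servers; only our requests to them stop
};

// The string that, assigned to document.cookie, removes one cookie.
function expireCookieString({ name, path = "/", domain }) {
  const attrs = [`${name}=`, "Max-Age=0", "Expires=Thu, 01 Jan 1970 00:00:00 GMT", `Path=${path}`];
  if (domain) attrs.push(`Domain=${domain}`);
  return attrs.join("; ");
}

// Stand-in for document.cookie so the example runs under Node. A cookie is
// identified by name, domain and path, as in a browser.
class CookieJar {
  constructor() { this.store = new Map(); }
  set(cookieString) {
    const [pair, ...rawAttrs] = cookieString.split(";").map((s) => s.trim());
    const eq = pair.indexOf("=");
    const name = pair.slice(0, eq);
    const attrs = {};
    for (const a of rawAttrs) {
      const i = a.indexOf("=");
      attrs[(i < 0 ? a : a.slice(0, i)).toLowerCase()] = i < 0 ? "" : a.slice(i + 1);
    }
    const key = `${name}|${attrs.domain || ""}|${attrs.path || "/"}`;
    if (attrs["max-age"] === "0") this.store.delete(key); else this.store.set(key, pair.slice(eq + 1));
  }
  names() { return [...this.store.keys()].map((k) => k.split("|")[0]); }
}

class ConsentManager {
  constructor(jar, sendRequest) {
    this.jar = jar;
    this.sendRequest = sendRequest; // performs a request to a partner host
    this.state = "undecided";       // "undecided" | "granted" | "withdrawn"
    this.pending = [];              // trackers registered before the banner was answered
  }
  // Trackers register here instead of writing cookies or calling partners directly.
  registerTracker(tracker) {
    if (this.state === "granted") this.run(tracker);
    else if (this.state === "undecided") this.pending.push(tracker);
    // after withdrawal a tracker is dropped
  }
  run(tracker) {
    for (const c of tracker.cookies) this.jar.set(`${c.name}=${c.value}; Path=${c.path}; Domain=${c.domain}`);
    for (const url of tracker.partnerUrls) this.sendRequest(url);
  }
  grant() {
    this.state = "granted";
    this.pending.splice(0).forEach((t) => this.run(t));
  }
  withdraw() {
    this.state = "withdrawn";
    this.pending.length = 0;
    for (const c of CONSENT_COOKIE_INVENTORY.firstParty) this.jar.set(expireCookieString(c));
    const inventoryNames = CONSENT_COOKIE_INVENTORY.firstParty.map((c) => c.name);
    return {
      remainingFirstParty: this.jar.names().filter((n) => inventoryNames.includes(n)),
      outsidePublisherControl: CONSENT_COOKIE_INVENTORY.thirdPartyHosts,
    };
  }
}

// Walk through first visit, acceptance, withdrawal and a late tracker.
function demo() {
  const jar = new CookieJar();
  jar.set("session_id=abc; Path=/; Domain=example.test"); // strictly necessary cookie, exempt
  const requests = [];
  const cm = new ConsentManager(jar, (url) => requests.push(url));
  const adsTracker = {
    cookies: [{ name: "_ads_id", value: "42", path: "/", domain: "example.test" }],
    partnerUrls: ["https://partner-ads.test/sync"],
  };
  cm.registerTracker(adsTracker);
  const beforeDecision = { cookies: jar.names(), requests: requests.length };
  cm.grant();
  const afterGrant = { cookies: jar.names(), requests: requests.length };
  const report = cm.withdraw();
  const afterWithdraw = { cookies: jar.names(), requests: requests.length };
  cm.registerTracker(adsTracker);
  return { beforeDecision, afterGrant, afterWithdraw, report, requestsAfterLateTracker: requests.length };
}

console.log(JSON.stringify(demo(), null, 2));
```

The report returned by withdraw() makes the limit the Restricted Committee itself acknowledged explicit: the publisher can prove its own cookies are gone, but for partner hosts it can only show that it stopped sending requests.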

Second, with respect to the data processed. The question arises as to what happens to the data already collected from these cookies. The Restricted Committee held that the withdrawal of consent prevents any further use of these data, including for distinct purposes — in this case, the improvement of targeting algorithms. The reasoning is based on the combined reading of Articles 7(3) and 17(1) of the GDPR: when consent constitutes the only possible lawful basis and it is withdrawn, there is no longer any legal basis allowing the retention of the personal data thus collected.

This position was confirmed by the Conseil d’État (France's supreme administrative court, which reviews CNIL decisions) in March 2026, which expressly dismissed the argument of legitimate interest as an alternative basis, since the data at issue could initially be collected only on the legal basis of consent.[10]

It is nevertheless appropriate to circumscribe the scope of this doctrine. The withdrawal of consent on a cookie banner does not mechanically constitute a request for erasure within the meaning of Article 17 GDPR, which requires an active step by the data subject. What is at stake in the Conseil d’État’s case law is the impossibility for the controller to continue to actively use data lacking a legal basis after withdrawal, and not an obligation of instantaneous erasure triggered by any click on “reject”.

This solution calls for a caveat that the Restricted Committee itself acknowledges without resolving. In its Closing Deliberation SAN-2025-007, it notes that in the absence of deletion of third-party cookies, the user’s browsing tracking may continue on partner sites despite the withdrawal of consent, before indicating that this situation exceeds the publisher’s responsibility for lack of technical control.

The Restricted Committee thus shifts onto the partners an obligation that it simultaneously acknowledges the publisher cannot enforce. This doctrinal impasse is even more concerning as the compliance orders addressed to organizations regarding cookies do not always distinguish between first-party cookies and third-party cookies.

Data controllers now find themselves, through these formal notices, facing a requirement that the CNIL itself acknowledged, in Closing Decision SAN-2025-007, to be only partially attainable. There is no doubt that the extension to third-party cookies of an obligation of erasure following the withdrawal of consent will emerge in the coming months.

Specific practices sanctioned: cookie wall and dark patterns

The guidelines of the European Data Protection Board (EDPB) on consent[11] and on dark patterns[12] have gradually entered into the reasoning of the Restricted Committee. In 2025, two decisions rely on them explicitly.

Deliberation SAN-2025-004[13] is the most developed case. The proposed browsing path featured a clear asymmetry: the option “with cookies” was presented in a simple and attractive manner, while the alternative path “without cookies” required several additional clicks and was accompanied by a less favorable presentation.

The CNIL characterizes this design as a dark pattern and considers that it deprives consent of its freely given nature. This analysis is in line with the first decisions on biased interfaces issued by the authority as early as 2021.

Deliberation SAN-2025-005[14] identifies two deficient tracker management interfaces. The main banner did not allow the user to easily access all purposes and recipients. The preference management panel was structured in a way that made global refusal difficult.

The CNIL distinguishes these design flaws from the notion of a cookie wall in the strict sense, which consists of conditioning access to a service on consent to the placement of cookies. The cookie wall is not, as such, illegal (the Conseil d’État reminded the CNIL of this position in a decision dated 19 June 2020, No. 434684), but it must be accompanied by a real alternative to access the service, and the consent thus obtained must be freely given, which presupposes that the alternative is neither illusory nor excessively degraded.

These are concepts for which professionals still lack, to this day, concrete cases officially recognized by the regulator.

It should be noted that the CNIL sanctions behaviors likely to fall under the notion of a cookie wall without ever having published, in a formal recommendation, the positive criteria enabling an operator to design such a mechanism in a compliant manner.

The Restricted Committee reasons by analogy with the EDPB’s guidelines, whose normative scope in domestic law is indirect, without these orientations having been transposed into a binding positive law text.

As a result, operators face the risk of sanctions whose contours only become apparent after the fact, at the mercy of the Restricted Committee’s case law.

Chapter 3

Consent in commercial prospecting


The doctrine of data brokers: a coherent but isolated line of case law

Starting in 2023, the CNIL began to shape its approach on data brokers. Earlier decisions had gradually sketched out a coherent analytical framework for assigning responsibility across the commercial data ecosystem. The deliberations of May 2025 follow this trajectory and carry it forward.[15]

The factual pattern is identical in both cases: a company collects personal data via sweepstakes forms hosted on third-party sites, then transmits this data to commercial partners who use it for electronic prospecting.

The CNIL has identified this model as structurally problematic with regard to the requirements of the regulation, and it returns to it with a regularity that signals a desire to close the doctrinal debate on this point.

The authority's position is clear: the controller who outsources data collection to partners or brokers cannot shift onto them the obligation to ensure the lawfulness of that collection. A partner's contractual commitment to comply with the GDPR, even if robustly drafted, is not sufficient. The controller must verify for itself that the data it receives were collected with valid consent. Everything nevertheless depends on the qualification of the initial collector: is it a processor, an autonomous controller of the collection, or a joint controller with the data broker?

The CNIL derives this requirement that each actor in an ecosystem prove consent from Article 7 of the GDPR and the principle of accountability, interpreted in a broad way. However, the exact level of diligence required remains undetermined: neither the deliberation nor the available guidelines specify the expected depth of verification. The only published certainty to date is that the requirements designed by the Restricted Committee are not met.

This uncertainty undermines the predictability of the rules and calls into question the viability of data buying, renting, or sharing models within ecosystems composed of independent controllers or joint controllers, since the CNIL has not clearly pinned down the nature of their respective roles.

The validity of consent: lessons from sweepstakes forms

The criteria for valid consent are defined in Article 4(11) of the GDPR: free, specific, informed and unambiguous. These four conditions are assessed cumulatively. Sweepstakes forms were used in two cases that were the subject of these deliberations by the Restricted Committee in May 2025.

In the first case, the participation form included a single button “I PARTICIPATE” which amounted both to registration for the contest and agreement to the transmission of data to commercial partners. There was indeed a link allowing participation without accepting prospecting, but it was presented in characters significantly smaller than the main button and blended into the body of the text, to the point of being practically invisible to an ordinary user.

The second case presents the same design flaw, to which is added a separate shortcoming regarding retention periods: the data of inactive prospects were kept in the active database for four years without distinction.

The CNIL challenges the criterion chosen by the company to define an “active” contact: simply opening an email, in the company’s view, was enough to justify extending retention. The CNIL considers this insufficient.

This point should be on the radar of customer relations teams: how you define an active contact is an essential parameter of any retention policy for prospect data, and the criteria you use must be defensible in light of the processing purposes.

The Restricted Committee rejects the “active contact” criterion without positively defining what would constitute a compliant collection of consent in this type of configuration.

This asymmetry—indicating what doesn’t work without laying down a positive frame of reference—leaves operators in ongoing uncertainty about acceptable email collection methods.

Proof of consent and retention periods

Article 7(1) of the GDPR places the burden on the controller to demonstrate that the data subject has validly consented to the processing of their data. This requirement, often treated as a mere formality, is in fact a substantive obligation that demands deliberate technical and organizational design choices.

A company thus found itself unable to produce sufficient evidence of consent collected two years earlier.[16] This grievance is distinct from and cumulative with the invalidity of the forms themselves. Even if the forms had been compliant, the lack of proof that each individual had personally expressed consent would, on its own, have justified a separate sanction.

Since 2023, the CNIL has tended to treat these two breaches separately, which mechanically increases the overall level of penalties.

On a practical level, retaining evidence of consent requires, at a minimum, time-stamped logging of the exact content of the form displayed at the moment consent was collected, the action taken by the user, sufficient identification of that user (although undetermined by the CNIL at this stage) and the version of the information notices.

These logs must be kept for the entire period during which the data are used, and for long enough after their deletion to be able to respond to an audit. What retention period should apply to these identification chains that prove an individual’s consent? May they exceed the natural retention period justified by the processing’s original purpose? We may find out in the months ahead.

Chapter 4

CNIL’s jurisdiction: one-stop shop and interaction between GDPR / ePrivacy


Article 82 LIL and the one-stop shop: a persistent tension

Two decisions of the Restricted Committee handed down in 2025 perfectly illustrate the jurisdictional issues raised by Article 82 of the LIL, the ePrivacy directive and the GDPR’s one-stop-shop mechanism.[17]

In these cases, the multinationals challenged the CNIL’s jurisdiction: in their view, personal data and obligations arising from the GDPR were at stake. The GDPR would therefore be applicable, and the Irish authority would have jurisdiction under the GDPR’s one-stop shop system, since both companies are established in Ireland.

Under French law, the LIL transposes the ePrivacy Directive in Article 82 of the LIL, which governs the requirement of consent for accessing or storing information on a user’s device (Article 5(3) of the ePrivacy Directive).

Under the ePrivacy Directive, each Member State retains jurisdiction to apply its own transposition law. These rules are independent of the GDPR regime, which provides for the application of the one-stop shop mechanism in the event of cross-border data processing. In such case, the competent authority, known as the lead authority, is that of the Member State of the main establishment. This mechanism specific to the GDPR does not extend to elements of the ePrivacy Directive.

Yet, in these cases, the CNIL seems to claim jurisdiction by applying Article 82 of the LIL and the ePrivacy Directive regime. The one-stop shop is therefore not applicable. The designation of another lead authority is not conceivable either.

Two elements of analysis are nevertheless still missing at this stage. First, the CNIL dismisses the potential jurisdiction of third-party authorities in order to designate itself as competent under the ePrivacy framework, including for cross-border processing carried out by companies established in Ireland. Second, it is not enough to repeat the case law of the Court of Justice of the European Union (CJEU) to exhaust the applicable legal framework. Indeed, the transposition of the GDPR into French law, to which the LIL refers by reference, did not isolate Article 82 on cookies from the rest of the LIL. On the contrary, by granting the CNIL investigative, monitoring and sanctioning powers for “the provisions of this law”, the LIL subjects the CNIL to the cooperation and one-stop shop mechanism, whatever the article or obligation whose compliance the CNIL monitors, including Article 82. Thus, the question has not yet been raised as to what French law provides that was not devised by the GDPR and the ePrivacy Directive, these two instruments having been adopted 14 years apart.

Consequently, the CNIL’s articulation - both material and geographical - of the two texts, the GDPR and the ePrivacy Directive, is open to question. Indeed, although it considers that the collection of cookies depends exclusively on the ePrivacy directive, it does not hesitate to apply the provisions of the GDPR for consent modalities, processing related to cookies (subsequent data analysis for example) and the sanction regime.

Now, if the issue rests on the consent modalities derived from the GDPR, the one-stop-shop mechanism could readily apply. One of the sanctioned companies has already announced an appeal before the Conseil d’État as well as a possible preliminary reference to the CJEU on this point.

The notion of establishment “in the context of the activities”: CJEU doctrine

The other aspect underlying the CNIL’s geographic jurisdiction is that of the main establishment of the company concerned. The jurisdiction of the lead supervisory authority is determined according to the location of the organization’s main establishment.

The CJEU has adopted a broad conception of the main establishment. In the Google Spain judgment of 13 May 2014[18], the CJEU clarified that qualification as a main establishment does not depend on the legal form adopted by that establishment. What matters is “the effective and real exercise of activity through stable arrangements”. The reality of the establishment is therefore assessed in concreto: an establishment qualifies as main according to the means conferred on it and its real activity, even if it is not of great importance.

The CNIL regularly invokes this doctrine to explain its jurisdiction and the presence of an establishment on French territory. Thus, the company of the international group established in France, responsible for promotion and advertising sales in France, does indeed constitute an establishment “in the context of the activities” within which cookie processing is carried out.[19]

The decision also notes the relations between the group’s parent company and the French company. The two entities had in fact entered into a service agreement that appeared to restrict the activity of the French establishment to simple marketing in France and contact with the French authorities. The checks carried out by the CNIL, however, demonstrated the links between the foreign establishments and the French one, which are involved in the products deployed in the European area. The activities of the French company were not completely distinct from the group’s activities. They were even interdependent, since the French subsidiary also served as a bridge between advertisers and the parent company.

In practice, this reveals that a matrix organizational structure does not preclude the CNIL’s jurisdiction. The argument of the isolated subsidiary is inoperative despite the corporate form, the bylaws, and the distinct presentation of activities.

The extraterritorial jurisdiction of the CNIL over a non-EU processor

Deliberation SAN-2025-014 explores a distinct configuration: a company established in Israel, without an establishment in the European Union, subject to the CNIL’s jurisdiction on the basis of Article 3(2)(b) GDPR.[20] This provision extends the scope of application of the Regulation to processing that is linked to the monitoring of the behavior of persons located in the territory of a Member State.

The company in question was a subcontractor of a company established in France. Following a data breach that occurred in November 2022, it appeared that the Israeli company had retained the data of more than 46 million users well after the expiration of its contract with the controller, and that employees of the company had copied this data into a non-production environment without instruction from the latter.

The CNIL declared itself competent to directly sanction this subcontractor established outside the Union, on the grounds that the processing in question was linked to the monitoring of the behavior of users located in France.

This Deliberation confirms that there is no free zone for service providers established in third countries who participate in processing activities concerning persons located in the European Union.

Chapter 5

Beyond consent: minimization, security and substantive obligations


The principle of minimization: collect only what is necessary

Article 5(1)(c) of the GDPR requires that the data collected be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. This principle of minimization is one of the oldest in personal data law and one that the CNIL has applied with the greatest regularity for several years.

In 2025, two Decisions illustrate this in a particularly striking way.

In the case giving rise to Decision SAN-2025-011[21], the Restricted Committee notes that the company systematically recorded all telephone conversations with its customers from the end of the legal information notices, including hold periods. Of approximately 1.2 million calls handled in 2022, half were recorded without the declared purposes (team training, quality control, handling complaints) justifying such extensive recording.

Decision SAN-2025-008 presents a case in which hidden cameras and microphones had been installed in the stock areas of a department store.[22] The permanent capture of images and sounds in spaces reserved for employees goes far beyond what a premises security objective could justify. The principle of minimization applies not only to the content of the data collected but also to the methods and scope of their capture.

Employee video surveillance: a rapidly increasing volume of litigation

Employee video surveillance has been identified as a priority control theme by the CNIL since 2024. In 2025, sixteen organizations were sanctioned on this basis across all procedures combined, a notable increase compared with nine sanctions in 2024 and four in 2023 on this subject.

The aforementioned Deliberation SAN-2025-008 is the public reference for this exercise. Permanent employee monitoring is contrary to the regulation except in duly proportionate exceptional circumstances. Hidden cameras, which deprive employees of any possibility to exercise their rights to information, access and objection, are subject to a particularly rigorous justification requirement that the authority is unlikely to recognize in ordinary cases.

For human resources managers and DPOs of large companies, employee monitoring systems (video surveillance, geolocation, communications monitoring) are under increased CNIL scrutiny. An impact assessment should be systematically carried out before any deployment of this type of system.

Data security: Article 32 GDPR in practice

Article 32 of the GDPR requires the implementation of appropriate technical and organizational measures to ensure a level of security appropriate to the risk. The CNIL has progressively built, through its decisions and practical guides, a body of reference standards that operators are invited to follow. Any deviation from these standards must be justified by alternative measures of equivalent effect.

Deliberation SAN-2025-015 is particularly instructive in this regard.²³ The company concerned published software for managing the files of the departmental residences for people with disabilities, and therefore processed data relating to disability, which falls within the special categories within the meaning of Article 9 of the GDPR.

The CNIL notes cumulative failures: use of the SHA-1 algorithm for digital signatures, a technology that ANSSI (the French cybersecurity agency) has deprecated since 2017; password hashing with SHA-256, a generic function unsuited to secure password storage, for which dedicated functions such as bcrypt or Argon2 are recommended; and unpatched vulnerabilities in a system processing some of the most sensitive data.

Deliberation SAN-2025-017²⁴ illustrates a recurring security shortcoming: a password policy with an entropy of 26 bits instead of the required minimum of 50 bits, and password storage by SHA-256 hashing, considered insufficient because the function’s execution speed favours an attacker testing guesses.
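To make the two findings concrete for a security or compliance reviewer, here is an added example; it is not code from the article, the CNIL decisions or the sanctioned companies. It assumes the usual policy-entropy model (password length multiplied by log2 of the alphabet size) and uses PBKDF2 from Python’s standard library as the slow, salted function, since bcrypt and Argon2, the functions the article names, require third-party packages; the 8-digit policy, the user records and the work factor are constructed illustrations. It also includes a small audit helper that flags stored records which look like bare fast-hash digests, a check a DPO or auditor can run over an export before the regulator does.

```python
"""Password policy entropy and password storage: the sanctioned pattern beside a hardened one.

Added example, not part of the article. Assumptions: the entropy model
length * log2(alphabet size) for a uniformly random password; PBKDF2-HMAC-SHA256
(standard library) as the slow, salted hash in place of bcrypt/Argon2; the
sample policies and records below are constructed.
"""
import hashlib
import hmac
import math
import os

MIN_POLICY_BITS = 50           # minimum cited in the article
PBKDF2_ITERATIONS = 600_000    # assumed work factor; tune until one check takes ~100 ms on the target host


def policy_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a password drawn uniformly at random from the policy's alphabet."""
    return length * math.log2(alphabet_size)


def policy_meets_minimum(length: int, alphabet_size: int) -> bool:
    """True when the policy reaches the 50-bit floor named in the article."""
    return policy_entropy_bits(length, alphabet_size) >= MIN_POLICY_BITS


# --- Weak storage: a bare, unsalted SHA-256 digest (the pattern the CNIL criticised) ---
def weak_store(password: str) -> str:
    # One fast compression per guess and no salt: identical passwords produce identical records.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def weak_verify(password: str, stored: str) -> bool:
    return hmac.compare_digest(weak_store(password), stored)


# --- Hardened storage: per-user random salt plus a deliberately slow derivation ---
def hardened_store(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Self-describing record so the work factor can be raised later without breaking old entries.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def hardened_verify(password: str, stored: str) -> bool:
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def is_weakly_stored(stored: str) -> bool:
    """Audit helper: flag records that look like a bare hex SHA-1 (40) or SHA-256 (64) digest."""
    s = stored.strip().lower()
    return "$" not in s and len(s) in (40, 64) and all(c in "0123456789abcdef" for c in s)


def audit_records(records: dict) -> list:
    """Return the usernames whose stored credential uses a bare fast hash."""
    return sorted(user for user, rec in records.items() if is_weakly_stored(rec))


if __name__ == "__main__":
    # Constructed policies: an 8-digit numeric policy sits near the 26 bits cited in the article,
    # while 8 characters over the 95 printable ASCII symbols clears the 50-bit floor.
    for label, length, alphabet in [("8 digits", 8, 10), ("8 printable ASCII", 8, 95)]:
        print(f"{label}: {policy_entropy_bits(length, alphabet):.1f} bits, "
              f"meets minimum: {policy_meets_minimum(length, alphabet)}")

    # Constructed user table mixing the weak and hardened formats.
    records = {"alice": weak_store("Summer2022"), "bob": hardened_store("Summer2022")}
    print("records to migrate:", audit_records(records))
    print("bob verifies:", hardened_verify("Summer2022", records["bob"]))
```

The audit helper is deliberately conservative: it only recognises bare hex digests of the two lengths the article mentions, so a record in another unsalted format would need its own rule. The iteration count is a starting point, not a recommendation; the right value is whatever makes verification measurably slow on the production hardware while staying acceptable for users.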

The Restricted Committee upholds these failures explicitly on the basis of its own 2022 recommendations and ANSSI’s guides. It should nevertheless be noted that the company was not without argument: it maintained that ANSSI’s recommendations themselves described SHA-2 as a solution that was “seemingly at first glance” suitable before qualifying that statement, a wording the CNIL acknowledged but dismissed on the grounds that the definitive meaning of the recommendation was sufficiently clear.

This is precisely the argument that the principle of the legality of offenses and penalties should prohibit: imposing a sanction on the basis of a soft law standard whose interpretation is itself debated in the invoked reference text.

The CNIL has not adopted, by regulation, an express obligation to use a slow hashing function. It created, by a non-binding recommendation, an enforceable de facto standard, then sanctioned its disregard by treating this standard as if it had the force of law.

The company raised this argument, and the Restricted Committee unfortunately did not examine it seriously.

The impact assessment: an obligation still too often ignored

Article 35 of the GDPR requires a data protection impact assessment (DPIA) to be carried out before any processing likely to result in a high risk to the rights and freedoms of data subjects. The EDPB has published its guidelines on the targeting of social media users,²⁵ which precisely identify this type of processing as falling under this obligation.

Deliberation SAN-2025-017 notes the absence of such an assessment for the advertising targeting processing carried out via the platform.²⁶ This processing involved large-scale data, cross-referencing with social network data and a situation of joint controllership with the platform. These three elements, taken together, unambiguously triggered the obligation to carry out an impact assessment.

The Restricted Committee finds the absence of a DPIA to be an autonomous breach, on the grounds that the processing met two of the nine criteria identified by the EDPB (large-scale processing and data cross-referencing), which, according to the 2017 WP29 guidelines, justifies carrying out a DPIA “in most cases”.

More fundamentally, Article 35 of the GDPR makes the DPIA the instrument for determining whether processing actually presents a high risk. It is an assessment tool, not the conclusion of that assessment. Considering its absence as a breach presupposes that the high risk was already established independently of it, which the deliberation does not demonstrate other than through the mechanical application of quantitative criteria.

Finally, the requirement that joint controllers conduct the DPIA collectively, set out by the EDPB guidelines, encounters an operational limit that the Restricted Committee ignores: the partner platform generally does not disclose to the advertiser the technical parameters of its own processing.

Ordering advertisers to conduct a joint DPIA covering processing whose modalities they do not control amounts to imposing on them an obligation whose performance depends on the good will of a third party over whom they have no contractual leverage.

Chapter 6

Controller / processor relationships


The controller’s liability towards its data brokers

In a data processing chain, the issue of upstream consent liability arises acutely.

The Restricted Committee holds that the controller cannot offload onto its data suppliers the obligation to ensure the lawfulness of the collection, whether by a contractual statement or by a warranty clause.²⁷

This position is based on an expansive reading of the accountability principle set out in Article 5(2) of the GDPR: the text does not expressly require the controller to verify the collection methods of a partner that is itself an autonomous controller.

The CNIL constructs this obligation by inference, without specifying the required level of diligence. Operators are thus informed of what is not sufficient (i.e., a contractual clause, a supplier’s statement) without a positive framework to determine what would be considered sufficient.

Deliberation SAN-2025-001 further illustrates a paradox to which the deliberation does not respond. The Restricted Committee finds the company’s negligence to be an aggravating factor, on the grounds that it “was well aware” of the defects in its partners’ forms. This knowledge had been precisely established by the company’s own compliance checks carried out on them. The CNIL therefore penalizes a company more severely for having formalized its supplier audits, since it is this formalization that made its knowledge of the shortcomings enforceable.

An organization that had not conducted these audits could not have been blamed for ignoring the results. The incentive created by this doctrine is, at the very least, ambiguous.

The subcontractor’s own obligations

Deliberation SAN-2025-014²⁸ sheds light on the scope of the obligations weighing directly on subcontractors.

In this case the data controller was the victim of a data breach in November 2022, with the data of more than 46 million users put up for sale on the darknet. The data controller identified its subcontractor established abroad as being at the origin of the incident.

The processor was brought before the CNIL following this data breach and its involvement in it. First, for its failure to comply with Article 28(3)(g) of the GDPR: after the end of its contract with the controller, the processor kept a copy of the data of more than 46 million users. Yet the contract binding the parties had ended on 1 December 2020, and the processor claimed to have deleted all the data. The breach of the obligation to delete data at the end of a contractual relationship is established: the processor had no reason to retain, until 2023, data arising from a contract that had ended.

The Commission also noted processing carried out outside the controller’s instructions, in violation of Article 29 of the GDPR. The processor’s employees had copied data into a non‑production environment in order to carry out tests and improvements on their system. For the CNIL, this operation was possibly deliberate, the processor having maintained that the copy could “fall within the normal performance of the contract”. This argument is dismissed, all the more so as the processing benefited the processor as much as the controller.

Finally, the processor is criticized for failing to comply with the obligation to establish a processing register within the meaning of Article 30 of the GDPR. The processor must indeed keep a record of processing activities in its capacity as a processor, separate from that of the controller. The various contracts and documents are not sufficient to list the information necessary to monitor the data processed in the context of the relationship with the controller.

It follows from this decision that the defense consisting of invoking isolated acts by employees without the knowledge of management is ineffective. The CNIL recalls that the company is responsible for the actions of its employees and that it is up to it to verify the data processing it implements.

In the presence of a company established outside French territory, the CNIL’s territorial jurisdiction is again challenged. In the absence of a one‑stop shop for the processor, each competent national authority may intervene, which increases multi‑jurisdictional exposure.

The subcontracting contract: a necessary but not sufficient instrument

When it comes to subcontracting, the contract is necessarily at the heart of the relationship with the controller. Article 28 of the GDPR requires the conclusion of a contract specifying, in particular, the duration and purpose of the processing and the obligation to delete data at the end of the contractual relationship.

In the aforementioned Deliberation,²⁹ the contract between the processor and the controller expressly specified that the data had to be deleted at the end of the contractual relationship.

However, as previously noted, the CNIL finds that this clause was not respected in practice.

Under Article 28 of the GDPR, the contract is indeed mandatory, but its existence does not exempt the controller from ensuring effective compliance with contractual obligations through audits, periodic checks, or by implementing end‑of‑contract procedures.

Even in a situation where the processor is undeniably at fault, the controller retains its share of responsibility by ensuring that its instructions are respected by its processor or that its obligations are fulfilled by a joint controller.

The contract is one tool among others to ensure the co-contractor’s compliance, without the controller being able to rely completely on it. As in data broker cases, delegation by contract never relieves the controller of its obligations and ultimate responsibility.

It should nevertheless be noted that, in this same case, the controller was not subject to any proceedings. The CNIL chose to prosecute the processor exclusively, without engaging the liability of the entity whose data had been misused, even though the subcontracting agreement provided for an obligation to delete that the company had, according to its own statements, believed it had complied with.

This selectivity is difficult to reconcile with the doctrine set out in data broker cases, where it is precisely the controller who bears the burden of verification. There is no obvious principle that would justify this burden being lightened when it is the processor, and not a data provider, who is at fault.

Chapter 7

A two-tier punitive policy and an opaque quantum


The €486 million in fines imposed in 2025 should not obscure the reality of enforcement: 98% of this amount rests on two decisions targeting multinational actors, while 67 simplified confidential sanctions target micro-enterprises, SMEs, and liberal professions.

The question of the quantum remains unresolved. The CNIL’s method for calculating fines remains opaque, and the Conseil d’État’s decision of 4 March 2026 confirmed that no provision requires the Restricted Committee to set out the quantified elements. This strong assertion by a supreme court exercising full appellate jurisdiction is nevertheless perplexing. The Conseil d’État deprives itself of the power of assessment at the heart of its mission, because if the CNIL has nothing to justify, the Conseil d’État has nothing to review.

This case law validates a practice without resolving it: it prevents counsel from assessing ex ante their client’s financial exposure with reasonable precision, which weakens the effectiveness of the rights of defense as much as it complicates risk management advice.

Chapter 8

The reform of procedure: the right to remain silent has sparked much discussion


A decision absent from the usual reviews deserves special mention. In its decision QPC No. 2025-1154 of 8 August 2025, the French Constitutional Court declared unconstitutional the lack of notification of the right to remain silent to the person implicated before the Restricted Committee, on the grounds that the administrative fines imposed constitute sanctions having the nature of a punishment within the meaning of Article 9 of the 1789 Declaration of the Rights of Man and of the Citizen.

The unconstitutionality is accompanied by a deferred effect to 1st October 2026. Sanctions imposed before the publication of the decision cannot be challenged on this basis — the Conseil d’État confirmed this in its decision of 4 March 2026, dismissing the plea based on facts predating the decision. But from that date, the legislator will have to adapt the procedure, failing which the Restricted Committee will be deprived of its legal basis to hear the persons implicated. For data controllers in proceedings since August 2025, the reform brings the guarantees before the CNIL closer to those recognized in criminal matters. Its impact on defense strategies in ongoing proceedings remains to be shaped.

Chapter 9

Conclusion


The year 2025 does not reveal any new violations: the CNIL is deepening and systematizing positions built since 2020. The body of case law is now dense. But density does not mean operational clarity.

The overview of this year illustrates a persistent tension: the Restricted Committee precisely defines what is not sufficient (a contractual clause, a supplier declaration, an asymmetric refusal interface, a hashing function that is too fast) without always stating the positive framework that would allow a diligent operator to achieve compliance with certainty.

Practitioners emerge from 2025 with a more complete risk map, not necessarily with greater predictability. New recommendations on consent applicable to pixels in emails, on proof of consent, and on the consequences of withdrawal of consent have already been announced or published in 2026. They will not exhaust all the clarification needs that remain, 10 years after the adoption of the GDPR. Their chronology may be puzzling insofar as the sanctions of 2025 precede the recommendations of 2026.


Authored by Etienne Drouard, Rémy Schlich, and Thessa Gomes.

References

  1. Deliberation of the CNIL Restricted Committee No. SAN-2025-004 of 1st September 2025; Deliberation of the CNIL Restricted Committee No. SAN-2025-005 of 1st September 2025.
  2. Deliberation of the CNIL Restricted Committee No. SAN-2025-004 of 1st September 2025.
  3. Deliberation of the CNIL Restricted Committee No. SAN-2025-010 of 20 November 2025.
  4. Ibidem, §37.
  5. Deliberation of the CNIL Restricted Committee No. SAN-2025-005 of 1st September 2025.
  6. Deliberation of the CNIL Restricted Committee No. SAN-2025-011 of 27 November 2025; Deliberation of the CNIL Restricted Committee No. SAN-2025-017 of 30 December 2025.
  7. Deliberation of the CNIL Restricted Committee No. SAN-2025-011 of 27 November 2025; Deliberation of the CNIL Restricted Committee No. SAN-2025-017 of 30 December 2025.
  8. Deliberation of the CNIL Restricted Committee No. SAN-2023-024 of 29 December 2023.
  9. Deliberation of the CNIL Restricted Committee No. SAN-2025-007 of 1st September 2025.
  10. Deliberation of the CNIL Restricted Committee No. SAN-2023-009 of 15 June 2023; Conseil d’État, 10th-9th chambers sitting jointly, No. 482872, 4 March 2026.
  11. EDPB, Guidelines 5/2020 on consent within the meaning of Regulation (EU) 2016/679, 4 May 2020.
  12. EDPB, Guidelines 03/2022 on deceptive design patterns in social media platform interfaces: how to recognise and avoid them, 24 February 2023.
  13. Deliberation of the CNIL Restricted Committee No. SAN-2025-004 of 1st September 2025.
  14. Deliberation of the CNIL Restricted Committee No. SAN-2025-005 of 1st September 2025.
  15. Decision of the CNIL Restricted Committee No. SAN-2023-025 of 28 December 2023; Decision of the CNIL Restricted Committee No. SAN-2024-003 of 27 June 2024.
  16. Decision of the CNIL Restricted Committee No. SAN-2025-001 of 15 May 2025; Decision of the CNIL Restricted Committee No. SAN-2025-002 of 15 May 2025.
  17. Decision of the CNIL Restricted Committee No. SAN-2025-001 of 15 May 2025.
  18. Decision of the CNIL Restricted Committee No. SAN-2025-004 of 1st September 2025; Decision of the CNIL Restricted Committee No. SAN-2025-005 of 1st September 2025.
  19. CJEU, Google Spain, Case C-131/12, 13 May 2014.
  20. Deliberation of the CNIL Restricted Committee No. SAN-2025-004 of 1st September 2025, §43.
  21. Deliberation of the CNIL Restricted Committee No. SAN-2025-014 of 11 December 2025.
  22. Deliberation of the CNIL Restricted Committee No. SAN-2025-011 of 27 November 2025.
  23. Deliberation of the CNIL Restricted Committee No. SAN-2025-008 of 1st September 2025.
  24. Deliberation of the CNIL Restricted Committee No. SAN-2025-015 of 22 December 2025.
  25. Deliberation of the CNIL Restricted Committee No. SAN-2025-017 of 30 December 2025.
  26. EDPB, Guidelines 8/2020 on the targeting of social media users, 13 April 2021.
  27. Deliberation of the CNIL Restricted Committee No. SAN-2025-017 of 30 December 2025.
  28. Deliberation of the CNIL Restricted Committee No. SAN-2025-001 of 15 May 2025; Deliberation of the CNIL Restricted Committee No. SAN-2025-002 of 15 May 2025.
  29. Deliberation of the CNIL Restricted Committee No. SAN-2025-014 of 11 December 2025.
  30. Deliberation of the CNIL Restricted Committee No. SAN-2025-014 of 11 December 2025.
