CNIL (France) - SAN-2025-015

=== Holding ====== Holding === The dispute related to the processor’s responsibility for implementing adequate security measures, under article 32 GDPR. The dispute related to the processor’s responsibility for implementing adequate security measures, under Article 32 GDPR. '''On the fairness of the procedure:''' '''On the fairness of the procedure:''' '''About responsibilities:''' '''About responsibilities:''' On a second time, the DPA defined the responsibility of the processor. The DPA jointly appreciated [[Article 4 GDPR|article 4(8) GDPR,]] [[Article 28 GDPR|article 28 (3)(a) GDPR]] and [[article 32 GDPR]]. The DPA noted that the contract bounding the processor and the controller, as well as the processor’s expertise as a software consulting company, show that the processor was responsible for ensuring data security.The DPA jointly appreciated [[Article 4 GDPR|ar