CNIL (France) - SAN-2025-014

=== Holding ====== Holding === Firstly, the DPA found that the processor should have deleted the users' data at the end of the contractual relationship with the controller. Failing to do so, the DPA found a violation of [[Article 28 GDPR#3g|Article 28(3)(g) GDPR]]. Firstly, the DPA found that the processor should have deleted the users' data at the end of the contractual relationship with the controller. Failing to do so, even if the data were retained as a result of an unauthorised copy created by its employees, the DPA found a violation of [[Article 28 GDPR#3g|Article 28(3)(g) GDPR]]. Secondly, the DPA found that the processor used the data for the development and testing of its own system, contrary to the contract stipulations between the processor and the controller. Therefore, the DPA found that the processing fell outside the limits of the contract, constituting a breach of [[Article 29 GDPR]]. Secondly, the DPA found that the processor used the data for the development