CNIL (France) - SAN-2025-014

}}}} The DPA fined a company €1 million for failing to delete the personal data of users, processing it for purposes contrary to contract stipulations and for failing to keep a record of its processing activities.The DPA fined a subcontractor €1 million for failing to delete the personal data of users, processing it for purposes contrary to contract stipulations and for failing to keep a record of its processing activities. == English Summary ==== English Summary == === Facts ====== Facts === DEEZER (the controller) notified the French DPA (CNIL) of a data breach affecting 21,574,775 users, out of which 9,849,354 users located in France. The controller identified Mobius Solutions Ltd (the processor) as the source of the data breach. DEEZER (the controller) notified the French DPA (CNIL) of a data breach affecting 21,574,775 users, out of which 9,849,354 users located in France. The controller identified Mobius Solutions Ltd (the processor) as the likely source of the data breach. The D