CNIL (France) - SAN-2025-014

=== Processing ====== Processing === Firstly, the data protection authority (DPA) found that the data processor should have deleted the users' data at the end of the agreement with the data controller. The failure to comply with this requirement was considered by the DPA to be a violation of Article 28(3)(g) of the GDPR. Firstly, the data protection authority (DPA) found that the data processor should have deleted the users' data at the end of the agreement with the data controller. The failure to comply with this requirement, even if the data was retained due to an unauthorized copy made by the processor's employees, was considered by the DPA to be a violation of Article 28(3)(g) of the GDPR. Secondly, the data protection authority (DPA) found that the data processor was using the data for the development and testing of its own system, in violation of the contractual agreements between the processor and the data controller. Therefore, the DPA found that the processing fell outside the scope of the agreement, which constituted a violation of Article 29 of the GDPR. Secondly, the data protection authority (DPA) found that the data processor was using the data for the development...

This content has been automatically translated using machine translation. The original version is available in the source language.

This content was automatically translated using machine translation. The original version is available in the source language.