Non-EU Data Processors under the radar of GDPR supervisory authorities for fines

It appears that EU GDPR authorities are now waging a global data war, extending GDPR fines to non-EU data processors.

In a recent case, CNIL, the French authority, has fined a SaaS provider 1 million euros.

Naavi has several times addressed the issue of such fines on Indian data processors and the need for the Indian Government to provide a protective shield. This has been ignored by MeitY all along. Perhaps this needs to be addressed once again.

In the instant case (see details here), on December 11, 2025, CNIL fined Mobius Solutions Ltd, an Israeli company acting as a subcontractor, 1 million euros for a data leak.

The violation was “Failure to delete data at the end of the contractual relationship”.

MOBIUS SOLUTIONS LTD retained a copy of the data of more than 46 million DEEZER users after the end of their contractual relationship, despite its obligation to delete all such data at the end of the contract. The company was also found to have used client data to improve its own services. Further, the company had failed to maintain the required register of processing activities.

Unfortunately, the data leaked onto the dark web, causing the CNIL to act.

In November 2022, CNIL had been notified about the data breach by the Controller. Data from 12.7 to 21.6 million EU users (including 9.8 million in France)—including names, ages, email addresses, and listening habits—had been posted on the dark web. The platform identified its former subcontractor, which had provided personalized advertising services, as the source of the breach. The CNIL conducted checks in 2023 and 2024, followed by an investigation in 2025, which uncovered multiple GDPR violations by the subcontractor.

In this context, it is important to note that FDPPI has released DGPSI-GDPR as a compliance framework for Indian data processors handling GDPR data. Hopefully this will help Indian companies mitigate GDPR risks.

It may, however, be noted that the EU approach to GDPR compliance has been predatory and that the cross-border transfer conditions are not legally compatible with local laws. Hence the risk can be mitigated but not fully eliminated. Still, that would be better than ignoring compliance.

Also refer:

Fox Rothschild

Global Policy Watch

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law education institution. He is now focusing on projects such as Secure Digital India and Cyber Insurance.