French regulator fines Israeli marketing platform €1M for processor violations

France's CNIL imposed a €1 million penalty on Optimove for GDPR processor compliance failures affecting 9.8 million French users in the Deezer data breach case.

Data breach affects millions as processor fails GDPR compliance obligations

The French data protection authority imposed a €1 million administrative fine on December 11, 2025, against Israeli marketing technology company Optimove for violations of data processor obligations under the General Data Protection Regulation. The enforcement action addresses systematic failures in data handling practices that enabled a massive breach affecting 46.9 million Deezer users worldwide, including 9.8 million in France.

France's Commission Nationale de l'Informatique et des Libertés announced the penalty against Mobius Solutions Ltd., operating under the trade name Optimove, following an investigation that began in 2023. According to the decision published December 19, 2025, on Légifrance, the restricted committee found violations of Articles 28, 29, and 30 of the GDPR during Optimove's provision of marketing personalization services to French music streaming platform Deezer between 2016 and 2020.

The case represents a significant enforcement action against a data processor established outside the European Union. Optimove, headquartered in Tel Aviv at Adgar 360 Tower on Hashlosha Street, provides marketing automation software that enables clients to execute personalized campaigns by analyzing customer data. The company reported revenues of approximately $30-40 million in 2023 and 2024, with 238 employees as of 2023.

CNIL received notification of a personal data breach on November 10, 2022, from Deezer, which identified Optimove as the probable source of the security incident. Deezer confirmed on January 31, 2023, that analysis traced the breach to Optimove's systems. The investigation revealed that Optimove had copied non-anonymized personal data of Deezer users from a production environment to a non-production environment in April 2019, storing the information until October 1, 2023.

The restricted committee determined that the processing fell within GDPR territorial scope under Article 3(2)(b), which applies to processors not established in the European Union when their activities relate to monitoring behavior of individuals within the Union. According to the decision, Optimove's creation of user segments based on socio-demographic criteria and Deezer service usage constituted behavioral profiling linked to the behavior of individuals within the Union.

Philippe-Pierre Cabourdin presided over the restricted committee session on November 27, 2025, which included Vice-President Vincent Lesclous, members Laurence Franceschini and Isabelle Latournarie-Willems, and member Didier Kling. The committee heard oral observations from rapporteur Claude Castelluccia and Optimove representatives during the proceedings.

The enforcement action documented three distinct GDPR violations. Article 28(3)(g) requires processors to delete or return personal data at the end of service provision unless law requires retention. The committee found that Optimove retained data relating to Deezer users after their contractual relationship terminated on December 1, 2020. The breach occurred through an unauthorized copy made by Optimove employees to a non-production environment, which the company claimed it discovered only after Deezer reported the breach in November 2022.

Optimove argued that employees made the copy without management knowledge to improve service performance. The committee rejected this defense, stating that the company remained responsible for verifying operations carried out by employees under its supervision. According to the decision, Optimove could not invoke lack of control over its tools or oversight of employee activities to evade responsibility, as it was incumbent upon the company to ensure proper data processing conditions.

The Article 29 violation concerned processing personal data without instructions from the controller. The contract between Deezer and Optimove specified that Optimove offered its platform to analyze data provided by clients and recommend marketing actions. Article 6 of the contract emphasized data protection, stating that Optimove had "no rights to this data" and that Deezer "remained the sole owner of the data." The contract prohibited Optimove from using data for any purpose other than providing stipulated services.

The committee found that copying non-anonymized personal data from more than 9 million Deezer users in France and transferring it to a non-production environment constituted processing outside Deezer's instructions. According to the decision, Optimove processed this data for internal use to improve service performance, whether or not those services were intended for Deezer. The fact that copying occurred within the contractual period did not bring it within the scope of Deezer's instructions.

The Article 30 violation addressed the requirement for processors to maintain records of processing activities. Article 30(2) requires processors to keep records including names and contact details of sub-processors and controllers, categories of processing carried out, transfers to third countries where applicable, and general descriptions of technical and organizational security measures. Optimove presented various documents including the contract and data processing addendum but had not kept a formal register of processing activities as a subcontractor.

The committee noted that while documents contained some information required under Article 30, the company had not maintained a proper register, with information about the controller's data protection officer notably missing. According to the decision, this constituted a formal breach of Article 30, even though Optimove employed fewer than 250 people, because the processing was not occasional and involved risks to individuals' rights and freedoms.

The breach exposed substantial personal data to unauthorized access. According to data breach notifications, the compromised information included user identifiers, country, language, gender, application identifiers, dates of birth, newsletter subscription status, account creation dates, session creation dates, number of track listens per day, saved playlists, listened playlists, first payment dates, total payments made, average daily track listens, lifecycle indicators, daily listening time, favorite artists, created playlists, pause clicks, and "loved" clicks.

The committee considered several factors when determining penalty appropriateness. Article 83 of the GDPR requires supervisory authorities to ensure that administrative fines are effective, proportionate, and dissuasive in each case. The committee evaluated the nature, seriousness and duration of the infringement, the scope or purpose of processing concerned, the number of data subjects affected, measures taken to mitigate damage, whether the infringement was committed negligently, the degree of cooperation with the supervisory authority, and categories of data concerned.

According to the decision, more than 200 million people worldwide were affected by the data breach, with 46.9 million Deezer users impacted globally. The committee noted that between 12.7 and 21.6 million users within the European Union were affected, including 9.8 million in France. The compromised data posted on the darknet included identity information, contact details, and listening habits on the Deezer platform, exposing individuals to personalized phishing attacks.

The committee found that Optimove demonstrated clear negligence by copying non-anonymized data from millions of users outside the contractual framework with Deezer and failing to delete it upon contract termination. Even assuming employees made the copy without management instructions, Optimove remained responsible for employee actions and should have maintained vigilance regarding data storage. The committee emphasized that Optimove's observations suggesting the copying could fall within normal contract performance indicated the company may have deliberately committed the Article 29 violation.

Optimove initially contested responsibility before acknowledging it was responsible for unauthorized copying, thus not facilitating Deezer's data breach notification. The committee considered this when evaluating the company's cooperation. According to the decision, Optimove deleted the data from unauthorized copying only on October 1, 2023, nearly a year after Deezer notified CNIL of the breach on November 10, 2022. This late removal did not prevent the sale of data concerning more than 46 million Deezer users on the darknet.

The financial penalty calculation considered Optimove's business activity and financial situation. The company demonstrated revenues of approximately $30-40 million for 2024, with 2023 revenues at similar levels showing steady increases. According to Article 20-IV-7° of the French Data Protection Act, administrative fines may not exceed €10 million or, for companies, 2 percent of total worldwide annual turnover for the preceding financial year, whichever is higher.

Optimove argued that it recorded net financial losses amounting to substantial sums in 2024 and contested the proportionality of the proposed fine. The committee determined that an administrative fine of €1 million appeared justified in view of breaches of Articles 28, 29, and 30 of the GDPR, considering the company's responsibility, financial capabilities, and relevant Article 83 criteria.

The decision includes publication requirements. The restricted committee ordered that its decision be made public on the CNIL website and Légifrance website. The publication will no longer identify the company by name after a period of two years from publication. Optimove argued that publicity was not justified, but the committee considered the measure appropriate given the significant impact of the data breach, seriousness of breaches committed, and number of people concerned who must be informed.

The case demonstrates growing regulatory focus on processor accountability under GDPR. European authorities have imposed approximately €4.2 billion in fines since GDPR implementation in 2018, with processor liability cases becoming more prominent in enforcement actions. The McDonald's Poland case in July 2025 resulted in €3.89 million in fines for processor oversight failures, with the processor 24/7 Communication receiving €42,000 in penalties for its role in exposing employee personal data.

The enforcement action followed established investigative procedures. On October 23, 2023, a CNIL inspection team sent a questionnaire to Optimove to verify compliance with French Data Protection Act and GDPR regarding processing carried out by the company or on its behalf. The company responded January 12, 2024. Additional questions followed January 29, 2024, with Optimove responding February 8, 2024.

The CNIL President appointed Claude Castelluccia as rapporteur on April 30, 2025, to investigate all elements of the case. The rapporteur sent a supplementary request to Optimove on May 15, 2025, pursuant to Article 39 of Decree No. 2019-536 of May 29, 2019, which the company answered June 6, 2025. On June 13, 2025, the rapporteur notified Optimove of a report detailing breaches of Articles 28, 29, and 30, recommending an administrative fine and public decision with anonymization after two years.

Optimove requested an additional period on July 7, 2025, which the restricted panel chairman granted July 10, 2025, under Article 40, paragraph 4, of the May 29, 2019 decree. The company submitted observations in response July 29, 2025. The rapporteur sent his response August 8, 2025, to which Optimove replied with observations dated September 23, 2025. The rapporteur notified the company of investigation closure October 13, 2025.

The company received notification that the case appeared on the restricted session agenda for November 20, 2025. Following Optimove's request for referral October 16, 2025, the chairman informed the company that the case had been placed on the agenda for November 27, 2025. The rapporteur and company presented oral observations during the restricted panel session.

The decision addressed several legal arguments raised by Optimove. The company disputed CNIL jurisdiction, considering itself only indirectly subject to certain Article 28(3) obligations imposed by Deezer. Optimove maintained that paragraphs 1 and 2 of Article 3 are alternative, that Article 3(2)(a) applies only to controllers not processors, and that it did not create behavioral profiles of Deezer users within the meaning of Article 3(2)(b).

The committee determined that since Optimove has no establishment in the European Union, paragraphs 1 and 2 of Article 3 are cumulative in this case. It examined whether processing personal data on behalf of Deezer related to "monitoring behavior of persons insofar as it relates to their behavior within the Union." According to the decision, Optimove transmitted to Deezer the list of various data concerning users that it processed and which were disclosed in the data breach.

The committee noted that processing consisted of creating user segments based on socio-demographic criteria or Deezer service usage criteria. The contract between companies explicitly mentioned marketing personalization as its purpose. Optimove confirmed performing calculations based on various data relating to Deezer service users and creating user segments, particularly based on listening habits, to enable Deezer to personalize and adapt marketing campaigns to optimize customer engagement.

Creating these segments involved analyzing Deezer service users' behavior regarding those services to target them with behavioral advertising. According to the decision, the analysis and segmentation work carried out by Optimove using data transmitted by Deezer must be classified as behavioral profiling, linked to individuals' behavior within the Union, even if the resulting profile scope was limited to listening to music on the Deezer platform.

The committee also addressed Optimove's argument regarding international comity. The company argued that being established in Israel, a country benefiting from European Commission adequacy decision No. C(2011)332 of January 31, 2011, CNIL should waive jurisdiction in application of international comity principles. The committee noted that the adequacy decision applies only to transfers of personal data from the European Union to countries outside the Union, determining whether the transfer country offers sufficient data protection guarantees.

According to the decision, the company was not alleged to have committed breaches of personal data transfers, with the rapporteur only alleging breaches of Articles 28, 29 and 30 of the GDPR. The committee noted that international comity consists of non-binding customs particularly common in diplomatic relations between States. The restricted panel recalled that its powers are conferred by the GDPR, whose rules are matters of public policy, and it cannot disregard application of its powers regarding international comity principles.

The case establishes important precedents for data processor liability. German data protection authorities announced model guidelines on June 16, 2025, establishing standardized procedures for imposing fines under GDPR across German jurisdictions. The Conference of Independent Federal and State Data Protection Supervisory Authorities agreed on comprehensive procedures to achieve consistency in enforcement actions.

The Optimove decision emphasizes that processors bear direct responsibility for GDPR compliance regardless of controller instructions. The committee stated that companies cannot rely solely on processor assurances and must conduct proper due diligence: controllers may ultimately face regulatory sanctions, but processors face liability for their own violations. The enforcement reflects broader trends in GDPR implementation across Europe, with authorities increasingly holding processors accountable for their role in data protection frameworks.

For marketing technology providers operating as data processors, the case underscores critical compliance requirements. Processors must implement robust systems to track and verify all data processing activities, maintain formal registers of processing activities regardless of company size when processing is not occasional, ensure that all employee activities involving client data occur within contractual scope and controller instructions, and implement technical and organizational measures to prevent unauthorized copying or retention of client data beyond service provision periods.

The decision carries implications for companies providing Software as a Service marketing platforms. Organizations must recognize that processing client data for internal purposes, such as improving service performance or developing new features, falls outside controller instructions unless explicitly permitted by contract. The fact that data processing may benefit the controller does not automatically bring it within the scope of authorized processing activities.

Optimove has the right to appeal the decision to the Council of State within four months of notification. The company did not indicate whether it intends to contest the fine at the time the decision was published. The enforcement action joins other recent GDPR processor cases demonstrating regulators' willingness to impose significant penalties when processors fail to meet their obligations.

The case highlights challenges that arise when processors handle data for multiple clients while also seeking to improve their own services. Marketing automation platforms frequently process large volumes of client data, creating opportunities for unauthorized internal use if proper controls are not maintained. The committee's finding that Optimove remained responsible for employee actions emphasizes that organizational structure and internal processes must support GDPR compliance objectives.

Data protection authorities across Europe continue to scrutinize processor-controller relationships. The Dutch regulator reduced AS Watson's fine to €50,000 on May 27, 2025, following the company's successful appeal of an earlier enforcement action for cookie violations. The authority considered the extended procedural timeline, company cooperation in acknowledging violations, and relatively minor nature of the breach when determining the reduced penalty.

The Optimove enforcement demonstrates that data minimization principles apply throughout the data lifecycle, including after contractual relationships terminate. Processors must implement technical measures to ensure complete data deletion occurs according to contractual timelines. The committee rejected Optimove's argument that employee actions without management knowledge excused retention failures, establishing that processors bear organizational responsibility for ensuring all systems and personnel comply with data protection requirements.
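The retention and instruction checks described in the two preceding paragraphs, as an added example that is not part of the original article and not Optimove's or CNIL's code: a processor-side inventory audit that flags non-anonymized copies held outside the environments the controller instructed and any client data still present after the end of service. The contract, the holdings and the date model are constructed to mirror the Deezer facts above.

```python
"""Processor data-inventory audit modelled on the obligations the decision cites:
Article 29 (process only on the controller's instructions) and Article 28(3)(g)
(delete or return data when the service ends). Added example for this article,
not Optimove's or CNIL's tooling; contracts and holdings are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional

@dataclass(frozen=True)
class ControllerContract:
    controller: str
    start: date
    end: Optional[date]            # None while the service is still running
    allowed_envs: FrozenSet[str]   # environments the written instructions cover

@dataclass(frozen=True)
class DataHolding:
    holding_id: str
    controller: str
    environment: str               # e.g. "production", "staging"
    anonymized: bool
    created: date
    deleted: Optional[date] = None # date the copy was actually erased

@dataclass(frozen=True)
class Finding:
    holding_id: str
    article: str
    detail: str

def audit_holdings(holdings: List[DataHolding],
                   contracts: List[ControllerContract],
                   as_of: date) -> List[Finding]:
    """Report every holding that, on as_of, is outside the controller's
    instructions or still present after the service ended."""
    by_controller = {c.controller: c for c in contracts}
    findings: List[Finding] = []
    for h in holdings:
        if h.deleted is not None and h.deleted <= as_of:
            continue               # erased before the audit date: nothing to report
        contract = by_controller.get(h.controller)
        if contract is None:
            findings.append(Finding(h.holding_id, "Art. 29",
                                    "no controller contract on file"))
            continue
        # A non-anonymized copy outside the instructed environments is processing
        # without instructions, even if it was made during the contract period.
        if h.environment not in contract.allowed_envs and not h.anonymized:
            findings.append(Finding(h.holding_id, "Art. 29",
                f"non-anonymized copy in '{h.environment}' created {h.created}"))
        # Whatever is still held after the end of service should have been
        # deleted or returned; report how long it has been overdue.
        if contract.end is not None and as_of > contract.end:
            overdue = (as_of - contract.end).days
            findings.append(Finding(h.holding_id, "Art. 28(3)(g)",
                f"retained {overdue} days after service ended {contract.end}"))
    return findings

# Constructed inventory mirroring the dates in the decision.
DEEZER = ControllerContract("Deezer", date(2016, 12, 1), date(2020, 12, 1),
                            frozenset({"production"}))
HOLDINGS = [
    DataHolding("deezer-prod", "Deezer", "production", False,
                date(2016, 12, 1), deleted=date(2020, 12, 1)),
    DataHolding("deezer-staging-copy", "Deezer", "staging", False,
                date(2019, 4, 1), deleted=date(2023, 10, 1)),
]

def audit_deezer_holdings(as_of_iso: str) -> List[Finding]:
    """Run the audit over the constructed inventory at an ISO-8601 date."""
    return audit_holdings(HOLDINGS, [DEEZER], date.fromisoformat(as_of_iso))

if __name__ == "__main__":
    for f in audit_deezer_holdings("2022-11-10"):   # day Deezer notified CNIL
        print(f"{f.holding_id}: {f.article}: {f.detail}")
```

Run against a real inventory, the same audit would have flagged the staging copy as processing outside instructions from April 2019 and as overdue for deletion from December 1, 2020, long before the breach notification.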

Marketing professionals should recognize that GDPR processor obligations extend beyond technical security measures to encompass fundamental data handling practices. The case illustrates how failures in basic compliance areas—maintaining processing records, operating within controller instructions, deleting data after service provision ends—can result in substantial penalties when combined with data breach incidents.

The €1 million fine represents less than the maximum penalties available under GDPR but reflects consideration of the company's size and financial situation alongside the seriousness of violations. According to the decision, the committee determined that the amount ensures compliance with EU Charter of Fundamental Rights requirements and French administrative law principles preventing disproportionate outcomes while maintaining the fine's deterrent effect.

Timeline

  • February 2009: Optimove (initially Mobius Solutions) founded in Israel by Pini Yakuel and Shachar Cohen
  • December 1, 2016: Contract between Deezer and Optimove takes effect for marketing personalization services
  • April 2019: Optimove employees copy non-anonymized Deezer user data to non-production environment
  • December 1, 2020: Contract between Deezer and Optimove terminates; Optimove should have deleted all client data
  • October 31-November 5, 2022: Data breach occurs affecting 46.9 million Deezer users worldwide
  • November 10, 2022: Deezer notifies CNIL of personal data breach identifying Optimove as probable source
  • January 31, 2023: Deezer sends supplementary notification confirming breach originated from Optimove systems
  • October 1, 2023: Optimove deletes unauthorized copy of Deezer data per Deezer instructions
  • October 23, 2023: CNIL inspection team sends compliance questionnaire to Optimove
  • January 12, 2024: Optimove responds to initial CNIL questionnaire
  • April 30, 2025: CNIL President appoints Claude Castelluccia as rapporteur
  • June 13, 2025: Rapporteur notifies Optimove of report detailing GDPR breaches
  • July 21, 2025: Polish Data Protection Authority announces €3.89M fine against McDonald's Poland for processor oversight failures
  • October 13, 2025: Rapporteur notifies Optimove of investigation closure
  • November 27, 2025: Restricted committee session with oral observations from rapporteur and Optimove
  • December 11, 2025: CNIL restricted committee imposes €1 million fine on Optimove
  • December 19, 2025: Decision published on Légifrance

Summary

Who: France's Commission Nationale de l'Informatique et des Libertés imposed penalties on Mobius Solutions Ltd. (operating as Optimove), an Israeli marketing technology company headquartered in Tel Aviv. The company provides marketing automation software to clients including Deezer, the French music streaming platform. The restricted committee included President Philippe-Pierre Cabourdin, Vice-President Vincent Lesclous, and members Laurence Franceschini, Isabelle Latournarie-Willems, and Didier Kling. Rapporteur Claude Castelluccia conducted the investigation.

What: CNIL imposed a €1 million administrative fine for violations of GDPR Articles 28, 29, and 30 concerning data processor obligations. The violations included failing to delete client data after contract termination, processing personal data without controller instructions, and not maintaining proper records of processing activities. The breaches enabled a data breach affecting 46.9 million Deezer users worldwide, including 9.8 million in France. Exposed data included user identifiers, contact information, listening habits, payment information, and behavioral data from the streaming platform.

When: The violations occurred between April 2019 when Optimove copied user data and October 1, 2023 when the company finally deleted the unauthorized copy. The contract between Optimove and Deezer ran from December 1, 2016, to December 1, 2020. The data breach occurred between October 31 and November 5, 2022. CNIL announced the decision on December 11, 2025, with publication on Légifrance following on December 19, 2025.

Where: The enforcement action occurred in France under CNIL jurisdiction, though Optimove is established in Israel at Adgar 360 Tower in Tel Aviv. The processing affected users throughout the European Union, with particular impact on French users of Deezer's streaming service. The decision establishes that GDPR Article 3(2)(b) applies to processors not established in the EU when their activities relate to monitoring behavior of individuals within the Union.

Why: The enforcement addresses systematic failures in data processor compliance that created conditions for a massive data breach. Optimove failed to implement adequate controls over employee data handling, retained client data beyond contractual authorization, processed data for internal purposes without controller instructions, and did not maintain required processing activity records. The penalty aims to ensure effective, proportionate, and dissuasive enforcement while protecting fundamental rights of data subjects and holding processors accountable for GDPR obligations regardless of their geographic location.