France: Non-EU processor fined for GDPR violations
The case confirms the broad extra-territorial scope of the GDPR even for processors. By Nana Botchorichvili of IDEA Avocats, France.
On 11 December 2025, France’s Data Protection Authority, the CNIL, issued a fine of €1 million against Mobius Solutions, an Israeli company providing marketing services to its clients, for violation of key processor obligations under the GDPR.(1)
The sanction follows a wide-scale data breach which had affected the music streaming platform Deezer and exposed the personal data of the platform's users on the dark web (around 46 million users globally and more than nine million users in France), including names, ages, e-mail addresses and listening habits. As part of its notification of the data breach to the CNIL, Deezer had determined that Mobius Solutions, its former processor, was likely to be the source of the incident. This led the CNIL to investigate Mobius Solutions and then to initiate sanction proceedings. Although the data breach was international in nature and had also impacted Deezer users in other EU countries, the one-stop-shop mechanism provided by the GDPR was not applicable since Mobius Solutions has no establishment in the EU. The CNIL was thus competent to take enforcement action against the company without the involvement of other EU data protection authorities.