Data breach: MOBIUS SOLUTIONS LTD fined €1 million

19 December 2025


On 11 December 2025, the CNIL imposed a fine on MOBIUS SOLUTIONS LTD, the processor behind a data breach affecting users of DEEZER. The company was fined €1 million for failing to comply with the applicable rules regarding subcontracting.

Background information

In November 2022, the CNIL was notified of a data breach by DEEZER. The company reported that its users' data had been posted on the dark web and that its former processor, MOBIUS SOLUTIONS LTD, whose services it used to carry out personalised advertising campaigns for its customers, was involved.

In 2023 and 2024, the CNIL carried out documentary investigations on MOBIUS SOLUTIONS LTD.

On the basis of these investigations, the restricted committee – the CNIL body responsible for imposing sanctions – considered that the company had failed, as a processor, to comply with several obligations under the GDPR.

The restricted committee therefore issued a fine of €1 million and decided to make its decision public. The amount of the fine was determined in light of the seriousness of the breaches, the number of people affected by the data breach and the turnover of MOBIUS SOLUTIONS LTD.

The breaches sanctioned

A breach of the obligation for the processor to delete the data controller's data at the end of the contractual relationship (Article 28.3.g of the GDPR)

MOBIUS SOLUTIONS LTD retained a copy of the data of more than 46 million DEEZER users after the end of their contractual relationship, despite its obligation to delete all such data at the end of the contract.

The company stated that this data had been copied by three of its employees without its knowledge. However, the restricted committee considered that the company was responsible for their actions, as the data was stored in a non-production environment belonging to the company, alongside data from other customers.

This unlawful storage of data created a risk to the security of individuals' data.

A breach of the processor's obligation to comply with the instructions of the controller (Article 29 of the GDPR)

MOBIUS SOLUTIONS LTD copied and used DEEZER's data without any instructions from the data controller in order to improve the performance of its own services, provided through its platform for creating personalised advertising campaigns.

The company stated that copying users' data could be considered part of the performance of the contract, with the prospect of generally improving the services it provided to DEEZER. The restricted committee considered, on the contrary, that no contractual clause authorised MOBIUS SOLUTIONS LTD to use DEEZER's data for such a purpose without prior instruction from the data controller.

Failure to comply with the obligation to keep a record of processing activities (Article 30 of the GDPR)

With some exceptions, the record of processing activities is a mandatory tool for public or private organisations that process personal data. A processor that processes data on behalf of a controller must also keep a record of the data processed.

However, MOBIUS SOLUTIONS LTD did not keep a record of its processing activities in its capacity as a processor.

The applicability of the GDPR and the jurisdiction of the CNIL

In order to be able to sanction MOBIUS SOLUTIONS LTD, even though it is not established on the territory of the European Union, the restricted committee determined that the processing carried out in its capacity as a processor, consisting of the analysis, segmentation and hosting of DEEZER's user data, should be classified as monitoring of individuals' behaviour.

The cooperation mechanism provided for in the GDPR (the "one-stop shop" mechanism) does not apply in this case, as the company does not have an establishment in the territory of a Member State of the European Union. The CNIL has jurisdiction to verify the compliance of the processing operations carried out by MOBIUS SOLUTIONS LTD on behalf of DEEZER on French territory.