Newsletter It-Data February 2026

Data Breach: CNIL imposes a €42 million fine on Free Mobile and Free (13 January 2026)

In October 2024, an attack compromised the information systems of Free Mobile and Free, exposing the personal data of 24 million subscribers, including IBANs for shared customers. Following more than 2,500 complaints, the CNIL found breaches of the GDPR attributable to each of the companies for the processing of their subscribers’ personal data.

Firstly, the CNIL noted that Free Mobile and Free had not implemented sufficient security measures in accordance with Article 32 of the GDPR, in particular for VPN authentication and the detection of abnormal activity, exposing subscribers’ data. The companies were ordered to finalise their security enhancements within three months.

The CNIL also noted that Free Mobile and Free had informed subscribers of the breach by email and via a toll-free number/internal system, but that the email did not contain all the information required by Article 34 of the GDPR, preventing those affected from fully understanding the consequences of the breach and the protective measures to be taken.

Finally, the CNIL found that Free Mobile was storing millions of pieces of personal data belonging to former subscribers without justification, beyond the period necessary for accounting purposes. The company has begun sorting and deleting the excess data and has been ordered to complete this operation within six months.

The report on “Influence and social networks” was submitted to the government (13 January 2026)

Two and a half years after the enactment of Law No. 2023-451 of 9 June 2023 regulating commercial influence, a parliamentary report presented on 13 January 2026 gives an overall positive assessment of the existing system. The law has had a real educational effect, increasing the transparency of commercial communications and confidence in the digital economy, while combating misleading practices more effectively.

However, the report highlights the persistence of new abuses linked to the rapid evolution of uses and technologies. Monetised live streams, particularly on certain platforms such as TikTok, are identified as a major area of concern, notably due to the integrated financial mechanisms, the risks of aggressive commercial practices and the increased exposure of minors.

In response, French parliamentarians have formulated 78 recommendations, including several key measures:

  • the creation of a mandatory registration system for influencer agents in order to professionalise the sector, which will involve criminal background checks;
  • the strengthening of the supervision of online training courses promoted by influencers, with the introduction of a prior authorisation system;
  • strengthening the obligations imposed on platforms, particularly with regard to user protection, transparency of financial flows and limiting minors’ access to certain content;
  • increased supervision of sensitive promotions (alcohol, health, gaming, adult content), including when these are based on tools using generative AI.

The report highlights the insufficient operational resources of the supervisory authorities, in particular the DGCCRF (French authority for competition, consumer affairs and fraud control), ARCOM (French authority for audiovisual and digital communication) and AMF (French financial markets authority), which are faced with the considerable volume of content disseminated daily on platforms. It recommends strengthening automated monitoring and detection capabilities, improving coordination and information sharing between public actors, and creating a one-stop portal for reporting “digital disorder” attached to the Prime Minister’s office in order to structure and centralise the public response.

This work should feed into the forthcoming submission of a draft “influencers 2” bill, aimed at adapting the legal framework to technological developments and new economic models of influence.

Airbnb does not have the status of a hosting provider and can be held liable for illegal subletting (7 January 2026)

In two rulings handed down on 7 January 2026, the French Court of Cassation ruled on the liability of the Airbnb platform in cases of subletting without the landlord’s authorisation.

In the first case, a social housing tenant had sublet her flat, located in a tourist area, without her landlord’s consent. In the second case, a tenant of a Parisian property had also sublet the property on a short-term basis without the written authorisation of the owner, in violation of Article 8 of the Law of 6 July 1989. In both cases, the landlords sought the return of the rent received and held Airbnb liable.

The lower courts adopted differing analyses. In the first case, the Court of Appeal recognised Airbnb as a host within the meaning of the Law on Confidence in the Digital Economy (LCEN), thereby excluding any liability on the part of the platform. In the second case, however, the Court of Appeal considered that Airbnb played a role that went beyond that of a mere technical intermediary and could, as such, be held liable.

The Court of Cassation points out that the benefit of the liability exemption regime provided for by the LCEN is strictly reserved for operators who adopt a neutral, purely technical and passive role in the storage and provision of content supplied by users. Such status presupposes a lack of knowledge and control over the offers disseminated.

However, the Court of Cassation noted that Airbnb actively organises and supervises the operation of its platform. It imposes rules on users, intervenes in the publication and transaction process, and promotes certain offers or hosts. These elements reflect interference in the relationship between hosts and travellers and give the platform a capacity for influence that is incompatible with the neutrality required of a host.

Consequently, the Court of Cassation ruled that Airbnb could not be classified as a hosting provider and therefore could not benefit from the exemption from liability provided for in this capacity. Airbnb may therefore be held liable in the event of illegal subletting.

The European Commission is preparing the Digital Fairness Act

The European Commission is preparing the Digital Fairness Act (DFA), a future legislative initiative intended to complement the Digital Services Act (DSA) and the Digital Markets Act (DMA) by strengthening consumer protection in the digital environment.

The DFA is a follow-up to the “Fitness Check” launched in 2022 and published in October 2024, which assessed the effectiveness of three key directives (UCPD, CRD and UCTD). This analysis concludes that, although these texts remain relevant, they only partially achieve their objectives in the face of contemporary digital practices. Consumers today are exposed to misleading or addictive interfaces, forms of personalisation that exploit their vulnerabilities, difficulties in cancelling digital subscriptions, and unfair contract terms. The annual financial loss is estimated at least £7.9 billion for consumers in the European Union, without taking into account psychological damage.

In this context, the DFA will aim to combat dark patterns, the addictive design of digital products, misleading influencer marketing, abusive online profiling and certain subscription practices. Particular attention will be paid to the protection of minors and vulnerable consumers. The text will also seek to strengthen legal certainty and limit the risks of regulatory fragmentation, as several Member States are considering national initiatives.

The text will be formally proposed to the Parliament and the Council in the third quarter of 2026, after which its legal form (stand-alone regulation or targeted directive) will be specified.

NEWSLETTER – EMPLOYMENT: OCTOBER 2025

  • Equal treatment: meal vouchers also apply to teleworkers

Until now, the question of granting meal vouchers to teleworking employees has been contentious. While some judges favored the principle of equal treatment, others considered that an employer could refuse them in the absence of additional meal-related expenses.

In two rulings handed down on October 8, 2025, the Court of Cassation settled the matter: teleworking employees are entitled to meal vouchers under the same conditions as those working on-site.

Relying on Article L. 1222-9 of the French Labour Code, which provides that teleworkers enjoy the same rights as employees working within company premises, the Court clarified that the only criterion for granting meal vouchers is that the meal must fall within the employee’s working hours, regardless of the place or organization of work.

In a second ruling, the Court added that the practice of granting meal vouchers to employees located far from the company cafeteria cannot be suspended simply because they switch to telework.

💡 Key takeaway: The allocation of meal vouchers must now be identical for on-site and teleworking employees, provided their schedule includes a lunch break. Beyond this landmark decision, meal vouchers remain a useful tool for strengthening employees’ purchasing power, benefiting from favorable social and tax treatment (exemption from social contributions up to €7.26 per voucher issued since January 1, 2025).

  • Dismissal and late delivery of end-of-contract documents

Under Articles L.1234-19, L.1234-20, and R.1234-9 of the French Labour Code, the employer must provide the employee’s end-of-contract documents upon termination.

In cases of dismissal for gross misconduct, the employment relationship ends immediately upon notification. The termination date is therefore the date the employer expresses the intent to end the employment — that is, the date the dismissal letter is sent by registered mail.

Relying on these provisions, the Court of Cassation overturned a Montpellier Court of Appeal decision, ruling that when a dismissal for gross misconduct is pronounced, the employer must provide the end-of-contract documents on the same date, given the absence of notice period.

In this case, the employee was dismissed on April 9, 2018, but received his end-of-contract documents on June 6, 2018. The Court of Appeal had rejected his claim for damages, reasoning that no harm could be proven given the hypothetical notice period.

The Court of Cassation logically quashed this decision, reaffirming that these documents must be delivered as of the dismissal date. Otherwise, the employee may claim damages, provided that harm can be demonstrated — for instance, delayed access to unemployment benefits. A short gap of a few days is, however, unlikely to cause prejudice, since unemployment benefits are deferred by a mandatory seven-day waiting period, in addition to any delay due to unused paid leave.

In light of this decision, companies must ensure that end-of-contract documents are sent promptly after dismissal for gross misconduct. This simultaneous issuance may raise logistical issues for employers who usually prepare such documents at month-end. To ensure legal security, practices may need adjusting.

  • Adoption and medically assisted reproduction: strengthened protection and authorized absences

Adopted on June 19, 2025, and published in the Official Journal on July 1, 2025, Law No. 2025-595 strengthens the protection of individuals involved in a “parental project” through assisted reproduction (PMA/IVF) or adoption.

Henceforth, protection against discrimination linked to parental projects applies to all employees — men and women — engaged in a PMA or adoption process. Employers can no longer refuse hiring, terminate a contract, or transfer an employee on the basis of such participation. They are also prohibited from seeking or using related information.

Employees undertaking PMA treatments may now take paid leave to attend necessary medical appointments, procedures, or treatments. They may also accompany their spouse, civil partner, or cohabitant to up to three mandatory medical appointments per protocol.

Likewise, employees involved in an adoption project are entitled to leave to attend compulsory adoption interviews. A forthcoming decree will set the maximum number of absences allowed.

This law represents a major advance in equality and anti-discrimination policy: parental projects, whether through PMA or adoption, are now fully recognized within the professional sphere. Employers must adjust internal leave and HR management procedures accordingly.

  • Automatic compensation in cases of proven trade union discrimination — a new reversal

In 2016, the Court of Cassation established that in the event of an employer’s breach of a legal or contractual obligation, trial judges have sovereign discretion to assess the existence and quantum of damages.

Since then, the Court has recognized various exceptions.

In a ruling dated September 10, 2025, it introduced a new one, holding that “the mere finding of trade union discrimination entitles the employee to compensation.”

In this case, a former staff representative dismissed for incapacity claimed damages for trade union discrimination. The Dijon Court of Appeal rejected his claim, holding that he had neither proven the damage nor needed further reparation since the court’s recognition of discrimination was itself compensatory.

The Court of Cassation overturned that decision, ruling that the mere finding of trade union discrimination automatically opens the right to compensation.

This surprising decision appears to rest on an unwritten, third criterion suggested by the Advocate General, based on both:

  • the importance of the legal rule at stake, and
  • the victim’s inability to prove the harm suffered.

Although not explicitly stated, it seems the Court relied on this reasoning.

If confirmed, this new standard could significantly broaden automatic compensation cases. However, recent rulings from the Court of Justice of the European Union reaffirm that judges’ discretion to assess damages does not undermine the effectiveness of EU law, suggesting the French courts may maintain a case-by-case approach.

  • Hidden cameras in the workplace: CNIL recalls legality requirements

In a decision dated September 18, 2025, the CNIL fined a company €100,000 for installing hidden cameras disguised as smoke detectors and recording employees’ conversations in storage areas. This ruling reiterates the strict conditions governing workplace video surveillance.

Hidden cameras may only be used exceptionally, where reasonable suspicion of serious misconduct exists, and with strict safeguards balancing corporate security and employee privacy.

To be lawful, such monitoring must be:

  • temporary and strictly time-limited;
  • documented and objectively justified;
  • compliant with GDPR, following consultation with the Data Protection Officer.

In this case, the company failed to prove either the temporary and proportionate nature of the system or its compliance with transparency and fairness obligations. The CNIL also noted excessive audio recording, lack of DPO involvement, and failure to report a personal data breach.

This decision reaffirms that hidden video surveillance is a highly exceptional measure that must observe robust proportionality and GDPR compliance safeguards.

FRED obtains an infringement ruling for the unlawful reproduction of some of its jewellery

On 18 June 2025, Fred Paris obtained (TJ Paris, 18 June 2025, RG No. 23/10855) the conviction of a jewellery designer who was marketing a range of jewellery reproducing the essential characteristics of the Force 10 GM bracelet and of its Community design. We are not aware of any appeal having been lodged.

The dispute pits a famous jeweller against a jewellery designer

The famous French jewellery and watchmaking house counts among its creations two ranges of jewellery named “Force 10” and “Chance Infinie”. The house owns EU design No. 000772819-0001, filed in 2007, representing the famous stylised shackle-shaped clasp of the Force 10 range creations.

The defendant is a jewellery designer who marketed, on her website and at local markets, models which, according to Fred Paris, reproduced the essential characteristics of its products.

After serving a formal notice, Fred Paris therefore sued the jewellery designer for copyright infringement, design infringement and unfair competition.

Acts of infringement and unfair competition were alleged

Fred Paris alleged that the designer had infringed its copyright by reproducing the essential characteristics that make up the originality of the products in question. As regards the EU design, the company considered that the disputed jewellery reproduced the essential characteristics of the brand’s products, so that they produced the same overall visual impression, thereby characterising acts of infringement.

The designer acknowledged the similarity between the pieces but invoked the commonplace nature of the range, as many similar pieces were marketed by third parties. She argued, in her defence, that the average buyer is not aware of the similarity between the disputed products and those of Fred Paris.

The court upheld all of the claims

On copyright infringement

After recognising the ownership of the rights claimed by Fred Paris, which has publicly exploited its range since at least 2008, the judges characterised the originality of the jewellery making up that range.

They found that the disputed pieces reproduced, as the claimant alleged, the essential characteristics of its own.

The acts of infringement are thus characterised according to the judges, “regardless of the existence of other sites offering similar jewellery […], good faith being irrelevant”, particularly in a context where the designer had been served a formal notice by Fred Paris.

On Community design infringement

Likewise, the court recognised the reproduction of the essential characteristics of the design in the designer’s jewellery, which produces the same overall impression on the informed user.

On unfair competition and parasitism

The likelihood of confusion or association in the mind of the public created by the range effect of the defendant’s jewellery is recognised. It applies in particular to the “Chance Infinie” range, which had not been the subject of a design filing.

Parasitism results from the defendant’s intention to place herself in the wake of Fred Paris in order to benefit from its investments and the reputation of its jewellery.

The damages awarded remain modest

The jewellery designer is ordered to compensate the harm suffered by Fred Paris for infringement, assessed at 3,000 euros, and for parasitism and unfair competition, at 1,000 euros. The modest nature of these amounts results in particular from the fact that Fred Paris had not proven, according to the court, any negative economic consequences; that the profits made were limited; and that it was not proven that the acts complained of had extended over time. The harm compensated is therefore confined to the investment savings made and to the moral prejudice resulting from the trivialisation of the claimant’s jewellery.

The defendant is also ordered to pay 3,000 euros to Fred Paris under Article 700 of the Code of Civil Procedure.

This decision illustrates the dual protection of jewellery creations (and of all works of applied art) under copyright and design law, but also under the ordinary law of civil liability between competitors.

It may encourage rights holders considering legal action to weigh the costs of proceedings, the potentially very modest prospects of compensation, and any wish to make such rulings a matter of principle.

Legal 500: the IT-Data-Digital team pens the TMT chapter for September 2025

Emilie de Vaucresson, Amanda Dubarry, and Hanna-Marie Borten-Guary contribute to the TMT chapter of the 9th edition of the Legal 500 guide. The legal landscape surrounding technology, media, and telecommunications is constantly evolving, marked in particular by increasingly numerous and complex European regulations.

In this context, Emilie de Vaucresson, Amanda Dubarry, and Hanna-Marie Borten-Guary offer a comprehensive overview of the regulations applicable to key issues, including:

🔹 Intellectual Property: software protection and copyright
🔹 Digital Transactions: SaaS, licensing, and technology contracts
🔹 Telecommunications: sector-specific regulation and authorizations
🔹 Artificial Intelligence: generative AI and new compliance obligations
… and much more.

Blaise Deltombe for Le Parisien: September 2025

Blaise Deltombe comments in Le Parisien on the evolution of the right to paid leave in case of sick leave.

⚖️ The Court of Cassation confirms that paid leave can be carried over in the event of sick leave, and accompanies this decision with a statement expressing the hope that this ruling will set a precedent. This is likely a first step before it is codified in the Labor Code, which would guarantee the inviolability of the new rule.

This new rule follows from the European Commission’s demand: last June, the Commission put France on notice to comply with European law on this point.

This development is a major step forward in better protecting employees’ rights, but it also raises questions about the impact on companies and social security.

Read the full article by clicking here: https://www.leparisien.fr/economie/en-arret-maladie-pendant-vos-conges-payes-vous-avez-desormais-le-droit-de-les-reporter-10-09-2025-WWVMGAF4FVBQBKJQ7V5JKWC6A4.php

Newsletter: first half of 2025

A dynamic semester for the Joffe & Associés Team!

The past six months have been marked by a steady pace of milestones and achievements: the appointment of a new partner, the arrival of fresh talent, recognitions in leading rankings, media features, expert analyses, industry conferences, sporting challenges, social commitments, and interactions with students. It has been a period of sustained activity on all fronts.

Behind every initiative stands a committed and dynamic team, attentive to the needs of its clients as well as the broader issues shaping society.

This newsletter looks back at the highlights of the semester and reflects what truly sets us apart: the strength of our collective.

We hope you enjoy reading it!

Read the full newsletter here: Joffe & Associés: Newsletter – First Half of 2025.

SICKNESS DURING HOLIDAYS: EUROPE FORCES FRANCE TO REVIEW ITS LAW

According to the CJEU, annual paid leave is intended for rest, while sick leave is for healing. One cannot therefore replace the other.

However, the French Labor Code ignores this situation and case law considers that “if an employee falls ill during their leave, their sick leave is not taken into account. The days of leave cannot be carried over and are lost.”

In view of this gap, the European Commission launched an infringement procedure against France on 18th June 2025. A letter of formal notice has been sent urging France to comply with Directive 2003/88/EC on working time in order to guarantee the effectiveness of the right to annual leave. France has two months to comply, or risk a referral to the CJEU and a possible sanction. The legislator will therefore have to adapt the Labour Code.

Some lawyers and trade unions in favour of the change see it as an important social step forward, guaranteeing employees a real right to rest even when illness occurs during the holidays, since sick leave and paid leave pursue two different purposes. Many countries already provide for this right to deferral: Belgium, provided that the employee informs their employer immediately, provides a medical certificate and reschedules the days later; and Italy, Spain and Switzerland, where the right to deferral is strictly regulated, requiring rigorous medical proof and not allowing extended holidays.

However, many criticisms have been raised against this system, out of fear of a generalisation of sick leave during holidays and of opportunistic behaviour aimed at artificially extending vacations.

The abuse of sick leave is already a worrying reality in France. The Health Insurance has noted a surge in fraudulent sick-leave certificates in recent years. 42 million euros of sick leave fraud were detected in 2024, a figure 2.4 times higher than in 2023. In addition, out of 230,000 sick leaves verified by medical advisors, one in three was unjustified and was suspended.

In order to combat these abuses effectively, the Health Insurance has made available, and then made mandatory from July 2025, a new standardised sick-leave notice form that is harder to falsify and more secure (special paper, holographic label, magnetic ink, identification of the prescriber, etc.).

Strengthening the control of sick leave is certainly a reasonable counterpart to the evolution of French law required by the European Commission, to avoid abuses and preserve the credibility of the system. Confidence requires maintaining the balance between individual rights and the prevention of abuse. It is on this condition that this reform can be fully accepted and effective.

Aymeric Dégremont for Option Droit et Affaires

📢 Aymeric Dégremont from Joffe & Associés comments in Option Droit & Affaires on the rebounding SME acquisition market… but negotiations remain tense.

Despite the recovery in acquisitions of companies valued up to 50 million euros, the complexity of negotiations is still a major issue. Discussions frequently stumble over demanding legal clauses, such as earn-outs and representations and warranties (R&W), which are true sticking points between buyers and sellers.

🔍 Pre-acquisition audits have also been significantly strengthened: every financial, legal, social, IT, and compliance aspect is now thoroughly scrutinized.

👉 The result: longer processes, sometimes discouraging for sellers.

Aymeric Dégremont points out that “earn-out clauses used to focus on validating forecasts, confirming order books, or renewing contracts, but now they respond to the succession of shocks that have led to the macroeconomic instability we are experiencing.”

He adds that “North American buyers pay almost systematic attention to themes that their European or French counterparts detail less, such as compliance, cybersecurity, and GDPR.”

👉 In summary: the demands of the SME M&A market are increasing, and vigilance is more crucial than ever for successful transactions.

DPO Newsletter: March 2025

IN BRIEF:

  • SANCTIONS – 2024 review of the sanctions and corrective measures pronounced by the CNIL and sanction of a company for the excessive surveillance of its employees.
  • ARTIFICIAL INTELLIGENCE – Clarification of the definition of AI systems by the European Commission and new recommendations from the CNIL to support responsible AI.
  • ANONYMIZATION/PSEUDONYMIZATION – A search engine called to order by the CNIL and publication of guidelines by the European Data Protection Board.
  • RIGHT OF ACCESS – European coordinated action identifies gaps in the implementation of the right of access.
  • TRANSFER OUTSIDE THE EUROPEAN UNION – Publication of the CNIL guide on impact assessments of data transfers.

I. SANCTIONS TO REMEMBER

a. 2024 report on the CNIL’s sanctions

In 2024, the Commission Nationale de l’Informatique et des Libertés (“CNIL”) (France) issued 87 sanctions, including 69 under the simplified procedure. This significant increase compared to 2023 (42 sanctions) and 2022 (21 sanctions) can be explained by the increasingly frequent use of the simplified procedure (almost three times more than in 2023).

As part of its ordinary procedure, the CNIL has sanctioned companies in particular for:

  • Commercial prospecting: in particular for the failure to collect prior consent from individuals before sending commercial communications.
  • Health data processing: in particular with regard to anonymisation (e.g. clarification of the qualification of data processed in health data warehouses).

As part of its simplified procedure, the CNIL has sanctioned (i) the failure to cooperate with the CNIL, (ii) the failure to comply with the exercise of rights, (iii) the failure to minimise data, (iv) the breach relating to the security of personal data, and (v) the breach of the regulations relating to cookies.

b. Excessive surveillance of employees: €40,000 fine for a company in the real estate sector

The CNIL, by deliberation SAN-2024-021 of December 19, 2024, imposed a fine of €40,000 on a company in the real estate sector for having set up excessive surveillance of its employees, by means of software for monitoring working time and employee performance and a continuous video surveillance system set up in employees’ work and break areas. The CNIL has identified several shortcomings, in particular (failure, followed by details):

  • Excessive surveillance: (i) the continuous recording of images and sounds of employees is contrary to the principle of data minimization (Article 5 of the GDPR); and (ii) there is no legal basis for implementing endpoint monitoring software (Article 6 of the GDPR).
  • Lack of information: oral information on the implementation of the monitoring software does not meet the conditions of accessibility over time and, in the absence of a written record of it, its completeness is not established (Articles 12 and 13 of the GDPR).
  • Lack of security measures: the CNIL recalls the reinforced requirement for individualized access to administrator accounts, which have very extensive rights over personal data – here, several employees shared the same access to data from the surveillance software (Article 32 of the GDPR).
  • Lack of impact assessment (DPIA): the systematic monitoring of employees at their workstations required the formalization of a DPIA (Article 35 of the GDPR).

II. TOWARDS RESPONSIBLE AI

a. Prohibited practices in artificial intelligence: the new guidelines of the European Commission

On 6 February 2025, the European Commission adopted guidelines on the definition of artificial intelligence (“AI”) systems to help stakeholders identify whether a software system falls under AI. It should be noted that these guidelines do not address general-purpose AI models. The Commission has identified and clarified the 7 elements that make up the definition of ‘AI system’, introduced in Article 3(1) of Regulation (EU) 2024/1689 on AI (element of the AI Act definition, followed by the Commission’s clarification):

  • “Machine-based system”: AI systems must be computationally driven and based on machine operations.
  • “that is designed to operate at varying levels of autonomy”: the deductive capacity of systems is key to ensuring their autonomy: an AI system must operate with a certain reasonable degree of independence of action (which excludes systems requiring full manual human involvement and intervention).
  • “and that may exhibit adaptiveness after deployment”: the condition of the system’s self-learning capacity is optional and non-decisive.
  • “and that, for explicit or implicit objectives”: explicit (encoded) or implicit (inferred from behavior or assumptions) objectives are internal and refer to the goals and results of the tasks to be performed. They are part of a broader notion of the “purpose” of the AI system, which corresponds to the context in which it is designed and how it must be operated.
  • “infers, from the input it receives, how to generate outputs”: this notion refers to the building phase of the AI system, and is therefore broader than just the phase of use of the system. The Commission distinguishes between AI systems and other forms of software that have only a limited capacity to analyse patterns and adjust their output autonomously.
  • “such as predictions, content, recommendations, or decisions”: AI systems are distinguished by their ability to generate nuanced results, leveraging complex models or expertly defined rules. The Commission details each of the terms of the definition.
  • “that can influence physical or virtual environments”: AI systems are not passive but actively impact the environments in which they are deployed.

b. The CNIL’s new recommendations for responsible AI

 

On February 7, 2025, the CNIL published new recommendations to support the development of responsible AI in compliance with the GDPR (here). They concern both the information provided to individuals and the exercise of their rights:

 

  • Information: the data controller must inform individuals when their personal data is used to train an AI model. This information can be adapted according to the risks to people and operational constraints and can therefore sometimes be limited to general information (when people cannot be contacted individually) and/or global information (when many sources are used, for example by indicating only categories of sources).
  • Rights of individuals: the CNIL invites stakeholders to take privacy into account from the design stage of the model (e.g. anonymization strategy, non-disclosure of confidential data). Exercising rights in the context of AI models can be difficult, and a refusal to grant a request can sometimes be justified. Where these rights must be guaranteed, the CNIL will take into account the reasonable solutions available and may adjust the time limits for responding.

 

III. ANONYMIZATION AND PSEUDONYMIZATION UNDER DEBATE

 

a. The new EDPB Guidelines on pseudonymisation

 

On 16 January 2025, the European Data Protection Board (EDPB) adopted new guidelines 01/2025 on pseudonymisation, which are subject to public consultation until 14 March 2025.

 

Pseudonymisation means processing personal data in such a way that it can no longer be attributed to a specific data subject without the use of additional information (Article 4(5) GDPR). Pseudonymised data remains personal data because there is a risk of re-identification of the data subjects.

 

The EDPB states that pseudonymisation can (i) facilitate the use of the legal basis of legitimate interest, provided that all other requirements of the GDPR are met, (ii) ensure compatibility with the original purpose in the context of further processing, and (iii) help organisations comply with obligations relating to the principles of the GDPR, protection by design and by default, and security.

 

The EDPB also analyses a set of robust technical measures to prevent unauthorised re-identification. Recommended techniques include hashing with a secret key or salt, keeping the additional information needed for attribution separate from the pseudonymised data, and strict access control.
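As an added example that is not part of the newsletter or of the EDPB guidelines, the following Python script illustrates the three measures just mentioned: a keyed hash (HMAC-SHA256) as the pseudonymisation function, an attribution table kept apart from the dataset handed to the analyst, and a check of how many pseudonyms could be recovered from a list of candidate identifiers when a public hash is used instead of a secret key. All function names, the sample records and the keys are constructed for the demonstration.

```python
"""Keyed-hash pseudonymisation with separated attribution data (added example)."""
import hashlib
import hmac
import secrets

# Constructed sample records; the email address is the direct identifier.
RECORDS = [
    {"email": "alice@example.com", "plan": "fibre", "churn_risk": 0.2},
    {"email": "bob@example.com", "plan": "mobile", "churn_risk": 0.7},
]


def new_key() -> bytes:
    """Generate a fresh 256-bit secret key (the 'additional information')."""
    return secrets.token_bytes(32)


def pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 of a direct identifier, hex-encoded.

    Without the key the pseudonym can neither be recomputed nor checked
    against a list of candidate identifiers.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def plain_hash(identifier: str) -> str:
    """Unkeyed SHA-256, shown only to contrast with the keyed variant."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def pseudonymise(records: list, key: bytes) -> tuple:
    """Split records into an analyst dataset and a separate attribution table.

    The analyst dataset carries only the pseudonym; the table mapping
    pseudonyms back to identifiers stays with a separate role, together
    with the key, which is the organisational separation the guidelines call for.
    """
    analyst_rows, attribution = [], {}
    for rec in records:
        token = pseudonym(rec["email"], key)
        row = {k: v for k, v in rec.items() if k != "email"}
        row["pid"] = token
        analyst_rows.append(row)
        attribution[token] = rec["email"]
    return analyst_rows, attribution


def reidentify(token: str, attribution: dict):
    """Re-identification is only possible for whoever holds the attribution table."""
    return attribution.get(token)


def recoverable_from_candidates(tokens: set, candidates: list, key=None) -> dict:
    """Risk check: which pseudonyms match a list of candidate identifiers.

    With a public hash every identifier present in the candidate list is
    recovered; with a secret HMAC key none is, because the candidate cannot
    be hashed the same way without the key.
    """
    recovered = {}
    for cand in candidates:
        h = plain_hash(cand) if key is None else pseudonym(cand, key)
        if h in tokens:
            recovered[h] = cand
    return recovered


if __name__ == "__main__":
    key = new_key()
    rows, table = pseudonymise(RECORDS, key)
    print("analyst sees:", rows)
    print("controller re-identifies:", reidentify(rows[0]["pid"], table))
    cands = ["alice@example.com", "carol@example.com"]
    print("recoverable (plain hash):", recoverable_from_candidates(
        {plain_hash(r["email"]) for r in RECORDS}, cands))
    print("recoverable (keyed hash):", recoverable_from_candidates(
        {r["pid"] for r in rows}, cands))
```

Using a different key for each recipient or purpose also makes the datasets unlinkable with one another, which supports the compatibility-of-purpose point made above.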

 

It should be noted that these guidelines are to be read in the light of Case C-413/23, pending before the Court of Justice of the European Union, between the European Data Protection Supervisor and the Single Resolution Board (SRB). In that case, pseudonymised data was transferred by the SRB to Deloitte for the purposes of an analysis assignment. In his Opinion of 6 February 2025, the Advocate General invites the Court to rule on whether a recipient of pseudonymised data who has no reasonable means of re-identifying the data subjects could be regarded as not processing personal data, insofar as the risk of identification is ‘non-existent or insignificant’.

 

IV. SPOTLIGHT ON THE RIGHT OF ACCESS

 

The CNIL and the European Data Protection Supervisor participated in a coordinated action of the European Data Protection Board in order to evaluate the implementation of the right of access to personal data.

 

During 2024, the CNIL inspected public and private bodies, selected on the basis of complaints received, and issued several reminders of legal obligations. It notes that the organizational measures implemented by these bodies to process right-of-access requests are sometimes insufficient or unsatisfactory. Organizations should (i) provide information about the processing, (ii) include a copy of the data processed, and (iii) not systematically exclude certain processing operations or categories of personal data from their responses.

 

The EDPS has monitored the handling of right-of-access requests by the EU institutions, bodies, offices and agencies and, in its report of 16 January 2025, highlighted: (i) the low volume of requests, (ii) the decentralised management of requests, (iii) the difficulty of distinguishing access requests from other types of requests, (iv) the excessive processing of data caused by the verification of applicants’ identity, and (v) the difficulty of reconciling the protection of rights and freedoms with respect for the right of access of individuals. Controllers and processors are invited by the EDPS to refer to Guidelines 01/2022 on the right of access of data subjects.

 

V. IMPACT ANALYSIS OF DATA TRANSFERS

 

On January 31, 2025, the CNIL published the final version of its guide on the Impact Assessment of Data Transfers (AITD) (here) to help data exporters assess the level of protection in destination countries outside the European Economic Area and the need for additional safeguards. This analysis is required when the transfer relies on an Article 46 GDPR transfer tool (standard contractual clauses, binding corporate rules, etc.), i.e. when the destination country does not benefit from an adequacy decision and the transfer is not carried out under one of the Article 49 GDPR derogations.

 

The guide proposes a six-step methodology:

  • Identify the data concerned and the actors involved;
  • Choose the appropriate transfer tool;
  • Analyze risks related to the laws and practices of the third country;
  • Determine and apply additional measures (e.g. encryption or anonymization);
  • Implement these additional measures;
  • Reassess the compliance of the transfer at appropriate intervals.

 

This publication follows a public consultation that allowed the CNIL to adapt its guide to the practical realities of companies, and to modify it in order to take into account the latest opinions of the European Data Protection Board.

 

DPO Newsletter: February 2025

🚨 DPO Newsletter: What You Need to Know! 🔒

 

 

🔥 Our latest issue is out, covering key decisions, upcoming regulations, and major trends to watch:

 

 

In this edition:

🚫 Record-breaking fines – Orange (€50M), Meta (€251M), and OpenAI (€15M) hit with major sanctions.
📉 Data Transfers outside the EU – The CJEU condemns the European Commission for illegal data transfers to the U.S.
📢 GDPR Certification for Processors – The CNIL opens a public consultation. Be ready for what’s next!
⚠️ Deceptive Cookie Banners – Time’s up for several website publishers ordered to comply.
🤖 Responsible AI – The EDPB sets the tone for AI development within GDPR rules.
📊 2025-2028 Strategic Focus – CNIL’s roadmap to secure the digital future.

 

 

👉 Stay sharp and anticipate the impact on your business!

 

 

Should you have any questions, do not hesitate to contact us: contact@joffeassocies.com