I’m a non-EU data processor, so no EU regulator is coming after me, right? Wrong, says the French regulator, CNIL, in a new decision fining a SaaS provider 1 Million EUR!

At issue in this case was a non-EU processor that had failed to delete controller data after the termination of the agreement between them, and subsequently suffered a data breach impacting many of the users of the controller’s platform. (This is similar to the fact pattern in the recent Spanish AEPD decision.)

CNIL makes it clear that: 

  • You can be in direct scope of GDPR even as a non-EU processor. 
  • …even to the tune of a 7-digit fine.
  • Even dated contact information and listening habits can be deemed sensitive by European regulators.
  • If you use controller data to improve your services without explicit permission, this can be a violation of the controller’s instructions and of GDPR. 
  • If you don’t have a stand-alone ROPA, you could be liable, even if the data is included in your DPA. 

In its decision CNIL clarifies a few thorny GDPR points: 

  • A non-EU processor can be subject to GDPR when it carries out a processing activity on behalf of a controller. In this case, the company’s activity was deemed to be linked to that of the controller in that it enabled the controller to provide personalization and optimization services for marketing campaigns in order to offer its own music streaming services. 
  • GDPR is not only applicable to processing whose primary purpose is to monitor the behavior of a person residing in the European Union, but to all processing that is “related” to such monitoring, that is to say, that is carried out by means of or in connection with operations to monitor persons residing in Europe. 
  • The sole activity of hosting a controller’s data for the purpose of carrying out the advertising targeting activity is sufficient to characterize a subcontracting activity related to the monitoring of people’s behavior for the purpose of GDPR applicability.  
  • The fact that a processor is present in a country that has been granted adequacy by the EU does NOT preclude GDPR applicability to its activities. 
  • The fact that the data was copied by two of the processor’s employees, without the knowledge of management, does not alleviate the processor’s liability, as it is responsible for verifying the operations carried out by the employees under its supervision. 
  • If your contract with the controller (the “data processing addendum” or DPA) only allows you to use controller data in order to ensure the repair or updating of your platform, using the data to improve the performance of the services offered to the controller or, more generally, the performance of your own service – is outside the scope of the instructions and a violation of Art 29 GDPR. 
  • If you store something in a non-production environment – make sure it is equally as secure as your other environments and that it is subject to data retention limitations.  
  • You must maintain an Art 30 Record of Processing Activities (ROPA) even if you are a non-EU processor, whenever you process data for a controller in a manner which is other than just occasional. This needs to be a stand-alone document. The fact that the relevant information is contained in the contract and DPA between the controller and processor does not alleviate the violation. 

CNIL fined the processor 1 Million EUR because: 

  • There was a large amount of data that was breached (many people affected). 
  • CNIL deemed the breach of identity (surname, first name, age), contact details (email address) and listening habits poses a risk to the rights and freedoms of individuals, in that those whose data appears in files posted online on the dark web are prime targets for personalized phishing attacks (sending fake messages or documents to obtain personal information or money). This is the case even though the data was correct only as of 2019. 
  • The company was negligent in its oversight regarding the copying and storing of the data. 
  • The fine at this level was imposed despite the company demonstrating that it has recorded net losses for the past few years, because CNIL noted that its revenues have been increasing.  

Some lessons for US (and other non-EU) processors: 

  • If you are providing services that relate to the offering of goods and services to individuals in the EU or to monitoring their behavior (storage can be enough!), you can be in direct scope of GDPR. This means you have additional responsibilities with which you should ensure compliance. It also means you can be subject to direct enforcement by European authorities and can be subject to very large fines! 
  • If you want to use the controller’s data for your own purposes, make sure that this is clearly spelled out in the contract up front. Saying something like “ensure repair and update” and hoping it covers improvement of your services may land you with an Art 29 violation (for exceeding the controller’s instructions). 
  • Make sure that your information security setup is sufficient, even if you deem the data you are processing to be not sensitive. In Europe, the magic words are “personal data”, not PII, and even basic identifiers plus 6-year-old streaming habits can be deemed by EU authorities to impact the rights of individuals. 
  • Make sure you have good hygiene, even in non-production environments. Those should be protected to the same level as your other environments and subject to retention limitations. 
  • Write that separate Records of Processing Activities (ROPA), even if you are a processor and even if the data is minimal or captured in your DPA anyway.