On 8 January 2026, the French data protection authority (CNIL) issued two rulings against Free Mobile [1] and Free [2] (the "Companies"), imposing fines of €27 million and €15 million respectively for various breaches of the General Data Protection Regulation (GDPR).
In this case, the Companies were alerted in October 2024 that an attacker had broken into their information systems and had been able to access more than 24 million subscriber contracts containing, in some cases, customers' IBANs. These data breaches were reported to the CNIL on 23 October 2024.
Following numerous complaints filed by individuals affected by these data breaches, the CNIL conducted an inspection of each of the two Companies and found, in particular:
- a breach of the obligation to ensure data security pursuant to Art. 32 of the GDPR [3]: the CNIL noted in particular shortcomings concerning (i) the authentication procedure for connecting to the Companies' VPN and (ii) the measures for detecting abnormal behaviour on their information systems;
- failure to comply with the obligation to notify data subjects of a personal data breach in accordance with Art. 34 of the GDPR [4]: the Companies informed the data subjects of the data breaches by sending an information email, providing a toll-free number and setting up an internal system for managing requests to the data protection officer (DPO ticket).
However, the CNIL considered that the initial information email did not contain all the required information and therefore did not meet the requirements of Art. 34 of the GDPR (e.g. the information provided was not sufficiently precise with regard to the remedial measures implemented, the likely consequences of the data breach in question and the measures to be taken to mitigate any negative consequences).
During the inspection of Free Mobile, the CNIL also found a breach of the obligation to retain data for a period proportionate to the purpose of the processing in accordance with Art. 5(1)(e) of the GDPR [5].
The CNIL noted that Free Mobile had not finalised the roll-out of its data purging mechanism, resulting in the potentially indefinite storage of data relating to cancelled invoices and subscriptions, without any distinction being made between purposes. It thus found data relating to more than 15 million contracts that had been terminated more than 5 years ago, including 3 million that had been terminated more than 10 years ago. Free Mobile had therefore retained millions of data records for an excessive period of time without justification.
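The retention finding above turns on two controls: a retention period defined per purpose, and a purge job that actually enforces it once a contract is terminated. The following Python is an added illustration of such a control and is not code from Free Mobile or from the CNIL decisions; the retention periods, record layout and sample contracts are all constructed assumptions. It shows an audit pass that reports how many terminated records sit beyond a 5- or 10-year mark (the kind of figure the CNIL inspection produced) and a purge pass that keeps only active records and those still inside their purpose-specific period.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Hypothetical retention schedule in years per processing purpose.
# These values are assumptions for the example, not the periods that
# apply to Free Mobile or that the CNIL set out in its decision.
RETENTION_YEARS: Dict[str, int] = {"contract": 5, "billing": 5, "marketing": 3}


@dataclass(frozen=True)
class Record:
    record_id: str
    purpose: str
    terminated_on: Optional[date]  # None means the subscription is still active


def add_years(d: date, years: int) -> date:
    """Add calendar years; a 29 February anniversary falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_deadline(record: Record) -> Optional[date]:
    """Last day the record may be kept, or None while the subscription is active."""
    if record.terminated_on is None:
        return None
    if record.purpose not in RETENTION_YEARS:
        # An unknown purpose means no retention period was defined: fail closed
        # rather than silently keeping the data forever.
        raise ValueError(f"no retention period defined for purpose {record.purpose!r}")
    return add_years(record.terminated_on, RETENTION_YEARS[record.purpose])


def over_retained(records: List[Record], today: date) -> List[Record]:
    """Records whose purpose-specific retention period has already elapsed."""
    result = []
    for r in records:
        deadline = retention_deadline(r)
        if deadline is not None and today > deadline:
            result.append(r)
    return result


def termination_age_buckets(records: List[Record], today: date,
                            thresholds: Tuple[int, ...] = (5, 10)) -> Dict[int, int]:
    """Count terminated records older than each threshold in years, regardless of purpose."""
    counts = {t: 0 for t in thresholds}
    for r in records:
        if r.terminated_on is None:
            continue
        for t in thresholds:
            if today > add_years(r.terminated_on, t):
                counts[t] += 1
    return counts


def purge(records: List[Record], today: date) -> List[Record]:
    """Return the records that survive enforcement of the retention schedule."""
    overdue_ids = {r.record_id for r in over_retained(records, today)}
    return [r for r in records if r.record_id not in overdue_ids]


# Constructed sample data; dates chosen to exercise each branch.
TODAY = date(2024, 10, 1)
SAMPLE: List[Record] = [
    Record("c-001", "contract", None),               # active, never purged
    Record("c-002", "contract", date(2023, 6, 30)),  # terminated, inside 5 years
    Record("c-003", "billing", date(2018, 3, 15)),   # terminated more than 5 years ago
    Record("c-004", "contract", date(2013, 1, 2)),   # terminated more than 10 years ago
    Record("c-005", "marketing", date(2022, 2, 28)), # inside the 3-year marketing period
    Record("c-006", "marketing", date(2020, 2, 29)), # 3-year period ended 28 Feb 2023
]

if __name__ == "__main__":
    print("over-retained:", [r.record_id for r in over_retained(SAMPLE, TODAY)])
    print("terminated more than N years ago:", termination_age_buckets(SAMPLE, TODAY))
    print("kept after purge:", [r.record_id for r in purge(SAMPLE, TODAY)])
```

The audit pass (`termination_age_buckets`) is deliberately separate from the purge pass: the former is what an inspection or an internal review runs to measure the backlog, the latter is the control whose roll-out the CNIL found unfinished. Raising on an undefined purpose is the important design choice, since a record with no retention period attached is exactly the case that ends in indefinite storage.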
Footnotes
1. Délibération SAN-2026-001 du 8 janvier 2026
2. Délibération SAN-2026-002 du 8 janvier 2026