Israeli Marketing Firm Fined €1 Million for GDPR Violations Following Massive Data Breach
In a significant enforcement action, the French data protection authority has levied a €1 million fine against Israeli marketing technology company Optimove for breaching data processor obligations outlined in the General Data Protection Regulation (GDPR). The penalty, issued on December 11, 2025, stems from systematic failures in Optimove’s data handling practices, which led to a massive data breach affecting 46.9 million users of Deezer, a popular music streaming service, with 9.8 million users impacted in France.
The Commission Nationale de l’Informatique et des Libertés (CNIL) announced the fine following an investigation that commenced in 2023. Findings disclosed that Optimove, which had been contracted to provide marketing personalization services to Deezer from December 1, 2016, to December 1, 2020, failed to comply with several provisions of the GDPR, specifically Articles 28, 29, and 30. These violations occurred during the data handling processes connected to Optimove’s provision of services.
During the investigation, which unfolded under President Philippe-Pierre Cabourdin’s leadership, representatives from Optimove defended the company’s decision to copy non-anonymized personal data of Deezer users, claiming the copying had been carried out without managerial consent and for service enhancement purposes. The committee dismissed this defense, affirming that the company holds ultimate responsibility for its employees’ actions and must ensure robust oversight of its data handling practices.
The breach, which reportedly took place between October 31 and November 5, 2022, was initially identified by Deezer on November 10, 2022, when it notified CNIL of a potential compromise stemming from Optimove. By the end of the investigation, it was determined that Optimove had retained copied data long after its contract with Deezer was terminated, contravening Article 28, which mandates the deletion or return of personal data at the end of service provision.
Within the scope of the MITRE ATT&CK Matrix, the tactics employed by adversaries likely included “initial access” through improper data management and “persistence” via unauthorized retention of sensitive information. The breach exemplifies how negligent data handling by a processor can create the conditions for significant data exposure, underscoring the need for both comprehensive internal controls and rigorous adherence to data protection regulations.
The CNIL’s ruling emphasizes the growing scrutiny over data processors, especially those operating outside the European Union, and underscores the necessity for companies to implement effective data governance strategies. Companies must maintain formal records of their data processing activities, ensuring compliance with GDPR mandates even when the processor is established outside the EU.
As businesses increasingly rely on third-party services, understanding the implications of processor responsibilities under regulations like GDPR is vital. The Optimove case serves as a critical reminder that software and marketing technology providers must establish stringent measures to protect client data and prevent unauthorized access. With fines reflecting a company’s size and financial capacity, this incident could set a crucial precedent for future enforcement actions concerning data breach accountability.
The implications of the ruling extend beyond the immediate penalty, signaling regulatory intent to hold processors accountable for compliance lapses and thereby protect the rights of individuals. As data handling continues to grow in complexity, adherence to established rules and frameworks such as the GDPR is becoming increasingly paramount for all organizations handling personal data.