
GDPR compliance: what the latest European sanctions and decisions reveal
Reading time: 7 min
The GDPR has been in force for almost eight years, but the news cycle remains busy. The last three months have brought a wealth of useful signals for marketing, product, data, and security teams. On one hand, national authorities are pursuing a sanctions policy that targets both major players and solution providers. On the other hand, European law continues to specify the role of platforms, while Brussels puts back on the table adjustments intended to "simplify" the digital arsenal.
This article summarizes the key events observed in recent months, and then draws concrete lessons for organizations that handle personal data.
The return to the forefront of a simple subject: security
At the end of 2025 and the beginning of 2026, several decisions put security back at the heart of compliance. The CNIL sanctioned NEXPUBLICA FRANCE, publisher of a user relationship management tool in the social sector, for insufficient security measures. The message is classic but consistent: when data circulates in software used by numerous organizations, security is not simply a technical aspect. It becomes a contractual commitment, an operational risk, and then a compliance issue.
A few weeks later, the CNIL (French Data Protection Authority) imposed very high fines on Free Mobile and Free following a data breach. Beyond the amount, the key point lies in the assessment of the "adequacy" of the security measures. The GDPR does not require infallibility. It expects a coherent, risk-based approach that covers controls, detection, response, and evidence.
This reminder also applies to marketing departments. All data activation relies on a processing chain. An incident at a service provider or publisher can turn into a crisis of confidence for the brand. In the public's perception, no distinction is made according to the source of the breach.
Platforms: the line between "simple hosting provider" and "simple host" is narrowing
On December 2, 2025, the Court of Justice of the European Union rendered a decision that interests all marketplace operators and, more broadly, platforms that publish content submitted by third parties. The underlying idea is this: the operator can bear direct responsibility under the GDPR when advertisements contain personal data, including sensitive data.
The operational impact is significant for product governance. A platform must implement technical and organizational measures to detect potentially risky content before publication, or at least reduce its exposure. This requirement goes beyond a simple "report" button. It encompasses form design, moderation rules, automated controls, and documentation demonstrating compliance efforts.
This movement reinforces an already visible trend: the more a platform frames publication and monetizes interactions, the more the argument that it is a mere intermediary loses its force.
Targeted advertising: litigation accelerates the demand for transparency
Another signal emerged in December 2025 with a ruling by the Austrian Supreme Court concerning Meta and personalized advertising. The reasoning emphasizes two points: the collection of sensitive data without explicit consent, and the user's ability to obtain a complete view of their data, its sources, and its recipients.
For martech teams, the main lesson concerns evidence management. Organizations must do more than simply "comply" with the rules. They must be able to explain, upon request, the sources, legal bases, flows, and purposes of data processing. Data architectures that pile up enrichments, reconciliations, and segments quickly lose their readability. Yet, when an access request is made, this readability is just as important as initial compliance.
DSA and GDPR: the regulator seeks consistency
The regulatory landscape is no longer limited to the GDPR. The Digital Services Act imposes new obligations on numerous online services. In November 2025, the European Data Protection Board adopted guidelines on the DSA-GDPR relationship.
This stance has very concrete implications. It aims to avoid a "double standard" between two texts that sometimes call for the same actions from different perspectives: transparency, complaint handling, logging of certain actions, and cooperation with authorities. For organizations, the challenge lies in linking requirements. A product team can consolidate controls, indicators, and processes, instead of building two parallel compliance programs.
“Simplifying” the GDPR: the debate reopens in Brussels
In November 2025, the European Commission presented a package called the "Digital Omnibus", intended to adjust several digital rules. Analyses and press articles have mentioned avenues that directly affect data protection, with a recurring argument: reducing the burden on businesses, especially small ones.
The issue remains political. Any revision of the GDPR requires a lengthy institutional process and a delicate balance between competitiveness and fundamental rights. For professionals, this debate primarily heralds a period of uncertainty. The most experienced players will benefit from maintaining a robust compliance strategy. Any potential relaxation of the rules will not eliminate customer expectations, reputational risks, or the contractual requirements circulating in calls for tenders.
A common thread: the quality of governance makes the difference
These news items trace a common thread. Sanctions call into question security measures deemed insufficient. Courts clarify the responsibilities of platforms. Advertising disputes demand greater transparency. European guidelines seek alignment between regulations.
For a growth-oriented organization, the challenge lies in turning this context into an advantage. Robust GDPR governance simplifies product decisions, secures data partnerships, reduces friction regarding consent, and ultimately protects the brand.
In reality, three projects stand out.
- The first task involves the actual mapping of flows. Many teams have "theoretical" diagrams. However, decisions and incidents expose the "real" flows: exports, synchronizations, enrichments, technical access, subcontractors.
- The second area of focus concerns security in a broad sense: access policies, logging, testing, alert procedures, patch management, and then the ability to prove everything.
- The third area of focus is actionable transparency: understandable information, consistent choices in interfaces, and the ability to respond to people's requests without improvisation.
Conclusion
The last three months have confirmed a simple reality: the GDPR is progressing through practice, driven by audits, decisions, and clarifications. Security remains a major area for sanctions. Platforms are seeing their responsibility become more pronounced. Targeted advertising continues to fuel litigation that demands greater transparency. At the same time, the European Union is seeking alignment between its digital regulations while, in the background, reopening the debate on "simplification."
For marketing and tech teams, the best strategy remains pragmatic: strengthen governance, consolidate security, and then make data flows more transparent. In an environment where compliance is also measured by the ability to explain and prove, these efforts serve both as legal assurance and as an investment in trust.
Some references
- « Sanction: FREE MOBILE and FREE fined €42 million » – CNIL – January 14, 2026
- « Data law | UK Regulatory Outlook January 2026 » – Osborne Clarke – January 6, 2026
- « Data security: NEXPUBLICA FRANCE fined €1,700,000 » – CNIL – December 24, 2025
- « PRESS RELEASE No 150/25 – EU law obliges the operator of an online marketplace… » – Court of Justice of the European Union (CURIA) – December 2025
- « Toward a two-tier liability regime for online platforms: analysis of the CJEU's Russmedia decision » – August Debouzy – December 8, 2025
- « Interplay between the DSA and the GDPR: EDPB adopts guidelines » – European Data Protection Board (EDPB) – 2025
- « Austria's top court rules Meta's ad model illegal… » – Reuters – December 18, 2025
- « European Commission Proposes Revisions to GDPR… under Digital Omnibus Package » – Inside Privacy (Covington & Burling) – November 20, 2025
- « European Commission accused of 'massive rollback' of digital protections » – The Guardian – November 19, 2025