
The GDPR is evolving fast, and digital news is constantly shaking up compliance issues. Cybersecurity, artificial intelligence, international platforms, record sanctions... how can you stay up to date without spending hours on it?

Every month, the GDPR Minute brings you a digest of essential information, analyzed and contextualized to help you make compliance a real business lever, not a constraint.

On the program:

  1. 7 years on, Brussels revises the GDPR: what should we expect?
  2. Your medical data accessible throughout Europe? Coming soon
  3. Google Ads functionality: what if you're unknowingly breaking the law?
  4. Are you in the sights of the CNIL (National Commission for Information Technology and Civil Liberties) this year? The 4 main targets announced
  5. Shein: ultra fast-fashion that tracks your private life - the CNIL opens the file
  6. Data breaches: 4 cases that shook up the month of March
  7. Two-factor authentication: password + SMS? Too risky. The CNIL warns
  8. A poorly advised client, a condemned processor: justice sends a clear message
  9. Is your site GDPR ready? We share our express audit method
  10. See you at SantExpo?

Enjoy your reading!

1. 7 years on, Brussels revises the GDPR: what should we expect?

Will the GDPR evolve? The question is on the table in Brussels.

Seven years after it came into force, the European regulation on personal data protection is the subject of a critical review by European institutions. 

Why this revision?

  • Adapting the legal framework to today's challenges: the explosion of AI, new marketing practices, reuse of healthcare data... The technological context has changed radically since 2018.
  • Eliminate the legal and technical bottlenecks that complicate its day-to-day application.
  • Lighten the load for SMBs and start-ups, who find the GDPR too complex.

What is planned?

  • Better articulation between the GDPR and the AI Act, particularly on automated processing.
  • Clarification of the role of processors and joint controllers.
  • Strengthening people's rights in certain sensitive sectors (health, education, etc.).
  • A possible simplification for small structures, without reducing guarantees.

What this means for you:

  • Updating your compliance documents will probably be necessary.
  • It's best to look ahead: the topics under discussion are already pointing towards greater transparency, documentation and accountability.

2. Your medical data accessible throughout Europe? Coming soon

On March 26, 2025, a new European regulation came into force: the European Health Data Space (EHDS). It marks a turning point in healthcare data management on a European scale.

The aim? To give citizens easier access to their medical data (prescriptions, imaging, history, etc.) anywhere in Europe, while strictly controlling their re-use for research or innovation purposes. 

The 4 key changes to come : 

  • Information always available, even abroad: Fall ill in Spain or Germany? Doctors there will be able to consult your data, with your consent.
  • Clear rules for reuse: Your data can be used to advance research or AI, but not in just any way: your clear consent is required, each use must be justified, and everything must go through an official authority (a one-stop shop).
  • A one-stop shop per country: Each country will designate an authority to centralize and supervise requests for access to health data. In France, this could involve the DSSIS or the Health Data Hub (to be confirmed).
  • Double supervision: From now on, data will be monitored by both the health authorities and those who protect your personal data (such as the CNIL).

When will it be implemented?

  • September 2025: Designation of national authorities (the famous "one-stop shop").
  • 2026 - 2028: Technical implementation: common infrastructures, harmonized data formats, interoperability.
  • March 2029: Full implementation of most obligations for all stakeholders.

For companies handling healthcare data: what do you need to be prepared for? 

Mandatory European compatibility: Your tools will have to speak the same language as those in other EU countries. No more closed systems!

Clearly separated uses: Care, research, AI... Each use must be clear, distinct and traceable. No mixing.

Concrete consent: it will be necessary to prove that the person said yes, and for what exactly.

The national one-stop shop, a new compulsory step: Any request to reuse data will have to go through a designated authority. Good news: if you're already rigorous on the GDPR, you're one step ahead. The EHDS strengthens this foundation without reinventing it.

3. Google Ads functionality: what if you're unknowingly breaking the law?

Can I use the Google Ads "enhanced conversions" feature (conversions avancées)? This is a question our clients have asked us several times.

But what exactly are we talking about? 

We tell the story! It all starts with a universal need among advertisers: to know what works to convert your prospects into clients... and to be able to reproduce it.

The method used to be simple (and well-oiled): A web surfer clicks on an ad → a cookie is set in their browser → if the person converts, bingo, we can link the action to the campaign. But today, this model is breaking down:

✕ Users refuse cookies.
✕ Browsers block them automatically.

Result: conversions are increasingly difficult to measure.

Google's plan B: enhanced conversions

In response, Google has come up with an alternative: instead of relying on a cookie, Google collects personal information entered in your forms (order, registration, etc.), such as e-mail address or telephone number.

The site's tag hashes this data (SHA-256) before sending it, and Google matches the hash against the hashes of its own signed-in accounts to reconstruct the purchase or conversion path. No cookie is needed: the user is "re-identified" via their personal data. Hashing is not anonymization here: anyone holding the same e-mail list computes the same hash, so the hashed value remains personal data under the GDPR. And unless you gate the feature yourself, all of this happens without consent.


Except that... on the GDPR side, it's far from neutral.

Even without a cookie, you are processing personal data.

So, the rules change... but the legal framework remains. Clear and explicit consent should be required to track these prospects.

This functionality closely resembles profiling as defined in Article 4(4) GDPR, and where it feeds automated decisions about a person it falls under the strict framework of Article 22 GDPR.

According to our analysis, the tool cannot be used as it stands without serious precautions to guarantee its GDPR compliance. (Consent, transparency, documentation...).

So what do we do? 

The CNIL has yet to give its official opinion on this Google feature. Pending a clear position, caution is called for.

Our recommendation:

✔ Do not activate enhanced conversions by default.

✔ Ensure that the data collected (e-mail, telephone, etc.) is collected with explicit, clear and granular consent.

✔ Clearly mention this Purpose in your privacy policy.

✔ And above all: document everything. If you're audited tomorrow, you need to be able to justify every step.

4. Are you in the sights of the CNIL this year? The 4 major targets announced for 2025

Like every year, the CNIL announces its control priorities.

In 2025, four key themes are in the spotlight, based on very concrete situations that many organizations experience on a daily basis. 

Exercising individual rights 

Notably the right to erasure (Article 17 GDPR), the subject of a coordinated action with 26 European authorities launched in March 2025.
What the CNIL is checking:

  • Are requests processed on time (1 month in most cases, extendable by two further months for complex or numerous requests, provided the person is told why within the first month)?
  • Is the data really deleted from all your systems (CRM, logs, backups, etc.)?
  • Is the process clear, documented and traceable?
     

Mobile applications

More specifically, the focus is on the management of tracking data, geolocation, user information and the conditions for obtaining consent.

Cybersecurity in local authorities  

The aim? To check whether local authorities have put in place sufficient protection measures in the face of increasing cyber-attacks (ransomware, data leaks, etc.). Audits will focus in particular on access control, backups, updates and processor management.

Video surveillance in sensitive areas

Focus on prisons and restricted-access areas (archive room, computer room with sensitive data, etc.):

  • Are people properly informed?
  • Is image data retention regulated?
  • Is the system regularly audited?

This theme gives a broader signal: all monitoring devices must be assessed with regard to the GDPR.

 Why is this important?

Even if you don't fall directly into one of the target categories, these themes give a clear reading grid for the CNIL's expectations:
✔ Transparency
✔ Mastery of technical tools
✔ Respect for rights
✔ Data security 

5. Shein: ultra fast-fashion that tracks your private life - the CNIL opens the file

Identity, purchase history, payment method, product preferences, online behavior, browsing, likes on social networks, IP address, etc.: they track everything about you.

The more Shein knows about you, the more effectively it sells to you: personalizing your experience, optimizing its sales, retargeting you on social networks, feeding its predictive algorithms.

How does it do it? By installing dozens of trackers on your devices: even before asking for your consent, or even if you've explicitly clicked "refuse".

You guessed it... these practices are illegal

This is what the CNIL is pointing its finger at, and it's considering a record fine of €150 million, with a daily penalty of €100,000 for as long as the infringements persist. We'll keep you posted on the final decision.

Are you an e-commerce company?  

Every e-commerce site is affected. The GDPR is not an option, and it concerns your marketing practices, your site or application, and your tools & processors. Everything must be scrutinized to avoid punishment - and above all, to protect your most valuable asset: your customers.

6. Data breaches: 4 cases that shook up the month of March

Healthcare, retail, the public sector... in March, no sector was spared.


What do they have in common? For the organizations targeted, the consequences are far-reaching: legal, financial... but also reputational.

Cyberalliance - A critical flaw in Oracle Cloud exposed 6 million client records, including SSO credentials and encryption keys. The data was put up for sale by a pseudonymous hacker.
Intersport - Internal documents (passports, pay slips, social security numbers, etc.) were released by the Hive group following a ransomware attack. Cash register and inventory systems were disrupted.
Autosur - A database of 12 million client records (contact details, vehicles, passwords) was exfiltrated and put up for sale on the dark web. The entry point is believed to have been an unprotected tool.
Harvest - The financial software publisher suffered a ransomware attack via a poorly secured virtual machine. Sensitive client asset data was reportedly exposed.

At Dipeeo, we help you prevent the worst: we raise your teams' awareness and set up a clear data breach management procedure. And if an incident does occur, we're with you every step of the way - from detection to notification of the CNIL.

7. Two-factor authentication: password + SMS? Too risky. The CNIL warns

In March 2025, the CNIL published an official recommendation on multi-factor authentication (MFA), a subject that has become central in the face of the rise in identity theft attacks. The aim: to help organizations adopt robust authentication systems, adapted to the risks involved.

Things to remember : 

✔ Two-factor authentication is becoming the norm, especially for accessing accounts containing personal or business data of a certain sensitivity.

✔ Not all methods are equal: the password + SMS code combination is not recommended, because SMS codes can be intercepted (SIM swapping, SS7 attacks) or simply phished. Use an authenticator application instead (Google Authenticator, Microsoft Authenticator, etc.) or, better, a physical security key (such as a YubiKey). Note that one-time codes from an app can still be phished in real time; FIDO2 security keys bind the authentication to the site's origin and resist phishing.

✔ The level of authentication must be proportionate to the risk: the more sensitive the data, the stronger the device must be.

And what does that mean for you?

If your teams or clients access online accounts, it's time to:

✔ Check your current access methods.
✔ Implement a more secure two-factor authentication solution.
✔ Update your internal documentation and instructions.

At Dipeeo, we'll help you choose the right solution for your context, secure your access and stay compliant with the law.

8. A poorly advised client, a condemned processor: justice sends a clear message

On March 19, 2025, the French Supreme Court upheld the conviction of an IT service provider... for failing in its duty to advise on data protection. 

Background

The processor had helped its client set up a video surveillance system in a company without alerting it to the legal risks, even though the system clearly violated the GDPR (particularly with regard to informing those filmed).

What the Court says: A processor cannot simply carry out a client's requests "without reservation", especially when it knows that the processing is illegal. It must advise, warn and propose alternative solutions.

Why this is a strong signal: The service provider was held liable in its own right, alongside the client.

This confirms that GDPR accountability is shared, including for technical services.

Any company that provides a service involving data must be a prime mover, not just a doer.

Dipeeo support

We already support 260 processors in their GDPR compliance, in accordance with Article 28:

✔ Provision of a comprehensive and personalized DPA (GDPR data processing agreement).
✔ Negotiation of the DPA with your clients to secure your responsibilities.
✔ Participation in calls with your prospects or clients to demonstrate that you are a compliant and reliable provider.

Our aim: to make compliance a lever of commercial credibility - not a box to tick.

 9. Is your site GDPR ready? We share our express audit method

Your website is your company's first GDPR showcase.
If it's not compliant, it's often a sign that the rest isn't either (marketing practices, HR, applications etc.). 

The risk? Creating a bad image, scaring off prospective customers... and attracting the attention of the CNIL.

And you don't have to be a GDPR expert to find out. We're sharing our express audit method - download it right here.

10. See you at SantExpo?

Thank you to everyone who came to meet us at Tech for Health! Many of you came to discuss GDPR, healthcare data, AI and digital compliance, HDS and other issues with us. Next event: SantExpo

  • May 21 to 23, 2025
  • Paris Expo Porte de Versailles - Startup Pavilion 


Healthcare expert: With more than 1/3 of our clients in this sector, we can help you:

✔ Guarantee your GDPR compliance
✔ Reduce the risk of data breaches
✔ Strengthen the trust of your patients and partners

We hope you have found this information useful.

See you next month for another edition of La Minute GDPR.

If you have any questions or would like to find out more, please don't hesitate to contact us!

Anaïs Guilloton

Marketing Manager - GDPR Expert