
On the agenda

  1. Dipeeo, who are we? Let's get introduced!
  2. 6 reasons to comply: GDPR, your business ally for 2025
  3. 80% of data breaches are due to human error: top 3 most common causes
  4. Sales prospecting: 3 tips for compliant emails
  5. The eliminatory error – Residents labeled "friendly" or "Sarkozy supporters"
  6. Two sanctions that caused a stir: Is this the end of ChatGPT and KASPR?
  7. Sanctions imposed by the CNIL (National Commission for Information Technology and Civil Liberties): where does the money go?
  8. Accept cookies: what does that mean?
  9. Article of the month: 8 GDPR rules to protect your website in 2025
  10. WEBINAR: How to adopt AI without GDPR risks: don't miss out on the invitation!

1. Dipeeo, who are we? Let's get introduced!

Dipeeo is a team of 35 experts with complementary skills who offer you comprehensive support:

  • Lawyers and e.g: to support you on a daily basis in the GDPR compliance process.
  • Legal Ops: to automate legal tasks that do not add value.
  • Developers, product owners, UX/UI designers: for an innovative and high-performance platform.
  • Sales, marketers, and CSMs: to advise you, communicate with you, and ensure the success of your projects.

As an external DPO, we take care of all your GDPR compliance needs to make it your best business ally.

For more information, visit our website.

Nearly 450 clients made compliant by Dipeeo.

2. Six reasons to comply: GDPR, your business ally for 2025

Build trust: Earn your clients' trust by protecting their personal data.

Prevent the risk of cyberattacks and data leaks: By implementing strict data protection measures, you significantly reduce your risks.

Facilitate your growth: Compliance is becoming a prerequisite for accessing new markets, collaborating with large corporations, and expanding internationally.

Stand out: Set yourself apart from your competitors by adopting an ethical, responsible approach that respects individual rights.

Avoid complaints and penalties: Limit the risk of complaints to the CNIL (National Commission for Information Technology and Civil Liberties) and of fines by complying with applicable regulations.

Comply with legal and ethical expectations: Demonstrate your accountability and commitment to ethical practices in the management of personal data.

3. 80% of data breaches are due to human error: top 3 most common causes

  1. Losing your USB drive containing sensitive data.
  2. Disclosing confidential information via AI tools (ChatGPT, DeepL).
  3. Sending a confidential email to the wrong person.

Our advice

→ Prioritize storing information in secure clouds.

→ Anonymize data before using artificial intelligence.

→ Double-check recipients and protect sensitive files with a password or encryption.

4. B2B sales prospecting: 3 tips for compliant emails 

  1. Consent is not mandatory in B2B.
  2. You must always offer an opt-out (a way to unsubscribe).
  3. Add a legal notice to inform your prospects of their rights, the source of their data, and the terms and conditions of collection, etc. Don't forget to include a link to your privacy policy.

🎁 As a gift, here is a GDPR legal notice, ready to use in your emails.

This email and all attachments are confidential. If you receive this message in error, please delete it and notify the sender immediately. Any reproduction, disclosure, or use, even partial, of its contents is strictly prohibited. We have obtained your contact details i) directly from you, ii) through public information (e.g. trade shows, databases, and websites), iii) through social networks (e.g. LinkedIn), or iv) through tools authorized by the CNIL (National Commission for Information Technology and Civil Liberties) (e.g. Drop Contact), in accordance with the provisions of Article L34-5 of the CPCE and the guidelines of the CNIL (National Commission for Information Technology and Civil Liberties). To stop receiving messages, send "stop" by email to contact@dipeeo.com. You can also request access to your data at contact@dipeeo.com. For more information on how your data is collected and your rights, please see our privacy policy available here.

5. The eliminatory error – Residents labeled as "friendly" or "Sarkozy supporters"

Last November, in the municipality of Bourg-lès-Valence (Drôme), a routine audit by the Regional Chamber of Accounts revealed a file containing the data of 15,000 citizens: names, addresses, telephone numbers, etc. and, even more seriously, their political opinions, accompanied by annotations such as "nice," "ready to help us," or "supports Sarkozy."

This information, collected without citizens' consent, constitutes a serious violation of the GDPR. As political beliefs are sensitive data, their collection is prohibited, except in strict cases.

The municipality faces a fine of up to €20 million.

This case highlights the importance of the GDPR in protecting fundamental rights and preventing discrimination linked to the misuse of personal data.

Advice for companies: Whether in the context of an annual review, CRM, or HR administrative file, avoid subjective comments that could lead to disputes. Stick to factual and relevant information.

6. Two sanctions that caused a stir: Is this the end of OpenAI and KASPR?

1. OpenAI sanctioned: €15 million fine for non-compliance with the GDPR

First penalty in Europe for OpenAI!

On December 20, 2024, the Italian data protection authority (GPDP) sanctioned OpenAI for several breaches of the GDPR:

  • Illegal use of personal data to train ChatGPT without legal basis.
  • Lack of transparency and failure to comply with information obligations towards users.
  • Failure to verify the age of minors under 13, exposing them to inappropriate content.
  • Failure to notify the competent authority following a data breach in March 2023.

Italy has forwarded the case to the Irish Data Protection Authority (DPC), which is responsible for overseeing this type of investigation at European level, for further investigation.

This fine may seem modest for a player like OpenAI. But it is part of a series of sanctions targeting large technology companies for similar GDPR violations.

This decision serves as a reminder that the GDPR applies to all companies, regardless of their location, as long as they process the personal data of European residents.

2. Commercial prospecting: the CNIL (National Commission for Information Technology and Civil Liberties) puts an end to KASPR's practices

On December 5, 2024, the CNIL (National Commission for Information Technology and Civil Liberties) imposed a fine of €240,000 on KASPR, a solution widely used by companies to enrich their databases for commercial activities.

Summary of GDPR violations

  • Illegal collection: extraction of contact details from LinkedIn users who have chosen to restrict their visibility.
  • Non-compliance with data retention periods: lack of a clear definition and failure to comply with a period proportionate to the purpose of the processing.
  • Lack of transparency: failure to provide clear and accessible information to those concerned.
  • Failure to respect individuals' rights: inability to process requests to exercise the right of access.
Our advice: We recommend that you, like our clients, stop using KASPR and opt for solutions certified by Dipeeo, such as Pharow, Surfe, and Humanlinker.

7. Sanctions imposed by the CNIL (National Commission for Information Technology and Civil Liberties): where does the money go?

Contrary to what one might think, fines imposed by the CNIL (National Commission for Information Technology and Civil Liberties) do not go to the CNIL: they are paid directly to the Treasury.

The moral of the story: if you don't want to line the government's pockets, make sure you comply with the GDPR!

8. Focus on cookies: "What does accepting cookies mean?"

Cookies are small files stored on your computer or phone. They remember your information to make your online experience easier.

When you accept cookies, three types of cookies may be stored: 

  • Statistical cookies: Collect anonymous information for statistical purposes (e.g. pages visited, session duration).
  • Technical cookies: Essential for the proper functioning of the website (language preferences, shopping cart, etc.).
  • Advertising cookies: Track your activities across multiple websites to provide you with targeted advertising.

In other words: Accepting cookies = sharing your data!

Users: How can you browse with peace of mind?

  • Choose strictly functional cookies and, if possible, refuse advertising cookies.

Businesses: Why comply with the GDPR on cookies?

  • For a company, complying with GDPR requirements on cookies not only means avoiding penalties, but also strengthening user confidence by ensuring transparency in your practices.

9. Article of the month

Protect your website: The 8 GDPR rules for cookies

  • Obtain clear consent
  • Display a transparent cookie banner
  • Provide a comprehensive (and compliant) cookie policy
  • Renew consent every 6 months
  • Allow users to change their preferences at any time
  • Ensure fair design
  • Keep evidence...

Anaïs Guilloton

Marketing Manager - GDPR Expert