
The GDPR is evolving fast, and digital news is constantly shaking up compliance issues. Cybersecurity, artificial intelligence, international platforms, record sanctions... how can you stay up to date without spending hours on it?

Every month, GDPR Minute provides you with a summary of essential information, analyzed and contextualized to help you make compliance a real business ally, not a constraint.

On the agenda for this May 2025 edition:

  1. CNIL (National Commission for Information Technology and Civil Liberties) Annual Report – Record number of complaints, increase in penalties
  2. World Password Day – 4 simple habits to adopt
  3. CNSS hacked – Salaries of 2 million Moroccans exposed
  4. "Starter Pack" – The viral trend that feeds AI with your personal data
  5. Europe strikes hard – TikTok fined €530 million
  6. Meta goes on the offensive – Your data at the service of AI
  7. AI Act under American influence – Regulate or give in?
  8. SMS fraud – "It's the delivery guy", the scam that persists
  9. GDPR Guide – The essential kit for e-commerce businesses
  10. SantExpo 2025 – We'll be there!

Enjoy your reading!

1. CNIL Annual Report 2024 - Record number of complaints, sanctions on the rise

As it does every year, the CNIL takes stock of its actions: inspections, sanctions, awareness-raising, supervision of AI... it's all there. On April 29, 2025, it published its 2024 activity report.

Here are the 5 key points to remember:

1. Increased controls and penalties:

The CNIL carried out 360 inspections in 2024, with priority given to sensitive sectors (health, education, local authorities, digital). The results: 87 sanctions handed down, 33 formal notices and 55.2 million euros in fines imposed.

Recurring issues: inadequate cookie management, insufficient data security, poor handling of individuals' rights requests, and non-compliant retention periods.

2. Record number of complaints: 15,350 complaints in 2024.

This historic record reflects the growing awareness of citizens of their rights.

Main concerns: Abusive commercial use of data, difficulties in exercising one's rights (erasure, objection, access), opaque practices of platforms and digital players.

3. Explosion of data breaches:

Cybersecurity was the weak spot of the year. The CNIL received 5,629 data breach notifications (+20%), 40 of which involved more than one million people.

 ➜ The root causes reported: unpatched security vulnerabilities, unauthorized access via compromised credentials, and poor anticipation of cyberattacks on the processors' side.

4. More education on artificial intelligence:

With the rise of generative AI, the CNIL has positioned itself as a key player on ethics and compliance.

 ➜ Its actions in 2024: guidelines on generative AI, support for AI startups and companies, and active participation in the implementation of the European Regulation on Artificial Intelligence (RIA), expected at the end of 2025.

5. Raising awareness among young people:

The CNIL is stepping up its efforts to protect minors. Targeted initiatives cover social networks, protection against cyberbullying and education on digital consent.

 ➜ Its actions: 210 interventions in schools, 200,000 visitors to its online educational content.

Discover the CNIL Annual Report

What companies need to remember in 2025

  • Strengthen your compliance: cookies, security, individual rights, retention periods.
  • Be responsive: establish clear processes for handling GDPR requests.
  • Mandatory transparency: update your privacy policy (targeted advertising, profiling, etc.).
  • Secure your systems to prevent data breaches.
  • Monitor your processors with regular audits.
  • Anticipate AI regulation: assess risks, document your algorithms, add them to the register of processing activities.
  • Minors targeted? Verify age, adapt your interfaces, limit data collection.

2. World Password Day - 4 simple reflexes to adopt 

Every year, May 6 is a reminder that a password is more than just an access code: it's the first line of defence in protecting your digital identity.

Article 32 of the GDPR requires data controllers and processors to guarantee a level of security appropriate to the risks.

In the event of a leak or unauthorized access linked to a weak password, the company can be held responsible and sanctioned by the CNIL.

CNIL recommendations 2025

  • Enable multi-factor authentication (MFA) wherever possible.
  • Do not force regular password changes without reason: this weakens security.
  • Avoid simple or reused passwords: prioritize length and unpredictability.
  • Use password managers: banish Excel files and sticky notes.

Our advice for businesses: Regularly remind your teams about these best practices—password security is an integral part of GDPR compliance.
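To make the four habits concrete on the technical side, here is an added example (not from the original page and not CNIL code) of how a password-acceptance policy can encode them: length and unpredictability first rather than mandatory character classes, a check against a breached-password corpus using a k-anonymity style prefix lookup so the password itself never leaves the client, and a rotation decision that is triggered only by a concrete reason (suspected compromise), never by age alone. The 14-character minimum, the 60-bit entropy floor and the tiny breach corpus are assumptions chosen for the example; a real deployment would plug in a genuine corpus and its own thresholds.

```python
"""Password-policy checks in the spirit of the four habits above.

Added example, not from the original newsletter or the CNIL. Assumptions:
a 14-character minimum, a 60-bit entropy floor, and a constructed
breached-password corpus standing in for a real one.
"""
import hashlib
import math

MIN_LENGTH = 14          # assumption: length first, no forced character-class mix
MIN_ENTROPY_BITS = 60.0  # assumption: floor for "unpredictability"

# Constructed corpus of known-breached passwords (assumption, for the demo only).
# It is indexed the way a k-anonymity range lookup works: by the first 5 hex
# characters of SHA-1(password), mapping to the set of 35-character suffixes.
_BREACHED_SAMPLES = ["password", "123456", "azerty", "motdepasse", "Summer2025!"]
BREACH_RANGES: dict = {}
for _pw in _BREACHED_SAMPLES:
    _digest = hashlib.sha1(_pw.encode("utf-8")).hexdigest().upper()
    BREACH_RANGES.setdefault(_digest[:5], set()).add(_digest[5:])


def is_breached(password: str) -> bool:
    """Look the password up by hash prefix; only the 5-char prefix would be
    disclosed to a remote range service, the suffix match happens locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in BREACH_RANGES.get(prefix, set())


def entropy_bits(password: str) -> float:
    """Rough entropy estimate: length * log2(size of the character pool actually
    used). Crude, but it rewards length over forced symbol rules."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(password: str) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if is_breached(password):
        problems.append("appears in a known breach corpus")
    if entropy_bits(password) < MIN_ENTROPY_BITS:
        problems.append("too predictable")
    return problems


def rotation_required(days_since_change: int, compromise_suspected: bool) -> bool:
    """Age alone never forces a change; only a concrete reason does."""
    return compromise_suspected


if __name__ == "__main__":
    for candidate in ["password", "Summer2025!", "correct horse battery staple"]:
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
    print("rotate after 400 days, no incident:", rotation_required(400, False))
    print("rotate after 10 days, credential leaked:", rotation_required(10, True))
```

Note that "Summer2025!" passes the entropy estimate yet is rejected twice, for length and because it sits in the breach corpus, which is exactly the case a complexity-only rule would miss; a long passphrase with no symbols or digits passes.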

3. CNSS hacked - Salaries of 2 million Moroccans exposed 

Background

Just imagine, you open a file... and surprise: you discover the salaries of your boss, your co-workers, the CEO of Royal Air Maroc, and even the daughter of the head of the Moroccan government.

This is exactly what happened in Morocco on April 8, with the biggest social data leak in its history. Nearly 2 million employees and 500,000 companies saw their confidential information exposed after a major cyber attack on the Caisse Nationale de Sécurité Sociale (CNSS).

Salaries, social security numbers, ID card numbers, bank details...Thousands of files were published on a Telegram channel, accessible to everyone before being deleted.

Behind the attack, the hitherto unknown group Jabaroot DZ presents itself as Algerian and claims to have acted in retaliation for alleged Moroccan digital harassment. The Moroccan government is calling it a hostile and criminal act, and the CNDP is calling for the utmost vigilance, reminding everyone that accessing or disseminating such data is illegal.

This scandal acts as a wake-up call

Critical digital infrastructures are vulnerable. A security breach can become a time bomb, with economic, political and diplomatic consequences.

GDPR, a model to follow?

  • Outdated legal framework: Morocco still relies on Law 09-08, adopted in 2009, well before the era of massive cyberattacks.
  • Partnerships under threat: To strengthen trade with Europe, legislative upgrades are essential.
  • Call for GDPR compliance: Omar Seghrouchni, president of the CNDP (National Commission for Data Protection), emphasizes the importance of becoming GDPR-compliant in order to maintain business flows with the EU.
  • Strategic opportunity: for any company, the GDPR can become a lever for credibility and competitiveness internationally.

4. "Starter Pack" - The viral trend that feeds AI with your personal data

The "Starter Pack" trend is booming: you describe your personality, habits, relationships, and let AI generate a funny or stylized image of yourself.
But to do this, you provide... a lot of personal information.

A typical example: "Make my HR starter pack: my name is Raphaël, I'm in charge of recruitment at a tech startup in Marseille, I have a dog, and I only drink filter coffee."

Beneath its harmless exterior, this social game feeds artificial intelligence models with very precise, often uncontrolled data.

What are the risks?

  • Non-consensual profiling: AI cross-references your personal information—job, location, habits, preferences—to build a comprehensive behavioral profile, often without your knowledge or consent.
  • Reuse of data for training: some AIs retain user prompts to refine their models, without clear consent.
  • Leaks or exposure: No one is immune. In 2023, a leak of logs on ChatGPT revealed private prompts. What you think is confidential... isn't always.
  • Reverse mirror effect: the more you feed an AI with your details, the more it is able to caricature you or produce content in your image... without your control.

Our recommendations for using AI  

✔️ Avoid prompts that are too personal or identifiable, especially on free or less transparent tools.

✔️ Whether you use AI for business or personal purposes, prefer services that guarantee your prompts are not retained.

✔️ In the workplace, raise awareness among your teams: what may seem like fun can actually be a real data leak.

✔️ Read the terms of use of generative AI tools, especially the "use of data" or "training data" sections.

5. Europe hits back hard - TikTok fined €530 million

Background

On May 2, 2025, the Irish Data Protection Authority (DPC) fined TikTok a record €530 million, with six months to comply with the GDPR. This decision marks the culmination of an investigation opened in 2021.

The reason? Two major violations of GDPR 

  • Illegal transfers to China: TikTok left European user data accessible from China without any guarantee of protection. The GDPR requires a level of protection equivalent to that of the EU for any transfer outside Europe.
  • A lack of transparency: the GDPR requires clear information about data transfers. TikTok's privacy policy, however, was extremely vague: no specific information about the countries concerned, no clarity about the types of data transferred, and content generally incomprehensible to users.

To top it all off, TikTok made matters worse by admitting to having made false statements during the investigation.

And this isn't a first for TikTok: €3 million fine from Italy (2020) - €750,000 from the Netherlands (2021) - €345 million already imposed by Ireland (2023)

A clear message: This exemplary sanction confirms the European Union's determination to enforce its digital sovereignty in relation to international platforms and to impose strict rules to ensure the protection of European citizens' data.

Things to remember :

✔️ Provide clear information: Detail what data is collected, for what purposes, with whom it is shared, and how long it is stored. A vague privacy policy is no longer sufficient.

✔️ Regulate transfers outside the EU: before sending data outside the European Union, ensure that the recipient country offers an adequate level of protection. If not, put standard contractual clauses or other safeguards in place.

✔️ Protect minors: for any service accessible to young people, obtain clear parental consent for those under 15. Use accessible language, limit data collection to what is strictly necessary, and apply enhanced security measures.

6. Meta goes on the offensive - Your data in the service of AI

From May 27, 2025, Meta (Facebook, Instagram, WhatsApp) will start using the personal data of all its users to train its generative artificial intelligence models.

This potentially includes photos, captions, publications, private messages, reactions and other interactions, for the purpose of developing its AIs.

All without explicit consent, but invoking the legal basis of legitimate interest. 

The user will have to actively refuse (opt-out) via a low-profile form.

Regulators take up the cause 

The announcement immediately triggered alerts from data protection authorities, including France's CNIL, Austria's DSB and Germany's BfDI. The NOYB association, headed by Max Schrems, has already filed a complaint, accusing Meta of circumventing the explicit consent required by the GDPR.

At the same time, the European Regulation on Artificial Intelligence (RIA), currently being finalized, could change things. This text aims to regulate the use of personal data in AI training, by imposing reinforced transparency obligations. It could therefore eventually prohibit this type of practice.

The two main implications for companies 

  • Association risk: staying on Meta could expose companies to accusations of indirect complicity if regulators deem these practices non-compliant with the GDPR.
  • Confidence crisis: by using Meta platforms, companies risk having their interactions with clients captured and reused for AI training, which can affect user trust.

How to exercise your right to object as an individual :

Here are the links to prevent the use of your personal data:

7. AI Act under American influence - Regulate or yield? 

The United States is exerting pressure. 

As the European AI Act prepares to come into force, the United States is stepping up pressure to lighten its content. In their sights: codes of conduct designed to govern general-purpose AI models such as ChatGPT and Gemini.

Washington has officially asked the European Commission to abolish these codes, which are deemed too restrictive, and is proposing to let companies define their own rules. This position is supported by OpenAI, Meta, Microsoft and Google, who advocate greater flexibility.

Their argument: too much regulation slows innovation and stifles the economy.

Europe resists.

Brussels remains firm. For the Commission, the objective is clear: to create common, transparent and enforceable frameworks that structure, protect and encourage sustainable innovation, without giving in to deregulation.

The AI Act will gradually come into force from 2025, with strengthened obligations in terms of transparency, risk governance, explicability and AI ethics.

To be continued.

8. SMS fraud – “Hello, this is the delivery person” or the scam that persists

"Hello Julien, I'm the delivery man. The package did not fit in the mailbox. Please choose a relay point via this link."

You've probably received it. Maybe even several times a day.

A well-honed scam.

An SMS that seems banal, polite, personalized, almost reassuring. And sometimes at just the right moment: you're waiting for a parcel, you're in a hurry, you're distracted. So you click. You arrive on a fake site, perfectly credible, which asks for a small payment to "reschedule delivery".

And then, without realizing it, you hand over your bank details, your personal data, access to your phone...

Result: data theft, mobile infection, identity theft.

These attacks are massive, targeted and extremely well-crafted, thanks to personal data already stolen and increasingly sophisticated phishing techniques.

Everyone is affected. Regardless of age, level of alertness or familiarity with digital technology.

Notice to companies: your image is also a target


Here are a few essential reflexes to limit the damage:

✔️ Monitor the use of your name in phishing campaigns: your brand may be impersonated without your knowledge.

✔️ Secure your databases, including those entrusted to your processors.

✔️ In case of a leak, inform the people concerned quickly, and the CNIL where required.

✔️ Strengthen your contracts with logistics service providers, for example by imposing strict data security clauses.

At Dipeeo, we help you anticipate this type of risk: audit, GDPR compliance, crisis management, team awareness - we secure your data, but also your reputation.

9. GDPR Guide - The essential kit for e-commerce companies

If you're an e-commerce company, this guide is for you. 

✔️ The 7 GDPR best practices to apply without delay.

✔️ All legal documents essential for compliance.

✔️ Practical tips to simplify your procedures and avoid classic mistakes

Download guide

10. SantExpo 2025 - We'll be there! 

Next event: SantExpo

🗓️ May 21 to 23, 2025
📍 Paris Expo Porte de Versailles - Startup Pavilion 

Healthcare experts: with more than a third of our clients in this sector, we can help you:

✔️ Guarantee your GDPR compliance
✔️ Reduce the risk of data breaches
✔️ Strengthen the trust of your patients and partners

Don't delay! Register for free and come and talk to us. We look forward to meeting you! 

See you next time for another GDPR Minute.

Anaïs Guilloton

Marketing Manager - GDPR Expert