The GDPR is evolving fast, and digital news is constantly shaking up compliance issues. Cybersecurity, artificial intelligence, international platforms, record sanctions... how can you stay up to date without spending hours on it?
Every month, the GDPR Minute brings you a digest of essential information, analyzed and contextualized to help you make compliance a real business lever, not a constraint.
On the program:
- New identity, same mission: Dipeeo, your outsourced DPO to boost your business
- "Monsieur, Madame": The end of gendered forms?
- CNIL (National Commission for Information Technology and Civil Liberties) 2024 assessment: GDPR, sanctions explode!
- Is your cookie banner GDPR compliant?
- AI & GDPR: New CJEU ruling, are you compliant?
- Trump jeopardizes EU-US data transfer: Should we fear a "Schrems III"?
- No more telephone harassment? Canvassing without consent confirmed!
- Apple in turmoil: Is Siri spying on your conversations?
- GDPR, AI, RIA... The pitfalls to avoid explained in video!
- Join us at Tech for Health on March 26/27, 2025
Enjoy your reading!
1. New identity, same mission: Dipeeo, your outsourced DPO to boost your business
Four years ago, Dipeeo was born with a clear mission: to support companies in their GDPR compliance as an outsourced DPO.
Today, we go far beyond mere compliance. We turn GDPR into a true business ally thanks to a perfect blend of people, technology and expertise.
Our promise: simple, effective and value-creating compliance.
✔ A DPO declared to the CNIL (National Commission for Information Technology and Civil Liberties)
✔ Unlimited support from legal experts and e.g
✔ A GDPR label
✔ A fixed monthly cost
It's about time our image fully reflected our ambition and our solution. 
2. "Monsieur, Madame": The end of gendered forms?
On January 9, 2025, the Court of Justice of the European Union (CJEU) ruled: the systematic collection of gender by SNCF Connect violates the GDPR's data minimization principle.
Why this decision?
The Mousse association has challenged the requirement for SNCF Connect users to enter a gender ("Monsieur" or "Madame") when purchasing a ticket online. In its view, this collection is unnecessary and discriminatory, particularly for people who do not identify with the binary gender.
The CJEU reiterates the rules of the game:
✔ All data collection must be justified by a genuine need (contract, legal obligation, etc.).
✔ Gender cannot be collected for commercial purposes without legitimate grounds.
✔ Companies must limit collection to only those data that are strictly necessary.
A strong reminder: the GDPR primarily protects individuals, not corporate habits. Improper data collection can lead to sanctions and damage your image.
Consequences for companies: What to watch out for?
- Justify the collection of sensitive data and limit its use to the strict legal requirements.
- Reassess your forms: is each field really essential?
- Propose a neutral option or leave the choice to users.
3. CNIL (National Commission for Information Technology and Civil Liberties) assessment 2024: GDPR, sanctions explode!
The CNIL (National Commission for Information Technology and Civil Liberties) draws up its 2024 balance sheet, and one thing is clear: controls and sanctions are intensifying! Between record fines and formal notices, GDPR regulation is going from strength to strength.
Key figures:
- 87 sanctions handed down - a record!
- 55.2 million euros in fines imposed in 2024
- 180 formal notices for non-compliance
- 64 reminders to raise company awareness
Who's in the crosshairs?
- Cookies & trackers: No more misleading banners
- Illegal canvassing: More respect for consumers
- Improper surveillance of employees: Protection of rights in the workplace strengthened
- Data leaks: Increased penalties for lack of security
Discover the complete review of the CNIL (National Commission for Information Technology and Civil Liberties).
The message is clear: GDPR is not an option! Companies, adapt now to avoid sanctions.
4. Is your cookie banner GDPR compliant?
The cookie banner is often the first interaction with your visitors, but many companies still don't comply with GDPR. The result? Penalties, loss of trust and impact on user experience.
5 essential questions to check your compliance:
- Explicit consent: Is refusal as simple as acceptance?
- Compliant banner: Have you removed pre-checked boxes and misleading incentives?
- Lifetime: Are your cookies automatically deleted after 13 months?
- Withdrawal of consent: Can users change or withdraw their consent at any time?
- Immediate deletion: Are cookies deactivated as soon as consent is withdrawn?

If the answer is no, your cookie banner needs to be updated! To help you, we've put together a handy checklist for a compliant cookie banner in just a few minutes.
5. AI & GDPR: New CJEU ruling, are you compliant?
Following the entry into force of the Artificial Intelligence Regulation (AIR) last August (more on AIR), the CJEU adopted a new key decision on February 27, 2025.
The aim? To strengthen the obligations of companies in order to make their AI systems more transparent and give individuals real power over the automated decisions that affect them.
What the decision specifies:
✔ More transparency: companies must clearly explain how and why an AI uses an individual's personal data.
✔ Right of objection: Anyone affected by an automated decision (recruitment, scoring, loans...) must be able to access the criteria used and ask for explanations.
✔ Enhanced corporate accountability: companies must prove that their algorithms comply with the GDPR and do not make uncontrolled decisions about individuals.
Enterprise: 3 best practices for compliance
- Make AI explainable: Clearly document and communicate decision criteria.
- Guarantee user control: Offer the right to challenge and human intervention for important decisions.
- Audit and secure AI: Analyze your algorithms, detect bias and update your GDPR policies.
Need support? At Dipeeo, we take care of your GDPR & AI compliance: AI charter, audits, impact analysis...
6. Trump jeopardizes EU-US data transfer: Should we fear a "Schrems III"?
Important reminder: The GDPR strictly prohibits data transfers outside the EU without adequate safeguards.
The Data Privacy Framework (DPF), the latest agreement to frame data transfers between the EU and the US, could already be in the hot seat. After the invalidation of Safe Harbor in 2015 (Schrems I) and Privacy Shield in 2020 (Schrems II), a "Schrems III" appears to be on the horizon.
Why this new risk?
- January 2025: Donald Trump fires 3 key members of the committee overseeing FBI and CIA access to European data. The result? Control of US agencies is paralyzed, undermining the validity of the DPF.
- Max Schrems and NOYB denounce an ineffective agreement, believing that the DPF does not protect European data any better than its predecessors.
- If the DPF is cancelled, data transfers to the USA could become illegal, impacting cloud services such as AWS, Microsoft Azure, Google Cloud...
What does this mean for companies?
✕ Legal risk: Your data transfers outside the EU may no longer be GDPR compliant.
✕ Trade blockages: Restrictions on US cloud services, making digital sovereignty more crucial than ever.
✕ Back to Standard Contractual Clauses (SCCs) and other complex solutions for maintaining legal data flows.
Anticipate now! Secure your transfers and explore GDPR-compliant alternatives to avoid any business impact.
7. No more telephone harassment? Canvassing without consent confirmed!
We told you about it in February... It's now a fact! On March 6, 2025, the French National Assembly definitively adopted the ban on BtoC cold calling without consent.
What this means:
- Consent required: Companies will have to obtain consumers' explicit consent before contacting them by telephone.
- Exceptions: Certain calls remain authorized, notably for the performance of a contract in progress, or the door-to-door sale of food and animal products.
- Penalties: Offenders risk a fine of up to €75,000 for an individual and €375,000 for a company.
Entry into force on January 1, 2026, giving companies time to adapt.
Next step: validation by the Senate. We'll keep you informed as we go along!
Why does it matter to you?
- If your company uses telephone prospecting, you'll need to review your sales strategies.
- Compliance is essential to avoid sanctions and preserve your image.
Need to adapt your practices to these new regulations? Dipeeo supports you for ethical and GDPR-compliant prospecting.
8. Does Siri spy on your conversations?
Apple in turmoil?
On February 13, 2025, the Ligue des Droits de l'Homme (LDH) filed a complaint against the American giant, accused of collecting and analyzing private conversations via Siri, without consent.
The revelations:
- Sensitive records (health, political opinions, privacy) captured by Siri without users' knowledge.
- Apple processors in charge of listening to and transcribing these conversations.
- A blatant violation of the GDPR, which requires clear consent and fair data processing.
Why is this a problem?
✕ Total lack of transparency on data use.
✕ Major risk of misuse of personal information.
✕ Repetition of scandals: Apple had already promised measures after similar revelations in 2019.
Should we still trust voice assistants? The LDH demands investigations, while Apple tries to quell the controversy. To be continued.
9. GDPR, AI, RIA... The pitfalls to avoid explained in video!
Use AI safely with this practical guide:
✔ Why 95% of AI projects are subject to the GDPR.
✔ How the AI Regulation (RIA) complements the GDPR.
✔ The concrete risks associated with OpenAI, DeepSeek and others
✔ Why your clients might reject your AI solution if it's not compliant.
✔ Best practices for anticipating compliance.
Watch the video to understand it all!
10. Join us at Tech for Health on March 26/27, 2025
Come and see us at the Startup Pavilion (Paris Expo Porte de Versailles – Hall 7.1) where we will have a stand to discuss your challenges with you: GDPR, AI Act, health data, etc.

Healthcare expert: With more than 1/3 of our clients in this sector, we can help you:
✔ Ensure your GDPR compliance
✔ Reduce the risk of data breaches
✔ Strengthen the trust of your patients and partners
We hope you have found this information useful.
See you next month for another edition of La Minute GDPR.
If you have any questions or would like to find out more, please don't hesitate to contact us!