Newsletter Juin 2025 : Vers la simplification du RGPD ?

The GDPR is evolving fast, and digital news is constantly shaking up compliance issues. Cybersecurity, artificial intelligence, international platforms, record sanctions... how can you stay up to date without spending hours on it?

Every month, the GDPR Minute brings you a digest of essential information, analyzed and contextualized to help you make compliance a real business lever, not a constraint.

On the agenda for this June 2025 edition:

1. Vers un RGPD simplifié ? – Ce qui pourrait changer pour les PME et ETI
2. 90 M€ avoided since 2018 thanks to GDPR - What if compliance became profitable?
3. Age control - Arm wrestling between platforms, blinds and regulators
4. 500,000 fine for forgetting to processor - Not to be repeated
5. Human Resources - Employee complaints soar, CNIL (National Commission for Information Technology and Civil Liberties) takes a harder line
6. Vishing - The new AI phone attacks
7. Commercial prospecting: the CNIL (National Commission for Information Technology and Civil Liberties) strikes hard - Caloga and SoLocal sanctioned
8. E-commerce, one leak after another - Cartier, Adidas, The North Face, Victoria's Secret
9. GDPR e-commerce guide - The essential kit for businesses
10. Dipeeo at VivaTech 2025 - Shall we meet?

Enjoy your reading!

1. Vers un RGPD simplifié ? – Ce qui pourrait changer pour les PME et ETI

On May 21, 2025, the European Commission unveiled a long-awaited project: a targeted simplification of the GDPR to ease constraints for small and medium-sized structures. Some were already seeing this as a turning point, or even the end of a regulatory era. A "thunderclap" in the compliance ecosystem. But... nonsense. 

What the reform proposes (if it succeeds) :

Companies with up to 750 employees (instead of 250 today) would be exempt from registering, except in the case of high-risk treatments.

• Companies with up to 750 employees (instead of 250 today) would be exempt from registering, except in the case of high-risk treatments.
• Even sensitive processingHR, health, social) would no longer automatically entail this obligation.
• Des codes de conduite spécifiques aux PME/ETI seraient introduits

The hollow admission: the EU recognizes that the register of processing operations is a cumbersome formality, with little added value for agile structures. (In other words: useless.) For GDPR pros or insomniacs: Here's the full draft in PDF format (48 pages only).

At Dipeeo, we didn't wait for Brussels to understand this.
For the past 4 years, we've been telling our clients : record of processing is an administrative constraint, not a compliance tool. It won't prevent data breaches, it won't respond to your audits, it won't protect your data, and it will never win you a tender.  That's why our register has been 100% automated since 2021. Generation time: 1 second. And we spend the rest of the time on what really matters.
Our vision at Dipeeo: Make GDPR your best business ally, not the other way around.

2. €90m avoided since 2018 thanks to GDPR - What if compliance became profitable? 

On June 5, 2025, the CNIL (National Commission for Information Technology and Civil Liberties) published a groundbreaking study on the economic benefits of the GDPR, entitled:
"Cybersecurity: the economic benefits of the GDPR  [PDF available].

What the report reveals:

For the first time, GDPR is analyzed not as a constraint, but as an economic lever, via its direct impact on reducing fraud and identity theft.

• 90 to 219 million euros in losses avoided in France since 2018 thanks to GDPR implementation
• EU-wide: an estimated impact of between €585 million and €1.4 billion
• Up to 82% of these gains would directly benefit companies

Why such an effect?

• Enhanced security requirements
  → Fewer exploitable leaks, faster detection, notification obligation (Articles 32 to 34 GDPR)
• Positive chain effects → Better protection for partners, processors and clients thanks to collective maturity gains
• Concrete, lasting benefits → Fewer disputes, greater trust, improved reputation, competitive advantage

The key lesson for businesses :

 ✔ Less risk = less cost → Every data leak avoided protects your sales and avoids legal costs.

 ✔ client trust is a financial asset → By showing that you protect data, you build clients loyalty and strengthen your reputation.

 ✔ Compliance leads to concrete gains → GDPR and economic performance are not opposed: they reinforce each other.

GDPR doesn't cost: it pays off. Securing your data means investing in your economic future.

3. Age control: a tug-of-war between platforms, blinds and regulators

Since the beginning of 2025, the debate on online age verification has intensified. In the background: the desire to better protect minors from sensitive content (social networks, pornography). Meta, supported by other platforms, is pushing the European Union to require app stores (Apple, Google) to Accountability verify users' age and obtain parental consent before a minor downloads an application. 

In fact, you may have seen it in action: since May, Meta has launched an extensive communications campaign, both on its own platforms and in the metro. The slogan: "Instagram calls for European regulation requiring age verification and parental consent on the App Store."

The stated aim is to create a unified, simpler and - according to Meta - more privacy-friendly system.
The unofficial aim is to delegate legal Accountability to the blinds.

Unsurprisingly...Apple and Google are opposed:

• Google warns of the risks associated with excessive centralization: data leakage, profiling, resale...
• Apple offers a technical approach via an API that indicates whether a user is a minor, without directly collecting his or her age. But Accountability remains with developers.

This debate on age control is not simply a disagreement between platforms and app stores. It reveals a growing tension between industrial logic, legal Accountability and regulatory requirements, in a context where the protection of minors is becoming a political imperative. France has taken a particularly proactive stance: it is pushing for a European coalition and does not rule out acting alone, as it has already done with the blocking of pornographic sites.

Indeed, the CNIL (National Commission for Information Technology and Civil Liberties) has included the protection of minors among its 2025-2028 strategic challenges, calling for the implementation of effective, proportionate and privacy-friendly systems. Companies need to prepare for this: age verification is becoming a priority compliance issue, at the intersection of GDPR, regulatory pressure and societal expectations.  

Anticipating today means avoiding sanctions tomorrow.

4. €500,000 fine for forgetting to processor - Not to be reproduced

In April 2025, a hospital was fined €500,000 by the SpanishData protection authority .

Why was this? Because he called in technical service providers (laterprocessors ) without informing his client, the Valencia Ministry of Health.

What the GDPR says - Article 28:

A processor may not delegate processing to another service provider unless three conditions are met:

• Inform the client (the data controller),
• Obtain written authorization,
• Frame the subsequent processor with an equivalent contract.

In this case : The hospital did not transmit the list of its providers, did not notify the additions, and refused to communicate the contracts.

Result: ongoing GDPR violation, heavily sanctioned

What we at Dipeeo recommend for the processors we support:

✔ Prefer general authorization (VS prior authorization)

→ More flexible to manage: you don't need to ask the client 's agreement for each new processor, but you do need to inform them systematically.

✔ Provide an updated list of subsequent processors as soon as the contract is signed

→ This reinforces transparency right from the start, and reassures your clients that your processing chain is under control.

✔ Inform your clients of any changes (no fixed deadline)

→ Authorization is general, but information remains mandatory. The GDPR does not set a deadline, but the information must be transmitted before or as soon as the new processor takes up his or her duties.

✔ Clearly define objection criteria in the contract

→ To avoid abusive blockages, frame this right of opposition with objective and legitimate criteriae.g.: ongoing dispute with subsequent new processor ).

5. Human resources - Employee complaints soar, CNIL (National Commission for Information Technology and Civil Liberties) gets tough,

In 2025, the CNIL (National Commission for Information Technology and Civil Liberties) confirms a steady rise in HR-related complaints.
In its annual report, it reports 17,772 complaints received in 2024, over 13% of which concern HR processing.

Excessive surveillance, CVs kept too long, uncontrolled access to employee data...

HR practices are clearly in the spotlight.

At Dipeeo, we see it every day with our clients :the GDPR is becoming a lever in social tensions.

A dismissal deemed unfair? Internal litigation? Increasingly aware, employees are activating their GDPR rights as a tool for pressure or negotiation.

When the CNIL (National Commission for Information Technology and Civil Liberties) opens a file, it quickly extends its analysisto your entire personal data management system.

The signal is clear: of the last 10 CNIL (National Commission for Information Technology and Civil Liberties) sanctions (simplified procedure of May 22, 2025),
6 out of 10 concern HR breaches. 

The most penalized practices :

• Excessive surveillance of employees (cameras, eavesdropping, unjustified activity monitoring)
• Illegal Data retention of CVs or HR data for too long
• In-house access to personal data is too broad
• Lack of information on HR treatments (no internal memo, no clear policy)

 Best practices to adopt without delay :

• Supervise surveillance: justify each device, limit its scope, inform employees.
• Define clear Data retention retention periods: CVs, newsletters, HRfiles... no unnecessary retention.
• Restrict access to HR data: role-based management, logging, regular audits.
• Clearly inform your employees: internal notes, GDPR HR policy, mentions upon hiring.
• Train your HR teams: understand the GDPR, manage access or deletion requests.

6. Vishing: the new AI phone attacks 

ZATAZ lifts the veil on a new wave of AI-powered phone attacks.
Hackers use cloned voices to call you... and it works: 

• Truer-than-life voices: colleague, deliveryman, banker... everything is imitated to perfection.
• Personalized calls: first name, recent order, business info - it's all there.
• Objective no. 1: get you to click, install an app or deliver a code.
• Objective no. 2: embezzle funds, spy on a company or prepare broader attacks. 

As a result, your phone becomes a Trojan horse, a gateway to your personal or business data.

Unsurprisingly, the GDPR frames this type of threat: 

✕ Unlawful processing of personal data (no legal basis) 

✕ Breach of safety obligation 

✕ Data breach = mandatory alert 

✕ Accountability principle

The GDPR expects companies to put in place robust technical, organizational and human measures to prevent, detect and respond to these threats.

As a company, you're on the front line. Here's what you need to do to anticipate these attacks: 

• Securing terminals → MFA, MDM, blocking unauthorized apps
• Train teams → Recognize attacks, apply the right reflexes, follow clear procedures
• Document and prove → Up-to-date register, internal policies, proof of awareness
• Crisis management → CNIL (National Commission for Information Technology and Civil Liberties) ) notification within 72 hours, information for those concerned

The GDPR expects companies to anticipate, protect and react - and to be able to demonstrate this.

7. Commercial canvassing, the CNIL (National Commission for Information Technology and Civil Liberties) strikes hard - Caloga and SoLocal sanctioned 

At the beginning of the year, the CNIL (National Commission for Information Technology and Civil Liberties) announced that commercial prospecting would be one of its priority control themes in 2025. And it was quick to act. As a result, two major sanctions have been imposed in recent weeks:

Caloga - €80,000 fine (May 15, 2025): A data broker specialised in the resale of prospect data. The CNIL (National Commission for Information Technology and Civil Liberties) has conducted a targeted investigation into the practices of data brokers. Among the breaches found : 

• Sending marketing e-mails without valid recipient consent.
• Transfer of data to partners without serious legal basis

 SoLocal Marketing Services - €900,000 fine (May 21, 2025): SoLocal, e.g, acts as an advertising intermediary. The company was fined for the following breaches: 

• Lack of proof of prior consent for e-mail and SMS campaigns.
• Unclear collection forms, making it impossible to verify the validity of consent.
• Very slow response time: the company continued to process data for 17 months after the deficiencies were identified.

Things to remember :

✔ Consent must be explicit, free and documented: It must not come from a pre-ticked box or ambiguous forms.

✔ The right to object must be incorporated and respected immediately: You must remove anyone who objects, without delay.

✔ The CNIL (National Commission for Information Technology and Civil Liberties) doesn't wait for your complaints, it controls directly: Even without an appeal brought by an individual, an inspection is enough to trigger a sanction.

8. E-commerce, one leak after another - Cartier, Adidas, The North Face, Victoria's Secret

May-June 2025 will have been marked by a series of data breaches in the retail and e-commerce sectors: Cartier, Adidas, The North Face, Victoria's Secret...

So many iconic brands targeted by sophisticated attacks, illustrating the fragility of the sector in the face of cyberthreats. Why is this sector so targeted?

• Mass clients data: identities, histories, addresses, sometimes payment data
• Online payments and digitalized transactions → automated attacks (credential stuffing, phishing, scraping...)
• Multiple service providers → client support, CRM, IT services: all potential entry points Focus on Cartier and Adidas  

Cartier le 2 juin : brèche directe dans les systèmes internes

An intruder has compromised clients data via internal software → Data concerned: identifiers, contact details, order history.

 Adidas on May 23: leak via a service provider

A poorly secured marketing tool exposed the preferences and emails of thousands of clients → Origin: a careless processor .

Retail: 3 safety reflexes you must adopt

✔ Audit your critical service providers: Don't rely on appearances, demand concrete proof (contractual clauses, certification, access security). A negligent service provider can jeopardize the entire data chain.

✔ Deploy a data breach management plan: who does what if a leak occurs? How quickly do you notify the CNIL (National Commission for Information Technology and Civil Liberties) ? Your clients ? A clear, tested process limits the legal impact and protects your image.

✔ Restrict access to sensitive data: Implement the principle of least access: only employees who need it access it.

9. GDPR Guide - The essential kit for e-commerce companies  

We've put together everything you need to know to make your e-commerce GDPR, simply and effectively, in one handy guide. 

  The 7 essential best practices to apply without delay: clients information, how to manage legal requests, etc. A list of all the legal documents you need to comply: privacy policy, data breach management procedure, etc. Practical tips to simplify your procedures and avoid classic mistakes: rules for commercial prospecting, cookies, etc.

10. Dipeeo at VivaTech 2025 - Shall we meet?

 Rendez-vous du 11 au 14 juin à Paris Expo Porte de Versailles pour VivaTech, le plus grand salon tech d’Europe. Nous serons sur place pour parler conformité RGPD, DPO externalisé, et surtout pour échanger avec vous sur vos enjeux business et data. 

 Lucia and Lisa will be on hand on Thursday June 12 and Friday June 13 - ready to discuss, share and advise.

A coffee, a quick point, a real chat? Just drop us a line! By return e-mail or directly via their LinkedIn profiles: Lisa | Lucia

We hope you have found this information useful.

See you next month for another edition of La Minute GDPR.

If you have any questions or would like to find out more, please don't hesitate to contact us!