Tired of general newsletters that skim over your real concerns? DastraNews offers legal and regulatory monitoring designed specifically for DPOs, lawyers, and privacy professionals.
Each month, we go beyond a simple recap: we select about ten decisions, news, or positions that have a concrete impact on your missions and organizations.
🎯 Targeted, useful, and grounded data protection monitoring.
Here is our selection for March 2025:
CNIL Recommendation on Multifactor Authentication
The CNIL adopted the final version of its recommendation on multifactor authentication (MFA) on March 20, 2025, to promote cybersecurity solutions that are GDPR compliant by design. The authority clarifies, among other things:
- The situations where the use of MFA is appropriate, based on security needs (e.g., sensitive data or access to a professional email). Avoid unnecessary use of MFA to prevent desensitizing users and diminishing its effectiveness.
- The legal basis for MFA: there are two ways to consider it under the GDPR:
  - Case 1: MFA as a security measure integrated into the main data processing (e.g., accessing a user account) → no need for a separate legal basis, as it is included within the scope of the main processing.
  - Case 2: MFA as a cross-cutting security measure for the information system itself → to be considered as a separate processing, with its own purpose being the security of information systems. In a professional context, the most suitable legal basis is the legitimate interest of the employer (Article 6.1.f of the GDPR), in the absence of a legal obligation (Article 6.1.c of the GDPR).
- The choice of authentication methods (knowledge, possession, inherence factors) and the conditions under which each complies with the GDPR. For inherence factors in a professional context (e.g., biometric access control to a work app), the data controller must refer to the specific rules governing the use of biometrics (Workplace Biometrics Model Regulation).
- Authentication logs must be kept for a limited period. In the absence of specific provisions, the CNIL recommends a retention period of between 6 and 12 months.
No More ‘Mr./Ms.’: SNCF Removes Gendered Titles
In its January 2025 ruling, the CJEU clarified that collecting civil status data is not justified when used solely to personalize marketing messages, as it lacks objective necessity under the GDPR. Therefore, SNCF no longer requires its users to provide their status ("Mr." or "Ms.") when purchasing tickets online.
Lawful basis of contract performance, rejected: The Court reiterates that personal data processing can only be lawfully based on the performance of a contract if it is objectively necessary for its execution. In the context of a railway transport contract, while communication with the user is essential, personalizing those communications using civil status (e.g., Mr./Ms.) is not required to fulfill the core obligations of the contract.
Legitimate interest, strict conditions: The Court acknowledges that direct marketing may constitute a legitimate interest under the GDPR. However, using civil status for personalization purposes fails the necessity test, especially when less intrusive alternatives (such as using first and last names or neutral salutations) are available. If such processing carries a risk of discrimination, particularly regarding gender identity, the company’s legitimate interest cannot override the rights and freedoms of the data subject.
Right to object does not legitimize processing: The Court clarifies that the mere existence of a right to object (Article 21 GDPR) cannot be used to justify the initial legality of the processing.
In short: a controller cannot argue that a processing activity is lawful simply because individuals have the option to object. The processing must be lawful, necessary, and proportionate from the outset.
Sanction of a Norwegian Telecom Company for DPO-related Breaches
In March 2025, the Norwegian Data Protection Authority (Datatilsynet) imposed a fine of 4 million Norwegian kroner (approximately 350,000 euros) on Telenor ASA, a Norwegian telecommunications company. The main breaches identified include:
No appointed DPO: Telenor ASA had eliminated the DPO position, arguing that it was not required to appoint one under Article 37(1) of the GDPR without providing sufficient documentation to support the decision.
DPO information not available: The DPO's contact information was only available on the internal intranet, inaccessible to the public.
Incomplete record of processing activities: The company’s record of processing activities did not accurately reflect the reality of its data processing operations.
No documented direct reporting line: There was no formalized direct line of communication between the DPO and top management, which undermines the DPO’s ability to act independently and effectively.
Insufficient resources & lack of documentation: The DPO was not allocated adequate resources, and the documentation concerning their role was incomplete—particularly regarding independence and conflicts of interest, as the DPO also held responsibilities as an associate lawyer within the company.
The Datatilsynet ordered the company to update its record of processing activities and assess whether it is legally required to appoint a DPO. If so, the company must establish measures to ensure the DPO's independence, a direct reporting line with management, a separate email address, and document the DPO's shareholding and potential conflict of interest.
Group Revenue Must Be Considered in GDPR Fine Calculations, Says CJEU
In its judgment of February 13, 2025, the Court of Justice of the European Union (CJEU) clarified a key point regarding GDPR enforcement:
When calculating fines for GDPR violations, the revenue of the entire corporate group—not just the directly liable legal entity—must be taken into account.
Article 83 of the GDPR must be interpreted as follows:
The notion of an "undertaking" should be interpreted in line with EU competition law (Articles 101 and 102 TFEU), where it designates an economic unit that may consist of multiple legal or natural persons.
The ceiling for fines is calculated as a percentage of the total annual worldwide turnover of the entire group, not just the infringing subsidiary (see CJEU December 5, 2023, Deutsche Wohnen, C‑807/21).
However, this maximum amount should not be confused with the amount actually applied, which must be determined by the supervisory authority, taking into account the specific GDPR infringement identified in each case, to ensure that the fine is effective, proportionate, and dissuasive (Article 83(1) of the GDPR).
- To determine the amount actually applied, contextual elements must be taken into account, such as the nature and gravity of the infringement, the number of data subjects affected, measures taken to mitigate the damage, negligence or deliberate acts, etc. (Article 83(2) of the GDPR).
- Although not explicitly mentioned in the GDPR, the Court has already stated in the aforementioned judgment that a fine that only takes into account the actual economic capacity of its recipient - through the lens of EU competition law - is likely to meet these three conditions (effective, proportionate, and dissuasive). This requires determining whether the entity in question forms part of an "undertaking", understood as a broader economic unit.
This strengthens the effectiveness of sanctions and prevents large groups from evading significant fines through compartmentalized legal structures.
Primacy of the GDPR over Trade Secrets: CJEU Clarifies Scope of the Right of Access in Automated Decision-Making
In a judgment rendered on February 27, 2025, the Court of Justice of the European Union (CJEU) ruled that the GDPR prevails over trade secrets, particularly in the context of the data subject’s right of access and the safeguards provided under Article 22 in cases involving automated decision-making.
The case involved an Austrian national who was denied a mobile phone contract following an unfavourable creditworthiness assessment carried out entirely by automated means. The telecom operator refused to disclose detailed information regarding the logic underpinning this automated assessment, invoking the protection of trade secrets.
The Court ruled that data subjects must be provided with "meaningful information about the logic involved" in automated decision-making processes. The invocation of trade secrecy does not exempt the controller from this obligation, particularly where such secrecy is used to shield the functioning of algorithms from scrutiny.
This interpretation aligns with the Court’s earlier decision in the SCHUFA (C-634/21) case, in which the Court held that a solvency score generated by an automated algorithm, and subsequently used by a financial institution as the basis for its own decisions, constitutes an automated individual decision within the meaning of Article 22(1) GDPR. Such a decision is deemed to be solely based on automated processing and produces legal or similarly significant effects on the data subject.
Accordingly, full transparency must be ensured, and the data subject must be informed in a way that allows them to understand the decision and challenge it effectively.
The ruling reinforces the protection of data subjects by confirming their right to contest an individual automated decision, unless the controller can demonstrate that one of the exceptions provided for in Article 22(2) applies—namely, where the decision is:
- necessary for the performance of a contract,
- authorised by Union or Member State law, or
- based on the data subject’s explicit consent.
This decision underscores the importance of balancing the protection of trade secrets with the fundamental rights to data protection and transparency.
CNIL Control Priorities for 2025
For the year 2025, the CNIL announced that its controls will mainly focus on data collection through mobile applications, the cybersecurity of local authorities, and data processing by the prison administration.
These priority areas reflect the areas where the CNIL has identified increased risks to individuals' rights and freedoms. Mobile applications, for example, often collect significant amounts of personal data, sometimes without sufficient transparency.
Key takeaways:
- Preparation for inspections: Entities operating in these sectors must proactively prepare for inspections by assessing and strengthening their GDPR compliance.
- Documentation: It is essential to maintain comprehensive and up-to-date documentation of data processing activities to demonstrate compliance in the event of a supervisory authority's audit.
European Controls on the Right to Erasure
The CNIL and its European counterparts have launched a series of controls to verify the implementation of the right to erasure, following its selection as a European investigation theme for 2025.
The right to erasure allows individuals to request the deletion of their personal data. The authorities will examine how organizations handle these requests, particularly in terms of response times and effective measures taken to delete the data concerned.
Key takeaways:
- Clear processes: Organizations must have transparent and efficient procedures for handling erasure requests.
- Demonstrable compliance: It is important to be able to demonstrate that erasure requests are being processed in accordance with GDPR requirements.
Extension of UK Adequacy Decision
The European Commission has proposed a six-month extension of the adequacy decision concerning the United Kingdom, extending the free flow of data until December 27, 2025.
This extension aims to provide more time to assess whether the UK continues to offer an adequate level of data protection, particularly in light of its recent legislative reforms in data protection.
Key points:
- Ongoing monitoring: Organizations should stay informed about developments regarding data transfers between the EU and the UK.
- Planning: It may be prudent to plan alternative measures for data transfers in case adequacy is not renewed after the extension.
🚀 Dastra's March news overview:
We are now certified ISO 27001 and 27701!
Data Migration to Dastra to start your transition smoothly, available here!