resources
chevron blanc pointant vers la droite
Sanctions 2025 - Group turnover

CNIL sanctions 2025: impact of global turnover

A strategic reading of the recent decisions of the CNIL and their implications for data governance.

Posted by
Joanna Masson
.
30 Oct 2025

CNIL sanctions 2025: when the group's worldwide turnover determines the amount of the fine

The year 2025 marks a turning point in the regulation of personal data.

With sanctions reaching 325 million euros against Google (€200 million for Google LLC and €125 million for Google Ireland Limited), 150 million euros against SHEIN, 900,000 euros against SOLOCAL or even 100,000 euros for illicit video surveillance, the CNIL has reached a new level in terms of amounts and firmness.

But beyond the figures, a major lesson is emerging and is profoundly changing risk analysis: the calculation of the fine based on the group's worldwide turnover, whether it is a question of GDPR or ePrivacy breaches.

Facade of a French administrative building, symbol of the rigor and continuity of public action — like the position of the CNIL in 2025.

1. What changes in 2025: the application by the CNIL of European case law

1.1. The concept of” venture ” within the meaning of competition law

Recital 150 of the GDPR states that:

When administrative fines are imposed on a business, this term should, for that purpose, be understood [...] in accordance with Articles 101 and 102 of the TFEU ”.

The EDPS guidelines on administrative fines recall that the concept of enterprise corresponds to:

an economic unit that can be formed by the parent company and all the subsidiaries concerned ”.

The CJEU, in a judgment of December 5, 2023, reaffirmed that the amount of the fine must be calculated according to the real economic capacity of the person responsible, which leads to the retention of the economic unit and not the isolated legal entity.

1.2. The concrete application by the CNIL in the 2025 sanctions

First example: Google (SAN-2025-004)

The restricted training highlights:

When a subsidiary is 100% owned by its parent company, there is a rebuttable presumption of decisive influence. [...] It is necessary to take into account the turnover of the parent company in order for the fine to be effective, proportionate and dissuasive in order for the fine to be effective, proportionate and dissuasive ”.

And precise:

ALPHABET Inc. generated more than $350 billion in sales in 2024 ”.

In conclusion, the CNIL takes into account ALPHABET's turnover and not that of Google France or GIL.

Second example: SHEIN (SAN-2025-005)

The CNIL also retains economic unity:

ROADGET BUSINESS PTE LTD is a 100% owner of INFINITE STYLES SERVICES CO LIMITED. [...] The turnover of the group's parent company should be retained ”.

Again, the CNIL uses the worldwide turnover of the Singaporean company to calculate the fine.

2. Implications for organizations

2.1. Increased financial exposure

The logic is now clear: even if the breach is committed by a local subsidiary, the fine can be calculated on the basis of the group's consolidated turnover.

2.2. The revenue base is not limited to turnover derived from breaches

The CNIL expressly states this in the Google decision:

No text provides for a limitation of the base to only turnover resulting from breaches. [...] He Is it appropriate to rely on total turnover ”.

In other words:
→ the seriousness of the breach is not linked to the revenue generated,
→ economic capacity is the only thing that counts.

3. Operational lessons for groups

🔸 Reassess your financial exposure

Integrate into your risk analyses the global turnover of the group, and no longer only that of the French entity or subsidiary concerned. A local failure can now cost several tens or even hundreds of millions of euros if you are part of an international group.

🔸 Strengthen group governance

Establish control and supervision mechanisms at the parent company level to ensure the compliance of all subsidiaries. The presumption of decisive influence comes into play when a subsidiary is 100% owned by its parent company.

🔸 Document autonomy (if applicable)

If a subsidiary operates in a truly autonomous manner, document this autonomy in an attempt to overturn the presumption of decisive influence of the parent company. Warning: this presumption is rebuttable but difficult to overturn.

🔸 Treat cookies with the same level of requirement as the GDPR

Cookie breaches now expose them to the same levels of sanctions as GDPR breaches.

Conclusion: a major break

The sanctions imposed by the CNIL in 2025 mark a breakthrough: the calculation of fines based on the group's turnover, including for ePrivacy breaches (cookies and electronic prospecting), multiplies the financial exposure of international groups.

The era of symbolic sanctions is definitely over. The CNIL now has the legal and methodological tools to impose truly dissuasive sanctions, calibrated to the real economic size of the sanctioned groups.

For international organizations, compliance is becoming a strategic and budgetary imperative. Legal departments, DPOs and general management must integrate this new approach into their governance, risk analyses and compliance budgets.

When compliance becomes strategic, The regulator's perspective becomes essential

With over 20 years of experience, Odoné supports leading organisations with rigorous, pragmatic and accessible guidance.

Make an appointment
flèche noire pointant vers la droiteflèche noire pointant vers la droite
Did you like this article?

Share it with colleagues or friends:
Logo bleu FacebookLogo bleu LinkedinLogo bleu X