The first month of 2026 has already delivered a stark reminder to organisations across Europe: GDPR enforcement is serious, and the stakes are high. Several headline-grabbing fines this January underscore that regulators are no longer hesitating to penalise both large telecom operators and other companies for lapses in security, governance, and transparency.
Free Mobile and Free: €42 million in fines
At the top of the list are Free Mobile (€27m) and Free (€15m), fined by France's CNIL following a 2024 data breach that affected over 24 million users and exposed sensitive information such as IBANs.
The breach revealed multiple failings:
- Weak VPN authentication for remote work, enabling attackers to access subscriber data
- Insufficient detection of abnormal activity within information systems
- Failure to provide complete and comprehensible notifications to affected users
- Excessive retention of personal data, including millions of former subscriber records
The CNIL’s assessment factored in the volume of affected users, the sensitive nature of the data, and the companies’ financial capacity. The fine highlights that technical and organisational safeguards are not optional under GDPR.
Social media company: €3.5m in fines
CNIL also fined a company €3.5m for transmitting its loyalty programme data to a social network for targeted advertising without proper safeguards.
Key points from the decision:
- Consent was invalid: users were not properly informed about the transfer of their data.
- Transparency obligations were not met: information on purposes and retention periods was incomplete or misleading.
- Data security and DPIAs were insufficient: passwords were poorly hashed, and no DPIA was conducted despite the high-risk nature of the processing.
Interestingly, the CNIL did not name the company, emphasising that this practice is widespread and the educational value of the sanction did not require disclosure.
Spanish cases: €1.2m and €500K in fines
- IDCQ Hospitales y Sanidad was fined €1.2m for deleting patient data too quickly, preventing compliance with data subject access obligations
- Curenergía Comercializador was fined €500K for disclosing personal data to unauthorised parties, sending monetary claims to the wrong individuals
These cases show that GDPR violations are not limited to large-scale breaches. Operational errors and poor data handling continue to attract significant enforcement attention.
What do these fines say about GDPR enforcement?
A lot. The January fines highlight several important lessons for organisations.
First, GDPR is operational, not theoretical. Compliance cannot rely on having policies on paper, as regulators now expect demonstrable proof of effective technical and organisational measures. Security controls, notification procedures, and retention practices must be actively managed and auditable.
Second, scale and sensitivity matter. Fines are calibrated based on the number of individuals affected, the nature of the data, and the financial capacity of the company, with particularly close scrutiny on financial information, health data, and large datasets.
Third, transparency and consent are non-negotiable. The CNIL’s social media case underscores that users must fully understand how their data is used, including any transfers to third parties for advertising, and that conducting DPIAs and providing clear communication are central to demonstrating compliance.
Finally, operational lapses can be costly. Even relatively small errors, such as misdirected correspondence, insufficient cookie consent, or premature data deletion, can trigger significant fines if they violate GDPR obligations.
What should organisations do now?
- Review VPNs, remote access, and system monitoring. Technical gaps are a common enforcement trigger
- Check retention schedules. Ensure personal data is deleted when no longer necessary
- Verify consent and transparency practices. This is especially relevant for marketing and advertising processing
- Document DPIAs and security measures. CNIL looked for evidence that risks were identified and mitigated
- Treat GDPR compliance as part of day-to-day operations. These fines reinforce that GDPR is continuous, not episodic
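The retention point above is the one most easily turned into a running control. The script below is an added example, not code from the page or from any of the companies named in it: it takes a documented retention schedule (the periods here are constructed assumptions, not figures from the CNIL decisions) and sorts subscriber records into those that must be deleted, those still inside their period, those past their period but under a legal hold, and those whose category has no documented period at all. The last bucket matters: a record with no retention period is a governance gap, so it is reported rather than silently kept. The record categories, the `legal_hold` flag and the sample data are all hypothetical.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed retention schedule: days to keep each record category after
# the subscriber's contract ends. The periods are illustrative assumptions,
# not values taken from the CNIL decisions.
RETENTION_DAYS = {
    "billing": 10 * 365,    # assumed accounting retention period
    "contract": 5 * 365,    # assumed limitation period for contractual claims
    "marketing": 3 * 365,   # assumed period after the last contact
}


@dataclass
class Record:
    subscriber_id: str
    category: str
    contract_end: Optional[date]   # None means the subscriber is still active
    legal_hold: bool = False       # e.g. litigation or a regulator's request


def retention_deadline(record: Record, schedule=RETENTION_DAYS) -> Optional[date]:
    """Date after which the record must be deleted, or None while still active."""
    if record.contract_end is None:
        return None
    return record.contract_end + timedelta(days=schedule[record.category])


def audit_retention(records, today: date, schedule=RETENTION_DAYS):
    """Sort records into buckets: delete, keep, hold and unscheduled.

    Records whose category has no documented retention period go into
    'unscheduled' rather than being kept silently: an undocumented period
    is itself a finding to fix in the schedule.
    """
    result = {"delete": [], "keep": [], "hold": [], "unscheduled": []}
    for rec in records:
        if rec.category not in schedule:
            result["unscheduled"].append(rec.subscriber_id)
            continue
        deadline = retention_deadline(rec, schedule)
        if deadline is None or deadline >= today:
            result["keep"].append(rec.subscriber_id)
        elif rec.legal_hold:
            result["hold"].append(rec.subscriber_id)
        else:
            result["delete"].append(rec.subscriber_id)
    return result


# Constructed sample data for the example run (hypothetical subscribers).
SAMPLE_RECORDS = [
    Record("S1", "billing", None),                                  # active subscriber
    Record("S2", "marketing", date(2021, 6, 30)),                   # left more than 3 years ago
    Record("S3", "marketing", date(2024, 11, 1)),                   # left within the last 3 years
    Record("S4", "contract", date(2019, 3, 15), legal_hold=True),   # period expired, but on hold
    Record("S5", "billing", date(2014, 1, 1)),                      # 10-year period expired
    Record("S6", "support-notes", date(2020, 1, 1)),                # no documented period
]


def sample_audit(today: date = date(2026, 1, 31)):
    """Run the audit over the constructed records as of a fixed reference date."""
    return audit_retention(SAMPLE_RECORDS, today)


if __name__ == "__main__":
    for bucket, ids in sample_audit().items():
        print(f"{bucket:12s} {ids}")
```

Run against a real subscriber store, the "delete" bucket would feed a deletion job and the "unscheduled" bucket a ticket to the data protection officer; both outputs, together with the schedule itself, are the kind of auditable evidence the lessons above say regulators now look for.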
These January 2026 fines reinforce that regulators are prioritising real-world accountability. Organisations must implement effective safeguards, monitor systems, and communicate clearly with users. For compliance teams, technical controls, retention policies, consent management, and operational governance must all be robust, auditable, and embedded in daily operations.
2026 promises to be a year where GDPR enforcement focuses on operational reality, and these early fines set the tone for what regulators expect.
Our 10-step guide to data protection outlines the essential actions organisations should take to build and maintain a robust data protection framework. It turns complex legal requirements into a clear, practical roadmap you can use to assess your current approach and strengthen your policies, controls and practices.