The latest podcast with Stefan Brink and Niko Härting focuses mainly on (non-German) fines.
First, we discuss (01:34) the annual review of sanctions and regulatory measures for 2025 published by the French CNIL in February. In it, the authority reports that it imposed a total of 83 sanctions amounting to a total fine of €486.8 million. In total, the CNIL issued 259 decisions, including 143 orders to ensure data protection compliance and 31 reminders of legal requirements. Wow.
Niko and Stefan then (18:12) discuss a €3.5 million fine imposed by the CNIL for the sharing of customer data with social media platforms. In December 2025, the CNIL sanctioned the sports retailer Intersport for targeted advertising within its loyalty programme, which has around 10.5 million members in France alone.
The discussion then turns (29:27) to a decision by the UK’s data protection authority, the ICO: the UK data protection authority has fined Reddit £14.47 million for unlawfully processing data from children under the age of 13 due to a lack of age verification.
This is followed (36:46) by a decision from the Dutch data protection authority, which, in notices dated February 2026, imposed fines of €25,000 each on ten Dutch municipalities (including Delft and Eindhoven) because the municipalities had processed sensitive data on Muslim residents without the knowledge of those concerned.
Finally (42:56), the focus is on a decision by the Spanish data protection authority, which imposed a fine of €500,000 on the football club FC Barcelona. The reasons for this included an inadequate data protection impact assessment in connection with the processing of biometric data to update the membership directory.
A string of fines from which the German supervisory authorities could also take a leaf out of the book.