For the first time since its creation in 1978, the French Data Protection Authority fined not only a data controller but also its data processor. The CNIL imposed a 75,000 euros penalty on a processor due to insufficient security measures. This new approach completely shifts the contractual balance between processors and controllers. Whether it be during negotiations or while performing their own obligations, processors are no longer safe. From now on, they are just as likely as controllers to be fined by the CNIL.