Last Updated on May 21, 2025

GDPR Fines in France: What Managers Can Learn from Recent CNIL Decisions

GDPR fines in France show CNIL enforcement is rising. Weak consent, poor governance, and security gaps hit managers with major penalties.


Role of the Commission nationale de l’informatique et des libertés (CNIL)

CNIL is France’s data protection authority. It investigates complaints, runs inspections, and can issue corrective measures, including formal notices, orders to comply, and financial penalties. CNIL also publishes many enforcement updates in English and French, which makes it a strong reference point for managers who want to learn from real cases.


What matters for managers is that CNIL decisions often focus on governance basics, not just technical controls. For example, the regulator checks whether the organisation had a valid legal basis, clear information for people, reliable consent flows, and security measures that match the risk level.

Trends in recent sanction amounts

Two clear trends stand out:

  • More enforcement volume: CNIL reported 87 sanctions in 2024, with total fines of €55.2m, supported by a simplified procedure that increased the number of decisions.

  • Very large penalties where the impact is massive: In 2025–2026, CNIL issued major penalties tied to high-traffic digital practices and large-scale data incidents, such as Google €325m and Shein €150m for cookie-related failures, plus telecom and public-sector security cases in early 2026.

Breakdown of Recent High-Profile Fines

Transparency failures

CNIL repeatedly penalises situations where people are not told clearly what happens to their data, or where the user journey nudges them into acceptance.

A strong example is the Google €325m decision (September 2025). CNIL cited problems including advertisements inserted between Gmail emails without consent, and invalid consent flows connected to cookie placement during account creation. The decision shows how transparency and consent design can become a board-level risk when the user base is large.

Weak consent mechanisms

Cookie consent remains a high-enforcement area in France. CNIL’s action plan on cookies has produced repeated large sanctions across multiple years.

Two high-impact examples:

  • Shein €150m (September 2025): CNIL stated that cookie rules were not respected for users visiting shein.com, with failures tied to how cookies were placed and managed.

  • Criteo €40m (June 2023): The case is widely referenced because it links adtech practices to GDPR obligations around user rights and valid grounds for processing in personalised advertising ecosystems.

Practical takeaway for managers: CNIL does not only check whether a banner exists; it checks whether consent is freely given, informed, and as easy to refuse as to accept, and whether the organisation can prove it.

Data security gaps

Security cases show that CNIL will fine organisations when protections are not strong enough for the risk, especially when large datasets are involved.

For non-technical managers, this is a reminder that security is not just an IT job. It is a management responsibility to fund, prioritise, and verify controls that protect personal data.

This is precisely why managers benefit from targeted training such as Les Essentiels Du RGPD Pour Managers Non Techniques, which focuses on decision-making rather than technical implementation.

Why Managers Were Implicated

Accountability principle

Under GDPR, organisations must not only comply, they must be able to demonstrate compliance. In practice, CNIL decisions often reveal weak evidence trails: unclear ownership, missing records, or incomplete validation of key processes like consent, retention, and incident response.

Governance failures

Managers get exposed when:

  • Consent and transparency are treated as a marketing UI issue, not a compliance control.

  • Security risks are known but not fixed, or fixes are not verified.

  • Data protection is not embedded into product changes, vendor decisions, and day-to-day operations.

CNIL’s annual reporting shows enforcement attention across many categories, which is why basic governance routines (reviews, approvals, monitoring) matter as much as policies.

Financial and Reputational Impact on Organisations

Financial impact is not limited to the fine. There can also be:

  • Remediation cost: reworking consent journeys, rebuilding data flows, improving security controls, and retraining teams.

  • Operational constraints: compliance orders with deadlines and potential daily penalties if changes are not implemented (seen in major cookie enforcement).

  • Reputational damage: CNIL announcements can trigger media coverage and stakeholder concern, which can affect customer trust, partner confidence, and hiring.

Practical Lessons for Non-Technical Managers

  1. Treat consent as a control, not a banner: measure refusal vs acceptance friction, keep proof of consent, and re-check after any UX change.

  2. Make transparency easy to audit: keep layered notices, plain language explanations, and a reliable record of what was shown to users.

  3. Run security like a management system: assign ownership, track risk, test controls, and confirm fixes, especially for large datasets.

  4. Use CNIL reporting as a quarterly board input: it shows where enforcement is heading and helps you prioritise.

  5. Vendor and adtech oversight is non-negotiable: map who processes what, why, and on what basis, and ensure rights handling works end-to-end.

To effectively take on this role, many professionals turn to Les Essentiels Du RGPD Pour Managers Non Techniques, a French course specifically designed to make GDPR accessible and actionable for non-technical managers.

GDPR Enforcement is Increasing – What It Means for Managers

Chart: CNIL total fines and number of sanctions in France, 2019–2025 (bars show total fines in millions of euros, the line shows the number of sanctions).

Year  Total fines  Sanctions
2019  €50.6M       7
2020  €99.8M       8
2021  €210.3M      12
2022  €101.3M      21
2023  €89.2M       42
2024  €55.2M       87
2025  €486.8M      83

Since GDPR came into force in 2018, enforcement activity across Europe has steadily risen — and France’s data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), is one of the most active regulators in this space. CNIL’s actions include both formal notices and financial sanctions for organisations that cannot demonstrate GDPR compliance.

For managers, this trend means prevention and leadership — not just technical fixes — are central to organisational resilience.

The Most Common Compliance Failures Identified by CNIL

CNIL’s enforcement and inspection history shows recurring compliance gaps — many of which stem from poor organisational controls rather than purely technical glitches.

Excessive Data Collection

GDPR requires that organisations only collect data that is necessary for a clearly defined purpose. CNIL and other DPAs have noted breaches where companies retained data far longer than necessary or collected more data than justified by law.

Poor Retention Policies

Retaining personal data without lawful justification is a frequent issue seen in CNIL inspections — particularly where companies rely on outdated legal bases or apply retention rules uniformly without justification.

GDPR demands data be kept no longer than necessary, and documentation of retention schedules is a key compliance requirement.

Inadequate Breach Response

Organisations that cannot demonstrate timely breach detection, response plans, or notification processes risk not only fines but also follow-on audits.

Large enforcement cases — e.g., the French telecom sector fines in early 2026 for inadequate security controls and extended data retention — highlight how weak breach response intersects with other risks.

Managerial Accountability Under GDPR

GDPR is not a checklist; it is a governance-driven regulation. Leadership accountability is emphasised in multiple GDPR principles, including:

  • Accountability — management must demonstrate compliance through documentation, decision logs, and evidence of controls.

  • Risk-based approach — organisations need to assess data protection risks at the governance level and allocate resources accordingly.

Failure to do this shifts scrutiny from IT teams to departmental and executive leadership — especially where decisions relate to strategy, consent mechanisms, third-party tools, or security budgets.

Building Internal Controls to Prevent Sanctions

Effective GDPR compliance requires internal systems that embed data protection into everyday operations. Key elements include:

  • Policy ownership: clear assignment of responsibility for data processing activities and data protection decisions.

  • Training & awareness: consistent education for all departments on GDPR risks tied to their daily tasks.

  • Data inventories & records: up-to-date registers of processing activities and retention schedules.

  • Incident response plans: structured procedures to detect, report and remediate breaches with leadership oversight.

  • Third-party governance: rigorous vendor assessments and contractual controls for processors and sub-processors.

These controls help demonstrate GDPR accountability, a central theme regulators look for during investigations and audits.

Les Essentiels Du RGPD Pour Managers Non Techniques

Designed for non-technical managers. No IT background needed.

  • Understand your legal obligations
  • Make confident data decisions
  • Reduce organizational risk

A 10-Point Compliance Checklist for Department Heads

Below is a practical checklist that non-technical leaders can use to self-assess GDPR readiness (adapted from reputable sources):

  1. Document all personal data flows — know what you collect, how it moves, and where it is stored.

  2. Validate lawful basis for each processing activity (consent, performance of contract, legitimate interest).

  3. Implement clear retention rules — justify and document retention periods.

  4. Review consent mechanisms — ensure consent is freely given, specific, and easy to withdraw.

  5. Monitor and test breach detection & notification processes.

  6. Maintain a current Record of Processing Activities (ROPA).

  7. Ensure vendor data protection commitments through contracts and audits.

  8. Conduct regular privacy impact assessments (DPIAs) for high-risk activities.

  9. Train employees on GDPR principles relevant to their role.

  10. Hold periodic GDPR governance reviews at leadership level, and incorporate compliance metrics into strategic reporting.

Executive Governance Perspective

From IT Issue to Board-Level Risk

In the early years of GDPR, many organisations treated data protection as a technical or legal issue. That approach no longer works. Today, GDPR enforcement in France clearly shows that data protection failures are governance failures.

The Commission nationale de l’informatique et des libertés (CNIL) has repeatedly imposed significant fines across sectors, including retail, telecom, advertising technology, and public institutions. GDPR allows fines of up to €20 million or 4% of global annual turnover (Article 83 GDPR), making data protection a financial and strategic risk for leadership.

Boards now face questions such as:

  • Do we know where all personal data sits?

  • Can we demonstrate lawful basis for every processing activity?

  • Is breach reporting structured and tested?

  • Is privacy embedded into new product decisions?

If the answer to any of these is unclear, the risk is not technical — it is executive.

How CNIL Investigations Begin

CNIL investigations do not start randomly. They typically arise from identifiable triggers.

Complaints

A large proportion of CNIL investigations begin with complaints from individuals. Under GDPR, any data subject can file a complaint if they believe their rights have been violated.

CNIL receives thousands of complaints annually. These often relate to:

  • Direct marketing without consent

  • Failure to honour data access or deletion requests

  • Unclear privacy notices

If complaints reveal systemic governance issues, investigations escalate quickly.

Breach Notifications

Under Article 33 GDPR, organisations must notify the regulator within 72 hours of becoming aware of a personal data breach.

Late notifications, incomplete incident reports, or repeated security weaknesses can trigger deeper regulatory review.

Executives should understand that breach handling is a governance test. Regulators evaluate:

  • Was there an incident response plan?

  • Was leadership informed?

  • Were risks assessed properly?

Sector-Wide Audits

CNIL also conducts thematic inspections in targeted sectors, such as cookies, public services, health data, and employment practices.

These audits focus on recurring risk areas and often result in multiple sanctions within the same industry. This means risk exposure may be sector-driven, not company-specific.

For boards, this reinforces the need to monitor regulatory priorities proactively.

Governance Failures Behind Major Fines

Reviewing CNIL’s major enforcement decisions shows common patterns:

  • Weak oversight of consent mechanisms

  • Insufficient vendor due diligence

  • Lack of documented risk assessments

  • Poor security governance

  • Absence of clear accountability

The GDPR accountability principle (Article 5(2)) requires organisations to not only comply but to demonstrate compliance.

In many high-profile cases, fines were not simply due to a breach, but due to inadequate internal governance controls.

This is where executive responsibility becomes visible.

Cost of Non-Compliance Beyond the Fine

Financial penalties are only part of the impact.

Loss of Customer Trust

Public sanctions often attract media attention. When customers see that their data was mishandled, confidence declines.

Research consistently shows that consumers are less likely to engage with organisations that mishandle personal data.

Loss of trust can affect:

  • Customer retention

  • Conversion rates

  • Brand value

Operational Disruption

Sanctions frequently come with corrective measures, deadlines, or restrictions.

GDPR Article 58 gives regulators the power to:

  • Order suspension of processing

  • Restrict certain operations

  • Require structural remediation

For organisations heavily dependent on data processing, such measures can disrupt operations more severely than the financial penalty itself.

Embedding GDPR into Strategic Decision-Making

To prevent escalation to regulatory scrutiny, GDPR must be integrated into strategic processes. Executive-level integration includes:

  1. Including privacy risk in enterprise risk management frameworks

  2. Requiring privacy impact assessments (DPIAs) for new products

  3. Reviewing vendor contracts at board level for data risk exposure

  4. Monitoring CNIL enforcement trends as part of quarterly reporting

  5. Linking data governance metrics to executive KPIs


Data protection maturity today signals governance quality. Regulators increasingly assess whether privacy is embedded in strategy rather than treated as an afterthought.

For executives, the key message is simple:

GDPR is no longer a compliance task. It is a governance obligation.

Practical Manager Survival Guide

The Reality of GDPR Fines in France

GDPR enforcement in France is active and consistent, with CNIL imposing significant penalties in recent years. These fines often result from failures in transparency, consent, or organisational security and can apply even to non-EU firms operating in the French market. For example:

  • In 2025, CNIL fined fast-fashion platform Shein €150 million for placing tracking cookies without valid user consent — one of the largest GDPR fines in Europe.

  • In the same enforcement wave, Google received a €325 million penalty for inserting personalised ads and cookies without clear consent.

  • In January 2026, telecom companies FREE MOBILE and FREE were fined a combined €42 million for failing to implement basic security measures that exposed millions of subscribers’ personal data following a breach.

  • Public institution FRANCE TRAVAIL was fined €5 million for inadequate security protections that led to the exposure of job seekers’ sensitive information.

These examples show that GDPR fines in France are not theoretical risks — they affect major corporations and public organisations alike.

Top Mistakes That Trigger CNIL Sanctions

Understanding these common compliance failures helps managers prevent serious issues.

Misuse of Employee Data

GDPR places strict limits on processing employee personal data. Fines have been issued in cases involving excessive surveillance or data processing without lawful basis, especially in workplace contexts such as video monitoring or remote access systems.

Poorly implemented employee data controls show a management oversight failure, not just a technical issue.

Marketing Consent Issues

Consent problems are among the most frequent triggers of enforcement actions. Regulators often find consent mechanisms that are pre-ticked, unclear, or designed to favour acceptance, which does not meet GDPR’s requirements for freely given, specific, and informed consent.

For example, cookie-related fines like those against Shein and Google reflect broader trends where insufficient consent practices put companies at risk.

Insecure Cloud Tools

Using cloud services without verifying their data protection controls is a common regulatory concern. Security lapses — whether due to misconfiguration, weak access policies, or lack of encryption — can expose data and lead to breach-related fines similar to those CNIL imposed in the FREE MOBILE case.

Other common GDPR mistakes include lack of training, incomplete data inventories, weak breach response planning, and insufficient documentation — all of which can draw CNIL scrutiny.

What Managers Must Document

GDPR’s accountability principle means you must be able to prove compliance. Key documentation includes:

  • Record of Processing Activities (ROPA): A complete and current inventory of all personal data processing operations.

  • Consent Logs: Records of how, when, and by whom consent was collected and whether it can be withdrawn.

  • Data Protection Impact Assessments (DPIAs): Especially for high-risk processing, properly documented DPIAs show you’ve evaluated and mitigated privacy risks.

  • Security Assessments & Controls: Evidence of risk assessments, security measures, and breach response plans — all needed to demonstrate readiness if CNIL asks.

These documents not only satisfy regulators but help managers make informed decisions about risks and priorities.

How to Prepare for a CNIL Audit

Being audit-ready is not optional. CNIL inspections can occur without notice and focus on evidence of practical compliance, not just written policies. Preparing means:

  1. Conduct internal GDPR audits that mirror what CNIL would review.

  2. Review your ROPA and retention schedules for accuracy and completeness.

  3. Check consent mechanisms (banners, CMPs, withdrawal flows) for alignment with current standards.

  4. Test breach notification processes to verify timelines and communications.

  5. Document risk treatment decisions showing how you measured and mitigated risks.

Preparation transforms an audit from a stressful inspection into a structured compliance exercise.

Immediate Actions You Can Take This Week

Start with these steps:

  • Update your ROPA: Identify all processing activities, legal bases, and controllers/processors — and make sure this inventory reflects reality.

  • Review consent tools: Turn off scripts or tags that run before valid consent and log decisions.

  • Scan cloud services: Confirm you have current security assessments and contracts with appropriate data-processing clauses.

  • Check breach protocols: Confirm your team knows how to detect, record, and notify incidents within 72 hours.

  • Train key staff: Hold a brief refresher session on GDPR principles and your internal procedures.

These practical steps reduce immediate risk and start building a culture that CNIL wants to see.
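The two steps above that are easiest to get wrong in code are "turn off scripts or tags that run before valid consent" and keeping a consent log that records how, when and under which notice a choice was made (the Consent Logs item under "What Managers Must Document"). The following is an added illustration, not code from this article or from the course it promotes: a minimal consent gate in plain JavaScript. Tags are registered against a purpose and held back until an explicit, logged decision exists for that purpose; accepting and refusing are both single-step calls, so refusal costs no more effort than acceptance; and every decision and withdrawal is appended to an audit trail with a timestamp and the version of the notice shown. The purpose names, the notice version string and the injected clock are hypothetical values constructed for the example.

```javascript
// Added example (not from the original article): a minimal consent gate with
// an auditable consent log. Runs in Node or a browser; it touches no DOM so it
// can be exercised offline. All names and values below are hypothetical.

const NOTICE_VERSION = "2025-09-v1"; // constructed: version of the notice text shown to the user

function createConsentManager(clock = () => new Date()) {
  const purposes = new Set(["analytics", "advertising"]); // constructed purpose list
  const queued = new Map();   // purpose -> tag functions waiting for a decision
  const granted = new Map();  // purpose -> boolean; absent means no decision yet
  const log = [];             // append-only audit trail of decisions and withdrawals

  function record(event, extra) {
    log.push({ event, at: clock().toISOString(), notice: NOTICE_VERSION, ...extra });
  }

  // Register a tracking tag for a purpose. It runs immediately only when consent
  // for that purpose has already been granted; otherwise it is queued.
  function register(purpose, tag) {
    if (!purposes.has(purpose)) throw new Error(`unknown purpose: ${purpose}`);
    if (granted.get(purpose) === true) {
      tag();
      return true;
    }
    if (!queued.has(purpose)) queued.set(purpose, []);
    queued.get(purpose).push(tag);
    return false; // held back until a decision is logged
  }

  // Apply an explicit decision for every purpose. `choices` maps purpose -> boolean;
  // `method` documents how the choice was made so the log can show it was not implied.
  function decide(choices, method) {
    for (const p of purposes) {
      if (typeof choices[p] !== "boolean") throw new Error(`no explicit choice for ${p}`);
    }
    for (const p of purposes) {
      granted.set(p, choices[p]);
      if (choices[p]) {
        (queued.get(p) || []).forEach((tag) => tag()); // release tags queued for this purpose
        queued.delete(p);
      }
    }
    record("decision", { method, choices: { ...choices } });
  }

  // Withdrawal revokes every purpose and is logged like any other decision.
  function withdraw() {
    for (const p of purposes) granted.set(p, false);
    record("withdrawal", {});
  }

  function isGranted(purpose) {
    return granted.get(purpose) === true;
  }

  // Return a copy so callers cannot alter the audit trail.
  function auditLog() {
    return log.map((entry) => ({ ...entry }));
  }

  return { register, decide, withdraw, isGranted, auditLog };
}

// Both banner buttons map to one call each, so refusing takes no more steps than accepting.
function acceptAll(manager) {
  manager.decide({ analytics: true, advertising: true }, "accept_all");
}

function refuseAll(manager) {
  manager.decide({ analytics: false, advertising: false }, "refuse_all");
}
```

In a real deployment the `register` calls replace the unconditional `<script>` tags for analytics and advertising vendors, the two helpers are wired to the banner's buttons, and `auditLog()` is persisted server-side so that the record of what was shown and what was chosen survives a UX change; checking that queued tags never fire before a decision is the test to re-run after every banner redesign.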

CNIL Enforcement Trends for 2025–2026

As we move into 2025–2026, GDPR enforcement in France continues to evolve from isolated penalties to ongoing regulatory oversight and governance expectations. CNIL remains one of the most active data protection authorities in Europe, and its guidance expands into emerging technologies such as AI systems.

CNIL published recommendations on AI system development to help organisations balance innovation with respect for individuals’ data rights — a clear regulatory trend that GDPR enforcement is extending into technology domains such as AI governance.

This trend reflects a broader shift in data protection: regulators now expect organisations to demonstrate governance structures and evidence controls, not just meet minimal compliance checkboxes.

Intersection of GDPR with NIS2 and AI Regulation

The regulatory landscape is no longer siloed. GDPR now intersects with other EU frameworks like NIS2 (cybersecurity) and the EU Artificial Intelligence Act (AI Act) — both of which impose governance, reporting, and accountability requirements that overlap with GDPR obligations.

For example, NIS2 and GDPR reporting obligations can apply to the same incident, but with different timelines and targets — GDPR focuses on data breach notifications to the data protection authority, while NIS2 requires cyber incident reporting to national cybersecurity bodies.

This means organisations must build integrated incident response playbooks and governance processes that satisfy multiple regimes simultaneously, rather than treating GDPR compliance independently.

Similarly, the AI Act’s governance requirements for high-risk AI systems complement GDPR principles like privacy by design, documentation, and risk assessment — urging organisations to align privacy and AI governance frameworks.

Why Operational Managers Face Greater Scrutiny

Regulatory expectations are shifting from purely documentation and technical controls toward operationalised evidence of governance and accountability. In other words, it’s no longer enough to have a policy; organisations must demonstrate how controls actually work in practice and who is accountable.

This heightened scrutiny affects operational managers because they sit at the intersection of compliance, risk management, and daily execution. Regulators increasingly focus on whether teams can demonstrate:

  • Clear ownership for data processing and risk mitigation

  • Integration of privacy and security controls into operational workflows

  • Evidence of ongoing monitoring and documentation that reflects actual practices

Organisations that treat compliance as a back-office checklist rather than a proactive governance discipline risk deeper investigations and extended audits.

Creating a Proactive Compliance Culture

To thrive in this future compliance landscape, organisations must build a proactive compliance culture that moves beyond reactionary approaches. A proactive culture involves:

  • Embedding compliance considerations into strategic decision-making

  • Aligning privacy, cybersecurity, and emerging tech governance into a unified framework

  • Promoting cross-functional accountability throughout product, security, legal, and data teams

Integrated governance helps organisations meet overlapping requirements under GDPR, NIS2, and the AI Act more efficiently, while also strengthening resilience to regulatory scrutiny.

In practice, a culture like this means leadership encourages:

  • Regular risk assessments tied to business outcomes

  • Documentation of decisions and risk treatment measures

  • Routine compliance health checks based on evidence and outcomes rather than policy statements

Training as a Risk Mitigation Strategy

Training is a core pillar of proactive compliance. Organisational research and regulatory guidance emphasise training to ensure that data protection principles are understood and applied across all levels of the organisation — not just within legal or IT teams.

With emerging tech such as AI, additional specialised training is required to help teams understand how privacy intersects with innovation and risk — for example, how personal data used in AI training must adhere to GDPR principles.

Effective training helps organisations:

  • Reduce compliance gaps caused by misunderstanding or poor execution

  • Build a shared language around privacy, security, and risk across functions

  • Foster an environment where compliance is seen as a strategic enabler rather than an overhead

Frequently Asked Questions

CNIL (Commission nationale de l’informatique et des libertés) is France's data protection authority. It investigates complaints, conducts inspections, and can issue corrective measures including formal notices, compliance orders, and financial penalties for GDPR violations.

Managers are implicated when consent, transparency, and security are weakly governed. Issues like unclear data ownership, poor oversight of vendors, or failure to embed data protection into operations make managers accountable under GDPR.

Recent trends include increasing enforcement volume and very large penalties. For example, CNIL issued 87 sanctions totaling €55.2M in 2024 and high-profile fines like Google (€325M) and Shein (€150M) in 2025 for consent and cookie-related failures.

Common failures include transparency issues, weak consent mechanisms, excessive data collection, poor data retention policies, and inadequate data security, particularly when large datasets are involved.

Managers should treat consent as a control, ensure transparency is easy to audit, manage data security as a management system, use CNIL reporting to guide board decisions, and maintain oversight of vendors and adtech partners.

Non-technical managers should focus on governance: measure consent processes, maintain evidence of compliance, track security risks, audit transparency practices, and enforce vendor accountability to prevent fines and reputational damage.

Beyond the fines themselves, organizations may face remediation costs, operational constraints from compliance orders, and reputational damage that affects customer trust, partner confidence, and employee engagement.

Since 2018, CNIL enforcement activity has steadily risen, reflecting a shift from purely technical compliance checks to broader governance and managerial accountability.

Yes, cookie consent remains a high-enforcement area. CNIL emphasizes that consent must be freely given, informed, and as easy to refuse as to accept. Failure to do so has led to multi-million-euro fines.

Courses like RGPD Essentials for Non-Technical Managers provide practical guidance on decision-making, compliance oversight, and translating technical GDPR requirements into actionable managerial controls.