Explore the ultimate guide to GDPR & RGPD compliance for businesses in France and beyond. Learn essential data protection steps, fines, legal requirements, and future trends to stay compliant and secure personal data. Updated for 2026 with insights from CNIL, GDPR.eu, and the European Commission.
Data privacy is no longer optional. Whether you run an e-commerce store in Lyon, a SaaS startup in Paris, or a marketing agency targeting clients across the European Union, the General Data Protection Regulation (GDPR) — known in French as the Règlement Général sur la Protection des Données (RGPD) — governs every aspect of how you collect, store, and use personal data. Non-compliance is not a technicality: in 2024 alone, France's data protection authority, the CNIL, issued €55.2 million in fines across 87 sanctions, with enforcement accelerating year on year.
This pillar guide covers everything — from foundational definitions and territorial scope, to practical compliance steps, your customers' rights, the CNIL's enforcement priorities, AI governance, and what lies ahead for 2026 and beyond. Bookmark this page. Share it with your legal team. Act on it now.
• Maximum fine (higher tier): €20M or 4% of worldwide annual turnover, whichever is higher
• CNIL fines in 2024 alone: €55.2M
• Scope: all 27 EU member states and, through the EEA Agreement, Iceland, Liechtenstein and Norway
• Applicable since 25 May 2018
The General Data Protection Regulation (Regulation (EU) 2016/679), commonly abbreviated as GDPR, is the European Union's landmark law governing how organisations, both public and private, collect, process, store, and transfer the personal data of individuals located within the EU and the European Economic Area (EEA). Adopted by the European Parliament and the Council of the EU in April 2016, it entered into force in May 2016 and has applied since 25 May 2018, replacing the outdated Data Protection Directive 95/46/EC.
The GDPR is widely considered the world's strongest and most comprehensive privacy law. Its core purpose is twofold: to give individuals meaningful control over their own personal data, and to harmonise data protection rules across all EU member states, removing the patchwork of conflicting national laws that previously existed.
WHY THIS MATTERS: The GDPR does not merely regulate companies physically located in Europe. It applies to any organisation, anywhere in the world, that processes the personal data of people who are in the EU.
The regulation is structured around 99 Articles and 173 Recitals, covering everything from the fundamental principles of data processing and the legal bases for doing so, to the rights of individuals, the obligations of data controllers and processors, and the enforcement powers of supervisory authorities.
| GDPR (English) | RGPD (French) |
| General Data Protection Regulation | Règlement Général sur la Protection des Données |
| Official EU legal term | French translation of the same regulation |
| Used in EU official documents, international contexts, and English-language compliance literature | Used in all French-language official documents, CNIL communications, French legal contexts |
| Regulatory text: Regulation (EU) 2016/679 | Same legal text; same legal force |
| Applies uniformly across all 27 EU member states | Enforced in France by the CNIL under the same Articles and penalties |
GDPR and RGPD refer to the same piece of legislation. There is no difference in legal content, obligations, penalties, or scope. The distinction is purely linguistic. When the CNIL publishes guidance, it refers to the RGPD; when the European Data Protection Board (EDPB) publishes guidelines, it uses GDPR. Both terms have identical legal weight.
In France, the RGPD is complemented by the Loi Informatique et Libertés (French Data Protection Act of January 6, 1978, as substantially amended in 2018 to incorporate the GDPR). This national law fills in areas where the GDPR allows member states to legislate independently — such as the age of digital consent (set at 15 in France), specific conditions for processing employee data, and the status and powers of the CNIL itself.
One of the most transformative aspects of the GDPR is its extra-territorial reach, set out in Article 3. The regulation applies in three distinct scenarios:
If your organisation has any form of stable establishment in France — a registered office, a branch, employees, or even significant and ongoing operations — then the GDPR applies to all of your personal data processing activities, regardless of whether that processing takes place inside or outside the EU. This means even if your servers are in the US and your data team is in India, the GDPR still governs how you handle data if you have a French establishment.
Even organisations with no physical presence in France or the EU fall within the GDPR's scope if they either (a) offer goods or services to individuals in the EU (whether free or paid), or (b) monitor the behaviour of individuals in the EU. Regulators look at factors including the language of your website, the currency you display, whether you offer EU delivery, and whether you use behavioural analytics on EU-based visitors.
EXTRA-TERRITORIAL REACH: A US-based e-commerce company selling products to French customers, a Canadian SaaS platform with EU subscribers, or a Brazilian analytics firm tracking EU website visitors: all are subject to GDPR. Ignorance of jurisdiction is not a defence.
The GDPR also applies where a controller is not established in the EU but is in a place where EU member state law applies by virtue of public international law, such as EU member states' embassies or consulates abroad.
A persistent myth is that the GDPR only concerns large corporations. This is categorically false. The regulation applies to any organisation, from a solo freelancer building a newsletter to a startup with five employees, that handles personal data of EU individuals. The GDPR does provide one limited exemption: under Article 30(5), organisations with fewer than 250 employees are not required to maintain a formal Record of Processing Activities (ROPA), but only for processing that is occasional, is unlikely to result in a risk to individuals' rights and freedoms, and does not involve special categories of data (health, biometric, etc.) or criminal conviction data. In practice, most SMEs will still need a ROPA.
Here is how the GDPR applies across different business types:
Who Must Comply — By Business Type
• E-commerce websites: Must comply if selling to EU/French customers, regardless of where the business is headquartered. Cookie consent, privacy notices, and data security are mandatory.
• SaaS companies: Must establish data controller/processor roles, sign DPAs with clients, maintain records of processing, and handle international data transfer mechanisms.
• Marketing agencies: Processing personal data on behalf of clients makes you a data processor. You must sign data processing agreements (DPAs) and ensure all campaigns use lawfully collected data.
• Freelancers: If you manage a mailing list, use CRM tools, or collect contact details, you process personal data. Basic compliance (privacy notice, consent records) is required.
• Digital platforms & apps: Must display cookie banners, collect valid consent, implement user rights mechanisms, and conduct DPIAs for high-risk processing such as profiling or location tracking.
• Non-EU startups with EU users: Must designate an EU representative under Article 27 (with a narrow exemption for occasional, low-risk processing), implement all GDPR obligations, and, because the one-stop-shop mechanism is unavailable to controllers with no EU establishment, may be investigated by the supervisory authority of any member state where their users are located.
Under Article 4(1) of the GDPR, 'personal data' means any information relating to an identified or identifiable natural person (the 'data subject'). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
The definition is intentionally broad. If a piece of information can, alone or in combination with other data, lead to the identification of a living individual, it constitutes personal data under the GDPR.
| Direct identifiers | Indirect identifiers |
| Full name | IP address (in combination with other data) |
| National ID number | Cookie IDs and device identifiers |
| Passport or driving licence number | Location data (GPS coordinates, postcode) |
| Email address (personal) | Online pseudonyms or usernames |
| Residential address | Employment position + department + employer |
| Phone number | Date of birth combined with postcode |
| Photograph showing someone's face | Social media profile handles |
| Biometric data (fingerprint, facial recognition) | Transaction history linked to an individual |
IP addresses are personal data in most circumstances. The Court of Justice of the EU (CJEU) confirmed in Breyer v Germany (C-582/14, 2016) that a dynamic IP address can constitute personal data when the website operator has legal means to identify the individual behind it, for example with the help of an internet service provider. The CNIL and the EDPB take a conservative stance: IP addresses should be treated as personal data by default.
Cookies and similar tracking technologies (pixels, device fingerprints, session identifiers) that can be linked to individuals — directly or indirectly — also constitute personal data. This is why the CNIL's cookie enforcement is so robust: placing an analytics cookie without consent is not just a technical violation; it is a breach of the GDPR's fundamental principles.
PRACTICAL DISTINCTION: A cookie that stores a unique user ID is personal data. A cookie that stores only the user's preferred language ('English') is not. Context determines whether data is personal.
Personal data does not stop at the customer relationship. Everything your organisation holds about employees, contractors, job applicants, and former employees is personal data under the GDPR. This includes names, salaries, bank account details, performance appraisals, sick leave records, disciplinary notes, CCTV footage of the workplace, email monitoring logs, and geolocation data from company vehicles or mobile phones.
The CNIL has been particularly active in sanctioning employers for disproportionate employee monitoring. In January 2024, the CNIL announced a €32 million fine against Amazon France Logistique (decision of 27 December 2023) for an excessively intrusive system monitoring warehouse employees' activity and performance. Employee surveillance is lawful only if it is necessary and proportionate and employees have been properly informed in advance.
Article 9 of the GDPR identifies specific categories of data that receive heightened protection because of the particular risks their misuse poses to individuals' fundamental rights:
• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Genetic data
• Biometric data for the purpose of uniquely identifying a natural person
• Health data
• Data concerning sex life or sexual orientation
Processing these special categories is prohibited unless one of the specific conditions in Article 9(2) applies — such as explicit consent, employment law obligations, vital interests, or scientific/statistical research purposes. The bar for legitimacy is significantly higher than for ordinary personal data.
Article 5 of the GDPR establishes the foundational principles that govern all lawful data processing. These are not optional guidelines — they are legally binding obligations. Every data processing activity your organisation undertakes must be measurable against all seven of them.

Processing must be lawful (based on one of six legal grounds in Article 6), fair (not used in ways that harm individuals), and transparent (individuals must know what is being done with their data). Transparency means providing clear, accessible, plain-language privacy notices at the point of data collection.
TRANSPARENCY IN PRACTICE: You cannot obscure what you do with data in 40-page legalese. The CNIL expects privacy notices to be understandable to an ordinary person: concise, clearly structured, and written in plain French for French audiences.
Data collected for one purpose cannot be repurposed for something incompatible without a fresh legal basis or new consent. If you collect email addresses to process an order, you cannot then use those same addresses for marketing campaigns without a separate, specific legal justification. The CNIL has sanctioned numerous businesses for reusing data from loyalty programmes or third-party data brokers for commercial prospecting without ensuring the original collection was GDPR-compliant.
Organisations must collect only the data that is adequate, relevant, and limited to what is necessary for the stated purpose. Collecting date of birth 'just in case', requiring a phone number to download a PDF, or recording all employee calls rather than spot-checking — all are examples of data minimisation violations. The CNIL has explicitly called out continuous video surveillance of employees at their workstations as a data minimisation breach.
Personal data must be accurate and kept up to date. Where data is inaccurate, it must be erased or corrected without delay. This principle underpins the right to rectification (Article 16) and requires organisations to establish processes for reviewing and updating their data holdings regularly.
Personal data may be kept in an identifiable form only for as long as is necessary for the purposes for which it was collected. After that period, data must be securely deleted or anonymised. The CNIL requires organisations to define and document clear retention periods for each category of data. For example, customer billing data may be kept for 10 years under French accounting law, but marketing consent records should be refreshed or deleted after a defined period.
Data must be processed with appropriate technical and organisational security measures to protect against unauthorised access, accidental loss, destruction, or damage. Article 32 requires organisations to implement measures appropriate to the risk level — including encryption, access controls, pseudonymisation, regular security testing, and business continuity protocols. In 2026, the CNIL fined France Travail (formerly Pôle Emploi) €5 million for inadequate data security following a significant breach of jobseeker data.
The GDPR places the burden of proof on organisations: you must not only comply, but be able to demonstrate compliance. This means maintaining records of processing activities (ROPA), conducting Data Protection Impact Assessments (DPIAs) for high-risk processing, implementing privacy by design and by default, training staff, and appointing a Data Protection Officer (DPO) where required. The accountability principle transforms GDPR from a box-ticking exercise into an ongoing, documented compliance programme.
The Commission Nationale de l'Informatique et des Libertés (CNIL) is France's independent administrative authority responsible for ensuring that data protection laws — including the RGPD — are applied across all sectors, in both public and private domains. Established under the Loi Informatique et Libertés of 6 January 1978, the CNIL is one of the most active, technically sophisticated, and globally influential data protection authorities in the world.
The CNIL's primary functions include: investigating complaints from individuals; conducting targeted and routine inspections of organisations; publishing guidance, recommendations, and practical tools for compliance; issuing formal notices, sanctions, and fines; cooperating with European counterparts through the EDPB's one-stop-shop mechanism; and advising the French government on data protection implications of legislation and technology.
CNIL Enforcement Statistics
• 2024 investigations: 331 conducted; 331 corrective measures adopted
• 2024 sanctions: 87 issued
• 2024 fines: €55,212,400 (€55.2 million)
• 2024 formal compliance orders: 180 issued
• 2024 complaints received: 17,772 from individuals
• 2025 fines: €486,839,500 in total, focusing on cookies, employee monitoring, and data security
• January 2026 fines: Free Mobile €27M; Free €15M; France Travail €5M
• Key 2024 cross-border sanction: Uber, €290M, imposed by the Dutch DPA in cooperation with the CNIL
Each year, the CNIL publishes its enforcement focus areas, signalling where it will concentrate investigations. In 2024, the primary themes were:
• Cookie compliance — banner design, pre-loaded tracking, dark patterns
• Commercial prospecting — use of third-party data lists without verified consent
• Children's and minors' data — age verification, parental consent, online platforms
• Health data security — patient record access controls in healthcare establishments
• Data subject access rights — failure to respond to erasure, rectification, access requests
In 2025, the CNIL's announced priorities shifted to cookies, employee monitoring, and data security — with fines topping €486 million, a nearly ten-fold increase from 2024, reflecting both escalating enforcement capability and coordinated EU-wide actions.
The most frequent violations leading to CNIL sanctions include:
• Deploying non-essential cookies before obtaining user consent
• Using misleading or asymmetric cookie banners (dark patterns) that make acceptance easier than refusal
• Failing to respond to individual requests for data access, erasure, or rectification
• Using personal data purchased from data brokers without verifying that original consent was lawfully obtained
• Inadequate technical security measures leading to data breaches
• Continuous and disproportionate employee monitoring (video surveillance, keystroke logging, full call recording)
• Failure to cooperate with CNIL investigations — the single most common simplified-procedure violation in 2024
The CNIL provides an extensive suite of free guidance and practical tools, available at cnil.fr:
• Practical compliance sheets covering cookies, employee data, health data, security, AI, and more
• The LINC (Digital Innovation Lab) — publishing research on emerging privacy challenges
• The PIA (Privacy Impact Assessment) tool — a free software tool for conducting DPIAs
• The Référentiel (sectoral guidelines) — specific guidance for sectors like healthcare, HR, and education
• Webinars, regional outreach events, and the annual activity report
Before processing any personal data, you must identify and document a lawful basis. Article 6 of the GDPR provides six possible legal grounds. You must choose the most appropriate one for each processing activity — you cannot 'stack' multiple bases or switch between them retroactively.
The Six Legal Bases for Processing (Article 6)
1. Consent: Freely given, specific, informed, unambiguous indication of agreement. Must be as easy to withdraw as to give. Cannot be bundled or pre-ticked. Most appropriate for marketing, newsletters, non-essential cookies.
2. Contract: Processing necessary to fulfil a contract with the individual, or to take pre-contractual steps at their request. E.g., processing a delivery address to ship an order.
3. Legal obligation: Processing required by EU or member state law. E.g., keeping payroll records for tax purposes, retaining invoices under accounting law.
4. Vital interests: Necessary to protect someone's life. Narrow ground, applicable mainly in medical emergencies.
5. Public task: Processing in the exercise of official authority or a public interest task. Mainly applies to public sector bodies.
6. Legitimate interests: Balanced against the individual's rights. Most flexible ground for business purposes, but requires a three-part test: identify the interest, assess necessity, balance against individual rights. Cannot override consent where consent is the appropriate basis.
COMMON MISCONCEPTION: Legitimate interest is the most commonly invoked, and most commonly misused, legal basis. The CNIL expects a documented Legitimate Interest Assessment (LIA) demonstrating that the processing does not override individual rights. It is not a 'get out of jail free' card.
Cookie compliance in France is governed by the GDPR in combination with the ePrivacy Directive, transposed into French law as Article 82 of the Loi Informatique et Libertés. Between December 2022 and December 2024, the CNIL issued combined cookie-related fines exceeding €139 million under Article 82 alone. This framework is among the strictest in Europe.
Under CNIL guidelines, valid cookie consent must satisfy all of the following conditions:
Following its 2020 guidelines and subsequent recommendations, the CNIL enforces specific technical and design requirements for cookie banners:
CNIL ENFORCEMENT EXAMPLE: In December 2024, the CNIL issued formal compliance orders to multiple publishers for cookie banners where the 'reject' option appeared only once in vague terms ('I decline non-essential purposes') while the 'accept' option was repeated and emphasised multiple times.
The CNIL recognises that audience measurement tools are important for legitimate website operations and provides a partial exemption from consent for analytics cookies — but only where strict conditions are met:
Google Analytics, in its standard configuration, does not meet these exemption conditions because data is processed by Google (a third party) and may be used for Google's own purposes. Publishers using Google Analytics must obtain prior consent. Privacy-first analytics tools (such as Matomo in self-hosted configuration, or tools producing only anonymous aggregates) may qualify for the exemption after careful technical assessment.
The explosion of AI tools in the workplace — from ChatGPT to AI-powered CRMs, HR screening tools, customer chatbots, and analytics platforms — has created a new category of data protection risk. When employees or organisations input personal data into AI systems, they become data controllers of that processing and must comply with the GDPR. The AI system's provider may become a data processor or, in some cases, a joint controller.
Key risks associated with AI and personal data include:
• Training data leakage: AI models may memorise and reproduce personal data from training sets
• Re-identification: apparently anonymised data fed into AI systems may be re-identified through inference
• Automated decision-making: Article 22 GDPR restricts decisions based solely on automated processing that significantly affect individuals
• Unlawful data transfers: using US-based AI tools may result in personal data being transferred outside the EU without adequate safeguards
• Lack of transparency: individuals may not know their data is being processed by an AI system
In January 2024, the CNIL published its first comprehensive recommendations on the application of the GDPR to AI systems, followed by further guidance on data subject rights and informing individuals in early 2025, and recommendations on legitimate interest as a legal basis for AI training in June 2025. These recommendations cover the full AI development lifecycle.
Key requirements from the CNIL's AI guidance:
Organisations deploying AI tools (whether developed internally or procured from third parties) must assess their role in the processing chain. As the deployer, you are typically a data controller and must:
REAL-WORLD RISK SCENARIO: A French law firm that inputs client names, case details, and financial information into an unvetted AI assistant has created an unlawful data transfer and a potential breach of professional secrecy. GDPR compliance must precede AI tool adoption, not follow it.
The CNIL has begun a specific reflection process on AI in employment contexts. Organisations must establish clear internal governance frameworks covering:
For businesses in France — from freelancers to growing SMEs — achieving GDPR compliance is a structured process, not a one-time event. The following five-step roadmap draws on CNIL guidance, EDPB recommendations, and established compliance best practices.
Step 1: Conduct a Data Audit (Record of Processing Activities — ROPA)
Before you can protect data, you must know what data you hold, where it comes from, where it goes, and what you do with it. A data audit (also called data mapping) is the foundation of GDPR compliance.
Your audit should document, for each processing activity:
• What personal data is collected (categories, fields)
• The source of the data (directly from individuals, from third parties, from public sources)
• The purpose of the processing and the legal basis invoked
• Who within your organisation has access to the data
• Which third-party processors or service providers receive the data (cloud hosts, CRMs, payment providers, email tools)
• Whether data is transferred outside the EU and under what safeguard mechanism
• How long data is retained before secure deletion
This information forms your Record of Processing Activities (ROPA) — a living document you are obligated to maintain under Article 30 of the GDPR (with the limited SME exception noted above applying only where all three narrow conditions are met).
CNIL ENFORCEMENT NOTE: The CNIL has sanctioned companies with fewer than 250 employees for failing to maintain a ROPA when their processing activities were not 'occasional', which is the case for nearly every active business.
Step 2: Identify a Legal Basis for Each Processing Activity
Once you have mapped your data flows, match each processing activity to one of the six legal bases in Article 6. For marketing, newsletters, and non-essential cookies, consent is typically required. For HR processing, a combination of legal obligation and contract will often apply. For fraud prevention or security logging, legitimate interest may be appropriate after completing a Legitimate Interest Assessment.
Document your chosen legal basis in your ROPA and privacy notice. If you are relying on consent, implement systems to record when, how, and for what specific purpose consent was given, and ensure it can be withdrawn easily.
Step 3: Update Privacy and Cookie Policies
Your privacy notice must be proactively provided to individuals at the point of data collection (or within one month if data is collected indirectly). Under GDPR Articles 13 and 14, it must include:
• Your identity and contact details (and your DPO's, if applicable)
• The purposes and legal basis for each processing activity
• The legitimate interests pursued (if that is the legal basis used)
• Recipients or categories of recipients of the data
• Details of any international data transfers and safeguards in place
• Retention periods for each category of data
• A description of all data subject rights and how to exercise them
• The right to lodge a complaint with the CNIL
• Whether provision of data is a statutory or contractual requirement, and consequences of not providing it
Your cookie policy (typically integrated into or linked from the cookie banner) must describe all cookie categories used, their names, their providers, their purpose, and their lifetime. Vague descriptions such as 'to improve your experience' do not meet CNIL standards.
Step 4: Implement Data Security Measures
Article 32 requires appropriate technical and organisational measures proportionate to the risk. For most SMEs, this means at minimum:
• Encrypting personal data at rest and in transit (TLS/HTTPS for all web traffic, encrypted database storage)
• Implementing role-based access control — staff should only access data necessary for their role
• Using strong, unique passwords and multi-factor authentication for all systems holding personal data
• Maintaining an up-to-date inventory of software, patching vulnerabilities promptly
• Establishing a data breach response procedure: Article 33 gives you 72 hours from becoming aware of a breach to notify the CNIL, unless the breach is unlikely to result in a risk to individuals' rights and freedoms; where the risk is high, Article 34 also requires informing the affected individuals without undue delay
• Signing Data Processing Agreements (DPAs) with all third-party vendors who process data on your behalf
• Pseudonymising data where possible to reduce risk in the event of a breach
Step 5: Prepare for Data Subject Rights Requests
Individuals have the right to contact you at any time to exercise their GDPR rights. You must respond within one month (extendable to three months in complex cases, with notification to the requester). Prepare by:
• Designating a clear point of contact for data requests (an email address such as privacy@ or dpo@)
• Documenting your internal process for verifying identity, locating data, and responding within the deadline
• Building the technical capability to export data in a machine-readable format (for portability requests)
• Training frontline staff to recognise and escalate incoming data rights requests without delay
Every individual has the right to obtain confirmation of whether their personal data is being processed, and if so, to receive a copy of that data along with supplementary information including: the processing purposes, data categories, recipients, retention periods, the existence of automated decision-making, and the data's source if not collected from the individual directly. The first copy must be provided free of charge.
Individuals can request correction of inaccurate personal data and completion of incomplete data. Organisations must act without undue delay — in practice, within one month — and must notify any third parties to whom the data was disclosed of the correction, unless this is impossible or disproportionate. The CNIL received a significant volume of complaints in 2024 relating to organisations ignoring rectification requests.
The right to erasure requires organisations to delete personal data without undue delay when one of the following grounds applies:
• The data is no longer necessary for the purpose for which it was collected
• The individual withdraws consent (where consent was the legal basis) and there is no other legal basis
• The individual successfully exercises the right to object and there are no overriding legitimate grounds
• The data has been unlawfully processed
• Erasure is required by EU or French law
• Data was collected from a minor in relation to an online service
The right to erasure is not absolute. It does not apply where processing is necessary for the exercise of freedom of expression, compliance with legal obligations, public health purposes, archiving in the public interest, or the establishment or defence of legal claims.
Where processing is based on consent or a contract, and is carried out by automated means, individuals have the right to receive their personal data in a structured, commonly used, and machine-readable format (such as CSV or JSON), and to transmit that data to another controller. This right applies to data the individual has 'provided' — which includes not just forms they completed, but data generated by their observed activity (search history, location data, purchase history).
Individuals have the right to object, at any time, to processing based on legitimate interests or public task, including profiling. Upon receiving an objection, the organisation must stop processing unless it can demonstrate compelling legitimate grounds that override the individual's interests. For direct marketing specifically, the right to object is absolute — organisations must stop processing for marketing purposes immediately upon receiving an objection, with no exceptions.
Individuals can request that processing be restricted (i.e., paused rather than deleted) in specific circumstances — such as when they contest the accuracy of the data, when processing is unlawful but they prefer restriction to erasure, or when they have objected and a decision is pending.
The most common compliance gap for SMEs is an absent, outdated, or incomprehensible privacy policy. Copying a policy from another website does not constitute compliance: your privacy notice must accurately reflect your own processing activities, state each purpose and its legal basis, identify the recipients or categories of recipients of the data (including the processors you use), give retention periods, and be updated whenever your data practices change. The CNIL expects privacy notices to be provided before or at the moment of data collection, written in plain language, and easily accessible from every page of your website.
Pre-loading analytics or advertising scripts before consent is obtained remains the most frequently cited cookie violation. This includes sites that display a banner but allow tag manager scripts to fire before user action, and sites whose 'reject' option is hidden, requires multiple clicks, or uses ambiguous language. A quick check: clear cookies, load the page in a browser with the developer tools network tab open, and do not touch the banner; any request to an analytics or advertising domain at that point means tags are firing before consent. The CNIL's enforcement in this area is relentless: it has fined Google (€150M), Facebook (€60M), TikTok, Orange, Shein, and many others for cookie violations.
Asking website visitors to provide their phone number, date of birth, or job title in exchange for a free ebook is a data minimisation violation if those fields are not genuinely necessary for the stated purpose. Similarly, retaining customer data indefinitely — rather than applying defined retention periods — is a storage limitation violation. Audit your forms and data collection points regularly and apply the 'minimum necessary' test to every field.
Failing to respond to a Subject Access Request (SAR), erasure request, or objection to direct marketing within the one-month deadline is both a GDPR breach and a common subject of CNIL complaints. The month runs from receipt of the request; Article 12(3) allows an extension of up to two further months for complex or numerous requests, but only if you inform the individual of the extension and the reasons for it within the first month. In 2024, 23 of the CNIL's simplified procedure sanctions specifically concerned failures to honour data access requests, and 16 of those were purely access-related. Implement a clear internal process with a tracked workflow for receiving, verifying, and responding to all data rights requests on time.
GDPR compliance is not solely the DPO's responsibility. Every employee who handles personal data — including salespeople using CRM tools, customer service staff handling inquiries, HR managing payroll, and IT managing systems — must understand their basic data protection obligations. A data breach caused by an untrained employee clicking a phishing link or sending data to the wrong recipient is still the organisation's responsibility. Implement annual GDPR training, documented attendance records, and role-specific briefings for high-risk functions.
Every third-party vendor that processes personal data on your behalf — your cloud hosting provider, your email marketing platform, your accounting software, your HR system — must be covered by a written Data Processing Agreement (DPA) that meets the requirements of GDPR Article 28. Many SMEs overlook this requirement, particularly for tools added informally by individual team members without legal review. Maintain a processor register and ensure DPAs are in place and regularly reviewed.
To learn more about how to navigate these common mistakes and protect your company from GDPR compliance risks, consider enrolling in our RGPD Essentials for Non-Technical Managers course. This course will provide you with a comprehensive understanding of GDPR basics, offering insights for managers to apply the right practices within their organization.
A Consent Management Platform automates the collection, recording, and management of user consent for cookies and tracking technologies. For French/EU compliance, your CMP must be configurable to meet CNIL standards — including equal prominence for accept/reject buttons, granular consent by purpose, automatic blocking of scripts before consent, and consent log storage. Leading CMPs include Axeptio, Didomi, Cookiebot, OneTrust, and CookieYes — though always verify the specific configuration meets CNIL requirements, as out-of-the-box setups are not always compliant.
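The two CMP behaviours described above (automatic blocking of scripts before consent, and storing a consent log) are also the technical answer to the cookie violation described earlier, where tags fire before the visitor has acted. The following JavaScript is an added example, not code from any CMP vendor or from this guide: tracking tags ship as inert `type="text/plain"` scripts and are turned into real scripts only for purposes the visitor explicitly chose. The purpose names, the six-month re-consent window, the example URLs and the in-memory stand-in for the browser DOM are constructed assumptions for illustration.

```javascript
// Added example of a minimal consent gate (not a real CMP). Purpose names,
// the re-consent window and the fake DOM below are assumptions for illustration.

const PURPOSES = ["analytics", "advertising"];
const RECONSENT_MS = 6 * 30 * 24 * 60 * 60 * 1000; // assumed: ask again after ~6 months

// A consent record exists only after an explicit click. Any purpose the user
// did not tick defaults to false, so silence or a closed banner is never consent,
// and "reject all" yields a record (and a log entry) just like "accept all".
function buildConsentRecord(choices, now = Date.now()) {
  const purposes = {};
  for (const p of PURPOSES) purposes[p] = choices[p] === true;
  return { version: 1, timestamp: now, purposes };
}

// A purpose is allowed only if a record exists, is inside the re-consent
// window, and explicitly grants that purpose.
function isPurposeAllowed(record, purpose, now = Date.now()) {
  if (!record || typeof record.timestamp !== "number") return false;
  if (now - record.timestamp > RECONSENT_MS) return false;
  return record.purposes[purpose] === true;
}

// Tags are written in the HTML as
//   <script type="text/plain" data-consent-purpose="analytics" src="..."></script>
// Browsers never execute type="text/plain", so nothing fires on page load.
// After a choice, only consented tags are cloned into real <script> elements.
function activateConsentedScripts(doc, record, now = Date.now()) {
  const activated = [];
  const inert = doc.querySelectorAll('script[type="text/plain"][data-consent-purpose]');
  for (const el of inert) {
    const purpose = el.getAttribute("data-consent-purpose");
    if (!isPurposeAllowed(record, purpose, now)) continue; // stays inert
    const live = doc.createElement("script");
    const src = el.getAttribute("src");
    if (src) live.setAttribute("src", src);
    else live.textContent = el.textContent;
    el.parentNode.replaceChild(live, el);
    activated.push(purpose);
  }
  return activated;
}

// Consent log entry: which banner version was shown, what was chosen, when.
// Persist this (ideally server-side) so consent can be demonstrated later.
function consentLogEntry(record, bannerVersion) {
  return JSON.stringify({ bannerVersion, ...record });
}

// Constructed stand-in for the browser DOM so the example runs offline in Node.
function makeFakeDocument(tags) {
  const body = { children: [] };
  body.replaceChild = (live, old) => { body.children[body.children.indexOf(old)] = live; };
  for (const t of tags) {
    body.children.push({
      type: "text/plain",
      attrs: { "data-consent-purpose": t.purpose, src: t.src },
      textContent: "",
      parentNode: body,
      getAttribute(n) { return this.attrs[n]; },
    });
  }
  return {
    body,
    querySelectorAll: () => body.children.filter(
      (c) => c.type === "text/plain" && c.attrs["data-consent-purpose"]),
    createElement: () => ({
      type: "text/javascript", attrs: {}, textContent: "",
      getAttribute(n) { return this.attrs[n]; },
      setAttribute(n, v) { this.attrs[n] = v; },
    }),
  };
}

// Walk through page load, a partial consent, and expiry. URLs are constructed.
function demo() {
  const doc = makeFakeDocument([
    { purpose: "analytics", src: "https://analytics.example/tag.js" },
    { purpose: "advertising", src: "https://ads.example/pixel.js" },
  ]);
  const t0 = Date.now();
  const beforeChoice = activateConsentedScripts(doc, null, t0); // page load: no record yet
  const record = buildConsentRecord({ analytics: true }, t0);    // user ticks analytics only
  const afterChoice = activateConsentedScripts(doc, record, t0);
  const expired = isPurposeAllowed(record, "analytics", t0 + RECONSENT_MS + 1);
  return { beforeChoice, afterChoice, expired, log: consentLogEntry(record, "banner-v3") };
}
```

In a real page, `activateConsentedScripts(document, record)` is called from the banner's click handlers, and the reject button must call `buildConsentRecord({})` so the refusal is logged and the banner does not reappear on every visit. When auditing a CMP, confirm that its "accept" and "reject" paths both produce a stored record and that the inert-tag pattern (or the CMP's equivalent) is actually applied to every tag, including those injected by a tag manager.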
The CNIL's free PIA (Privacy Impact Assessment) software includes a ROPA module. Commercial tools such as OneTrust, TrustArc, and DataGrail offer automated data discovery, dynamic ROPA generation, and integration with vendor management systems. For smaller organisations, a well-structured spreadsheet using the CNIL's model ROPA template is a valid starting point.
The CNIL provides model privacy notice templates tailored to French legal requirements (available at cnil.fr in French). Iubenda, Termly, and Privacypolicies.com offer English-language generators that can be customised for French-market requirements — though any generated policy must be reviewed to ensure it accurately reflects your actual data processing activities and meets CNIL's plain-language standards.
• CNIL website: cnil.fr — enforcement actions, guidance sheets, ROPA templates, DPIA tools
• CNIL LINC: linc.cnil.fr — research on AI, data brokers, privacy engineering
• EDPB website: edpb.europa.eu — pan-European guidance documents, consistency decisions
• gdpr-info.eu — annotated full text of the GDPR with linked recitals
• gdpr.eu — practical SME-oriented guidance co-funded by the EU Horizon 2020 programme
The intersection of GDPR and artificial intelligence is the defining compliance challenge of the mid-2020s. The EU AI Act (Regulation EU 2024/1689, published July 2024) and the GDPR now operate in parallel: for AI systems processing personal data, both apply simultaneously. The CNIL has explicitly stated that misconceptions that 'GDPR prevents AI innovation in Europe' are false — but compliance cannot be an afterthought. The PANAME project (Privacy Auditing of AI Models), launched by the CNIL in partnership with ANSSI, will produce tools allowing developers to assess whether their models process personal data, with early release expected in late 2025.
In response to ongoing criticism about GDPR's compliance burden on small businesses, the European Commission proposed targeted amendments in Q4 2025 that include expanded ROPA exemptions for micro and small enterprises, simplified consent mechanisms in certain lower-risk contexts, and clearer rules for cookie walls. These changes are expected to be formally adopted by 2027, but the core principles — lawfulness, transparency, security, and respect for individual rights — remain unchanged. Simplification of process does not mean reduction of obligation.
Enforcement across the EU is becoming more coordinated and more aggressive. New procedural rules agreed in May 2025 aim to accelerate GDPR enforcement in large cross-border cases, eliminating the delays caused by divergent national procedures. Fines issued in 2025 across the EU reached new records, with the cumulative total since GDPR took effect in 2018 surpassing €5.88 billion. The era of regulatory forbearance is definitively over.