
GDPR Compliance Support for SMEs/VSEs in Paris: Method and Key Steps



What is the GDPR and why does it apply to your SME or VSE?

The General Data Protection Regulation (GDPR), which came into force on 25 May 2018, is a European text that is directly applicable in all Member States of the European Union. It is codified under Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016. Under French law, it is supplemented by Act No. 78-17 of 6 January 1978 on information technology, data files and civil liberties, known as the “French Data Protection Act” (loi Informatique et Libertés), as amended.

Contrary to a persistent misconception, the GDPR does not concern only large companies or digital giants. It applies to any organisation, regardless of its size, as soon as it collects, processes or stores personal data of natural persons located in the European Union. This includes:

the first and last names of customers or prospects, e-mail addresses, telephone numbers, IP addresses collected by a website, geolocation data, data linked to loyalty programmes, or information relating to employees.

For a Paris-based VSE that simply manages a mailing list, a contact form on its website, or a customer file in a spreadsheet, the GDPR is fully applicable. Ignorance of the text does not constitute a mitigating circumstance for the CNIL, as recent case law demonstrates.

What are the risks of GDPR non-compliance for an SME or VSE?

What sanctions can the CNIL impose?

The CNIL has extensive powers of investigation and sanction. Pursuant to Article 83 of the GDPR and Article 20 of the French Data Protection Act, it may impose administrative fines of up to:

20 million euros or 4% of total annual worldwide turnover, whichever is higher, for the most serious breaches (breach of consent, failure to comply with the fundamental principles of processing, failure to respect the rights of individuals).

10 million euros or 2% of total annual worldwide turnover for second-level breaches (absence of a record of processing activities, failure to notify a data breach, etc.).

The CNIL's restricted committee, in its deliberation SAN-2025-017 of 30 December 2025, imposed a fine of 3.5 million euros on a retail company operating a loyalty programme with more than 10 million members, sanctioning in particular the absence of valid consent for targeted advertising on a social network, the failure to inform data subjects, an insufficient password policy, and the absence of a prior data protection impact assessment (DPIA). This decision is a reminder that even partial compliance achieved during the proceedings does not remove liability for past conduct.

What other practical consequences for your business?

Beyond the financial fine, GDPR non-compliance exposes the manager to concrete and often underestimated consequences:

The publication of the sanction decision (what the profession calls “name and shame”), which directly harms the company's commercial reputation, its customer relationships and its partnerships.

The loss of trust of customers and partners, which is particularly sensitive in a context where the protection of personal data has become a selection criterion for many buyers and clients.

The litigation risk, with the possibility for data subjects to exercise their rights before the CNIL or the civil courts and to obtain compensation for the harm suffered.

The compliance order accompanied by a periodic penalty payment, which can reach up to 100,000 euros per day of delay.

What are the fundamental GDPR obligations that an SME or VSE must comply with?

What legal bases allow personal data to be processed?

Any processing of personal data must rest on one of the six legal bases provided for in Article 6 of the GDPR:

the consent of the data subject, the performance of a contract, compliance with a legal obligation, the protection of vital interests, the performance of a task carried out in the public interest, or the legitimate interest of the data controller.

Consent is often misunderstood. To be valid, it must be freely given, specific, informed and unambiguous, and must be expressed through a clear affirmative action (Article 4, point 11 of the GDPR). A pre-ticked box, a notice buried in general terms and conditions, or a user's silence do not constitute valid consent. The Court of Justice of the European Union confirmed this in its Planet49 GmbH judgment of 1 October 2019 (C-673/17), and the CNIL systematically reiterates it in its sanction decisions.

What information must be provided to data subjects?

Article 13 of the GDPR requires the data controller, at the time the data is collected, to provide clear and complete information covering in particular: the identity of the data controller, the purposes and legal bases of each processing operation, the recipients or categories of recipients, the data retention period, and all the rights available to the individual (access, rectification, erasure, objection, portability, withdrawal of consent).

The information must be provided by purpose, not globally. The aforementioned deliberation SAN-2025-017 specifically sanctions a company that listed its legal bases on one side and its purposes on the other, without establishing any correspondence between the two, rendering the information unusable for the user.

What are the obligations regarding data security?

Article 32 of the GDPR requires the data controller to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. In practice, this covers:

the password policy (minimum recommended entropy of 80 bits according to CNIL deliberation No. 2022-100 of 21 July 2022), the encryption of sensitive data, access control, the traceability of operations on the data, the management of authorisations, or the securing of exchanges with processors.

An overly permissive password policy constitutes a breach of Article 32 of the GDPR, as illustrated by deliberation SAN-2025-017, which sanctions a company that accepted passwords with only 26 bits of entropy (against the recommended minimum of 50 bits) and stored them using SHA256, a fast general-purpose hash function that is unsuitable for password storage.
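As an added illustration of the two Article 32 points just described (entropy threshold and storage method), and not code from the page or from the firm: a Python check that estimates a password's entropy with the usual length × log2(alphabet size) approximation (an assumption of this example; the page gives only the bit thresholds), applies the 80-bit figure as a configurable minimum, and contrasts the unsalted SHA256 storage criticised in the decision with a salted, deliberately slow derivation (PBKDF2-HMAC-SHA256 here; Argon2id or scrypt would serve equally). Function names, the stored-record format and the sample passwords are constructed for the example.

```python
import hashlib
import hmac
import math
import secrets
import string

# Character pools for the entropy estimate. "length x log2(alphabet size)"
# is an assumption of this example; the page itself only states thresholds.
_POOLS = (
    (frozenset(string.ascii_lowercase), 26),
    (frozenset(string.ascii_uppercase), 26),
    (frozenset(string.digits), 10),
    (frozenset(string.punctuation), len(string.punctuation)),
)
_KNOWN = frozenset().union(*(alphabet for alphabet, _ in _POOLS))


def estimate_entropy_bits(password: str) -> float:
    """Estimate entropy as length * log2(size of the alphabet actually used)."""
    chars = set(password)
    pool = sum(size for alphabet, size in _POOLS if chars & alphabet)
    # Characters outside the four pools (accents, spaces, ...) each count as
    # one extra symbol so such passwords are not rated at zero.
    pool += len(chars - _KNOWN)
    if not password or pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def check_password_policy(password: str, min_bits: float = 80.0) -> tuple[float, bool]:
    """Return (estimated bits, accepted?) against a minimum entropy threshold.

    80 bits is the figure the page attributes to CNIL deliberation 2022-100 for
    a password used on its own; it is a parameter so a lower figure can be
    applied where the organisation relies on additional measures.
    """
    bits = estimate_entropy_bits(password)
    return bits, bits >= min_bits


def unsalted_sha256(password: str) -> str:
    """The storage method the decision criticises: fast and unsalted, so two
    users with the same password get the same digest and precomputed tables apply."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


PBKDF2_ITERATIONS = 600_000  # OWASP (2023) figure for PBKDF2-HMAC-SHA256


def hash_password(password: str) -> str:
    """Store a password with a per-user random salt and a slow derivation.

    Record format (an assumption of this example): pbkdf2_sha256$iter$salt$hash,
    salt and hash in hex.
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derivation with the stored salt; compare in constant time.
    Malformed records are rejected rather than raising."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    except ValueError:
        return False
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor&3", "Correct-Horse7Battery-Staple"):
        bits, ok = check_password_policy(pw)
        print(f"{pw!r}: {bits:.1f} bits -> {'accepted' if ok else 'rejected'}")
    record = hash_password("Correct-Horse7Battery-Staple")
    print(verify_password("Correct-Horse7Battery-Staple", record))  # True
    print(verify_password("password", record))                      # False
```

Running the block shows the practical effect of the two rules: an eight-letter lowercase word rates well under 40 bits and is rejected, while two registrations with the same password produce identical `unsalted_sha256` digests but different `hash_password` records.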

Is it necessary to appoint a Data Protection Officer (DPO)?

The appointment of a DPO is mandatory in three cases provided for in Article 37 of the GDPR: where the processing is carried out by a public authority, where the controller's core activities involve regular and systematic monitoring on a large scale, or where they relate to sensitive data on a large scale. For most SMEs and VSEs, appointment is not mandatory, but it remains strongly recommended as soon as the activity involves a significant volume of customer or employee data, or high-risk processing.

What are the concrete steps of GDPR compliance for an SME or VSE in Paris?

Table 1: The steps of a GDPR compliance process (SME / VSE)

| Step | What it involves | Deliverable / key point |
| --- | --- | --- |
| Initial audit and mapping of processing activities | Identify all processing activities, analyse the legal bases and assess GDPR maturity. | A prerequisite for any serious compliance process. |
| Drafting of contractual and regulatory documents | Draft/update the privacy policy, information notices, GTC/GTU and GDPR clauses. | Processor agreements (Art. 28) and clauses for transfers outside the EU. |
| Operational compliance | Record of processing activities, cookie policy and internal procedures. | Management of rights, breaches and team training. |
| Cookie management | Obtain consent before any tracker that is not strictly necessary (Art. 82 French Data Protection Act). | Banner with “Accept” and “Reject” equally visible. |
| Risk prevention and CNIL defence | Analyse breaches, prepare the defence and draft observations in the event of an investigation. | Support during the procedure to limit injunctions and fines. |

Provided for information purposes; does not constitute legal advice.


Why is cookie management a major point of vigilance?

Article 82 of the French Data Protection Act (transposing the ePrivacy Directive 2002/58/EC) requires that any tracker not strictly necessary for the operation of the service be placed on the user's terminal only after their prior consent has been obtained. This applies to advertising cookies, browsing analytics cookies (including certain Google Analytics configurations), personalisation cookies and chat tools.

Placing a cookie before obtaining the user's consent is a breach of Article 82, even if the purpose of that cookie is deemed not very intrusive by the data controller. The CNIL reiterated this in December 2025 in its recommendation on multi-terminal consent (deliberation No. 2025-131 of 18 December 2025), which specifies that consent must be validly obtained regardless of the terminal used.

A compliant consent banner must offer an “Accept” button and a “Reject” button (or an equivalent option) that are equally visible. A “Learn more” button followed by an “Accept and close” button without an easily accessible refusal option does not meet the CNIL's requirements.
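As an added example, not code from the page or from any CMP vendor: the placement rule and the banner rule just described, expressed as a small Python routine of the kind a tag manager or consent management platform applies before loading each tracker. The tracker catalogue, the category names, the `ConsentRecord` and `Button` structures, and the reading of “equally visible” as “both buttons on the first layer of the banner” are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional

STRICTLY_NECESSARY = "strictly_necessary"

# Tracker catalogue as a site operator would declare it to its CMP.
# Names and categories are constructed for this example.
TRACKERS = {
    "session_cookie": STRICTLY_NECESSARY,   # keeps login / cart alive
    "cart_cookie": STRICTLY_NECESSARY,
    "google_analytics": "analytics",
    "retargeting_pixel": "advertising",
    "chat_widget": "personalisation",
}


@dataclass
class ConsentRecord:
    """What the banner recorded: one boolean per non-necessary category,
    plus when it was collected (kept so the choice can be evidenced later)."""
    choices: dict[str, bool]
    collected_at: str  # ISO 8601 timestamp, constructed in the example


def allowed_trackers(catalogue: dict[str, str], consent: Optional[ConsentRecord]) -> list[str]:
    """Return the trackers that may be placed on the terminal right now.

    No recorded choice (banner unanswered or simply closed) means only
    strictly necessary trackers load: silence is never treated as consent,
    and a category missing from the record counts as refused.
    """
    allowed = []
    for name, category in catalogue.items():
        if category == STRICTLY_NECESSARY:
            allowed.append(name)
        elif consent is not None and consent.choices.get(category, False):
            allowed.append(name)
    return allowed


@dataclass
class Button:
    label: str
    action: str   # "accept_all", "reject_all", "customise", "close"
    layer: int    # 1 = first screen of the banner, 2 = behind "Learn more"


def banner_offers_symmetric_choice(buttons: list[Button]) -> bool:
    """Encode the page's rule that accept and reject must be equally visible.

    Assumption of this example: "equally visible" means both actions sit on
    the first layer. A reject option reachable only via "Learn more" fails.
    """
    first_layer = [b for b in buttons if b.layer == 1]
    has_accept = any(b.action == "accept_all" for b in first_layer)
    has_reject = any(b.action == "reject_all" for b in first_layer)
    return has_accept and has_reject


if __name__ == "__main__":
    print(allowed_trackers(TRACKERS, None))            # only the two necessary cookies
    analytics_only = ConsentRecord({"analytics": True, "advertising": False}, "2025-12-18T10:00:00Z")
    print(allowed_trackers(TRACKERS, analytics_only))  # adds google_analytics only

    compliant = [Button("Accept", "accept_all", 1), Button("Reject", "reject_all", 1)]
    hidden_reject = [Button("Learn more", "customise", 1),
                     Button("Accept and close", "accept_all", 1),
                     Button("Reject", "reject_all", 2)]
    print(banner_offers_symmetric_choice(compliant), banner_offers_symmetric_choice(hidden_reject))
```

The useful property for an audit is that the decision is taken per tracker from the recorded choice, so a script that fires on page load before `allowed_trackers` has been consulted is visible as a configuration defect rather than a legal debate.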

When must a Data Protection Impact Assessment (DPIA) be carried out?

A DPIA is mandatory before the implementation of any processing likely to result in a high risk to the rights and freedoms of individuals (Article 35 of the GDPR). The CNIL considers that any processing meeting at least two of the criteria of the European Data Protection Board (in particular: large-scale processing, data matching, use of new technologies, sensitive data, profiling) must be subject to a prior DPIA.

The absence of a prior DPIA for targeted advertising processing involving the transmission of data of several million people to a social platform was sanctioned in deliberation SAN-2025-017. For an SME deploying a CRM, a digital loyalty programme, or a customer scoring tool, the question of the DPIA must be raised before launch.

What must your processor contracts contain within the meaning of the GDPR?

Article 28 of the GDPR requires that any use of a processor processing data on your behalf be the subject of a contract or binding legal act. This document must precisely govern: the subject matter and duration of the processing, the nature and purpose of the data processed, the type of data and the categories of data subjects, the obligations and rights of the data controller, and the security measures implemented by the processor.

In practice, this concerns your hosting providers, SaaS software publishers, marketing agencies managing your e-mail campaigns, HR or accounting service providers accessing your employee data, e-commerce platforms, or videoconferencing tools.

The absence of a processing clause compliant with Article 28 constitutes a standalone sanctionable breach, independently of any other breach. The CNIL considers that the data controller is responsible for the choice of its processors and must ensure that they provide sufficient guarantees.

Table 2: Summary of the most common GDPR breaches and associated risks

| Breach | Risk / sanction |
| --- | --- |
| Breach of consent, infringement of the principles or rights of individuals | Fine of up to €20M or 4% of annual worldwide turnover (whichever is higher). |
| Absence of a record of processing activities or of a breach notification | Fine of up to €10M or 2% of annual worldwide turnover. |
| Placement of non-necessary cookies without prior consent | Breach of Article 82 of the French Data Protection Act. |
| Overly permissive password policy | Breach of Article 32 of the GDPR (recommended min. entropy of 80 bits). |
| Absence of a prior DPIA for high-risk processing | Breach of Article 35; see deliberation SAN-2025-017. |
| Absence of a processing clause compliant with Article 28 | Standalone sanctionable breach. |
| Failure to comply with a compliance order | Periodic penalty payment of up to €100,000 per day of delay. |

Source: CNIL & GDPR. The amounts indicated are statutory maximums.

What are the rights of data subjects and how to manage them concretely?

The GDPR grants natural persons a set of rights that the data controller must be able to honour within one month of receipt of the request (Article 12 of the GDPR):

the right of access (Article 15), allowing the person to know what data concerns them and how it is processed; the right to rectification (Article 16); the right to erasure, known as the “right to be forgotten” (Article 17); the right to restriction of processing (Article 18); the right to portability (Article 20); and the right to object (Article 21).

For an SME or VSE, the practical organisation of handling these requests is often neglected. A dedicated internal contact should be appointed, a specific contact mailbox set up (for example dpo@nomdelastructure.fr), each request and the response provided traced, and the data held mapped beforehand in order to be able to respond within the time limits set.

How does the Mirabile firm support Paris SMEs and VSEs in their GDPR compliance?

The Mirabile Avocat firm, specialising in digital law and business law, offers structured and operational support for GDPR compliance, tailored to the constraints of Paris-based VSEs, SMEs and startups. Our approach is based on four pillars.

Initial audit and mapping of processing activities

The first step is a GDPR compliance audit, during which our lawyers identify all personal data processing activities implemented within your organisation, analyse the legal bases used, review the existing contractual documents and information policies, and assess your organisation's level of GDPR maturity. This audit is the prerequisite for any serious compliance process.

Drafting and updating contractual and regulatory documents

The firm intervenes to draft or update all the documents required by the GDPR and the French Data Protection Act: privacy policy, information notices, general terms and conditions of sale and use incorporating GDPR clauses, processor agreements within the meaning of Article 28, clauses for data transfers outside the EU, and any other contractual or regulatory document necessary for your digital or commercial activity.

Support for operational compliance

Beyond the documents, GDPR compliance requires concrete organisational changes. Our lawyers support you in setting up the record of processing activities, defining your cookie management policy, implementing internal procedures for managing individuals' rights and data breaches, and training your teams on GDPR obligations.

Risk prevention and defence in the event of a CNIL investigation

In the event of an investigation or proceedings initiated by the CNIL, the Mirabile firm intervenes to analyse the extent of the alleged breaches, prepare the defence, draft observations in response to the sanction report, and support compliance during the procedure to limit the risks of injunction and fine. Our in-depth knowledge of CNIL case law and the proportionality criteria of sanctions enables us to build an effective and documented defence.

Case studies: what situations do Paris SMEs and VSEs most often encounter?

**First case: the e-commerce site that collects data without a compliant cookie banner.** A Paris-based SME operating an online sales site uses Google Analytics, an advertising retargeting pixel, and an integrated chat tool. These three tools place trackers on the user's terminal. If these placements occur before the user has clicked “Accept” in the cookie banner, the company breaches Article 82 of the French Data Protection Act. The Mirabile firm intervenes to audit the configuration of the CMP (Consent Management Platform), reconfigure the order of placements, and update the cookie policy.

**Second case: the startup that transmits customer data to a partner platform without valid consent.** A Paris-based startup developing a digital loyalty programme transmits the e-mail addresses of its members to an advertising network to carry out targeting on social networks. If these members have not explicitly consented to this transmission (consent to receive commercial e-mails is not sufficient), the processing lacks a legal basis within the meaning of Article 6(1)(a) of the GDPR. This is exactly the scheme sanctioned in deliberation SAN-2025-017. The firm intervenes to restructure the consent collection mechanisms and secure the contractual relationships with the advertising network.

**Third case: the industrial SME that does not have GDPR processor contracts.** A mid-sized manufacturer based in the Île-de-France region entrusts the management of its payroll to an external service provider and the hosting of its ERP to an American cloud provider. No contract contains a GDPR clause compliant with Article 28, and the transfer of data to the United States is not governed. The Mirabile firm drafts the necessary contractual amendments, implements the standard contractual clauses for transfers outside the EU, and secures the entire processing chain.

What are the specificities of GDPR compliance in Paris and the Île-de-France region for managers?

Paris concentrates an exceptional density of digital players, startups, digital platforms and distribution networks. This density is accompanied by increased vigilance from the CNIL and greater exposure to individual complaints and sector-specific investigations. The CNIL regularly conducts investigation campaigns targeting specific sectors (e-commerce, healthcare, real estate, HR), which primarily affect players in the Paris region.

For managers of Paris SMEs and VSEs, GDPR compliance is also a competitive advantage: an e-commerce site displaying a readable privacy policy and a transparent cookie banner generates greater trust, improves the conversion rate and reduces the unsubscribe rate. It is also often required as a prerequisite in the tenders of large accounts and public-sector clients.

Conclusion: why anticipate rather than endure GDPR compliance?

GDPR compliance is not a one-off administrative exercise: it is a continuous process that accompanies the life of the company, its technological developments and its new data processing activities. The texts evolve (the CNIL recommendation of 18 December 2025 on multi-terminal consent is the latest illustration), sanction decisions clarify the expected standards, and the rights of data subjects are exercised to an increasing extent.

Anticipating by calling on a specialised firm is always less costly than enduring a CNIL sanction procedure. The Mirabile Avocat firm, with its expertise in digital law and business law, supports you at every stage: from the initial audit to the drafting of contractual documents, from training your teams to defence in the event of an investigation.

Would you like to review your GDPR compliance or undertake a compliance process tailored to your organisation? Contact the Mirabile firm for an initial discussion.

This article is written for general information purposes and does not constitute personalised legal advice. It is based on the texts in force at the date of its writing, in particular Regulation (EU) 2016/679 of 27 April 2016, Act No. 78-17 of 6 January 1978 as amended, and recent CNIL case law.

Cabinet Mirabile Avocat — Digital law, commercial law, distribution law — Paris

To learn more

Does the GDPR apply to SMEs and VSEs?

Yes. Contrary to a common misconception, the GDPR does not concern only large companies. It applies to any organisation, regardless of its size, as soon as it collects, processes or stores personal data of persons located in the European Union.

What is the GDPR?

The GDPR is a directly applicable European regulation, which came into force on 25 May 2018, codified under Regulation (EU) 2016/679. In France, it is supplemented by the French Data Protection Act of 6 January 1978 as amended. It governs the processing of personal data.

Which data is covered by the GDPR?

The GDPR applies to the personal data of natural persons: first and last names of customers or prospects, addresses, e-mails and other identifying information. As soon as an organisation processes such data, it is subject to the regulation.

What are the key steps of GDPR compliance?

The process includes mapping the processing activities, keeping a record, defining the legal bases, informing individuals, securing the data and managing their rights. This structured method makes it possible to achieve lasting compliance.

Must a VSE keep a record of processing activities?

Yes, in most cases. The record of processing activities lists the activities involving personal data. This obligation applies broadly, including to small organisations, as soon as they regularly process data or sensitive data.

Where to start with GDPR compliance?

Compliance starts with mapping the data processing activities and keeping a record. This inventory makes it possible to identify the legal bases, the information and security obligations, and to prioritise compliance actions.

Is GDPR compliance a one-off project?

No. GDPR compliance is a continuous process: it requires maintaining the record, updating the processing activities, securing the data and managing individuals' rights over time. An ongoing approach is necessary to remain compliant.

Is a lawyer useful for an SME's GDPR compliance?

A lawyer helps SMEs and VSEs structure their GDPR compliance, keep their record, define the legal bases and secure their processing activities. This methodical support secures data protection and limits the risk of sanction.
