GDPR
The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, has applied directly in all Member States of the European Union since 25 May 2018, without any national transposition being required. Under French law, it is supplemented by Act No. 78-17 of 6 January 1978 on information technology, data files and civil liberties, known as the “French Data Protection Act” (loi Informatique et Libertés), as amended.
Contrary to a persistent misconception, the GDPR does not concern only large companies or digital giants. It applies to any organisation, regardless of its size, as soon as it collects, processes or stores personal data of natural persons located in the European Union. This includes:
the first and last names of customers or prospects, e-mail addresses, telephone numbers, IP addresses collected by a website, geolocation data, data linked to loyalty programmes, or information relating to employees.
For a Paris-based VSE that simply manages a mailing list, a contact form on its website, or a customer file in a spreadsheet, the GDPR is fully applicable. Ignorance of the text does not constitute a mitigating circumstance for the CNIL, as recent case law demonstrates.
The CNIL has extensive powers of investigation and sanction. Pursuant to Article 83 of the GDPR and Article 20 of the French Data Protection Act, it may impose administrative fines of up to:
20 million euros or 4% of total annual worldwide turnover, whichever is higher, for the most serious breaches (breach of the conditions for consent, failure to comply with the fundamental principles of processing, failure to respect the rights of individuals).
10 million euros or 2% of total annual worldwide turnover for second-level breaches (absence of a record of processing activities, failure to notify a data breach, etc.).
The CNIL's restricted committee, in its deliberation SAN-2025-017 of 30 December 2025, imposed a fine of 3.5 million euros on a retail company operating a loyalty programme with more than 10 million members, sanctioning in particular the absence of valid consent for targeted advertising on a social network, the failure to inform data subjects, an insufficient password policy, and the absence of a prior data protection impact assessment (DPIA). This decision is a reminder that even partial compliance achieved during the proceedings does not remove liability for past conduct.
Beyond the financial fine, GDPR non-compliance exposes the manager to concrete and often underestimated consequences:
The publication of the sanction decision (what the profession calls “name and shame”), which directly harms the company's commercial reputation, its customer relationships and its partnerships.
The loss of trust of customers and partners, which is particularly sensitive in a context where the protection of personal data has become a selection criterion for many buyers and clients.
The litigation risk, with the possibility for data subjects to exercise their rights before the CNIL or the civil courts and to obtain compensation for the harm suffered.
The compliance order accompanied by a periodic penalty payment, which can reach up to 100,000 euros per day of delay.
Any processing of personal data must rest on one of the six legal bases provided for in Article 6 of the GDPR:
the consent of the data subject, the performance of a contract, compliance with a legal obligation, the protection of vital interests, the performance of a task carried out in the public interest, or the legitimate interest of the data controller.
Consent is often misunderstood. To be valid, it must be freely given, specific, informed and unambiguous, and must be expressed through a clear affirmative action (Article 4, point 11 of the GDPR). A pre-ticked box, a notice buried in general terms and conditions, or a user's silence do not constitute valid consent. The Court of Justice of the European Union confirmed this in its Planet49 GmbH judgment of 1 October 2019 (C-673/17), and the CNIL systematically reiterates it in its sanction decisions.
Article 13 of the GDPR requires the data controller, at the time the data is collected, to provide clear and complete information covering in particular: the identity of the data controller, the purposes and legal bases of each processing operation, the recipients or categories of recipients, the data retention period, and all the rights available to the individual (access, rectification, erasure, objection, portability, withdrawal of consent).
The information must be provided by purpose, not globally. The aforementioned deliberation SAN-2025-017 specifically sanctions a company that listed its legal bases on one side and its purposes on the other, without establishing any correspondence between the two, rendering the information unusable for the user.
Article 32 of the GDPR requires the data controller to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. In practice, this covers:
the password policy (CNIL deliberation No. 2022-100 of 21 July 2022 recommends a minimum entropy of 80 bits where the password is the only protection of the account, a threshold that is lowered when the account is also protected by other measures, such as limiting or blocking authentication attempts), the encryption of sensitive data, access control, the traceability of operations on the data, the management of authorisations, and the securing of exchanges with processors.
An overly permissive password policy constitutes a breach of Article 32 of the GDPR, as illustrated by deliberation SAN-2025-017, which sanctions a company that accepted passwords with only 26 bits of entropy (against the 50-bit minimum applicable in its case), and that stored these passwords using the SHA-256 function. SHA-256 is a fast, general-purpose hash: an attacker who obtains the database can test billions of candidate passwords per second against it, so it gives low-entropy passwords no practical protection, and without a per-user salt identical passwords produce identical digests. Password storage calls for a dedicated, salted and deliberately slow password hashing function (bcrypt, scrypt, Argon2 or PBKDF2).
The appointment of a DPO is mandatory in three cases provided for in Article 37 of the GDPR: where the processing is carried out by a public authority, where the controller's core activities involve regular and systematic monitoring on a large scale, or where they relate to sensitive data on a large scale. For most SMEs and VSEs, appointment is not mandatory, but it remains strongly recommended as soon as the activity involves a significant volume of customer or employee data, or high-risk processing.
Article 82 of the French Data Protection Act (transposing the ePrivacy Directive 2002/58/EC) requires that any tracker not strictly necessary for the operation of the service be placed on the user's terminal only after their prior consent has been obtained. This applies to advertising cookies, browsing analytics cookies (including certain Google Analytics configurations), personalisation cookies and chat tools.
Placing a cookie before obtaining the user's consent is a breach of Article 82, even if the purpose of that cookie is deemed not very intrusive by the data controller. The CNIL reiterated this in December 2025 in its recommendation on multi-terminal consent (deliberation No. 2025-131 of 18 December 2025), which specifies that consent must be validly obtained regardless of the terminal used.
A compliant consent banner must offer an “Accept” button and a “Reject” button (or an equivalent option) that are equally visible. A “Learn more” button followed by an “Accept and close” button without an easily accessible refusal option does not meet the CNIL's requirements.
A DPIA is mandatory before the implementation of any processing likely to result in a high risk to the rights and freedoms of individuals (Article 35 of the GDPR). The CNIL considers that any processing meeting at least two of the criteria of the European Data Protection Board (in particular: large-scale processing, data matching, use of new technologies, sensitive data, profiling) must be subject to a prior DPIA.
The absence of a prior DPIA for targeted advertising processing involving the transmission of data of several million people to a social platform was sanctioned in deliberation SAN-2025-017. For an SME deploying a CRM, a digital loyalty programme, or a customer scoring tool, the question of the DPIA must be raised before launch.
Article 28 of the GDPR requires that any use of a processor processing data on your behalf be the subject of a contract or binding legal act. This document must precisely govern: the subject matter and duration of the processing, the nature and purpose of the data processed, the type of data and the categories of data subjects, the obligations and rights of the data controller, and the security measures implemented by the processor.
In practice, this concerns your hosting providers, SaaS software publishers, marketing agencies managing your e-mail campaigns, HR or accounting service providers accessing your employee data, e-commerce platforms, or videoconferencing tools.
The absence of a processing clause compliant with Article 28 constitutes a standalone sanctionable breach, independently of any other breach. The CNIL considers that the data controller is responsible for the choice of its processors and must ensure that they provide sufficient guarantees.
The GDPR grants natural persons a set of rights that the data controller must be able to honour within one month of receipt of the request (Article 12 of the GDPR):
the right of access (Article 15), allowing the person to know what data concerns them and how it is processed; the right to rectification (Article 16); the right to erasure, known as the “right to be forgotten” (Article 17); the right to restriction of processing (Article 18); the right to portability (Article 20); and the right to object (Article 21).
For an SME or VSE, the practical organisation of handling these requests is often neglected. A dedicated internal contact should be appointed, a specific contact mailbox set up (for example dpo@nomdelastructure.fr), each request and the response provided traced, and the data held mapped beforehand in order to be able to respond within the time limits set.
The Mirabile Avocat firm, specialising in digital law and business law, offers structured and operational support for GDPR compliance, tailored to the constraints of Paris-based VSEs, SMEs and startups. Our approach is based on four pillars.
The first step is a GDPR compliance audit, during which our lawyers identify all personal data processing activities implemented within your organisation, analyse the legal bases used, review the existing contractual documents and information policies, and assess your organisation's level of GDPR maturity. This audit is the prerequisite for any serious compliance process.
The firm intervenes to draft or update all the documents required by the GDPR and the French Data Protection Act: privacy policy, information notices, general terms and conditions of sale and use incorporating GDPR clauses, processor agreements within the meaning of Article 28, clauses for data transfers outside the EU, and any other contractual or regulatory document necessary for your digital or commercial activity.
Beyond the documents, GDPR compliance requires concrete organisational changes. Our lawyers support you in setting up the record of processing activities, defining your cookie management policy, implementing internal procedures for managing individuals' rights and data breaches, and training your teams on GDPR obligations.
In the event of an investigation or proceedings initiated by the CNIL, the Mirabile firm intervenes to analyse the extent of the alleged breaches, prepare the defence, draft observations in response to the sanction report, and support compliance during the procedure to limit the risks of injunction and fine. Our in-depth knowledge of CNIL case law and the proportionality criteria of sanctions enables us to build an effective and documented defence.
First case: the e-commerce site that collects data without a compliant cookie banner. A Paris-based SME operating an online sales site uses Google Analytics, an advertising retargeting pixel, and an integrated chat tool. These three tools place trackers on the user's terminal. If these placements occur before the user has clicked “Accept” in the cookie banner, the company breaches Article 82 of the French Data Protection Act. The Mirabile firm intervenes to audit the configuration of the CMP (Consent Management Platform), reconfigure the order of placements so that each non-essential tag loads only once consent for its purpose has been recorded, and update the cookie policy.
Second case: the startup that transmits customer data to a partner platform without valid consent. A Paris-based startup developing a digital loyalty programme transmits the e-mail addresses of its members to an advertising network to carry out targeting on social networks. If these members have not explicitly consented to this transmission (consent to receive commercial e-mails is not sufficient), the processing lacks a legal basis within the meaning of Article 6(1)(a) of the GDPR. This is exactly the scheme sanctioned in deliberation SAN-2025-017. The firm intervenes to restructure the consent collection mechanisms and secure the contractual relationships with the advertising network.
Third case: the industrial SME that does not have GDPR processor contracts. A mid-sized manufacturer based in the Île-de-France region entrusts the management of its payroll to an external service provider and the hosting of its ERP to an American cloud provider. No contract contains a GDPR clause compliant with Article 28, and the transfer of data to the United States is not governed. The Mirabile firm drafts the necessary contractual amendments, implements the standard contractual clauses for transfers outside the EU, and secures the entire processing chain.
Paris concentrates an exceptional density of digital players, startups, digital platforms and distribution networks. This density is accompanied by increased vigilance from the CNIL and greater exposure to individual complaints and sector-specific investigations. The CNIL regularly conducts investigation campaigns targeting specific sectors (e-commerce, healthcare, real estate, HR), which primarily affect players in the Paris region.
For managers of Paris SMEs and VSEs, GDPR compliance is also a competitive advantage: an e-commerce site displaying a readable privacy policy and a transparent cookie banner generates greater trust, improves the conversion rate and reduces the unsubscribe rate. It is also often required as a prerequisite in the tenders of large accounts and public-sector clients.
GDPR compliance is not a one-off administrative exercise: it is a continuous process that accompanies the life of the company, its technological developments and its new data processing activities. The texts evolve (the CNIL recommendation of 18 December 2025 on multi-terminal consent is the latest illustration), sanction decisions clarify the expected standards, and the rights of data subjects are exercised to an increasing extent.
Anticipating by calling on a specialised firm is always less costly than enduring a CNIL sanction procedure. The Mirabile Avocat firm, with its expertise in digital law and business law, supports you at every stage: from the initial audit to the drafting of contractual documents, from training your teams to defence in the event of an investigation.
Would you like to review your GDPR compliance or undertake a compliance process tailored to your organisation? Contact the Mirabile firm for an initial discussion.
This article is written for general information purposes and does not constitute personalised legal advice. It is based on the texts in force at the date of its writing, in particular Regulation (EU) 2016/679 of 27 April 2016, Act No. 78-17 of 6 January 1978 as amended, and recent CNIL case law.
Cabinet Mirabile Avocat — Digital law, commercial law, distribution law — Paris
To learn more
Yes. Contrary to a common misconception, the GDPR does not concern only large companies. It applies to any organisation, regardless of its size, as soon as it collects, processes or stores personal data of persons located in the European Union.
The GDPR is a directly applicable European regulation, Regulation (EU) 2016/679, which has applied since 25 May 2018. In France, it is supplemented by the French Data Protection Act of 6 January 1978 as amended. It governs the processing of personal data.
The GDPR applies to the personal data of natural persons: first and last names of customers or prospects, addresses, e-mails and other identifying information. As soon as an organisation processes such data, it is subject to the regulation.
The process includes mapping the processing activities, keeping a record, defining the legal bases, informing individuals, securing the data and managing their rights. This structured method makes it possible to achieve lasting compliance.
Yes, in most cases. The record of processing activities lists the activities involving personal data. This obligation applies broadly, including to small organisations, as soon as they regularly process data or sensitive data.
Compliance starts with mapping the data processing activities and keeping a record. This inventory makes it possible to identify the legal bases, the information and security obligations, and to prioritise compliance actions.
No. GDPR compliance is a continuous process: it requires maintaining the record, updating the processing activities, securing the data and managing individuals' rights over time. An ongoing approach is necessary to remain compliant.
A lawyer helps SMEs and VSEs structure their GDPR compliance, keep their record, define the legal bases and secure their processing activities. This methodical support secures data protection and limits the risk of sanction.