GDPR compliance, data protection, cybersecurity, IT contracts and technology law.
GDPR applies to any organisation that processes personal data of EU residents, regardless of where the organisation is based. A data protection lawyer can advise on compliance.
Fines can reach €20 million or 4% of global annual turnover (whichever is higher). A data protection lawyer can help implement compliant processes to minimise risk.
Browse our verified directory of law firms across France's major cities. All listed firms offer English-language legal services to expats and foreign nationals.
France implements the RGPD (Règlement général sur la protection des données, the GDPR) through the loi Informatique et Libertés (loi n° 78-17, as amended by loi n° 2018-493 of 20 June 2018). The supervisory authority is the CNIL (Commission nationale de l'informatique et des libertés).
| Tier | Maximum Fine | Key Violations |
|---|---|---|
| Standard (art. 83§4) | €10M or 2% of global annual turnover | DPIA, DPO obligations, processor contracts (art. 28), privacy by design |
| Upper (art. 83§5) | €20M or 4% of global annual turnover | Legal basis, data subject rights, international transfers, consent |
| Company | Fine | Year | Violation |
|---|---|---|---|
| Google LLC | €150M | 2022 | Cookie consent mechanism: refusing cookies was not as easy as accepting them |
| Facebook (Meta) | €60M | 2022 | Cookie consent — refusal not as simple as acceptance |
| Amazon Europe | €35M | 2021 | Advertising cookies deposited without valid consent |
| Clearview AI | €20M | 2022 | No legal basis for processing facial recognition data |
| Doctissimo | €380,000 | 2022 | Health data processing — no valid consent, excessive retention |
Under RGPD art. 37, a DPO is mandatory for: (1) public authorities, (2) large-scale systematic monitoring of individuals, (3) large-scale processing of special category data.
France has NOT imposed a lower employee-count threshold (unlike Germany's BDSG §38 — 20 employees). The CNIL uses the "large-scale" test. Practically, any company processing health, biometric, or criminal data at scale needs a DPO; pure SMEs with no systematic monitoring generally do not.
Cost of DPO service: Internal DPO (employee): €40,000–80,000/yr salary. External DPO-as-a-service: €500–3,000/month depending on company size.
| Rule | French Specificity |
|---|---|
| Cookies — ePrivacy | CNIL requires equal ease to accept and refuse cookies; pre-ticked boxes invalid; banner must appear on first visit |
| Droit à l'effacement (Right to erasure) | 30 days to respond; CNIL mediates disputes; refusal must give reasons |
| Mineurs (children) | Parental consent required under 15 (RGPD art. 8; France chose 15, not 16) |
| NIR (numéro de sécurité sociale) | Processing of the national ID number requires specific CNIL authorisation (loi 78-17 art. 27) |
| Breach notification | 72-hour rule to CNIL (RGPD art. 33); notification to individuals if high risk (art. 34) |