🇫🇷

France Data Privacy Regulations

General Data Protection Regulation (GDPR) & Loi Informatique et Libertés
Critical Severity
Enacted: 2018 (Amended: 2019)

Overview

The GDPR is the primary law regulating how companies protect EU citizens' personal data. France adapts it locally through the amended French Data Protection Act (Loi Informatique et Libertés), enforced rigorously by the CNIL.

Scope of Application:

Any organization worldwide that processes the personal data of individuals residing in France.

Key Rules & Obligations

Breach Notification

Within 72 hours of becoming aware of the breach.

Maximum Penalties

Up to €20 million or 4% of total global annual turnover, whichever is higher.

Data Transfers

Transfers outside the EEA require adequate safeguards like Standard Contractual Clauses (SCCs) or an adequacy decision.

Individual Rights

  • Right to be informed
  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restrict processing
  • Right to data portability
  • Right to object
  • Rights regarding automated decision-making

Enforcement Authority

Commission Nationale de l'Informatique et des Libertés (CNIL)

Contact: Contact via online forms at cnil.fr

Notable Breaches in France

Company | Year | Records Exposed | Regulation Violated
Criteo | 2023 | Unknown (tracker data) | GDPR (consent tracking)
Dedalus Biologie | 2022 | 491,939 | GDPR (medical data security)
Clearview AI | 2022 | Billions of images | GDPR (facial recognition without consent)

Frequently Asked Questions

Is the French data protection law the same as GDPR?

Yes, France operates under the EU GDPR, supplemented by its domestic Data Protection Act which specifies rules on national security, health data, and employees' rights.

What happens if a company breaches the GDPR in France?

The CNIL can issue warnings, order operations to cease, or impose administrative fines up to €20M or 4% of global turnover.

How do I report a data breach in France?

Organizations must notify the CNIL via their specific online tele-service for breach notifications within 72 hours.

Last updated: March 5, 2026
