GDPR reference & code-audit checklist with FRANCE/CNIL focus. Use when reviewing or building features that collect/process/store personal data (consent, PII, authentication, forms, cookies, cookies/trackers, data-subject rights, retention, DPIA, cross-border transfers, breach notification). Multi-source verified facts with live-source pointers for evolving areas. Read alongside gdpr-specialist agent.
Installation
Installer avec Codex ou Claude Copiez ce prompt, collez-le dans Codex, Claude ou un autre assistant, puis laissez-le vérifier la page du skill et l'installer pour vous.
GDPR reference & code-audit checklist with FRANCE/CNIL focus. Use when reviewing or building features that collect/process/store personal data (consent, PII, authentication, forms, cookies, cookies/trackers, data-subject rights, retention, DPIA, cross-border transfers, breach notification). Multi-source verified facts with live-source pointers for evolving areas. Read alongside gdpr-specialist agent.
GDPR Compliance Reference & Code Audit Checklist
FRANCE / CNIL-Focused Edition
This skill provides foundational GDPR knowledge, actionable CNIL compliance requirements, and a concrete code-audit checklist for auditing data-protection compliance in French companies. Reference this alongside the gdpr-specialist agent when reviewing code or building data-processing features.
Jurisdiction: France (EU member state); primary authority = CNIL (Commission Nationale de l'Informatique et des Libertés). Supplementary French law: Loi n°2018-493 (Code de la Protection des Données Personnelles); French Penal Code (Art. 226-16 to 226-24).
Legal Disclaimer: This is informational guidance, not legal advice. For jurisdiction-specific requirements or contested interpretations, consult a DPO, legal counsel, or CNIL (Phone: +33 1 53 73 22 22; Web: https://www.cnil.fr/).
1. Applicability
GDPR applies to:
Any organization (any size, any industry) established in France/EU OR targeting EU residents
Processing of both computerized AND paper data
Any personal data (Art. 4(1)): any information relating to an identified or identifiable natural person
French Supplementary Law:
Loi Informatique et Libertés (Art. 82 onwards): cookie/tracker consent rules (stricter than GDPR baseline)
French Penal Code (Art. 226-16 to 226-24): criminal penalties for unauthorized processing, failure to inform, misuse of personal data
Marketing emails, non-essential cookies, secondary data use
YES — must be freely given, informed, unambiguous
Must be explicit affirmative action; inaction/scrolling is NOT consent
Contract (Art. 6(1)(b))
Processing necessary to perform a contract
User email for order fulfillment, payment processing, account management
NO (if truly necessary for contract performance)
Must be objectively necessary, not just convenient
Legal Obligation (Art. 6(1)(c))
Law requires processing
Tax records (7 years), payroll (per employment law), anti-money-laundering checks
NO
Document the legal requirement (Art. reference, law name)
Vital Interest (Art. 6(1)(d))
Protect someone's life or physical safety
Emergency contact during health crisis, lifeguard rescue coordination
NO (but rare in commercial context)
Narrowest basis; only when life/safety at immediate risk
Public Task (Art. 6(1)(e))
Government/public authority processing
Census, public health records
NO (if you are a public body)
Not applicable to private commercial entities
Legitimate Interest (Art. 6(1)(f))
Balancing test: your interest vs. subject's rights (only if contract/consent/obligation don't apply)
Fraud detection, direct marketing (with objection right), internal analytics, server security logs
Objection right required; may need consent in some cases (see EDPB 1/2024)
Most legally contested basis. Mandatory: document balancing test (LIA) showing (1) legitimate interest, (2) necessity, (3) balancing = your interest does not override data subject's rights/freedoms. EDPB Guidelines 1/2024
Timeline: Respond within 1 MONTH of receipt; extendable by 2 further MONTHS for complexity or volume, BUT must inform the data subject of the extension + reasons within the initial 1 month. [Art. 12(3)]
Right
What They Get
Code Implementation
Timeline
Access (Art. 15)
Copy of their data; structured, machine-readable format (CSV/JSON/XML); logic/consequences of automated decisions
GET /api/v1/subject/data → JSON export; includes profile, activity logs, inferred categories/scores; no derived data (profiling) unless necessary
1 month (extendable +2)
Rectification (Art. 16)
Correct inaccurate/incomplete data
PATCH /api/v1/subject/data/{field} → update name, email, address; audit log the change; notify 3rd parties if shared
1 month
Erasure/"Right to be Forgotten" (Art. 17)
Delete when: no longer needed, consent withdrawn, unlawful processing, legal obligation, child's data
DELETE /api/v1/subject/data → soft-delete + archive for retention period; anonymize logs; hard-delete after retention expires
1 month
Portability (Art. 20)
Data in structured, commonly-used, machine-readable format (CSV/JSON/XML); automated processing only (not derived/inferred); direct controller-to-controller transfer where technically feasible
GET /api/v1/subject/export → include all user-declared data + activity-generated data; exclude derived profiling; support direct transfer API if recipient available
1 month
Objection (Art. 21)
Opt-out of legitimate-interest processing (solicitation, profiling, direct marketing); can withdraw consent to entire processing
POST /api/v1/subject/object → unchecked opt-in checkbox on profile; flag in DB; stop processing; notify 3rd parties
1 month
Restrict Processing (Art. 18)
Mark data "restricted" — no processing except storage/legal claims while accuracy/lawfulness disputed
POST /api/v1/subject/restrict → flag in DB; stop automated processing; resume on resolution
Companies <250 employees: only if processing is non-occasional (payroll, customer management) OR risky (geolocation, video surveillance) OR involves sensitive/criminal data
Companies ≥250 employees: always mandatory
All processors must keep one too
Keep a ROPA.md or ropa.json in your repo documenting each processing activity:
{"processing_activities":[{"name":"Customer CRM","legal_basis":"Contract (Art. 6(1)(b))","data_categories":["name","email","phone","company"],"data_subject_categories":["customers","prospects"],"purposes":["order fulfillment","customer service"],"retention":"3 years after last order","security_measures":"TLS in-transit; AES-256 at-rest; access logs; MFA on admin console","recipients":["internal sales team","payment processor (Stripe — DPA signed 2025-01-15)"],"non_eu_transfers":"Stripe (US) — SCCs in place (v2021-03); supplementary measures: encryption; legal analysis: https://stripe.com/docs/security/legal"}]}
9. Data Protection Officer (DPO) Appointment (Art. 37)
Notify CNIL (France's supervisory authority) without undue delay and, where feasible, not later than 72 HOURS after the controller becomes aware
Exception: If breach is unlikely to result in a risk to rights/freedoms, notification NOT required
If notifying AFTER 72h: Must state reasons for the delay
"Aware" = reasonable degree of certainty a security incident occurred leading to personal data compromise. Short investigation before certainty is allowed, but wilful blindness/no detection measures cannot defer awareness. [EDPB Guidelines 09/2022]
DATA SUBJECT NOTIFICATION (Art. 34(1)):
Communicate to affected data subjects without undue delay ONLY IF breach likely = HIGH RISK (higher threshold than authority notification)
HIGH RISK examples: financial loss, identity theft, discrimination, loss of control, reputational harm, physical harm
Exemptions (Art. 34(3)):
Data encrypted/unintelligible (cannot be read by unauthorized party)
Mitigating measures taken that reduce risk
Disproportionate effort (then CNIL may compel public communication instead, Art. 34(4))
Notification Content (Art. 33(3))
Minimum required in CNIL notification:
(a) Nature of breach incl. categories of data subjects + approximate number of subjects/records affected
(b) DPO/contact point name + contact info
(c) Likely consequences
(d) Measures taken/proposed to mitigate
Runbook / Checklist
## Breach Incident Response**Phase 1: Detect & Contain** (hours 0-4)
- [ ] Intrusion Detection System (IDS) / monitoring alerts
- [ ] Immediate containment (isolate affected system; block unauthorized access)
- [ ] Preserve evidence (logs, forensics)
**Phase 2: Investigate** (hours 4-48)
- [ ] Determine what happened (data exfiltration? unauthorized access? loss?)
- [ ] Determine which data categories affected
- [ ] Estimate number of data subjects affected
- [ ] Root cause analysis
- [ ] Risk assessment (is there HIGH risk to subjects?)
**Phase 3: Notify CNIL** (within 72 hours of awareness)
- [ ] If HIGH RISK → prepare CNIL notification
- [ ] Include: (a) nature + categories, (b) DPO contact, (c) consequences, (d) mitigation measures
- [ ] Submit via https://www.cnil.fr/ (online form for incident reporting)
- [ ] If breaching 72h deadline → document reasons for delay
**Phase 4: Notify Data Subjects** (within 72h if HIGH RISK)
- [ ] If risk is HIGH → send email/SMS to all affected subjects
- [ ] Include: what happened, which data affected, mitigation measures, subjects' rights
- [ ] Keep proof of notification (timestamp, recipient list)
**Phase 5: Post-Incident** (days 3-30)
- [ ] Root cause remediation
- [ ] Security patch deployment
- [ ] Breach registry entry (for audit trail & future CNIL requests)
- [ ] Communication to stakeholders (legal, exec, insurance)
15. Data Retention Durations (CNIL Guidance + French Law)
Sensitive Categories (Art. 9): Consent/legal basis verified for racial/ethnic, political, religious, union, sexual orientation, genetic, biometric, health data
Encryption at Rest: Sensitive columns encrypted (pgcrypto, field-level, or transparent DB encryption)
Retention Policy: TTL/deletion dates defined in schema comments; automated cleanup jobs running
Access Control: Row-level security (RLS) for PII; role-based column access
Audit Logging: Who accessed/modified PII? When? Logged with user ID, timestamp, action
Infrastructure & Stack
Data Residency: Document where data is stored geographically (EU? US? China?)
Cross-Border Transfers: If non-EU: SCC/DPF documented; supplementary measures defined
Processor/Vendor DPAs: Cloud provider, payment processor, analytics → DPA signed
This skill provides informational guidance based on GDPR articles, EDPB guidelines, and CNIL interpretations. It is NOT legal advice. Data protection law is jurisdiction-specific, complex, and rapidly evolving. For your specific situation:
Consult a DPO (Data Protection Officer) or qualified privacy counsel