Open navigation
Search
Search
All expertise
Explore our breadth of expertise.
Sectors View all
Practice Areas View all
Offices
Discover the scope of our presence in the jurisdiction.
Global Reach
Learn about our capabilities beyond borders.
CMS North Macedonia
All insights
Leverage our expert analysis, intelligence and thought leadership for your strategic advantage.
Personalised updates
Receive tailored insights and intelligence that apply directly to your business.
Topics in focus View all
Insights by type
CMS News
Stay up to date with our growth, evolution and our many successes.
Contact us
For all general enquiries.
About CMS
CMS Careers

Select your region

International Europe Africa Asia-Pacific The Americas Middle East
Back to main
Publication

GDPR Enforcement in France

Deep dive into relevant data protection enforcement cases and insights from France

21 May 2026 North Macedonia 9 min read

On this page

    Main takeaways

    Cookies and other trackers: rules that can no longer be ignored.
    Simplified sanction proceedings: repeated breaches will be penalised.
    A total fine amount 8 times higher than in 2024, for almost the same number of sanctions.
    Information and transparency: hot topic for 2026.
    Limited transparency regarding the publication of fines (however, there is an annual report with aggregated figures).
    Fines > Damages: Focus on fines, limited litigation.

    Fining practice

    Trend: Have the national data protection authorities in France focused on certain types of non-compliance... Do you see a focus on certain industries/sectors? If so, which ones?

    The French data protection authority (the “Commission nationale de l’informatique et des libertés” or the “CNIL”) focuses part of its investigations on certain specific sectors and themes.

    For 2025, the CNIL’s enforcement actions focused on data collected through mobile applications, cybersecurity measures taken by local authorities, data processing by the prison administration and data subjects’ right to erasure.

    In 2026, the CNIL announced that its enforcement actions will focus on:

    1. Recruitment,
    2. The Single Electoral Register (SER),
    3. Sports federations,
    4. Information and transparency
      (This topic forms part of the “theme for 2026” announced by the EDPS, which focuses on “compliance with the transparency and information obligations laid down in the General Data Protection Regulation”).

    In past years, the enforcement actions performed by the CNIL and its sanctions have mostly concerned the following sectors/areas: Advertising and e-commerce, security, vehicle geolocation, employee rights and health data processing.

    In 2025:

    • 83 sanctions were imposed by the CNIL, for a total of EUR 486,839,500. Among these 83 sanctions: 78 of these were fines (including 27 accompanied by injunctions subject to a daily penalty); 10 of these decisions have been made public; and 4 decisions were published in cooperation with the CNIL’s European counterparts.
    • 143 formal notices have been issued by the CNIL. These formal notices also concerned a variety of sectors and issues, which overlap with those addressed in sanction procedures, such as the child welfare sector, political sector, CCTV monitoring of employees and e-commerce (commercial solicitation and websites that allowed cookies and other trackers to be saved without obtaining users’ consent) and sub-processors’ obligations. The CNIL also emphasises that several mobile apps and online games, a significant proportion of whose users are minors, have been served with formal notices to tighten age verification procedures and improve transparency in order to better protect minors’ data.

    The year 2025 presented a similar picture to previous years in terms of the simplified sanction procedure. 67 sanctions were issued (69 in 2024), on the grounds of:

    1. failure to cooperate with the CNIL, affecting 14 organisations – including companies and independent professionals — that failed to respond to the authority’s requests,
    2. non-compliance with data subjects’ rights, with 14 decisions addressing failures to honour requests for data erasure, opposition or access,
    3. inappropriate security level, affecting 14 organisations that had not implemented all the necessary measures to ensure data security and confidentiality,
    4. non-compliance with commercial and political solicitations, with 10 decisions addressing failure to justify their legal basis.

    Overall, what was the most significant fine in [Country] to date (recipient, amount, violation, sector, short summary)? Has it been challenged in court?

    The highest GDPR fine in France to date was imposed on GOOGLE LLC and GOOGLE IRELAND LIMITED on 1 September 2025 for a total amount of EUR 325 million (EUR 200 million on GOOGLE LLC and EUR 125 million on GOOGLE IRELAND LIMITED).

    The CNIL found that within the Gmail email service, advertisements in the form of emails were displayed among the emails in the “Promotions” and “Social” tabs. According to the CNIL, the display of such advertisements required the consent of Gmail users. The CNIL also considered that, when creating a Google account, users were encouraged to select trackers linked to the display of personalised adverts, to the detriment of those linked to the display of generic adverts, and that they are not clearly informed that access to Google’s services is conditional upon the placement of trackers for advertising purposes. Their consent was therefore considered by the CNIL to be not valid.

    Organisation of authorities and course of fine proceedings in France

    Place De La Bourse and colourful sky in Bordeaux, France

    How is the data protection authority organised in France? Budget, staff, assignment to a ministry?

    The CNIL is an independent administrative authority; it does not report to the government nor to a specific ministry. It is composed of 298 staff members and a college of 18 members, composed of:

    • 4 members of parliament (2 deputies, 2 senators).
    • 2 members of the Economic, Social and Environmental Council.
    • 6 representatives of the highest courts (2 Counsels from the Conseil d’Etat, 2 Counsels from the Cour de Cassation, 2 Counsels from the Cour des Comptes).
    • 5 qualified persons appointed by the President of the National Assembly (1 person), the President of the Senate (1 person) and the Council of Ministers (3 persons).
    • The President of the CADA (Commission for Access to Administrative Documents).

    The CNIL has an annual budget of EUR 28 million.

    How does a fine procedure work in France? Can the authority impose fines itself? Procedural steps? Legal remedies?

    • Fines may be directly imposed by the CNIL as part of administrative proceedings.
    • Following inspections or complaints, in the event of non-compliance with the provisions of the GDPR or the French Data Protection Act, the CNIL may impose sanctions on companies which do not comply with these legal provisions.
    • The CNIL may impose a fine without providing a prior notice on compliance.
    • If the CNIL decides to initiate fine proceedings following audits or inspections, the company will be notified to this effect. Any report proposing that an enforcement measure be imposed will be sent to the company and the latter may submit its observations to the CNIL.
    • The fines may be made public or not.
    • Companies are able to appeal decisions to the Council of State (Conseil d’Etat) within two months following the notification date for the decision made by the CNIL.

    The CNIL also carries out enforcement actions via its simplified sanction proceedings for cases of lower complexity. The maximum amount of a penalty imposed under this procedure is EUR 20,000. The fines imposed to date range between EUR 5,000 and EUR 20,000, half of which were imposed for injunctions under penalty (i.e. financial penalties for late compliance). They target various actors (for example, a university and doctors). They also deal with a variety of issues and concern the use of administrative files for political communication purposes, video surveillance of employees, disregard of data subject’s rights or failure to cooperate with the CNIL.

    When fines are imposed: Where does the money go? (state treasury / authority budget / other)

    The CNIL does not collect fine amounts; these are paid directly into the state treasury.

    Is there an official calculation methodology for fines in France?

    There is no common official calculation methodology for fines. Fines are calculated in light of the criteria mentioned in Article 83 (5) and (6) GDPR.

    Can public authorities be fined in France? If yes: Where does this money go?

    Enforcement action may be taken against public authorities, but no administrative fines may be imposed for the processing of personal data carried out by the State.

    Does the authority publish information on individual fine cases (website/annual report)? Are companies identifiable?

    The CNIL does not publish all imposed fines pending proceedings or investigations. The CNIL decides, taking into consideration the facts and violations, whether or not to publish its decisions or enforcement actions.

    If no individual publication: aggregated figures? Provide annual figures from 2019 onwards (if available).

    Each year, the CNIL publishes an activity report in which it details all key numbers.

    For 2025:

    • The CNIL conducted 259 investigations.
    • The CNIL issued 83 penalties including 78 fines totalling EUR 486,839,500; 27 of which were associated with injunctions subject to financial penalty and 3 liquidations under penalty.
    • The CNIL issued 143 orders to comply.
    • The CNIL issued 2 reminders.

    For 2024:

    • The CNIL conducted 331 investigations.
    • The CNIL issued 87 penalties including 75 fines totalling EUR 55,212,400; 14 of which were associated with injunctions subject to financial penalty and 8 liquidations under penalty.
    • The CNIL issued 180 orders to comply.
    • The CNIL issued 4 reminders.

    For 2023:

    • The CNIL conducted 340 investigations.
    • The CNIL issued 42 penalties including 36 fines totalling EUR 89,179,500; 14 of which were associated with injunctions subject to financial penalty and 2 liquidations under penalty.
    • The CNIL issued 168 orders to comply.
    • The CNIL issued 4 reminders.

    For 2022:

    • The CNIL conducted 345 investigations.
    • The CNIL issued 21 penalties including 19 fines totalling EUR 101,277,900; 7 of which were associated with injunctions subject to financial penalty and 2 liquidations under penalty.
    • The CNIL issued 147 orders to comply.
    • The CNIL issued 29 reminders.

    For 2021:

    • The CNIL conducted 384 investigations.
    • The CNIL issued 18 penalties including 15 fines totalling EUR 214,106,000; 5 of which were associated with injunctions subject to financial penalty.
    • The CNIL issued 135 orders to comply, including 2 public notices.
    • The CNIL issued 45 reminders.

    For 2020:

    • The CNIL conducted 247 investigations.
    • The CNIL issued 14 penalties including 11 fines totalling EUR 138,489,300 and one injunction under penalty not associated with a fine.
    • The CNIL issued 49 orders to comply including 3 public notices and 4 in cooperation with other European data protection authorities.
    • The CNIL issued 38 reminders and 2 warnings, notably following complaints.

    For 2019:

    • The CNIL conducted 300 investigations.
    • The CNIL-restricted committee issued 8 penalties including 7 fines totalling EUR 51,370,000 and 5 injunctions.
    • The CNIL issued 42 orders to comply, including 2 public notices.
    • The CNIL issued 2 reminders and 2 warnings.

    The CNIL also provides aggregate sets of data (open data) on its activity including fines from earlier periods.

    Other legal consequences of non-compliance in France

    Does France have model declaratory proceedings/class actions in data protection law?

    Yes, several data subjects placed in similar situations and affected by damages resulting from a breach of data protection laws may file a complaint against the same data controller or data processor. A class action (“action de groupe”) may be filed before civil or administrative courts (Article 37 II of the French Data Protection Act).

    A class action can only be filed by:

    • associations that have been active in the field of privacy and data protection for at least five years,
    • accredited consumer associations that are representative at the national level;
    • trade unions.

    There have been very few class actions to date, most of these being against major tech companies.

    What is more relevant: fines from authorities or court proceedings (damages/injunctions)? Outlook for the coming 12 months?

    To date, fines from data protection authorities are much more prevalent than claims for damages or injunctions, which are very rare in practice.

    previous page

    20. GDPR Enforcement in Czech Republic

    next page

    22. GDPR Enforcement in Germany

    More insights
    GDPR

    Explore more

    Event North Macedonia

    IP Insights webinar series 2026

    03 Jun 2026
    Expert Guide International

    AI laws and regulation in North Macedonia

    2 min read
    Podcast North Macedonia

    CMS Employment Snack

    05 May 2026 1 min read
    Back to top Back to top
    Warning: Fraudulent emails and messages
    Find out more
    If you want to use third party tools, please enable personalisation cookies as part of your cookie preferences. You can change this setting at any time via the button below or in our Cookie Notice.