Data Protection in France: Legal Framework, Specific Features, and Practical Implications for German Companies
- Marie-Avril Roux Steinkühler

- Apr 14

German companies that expand their operations into France or offer their services to French users encounter a data protection system there that is structured quite differently, despite the identical starting point under EU law. These differences lie less in substantive law than in institutional design, the depth of regulatory oversight, and the normative environment. In addition to the “Règlement Général sur la Protection des Données” (RGPD, the French translation of the GDPR), national implementing laws and well-established regulatory practices define the French data protection framework[1]. German companies should be aware of these particularities in order to reliably avoid compliance and reputational risks.
I. The CNIL as the Central and Norm-Setting Supervisory Authority
The Commission nationale de l'informatique et des libertés (CNIL) is the oldest data protection supervisory authority in Europe and functions as the central state supervisory body. As an “autorité administrative indépendante” (independent administrative authority), it is functionally completely independent and is subject to neither political nor ministerial directives. Its distinctive feature lies in the fact that, unlike the system in Germany—which is fragmented due to federalism into state supervisory bodies and the Federal Data Protection Commissioner—it sets a uniform technical standard that applies to all data-processing entities in France.
The CNIL combines regulatory advice with intensive supervisory activities. It informs data controllers and data subjects about their rights and obligations, publishes detailed technical and organizational recommendations, and contributes to legislation through statements. It also certifies certain procedures or systems upon request.
In addition to these advisory powers, it possesses extensive supervisory powers: it conducts both ad hoc and thematic audits, handles complaints, and initiates formal sanction proceedings. The guidelines issued in recent years—such as a guide to information security[2], recommendations on multi-factor authentication[3], or other sector-specific processing activities such as those in the pharmacy sector[4]—represent a de facto concretization of the legal requirements and are considered a binding standard for proper data processing in French oversight.
This has significant practical consequences for German companies, as they encounter a coherent, rigorously enforced, and technically sophisticated supervisory framework in France. This framework is not only based on the GDPR and the “Informatique et Libertés” Act but is also significantly shaped by the CNIL’s numerous publications and sanctioning practices. In contrast to the German enforcement model, in which different state supervisory authorities set different priorities and the frequency of inspections may vary, French supervision is uniform, centralized, and demonstrably stricter in its enforcement. Companies must therefore assume that compliance deficiencies in France are significantly more likely to be identified and sanctioned. The CNIL thus operates a clearly structured and consistently applied regulatory framework that requires careful preparation and adaptation of a company’s own data protection organization.
II. Substantive Legal Features of the French Interpretation
The practical implementation of data protection law in France exhibits several substantive peculiarities that stem less from divergent legal norms than from the detailed and technically oriented interpretation by the CNIL. These peculiarities pertain in particular to three thematic areas that play a prominent role in French supervisory and sanctioning practice and will be used as examples here.
These are, namely, the requirements for transparency and fair data collection (1), the strict standards for data minimization and storage limitation (2), and, in practical implementation, the heightened focus on IT security standards (3).
1. Transparency and Fair Collection
France places particular emphasis on “loyauté” (good faith). The CNIL interprets Art. 5 of the GDPR such that personal data should generally be collected directly from the data subject. Indirect collection methods, such as purchasing or merging data, are considered problematic. They are not prohibited but are strictly regulated. The data subject must be informed within one month at the latest, and immediately upon initial contact[5].
2. Data minimization, purpose limitation, and storage limitation
The CNIL interprets Article 5(1)(c) and (e) of the GDPR restrictively. It requires that data collection be limited to what is strictly necessary. Retention periods must be specifically defined and documented. In 2020, the CNIL published guidelines[6] on retention periods, which serve as a reference in enforcement. These requirements have a direct impact on typical business practices such as registration forms, marketing activities, customer data management, or video surveillance.
The handling of cookies and similar tracking technologies is also particularly relevant in practice in France. Individual cookies or categories of cookies must be presented transparently. It is generally insufficient to refer broadly to “marketing” or “analytics” cookies. Rather, the purpose, functionality, and, where applicable, the respective storage or retention period must be specified in a way that is traceable and understandable to the user.
Special attention is paid to cookies that are not strictly technically necessary but serve purposes such as audience measurement, profiling, or personalized advertising. Such cookies are subject to stricter requirements because they are typically not necessary for the operation of the service. A strict classification within the framework of data protection law’s admissibility requirements is then necessary. Companies that adopt their cookie banners or consent management solutions from the German market should therefore verify whether they comply with this French concept of the transparency obligation.
III. Conclusion
France has a mature, coherently structured, and technically oriented data protection system that is characterized by significantly greater centralization and depth of interpretation than the German model. For German companies, this means that the challenges arise less from differing substantive requirements and more from the specific enforcement culture: The CNIL consistently monitors compliance, sets uniform standards, and translates the GDPR into a manageable yet demanding regulatory framework through comprehensive guidelines and established administrative practices. Those who align their data collection and retention limits with the CNIL’s requirements—particularly regarding transparency obligations, retention limits, and cookie regulations—not only reduce the risk of regulatory action but also strengthen their overall compliance in the European market. For companies based in Germany that are expanding into France or providing digital services there, a careful and context-specific implementation of French data protection law is therefore not optional, but a strategic success factor.
Our law firm MARS-IP would be happy to advise you on these matters at contact@mars-ip.eu.
[1] Central at the national level, in addition to the RGPD, are the Loi n° 78-17 « Informatique et Libertés », its reform laws, and the accompanying décrets (regulations).
[2] Guide sur la sécurité des systèmes d’information (March 2024)
[5] The CNIL refers to the guidelines of the Article 29 Working Party (G29) on data protection, para. 27
[6] Guide pratique « Les durées de conservation » (July 2020)