GDPR Audit Guide — Complete CNIL-Ready Documentation
Everything you need to prepare for a GDPR audit: the seven key principles, your Article 30 registry, data subject rights, DPIAs, and a complete CNIL preparation checklist.
GDPR: The Foundation of EU Data Protection
The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, has been the cornerstone of European data protection law since May 25, 2018. It replaced the 1995 Data Protection Directive and established a unified framework across all EU member states. In France, the CNIL (Commission Nationale de l'Informatique et des Libertés) is the supervisory authority responsible for enforcement.
GDPR applies to any organization that processes personal data of individuals in the EU, regardless of where the organization is established. "Personal data" means any information relating to an identified or identifiable natural person: names, email addresses, IP addresses, cookie identifiers, location data, and even pseudonymized data if re-identification is possible.
Since 2018, EU data protection authorities have imposed over EUR 4.5 billion in fines. The CNIL alone has issued fines totaling over EUR 700 million, including landmark decisions against Google (EUR 150 million for cookie consent violations in 2022), Meta (EUR 405 million for children's data processing in 2023), and Criteo (EUR 40 million in 2023).
The Seven Key Principles (Article 5)
Article 5 establishes the foundational principles that govern all personal data processing. Every decision about data collection, storage, and use must align with these principles, and you must be able to demonstrate compliance (the accountability principle).
1. Lawfulness, Fairness, and Transparency
Personal data must be processed lawfully (under one of the six legal bases in Article 6), fairly (no deception or unexpected use), and transparently (clear, plain-language information provided to data subjects). The six legal bases are: consent, contract performance, legal obligation, vital interests, public task, and legitimate interests.
In practice: Maintain a privacy notice that explains in clear language what data you collect, why, under which legal basis, how long you keep it, and who you share it with. Avoid legal jargon. The CNIL requires that privacy information be accessible in no more than two clicks from any page.
2. Purpose Limitation
Data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes. You cannot collect data for "analytics" and then use it for "targeted advertising" without a separate legal basis.
In practice: Document every processing purpose in your Article 30 registry. When you want to use existing data for a new purpose, conduct a compatibility assessment (Article 6(4)) or obtain fresh consent.
3. Data Minimization
Only collect personal data that is adequate, relevant, and limited to what is necessary for the stated purpose. If you do not need a date of birth to provide your service, do not collect it.
In practice: Audit your forms and databases. Remove fields that are not strictly necessary. Challenge every data point: "Do we need this? What happens if we do not collect it?" The CNIL specifically flags excessive data collection in audit findings.
4. Accuracy
Personal data must be accurate and kept up to date. Inaccurate data must be erased or rectified without delay. This principle becomes critical when data is used for automated decision-making or shared with third parties.
In practice: Provide easy mechanisms for users to update their data. Implement data quality checks. When notified of inaccuracies, correct the data within the timeframes required by Articles 16 and 19.
5. Storage Limitation
Personal data must be kept in a form that permits identification of data subjects for no longer than necessary for the stated purpose. Define retention periods for every category of data and enforce them.
In practice: Create a data retention policy with specific periods for each data category. Implement automated deletion or anonymization processes. The CNIL publishes sector-specific retention guidelines (e.g., 3 years after last contact for commercial prospecting, duration of contract plus legal retention periods for customer data).
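The automated deletion or anonymization step described above, as an added example (not code from this guide or from WarDek). It runs against a constructed SQLite table of contacts; the 3-year period for prospects is the CNIL figure quoted above, while the customer period is an assumed placeholder because the page gives no number for it. Expired rows are anonymized in place (identifying columns cleared, category and date kept) rather than hashed, since a hash of an e-mail address is still re-identifiable.

```python
"""Retention enforcement for the storage-limitation principle (added example)."""
import sqlite3
from datetime import date, timedelta

# Retention periods per data category. "prospect" follows the CNIL guideline quoted
# above (3 years after last contact). "customer" is an ASSUMED placeholder: the page
# only says "contract plus legal retention", so take the real value from your policy.
RETENTION_PERIODS = {
    "prospect": timedelta(days=3 * 365),
    "customer": timedelta(days=5 * 365),  # assumed placeholder value
}


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data: contacts with a category and a last-contact date."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE contacts (id INTEGER PRIMARY KEY, category TEXT, email TEXT, "
        "name TEXT, last_contact TEXT, anonymized_at TEXT)"
    )
    conn.executemany(
        "INSERT INTO contacts (id, category, email, name, last_contact) VALUES (?, ?, ?, ?, ?)",
        [
            (1, "prospect", "a.martin@example.com", "A. Martin", "2020-01-15"),  # past 3 years
            (2, "prospect", "b.durand@example.com", "B. Durand", "2024-03-02"),  # recent
            (3, "customer", "c.leroy@example.com", "C. Leroy", "2018-06-30"),    # past placeholder
            (4, "customer", "d.petit@example.com", "D. Petit", "2023-11-11"),    # recent
        ],
    )
    conn.commit()
    return conn


def expired_ids(conn: sqlite3.Connection, today: date) -> list:
    """Ids of still-identifiable rows whose retention period has elapsed."""
    ids = []
    for row_id, category, last_contact in conn.execute(
        "SELECT id, category, last_contact FROM contacts WHERE anonymized_at IS NULL"
    ):
        period = RETENTION_PERIODS.get(category)
        if period is None:
            # Unknown category: never touch it silently; it belongs in a review queue.
            continue
        if date.fromisoformat(last_contact) + period < today:
            ids.append(row_id)
    return ids


def anonymize(conn: sqlite3.Connection, ids: list, today: date) -> int:
    """Clear the identifying columns of the given rows; returns rows changed."""
    if not ids:
        return 0
    placeholders = ",".join("?" * len(ids))
    cur = conn.execute(
        f"UPDATE contacts SET email = NULL, name = NULL, anonymized_at = ? "
        f"WHERE id IN ({placeholders})",
        [today.isoformat(), *ids],
    )
    conn.commit()
    return cur.rowcount


def enforce_retention(conn: sqlite3.Connection, today: date) -> list:
    """One scheduled run: find expired rows, anonymize them, return their ids for the audit log."""
    ids = expired_ids(conn, today)
    anonymize(conn, ids, today)
    return ids


if __name__ == "__main__":
    db = build_sample_db()
    print("anonymized ids:", enforce_retention(db, date(2024, 6, 1)))
```

Schedule `enforce_retention` daily and keep its returned ids in the retention log: the run itself is evidence for the accountability principle, and a second run on the same day returns nothing because anonymized rows are excluded.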
6. Integrity and Confidentiality (Security)
Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage. This requires "appropriate technical and organisational measures."
In practice: Implement encryption (TLS for transit, AES-256 for storage), access controls (RBAC, MFA), regular security audits, and incident response procedures. The CNIL evaluates security measures during audits and has fined organizations for inadequate password hashing, unencrypted databases, and missing access controls.
7. Accountability
The controller must be able to demonstrate compliance with all of the above principles. This is not just about being compliant; it is about being able to prove it. Documentation is everything.
In practice: Maintain the Article 30 processing registry, document DPIAs, keep records of consent, log data subject requests and responses, document security measures, and retain audit trails. If you cannot demonstrate it, the CNIL considers it non-compliant.
Article 30 Processing Registry
The processing registry is the single most important GDPR document. It is the first thing the CNIL requests during any audit. Article 30 requires both data controllers and data processors to maintain written records of their processing activities.
For each processing activity, the registry must include:
- Name and contact details of the controller (and DPO if applicable)
- Purposes of the processing
- Categories of data subjects (customers, employees, visitors, etc.)
- Categories of personal data (identity, contact, financial, behavioral, etc.)
- Categories of recipients (internal departments, subprocessors, public authorities)
- Transfers to third countries and the safeguards applied (SCCs, adequacy decisions)
- Retention periods for each data category
- A general description of technical and organizational security measures
Organizations with fewer than 250 employees are exempt only if their processing is occasional, does not include sensitive data, and is unlikely to result in a risk to rights and freedoms. In practice, virtually every organization that processes customer data on a website must maintain a registry.
Data Protection Impact Assessment (DPIA) — Article 35
A DPIA is required when processing is "likely to result in a high risk to the rights and freedoms of natural persons." The CNIL has published a list of processing operations that require a DPIA, including:
- Large-scale processing of sensitive data (health, biometric, genetic data)
- Systematic monitoring of publicly accessible areas (CCTV, tracking)
- Automated decision-making with legal or similarly significant effects (credit scoring, recruitment filtering)
- Cross-referencing or combining datasets from different sources
- Processing data of vulnerable persons (children, patients, employees)
- Innovative use of new technologies (AI, IoT, biometrics)
- Large-scale profiling
- Processing that prevents data subjects from exercising a right or using a service
A DPIA must contain: a systematic description of the processing operations and purposes, an assessment of necessity and proportionality, an assessment of risks to rights and freedoms of data subjects, and the measures envisaged to address those risks. The CNIL provides a free tool (PIA software) to conduct DPIAs.
Data Subject Rights (Articles 15-22)
GDPR grants eight rights to data subjects. You must be able to respond to requests within one month (extendable to three months for complex requests), free of charge.
Right of Access (Article 15)
Data subjects can request confirmation of whether their personal data is being processed and, if so, access to the data and supplementary information (purposes, categories, recipients, retention periods, source of data). You must provide a copy of the data in a commonly used electronic format.
Right to Rectification (Article 16)
Data subjects can request correction of inaccurate personal data or completion of incomplete data. You must rectify the data without undue delay and inform any recipients to whom the data was disclosed.
Right to Erasure (Article 17)
Also known as the "right to be forgotten." Data subjects can request deletion of their data when: the data is no longer necessary, consent is withdrawn, they object to processing, the data was unlawfully processed, or deletion is required by law. Exceptions apply for legal obligations, public interest, and legal claims.
Right to Restriction of Processing (Article 18)
Data subjects can request that processing be restricted (data stored but not used) while accuracy is contested, processing is unlawful, or they have objected to processing pending verification.
Right to Data Portability (Article 20)
Data subjects can request their personal data in a structured, commonly used, machine-readable format (JSON, CSV) and have it transmitted directly to another controller where technically feasible. This applies only to data provided by the data subject and processed by automated means based on consent or contract.
Right to Object (Article 21)
Data subjects can object to processing based on legitimate interests or public task, including profiling. For direct marketing purposes, the right to object is absolute — no balancing test is required.
Right Not to Be Subject to Automated Decision-Making (Article 22)
Data subjects have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects. Exceptions exist for contract performance, legal authorization, and explicit consent, but safeguards (human intervention, right to contest) must be in place.
Right to Be Informed (Articles 13-14)
The foundation of transparency: data subjects must be informed at the time of data collection about the identity of the controller, purposes, legal basis, recipients, retention periods, their rights, and whether data provision is a statutory or contractual requirement.
Common GDPR Violations and Fines
The most frequently sanctioned violations by the CNIL include:
- Non-compliant cookie consent (EUR 150M Google, EUR 60M Facebook, 2022): Consent must be as easy to refuse as to accept. Pre-checked boxes and dark patterns are prohibited.
- Inadequate legal basis for processing (EUR 405M Meta, 2023): Using "contract performance" as a legal basis for behavioral advertising was rejected.
- Insufficient security measures (EUR 1.5M Dedalus Biologie, 2022): Storing passwords in cleartext, inadequate access controls, and missing encryption are common findings.
- Excessive data retention (EUR 800K Carrefour, 2020): Retaining customer data for 4+ years after the last interaction violated storage limitation.
- Failure to respond to data subject requests (numerous smaller fines): Not responding within the one-month deadline triggers enforcement action.
- Inadequate data breach notification (Article 33): Failure to notify the CNIL within 72 hours of becoming aware of a personal data breach.
Technical Compliance Measures
The CNIL evaluates technical security measures as part of the "integrity and confidentiality" principle. Key technical requirements include:
- Encryption in transit: TLS 1.2 minimum (TLS 1.3 recommended) for all connections. HSTS header with minimum 12-month max-age.
- Encryption at rest: AES-256 for databases containing personal data. Key management procedures documented.
- Password security: bcrypt, scrypt, or Argon2 hashing. Minimum 12 characters. Account lockout after failed attempts. The CNIL published updated password guidelines in 2022 (Deliberation 2022-100).
- Access control: Role-based access control (RBAC). Least privilege principle. MFA for administrative access. Regular access reviews.
- Logging: Authentication events, access to personal data, data modifications. Log retention aligned with security needs (minimum 6 months). No PII in logs.
- Data breach detection: Intrusion detection systems. Anomaly detection. 72-hour notification capability. Breach response procedure.
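Four of the technical requirements in the list above, turned into checks you can run in a CI job or a pre-audit review, as an added example (not code from this guide or from WarDek). The thresholds are the page's (TLS 1.2 floor, 12-month HSTS max-age, 12-character passwords, no PII in logs); the function names, the scrypt cost parameters and the stored-hash layout are my own assumptions, and scrypt is used because it is one of the page's accepted algorithms and ships in the standard library.

```python
"""Checks for the CNIL technical measures: TLS floor, HSTS, password hashing, PII-free logs."""
import hashlib
import hmac
import os
import re
import ssl
from typing import Optional

MIN_HSTS_MAX_AGE = 365 * 24 * 3600  # page: "minimum 12-month max-age"; assumes 12 months = 365 days
MIN_PASSWORD_LENGTH = 12            # page: "Minimum 12 characters"
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # assumed cost parameters (16 MiB per hash)


def make_client_context() -> ssl.SSLContext:
    """Outbound TLS context that refuses anything below TLS 1.2 (page: TLS 1.2 minimum)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def check_hsts(header_value: str) -> dict:
    """Parse a Strict-Transport-Security value and test max-age against the 12-month floor."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            directives[name.strip().lower()] = value.strip().strip('"')
    try:
        max_age = int(directives.get("max-age", "-1"))
    except ValueError:
        max_age = -1  # malformed value: treat as absent
    return {
        "max_age": max_age,
        "include_subdomains": "includesubdomains" in directives,
        "ok": max_age >= MIN_HSTS_MAX_AGE,
    }


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Enforce the length policy, then hash with scrypt and a random 16-byte salt.

    The 'scrypt$N$r$p$salt_hex$hash_hex' layout is my own, not a standard encoding."""
    if len(password) < MIN_PASSWORD_LENGTH:
        raise ValueError(f"password must be at least {MIN_PASSWORD_LENGTH} characters")
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, password: str) -> bool:
    """Recompute with the parameters stored beside the hash; constant-time compare."""
    try:
        scheme, n, r, p, salt_hex, hash_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                                n=int(n), r=int(r), p=int(p), dklen=32)
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(digest.hex(), hash_hex)


# Page: "No PII in logs". Mask e-mail and IPv4 values before the line reaches the log sink.
_EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def redact_pii(line: str) -> str:
    """Return the log line with e-mail addresses and IPv4 addresses replaced by fixed tokens."""
    return _IPV4_RE.sub("[ip]", _EMAIL_RE.sub("[email]", line))


if __name__ == "__main__":
    print(check_hsts("max-age=31536000; includeSubDomains"))
    print(redact_pii("2024-05-01 login ok user=alice@example.com ip=203.0.113.7"))  # constructed line
```

Wire `redact_pii` into the logging formatter rather than calling it at each log site, so a forgotten call cannot leak an address; `check_hsts` can be pointed at the header your own site returns to catch a max-age that was lowered during a migration.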
Getting Started with GDPR Compliance
GDPR compliance is not a one-time project but an ongoing process. For organizations starting their compliance journey, the recommended approach is:
- Map your data: Identify what personal data you collect, where it is stored, who has access, and how long you keep it. This becomes your Article 30 registry.
- Assess your legal bases: For each processing activity, determine the legal basis. Consent requires special attention: it must be freely given, specific, informed, and unambiguous.
- Secure your data: Run a security audit to identify technical gaps: missing encryption, weak authentication, inadequate logging. Many of these can be detected automatically.
- Document everything: The accountability principle requires documentation. Create templates for privacy notices, DPAs, breach notifications, and data subject request responses.
CNIL Audit Preparation Checklist
The CNIL can conduct four types of audits: on-site inspections, online (remote technical) checks, document-based requests, and formal hearings. Here is what you need to have ready:
- Article 30 processing registry (complete, up-to-date)
- Privacy notices for all collection points (website, forms, apps)
- Cookie consent mechanism (compliant with CNIL guidelines)
- Data subject rights request procedure and response log
- Data Processing Agreements (DPAs) with all processors
- Data breach notification procedure and breach log
- DPIAs for high-risk processing activities
- Retention policy with defined periods per data category
- Security measures documentation (technical and organizational)
- DPO designation letter and contact information (if applicable)
- International transfer safeguards (SCCs, adequacy decisions)
- Employee awareness training records
Audit Your GDPR Technical Compliance
WarDek checks your website for GDPR technical compliance: encryption, cookie consent, security headers, and data protection measures. Generate your compliance report instantly.