French companies operate under GDPR with French-specific implementation through the Loi Informatique et Libertés (as amended). The Commission Nationale de l’Informatique et des Libertés (CNIL) is the French data protection supervisory authority, and is among the most active enforcement bodies in the EU. For French tech companies, DPO appointment and the practical operation of privacy compliance have CNIL-specific considerations.
Engage Compliance provides DPO externe (external DPO) services for French companies under GDPR Article 37 and the French Data Protection Act, with CNIL registration. “DPO externe” is the dominant search term in France for this service, also referred to internationally as external DPO, virtual DPO, fractional DPO, or DPaaS. Legal standing under GDPR Article 37(6) is identical regardless of which term is used.
This page covers what French companies need to know about DPO requirements and how to engage one.
Key takeaways
- French companies operate under GDPR plus the Loi Informatique et Libertes, supervised by the CNIL.
- The CNIL is among the most active enforcement bodies in the EU.
- DPO appointment and operation carry CNIL-specific and language considerations.
- Engage acts as the external DPO for French companies.
Does a French company need a DPO
Under GDPR Article 37, DPO appointment is required in three circumstances:
- Processing carried out by a public authority or body.
- Core activities consisting of processing operations which require regular and systematic monitoring of data subjects on a large scale.
- Core activities consisting of processing on a large scale of special categories of data or personal data relating to criminal convictions.
For most French tech companies in SaaS, FinTech, HealthTech, and AdTech sectors, the second or third category typically applies as the company scales.
The CNIL has published guidance on DPO appointment that follows EDPB guidelines with French-specific emphasis on:
- Demonstrable expertise in EU and French data protection law.
- Independence from operational decision-making for processing.
- Direct reporting to the highest management level.
- Sufficient resources and access to senior management.
- Notification of DPO appointment to the CNIL through the online dedicated platform.
CNIL-specific considerations
The CNIL has been one of the most active GDPR enforcement authorities in Europe. Companies subject to CNIL jurisdiction face enforcement attention on specific topics:
- Cookie compliance. The CNIL has issued multiple high-profile fines for cookie banner failures, particularly dark patterns making reject options harder than accept options. Google, Facebook, Amazon, Microsoft, and TikTok have all been fined by the CNIL for cookie compliance.
- Marketing communications. The CNIL enforces both GDPR consent for marketing and the French-specific implementation of the ePrivacy Directive.
- Dark patterns. The CNIL has been a leader in identifying and enforcing against dark patterns in privacy interfaces.
- Employee monitoring. The CNIL has specific guidance on employee monitoring including video surveillance, productivity monitoring, and access controls. French labor law adds additional requirements beyond GDPR.
- AI use. The CNIL has issued AI-specific guidance and is actively engaging with AI use cases. The CNIL has been notably active in the development of EU AI Act implementation guidance.
- International transfers. The CNIL applies a strict interpretation of Schrems II requirements.
- Health data. France has French-specific rules on health data including the Hébergeur de Données de Santé (HDS) certification for health data hosting.
Notification to CNIL
DPO appointment must be notified to the CNIL. Notification is made through the CNIL’s online portal and includes:
- DPO name and contact details
- The qualifications of the DPO supporting the appointment
- The activities of the DPO within the organization
- Confirmation of the DPO’s independence and resources
The CNIL maintains a public register of designated DPOs accessible through its website.
Options for French companies
Option 1: Full-time in-house DPO. Fully loaded cost in France: €90,000 to €160,000 per year for senior privacy roles in Paris. Lower in regional French cities. Recruitment typically takes 3 to 6 months.
Option 2: Outsourced DPO. Cost: €500 to €7,500 per month depending on company size and complexity. Engagement typically starts within 1 to 2 weeks.
Option 3: Combined French plus broader EU DPO arrangement. French companies with EU operations beyond France often benefit from a DPO with broader EU expertise rather than France-only focus.
Option 4: EU Representative plus DPO for non-EU companies serving French markets. Non-EU companies offering services to French residents need both EU Representative and DPO functions.
Common French company privacy work
Privacy notices that comply with GDPR plus French-specific requirements including data retention obligations under French law.
Cookie banners that comply with CNIL guidance including equivalent reject and accept options, granular consent, and consent withdrawal as easy as granting.
Marketing communications compliance under both GDPR and French ePrivacy implementation including specific rules for B2B marketing.
Employee monitoring compliance addressing both GDPR and French labor law (Code du Travail) requirements including works council (CSE) consultation for monitoring programs.
Health data handling for HealthTech including HDS certification considerations for data hosting.
CNIL engagement strategy including notification procedures, complaint response, and audit response.
DSAR response in French where appropriate including under French law requirements.
French language considerations
DPOs serving French companies typically need to communicate in French with the CNIL, French employees, and French data subjects. While English is acceptable for some CNIL communications, French is generally expected for formal notifications and most data subject communications.
For non-French-speaking outsourced DPO arrangements, translation and French-language coordination must be addressed.
How Engage Compliance helps
For French companies, Engage Compliance provides outsourced DPO services with broader EU expertise plus coordination with French-specific requirements. For French-language CNIL interactions and French legal questions, we coordinate with French privacy practitioners and counsel.
Coverage:
- GDPR compliance with CNIL-specific enforcement awareness
- Cookie compliance designed against CNIL enforcement patterns
- EU AI Act compliance
- US state privacy laws where applicable
- EU Representative service for non-French companies serving French markets
Pricing: Advisory From €500 per month, DPO Essentials From €2,000 per month, DPO Premium From €5,000 per month.
For French companies prioritizing French-native DPO support, we can recommend local French specialists.
Get started
If you are a French company evaluating DPO needs, book a consultation.