{ "id": "legal/france-cnil-breach-notification-scope", "signature": "AI tells a French company that a data breach notification to the CNIL is only required if the breach involves credit card numbers or bank details", "signature_zh": "AI告知法国公司，只有在数据泄露涉及信用卡号或银行信息时才需向CNIL报告", "regex": "(?i)(CNIL|breach).*(notification|report).*(credit.card|bank|only.*financial|not.*required)", "domain": "legal", "category": "legal_risk", "subcategory": null, "root_cause": "GDPR Article 33 requires notification to the supervisory authority within 72 hours for any breach likely to result in a risk to rights and freedoms, including personal data like names, emails, or IP addresses.", "root_cause_type": "generic", "root_cause_zh": "GDPR第33条要求，任何可能对个人权利和自由造成风险的数据泄露（包括姓名、邮箱或IP地址等个人数据）都必须在72小时内向监管机构报告。", "versions": [ { "version": "GDPR 2018", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "CNIL Guidelines 2023", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" } ], "os_specific": {}, "dead_ends": [ { "action": "", "why_fails": "Article 33 applies to any breach that poses a risk to rights and freedoms, not just sensitive data categories.", "fail_rate": 0.8, "condition": "", "sources": [] }, { "action": "", "why_fails": "Notification is mandatory within 72 hours of becoming aware; delays increase fines up to €20M or 4% of global turnover.", "fail_rate": 0.88, "condition": "", "sources": [] }, { "action": "", "why_fails": "Even encrypted data requires notification if the encryption key was also compromised or if the breach could still cause harm.", "fail_rate": 0.75, "condition": "", "sources": [] } ], "workarounds": [ { "action": "Implement an automated breach detection and notification system that triggers a CNIL notification workflow for any breach involving personal data, regardless of type.", "success_rate": 0.9, "how": "Implement an automated breach detection and notification system that triggers a CNIL notification workflow for any breach involving personal data, regardless of type.", "condition": "", "sources": [] }, { "action": "Use the CNIL's online notification form (https://www.cnil.fr/fr/notifier-une-violation-de-donnees-personnelles) within 72 hours; include all required fields even if incomplete.", "success_rate": 0.85, "how": "Use the CNIL's online notification form (https://www.cnil.fr/fr/notifier-une-violation-de-donnees-personnelles) within 72 hours; include all required fields even if incomplete.", "condition": "", "sources": [] }, { "action": "Train DPO and IT staff on the GDPR Article 33 definition of 'risk to rights and freedoms' using CNIL examples.", "success_rate": 0.82, "how": "Train DPO and IT staff on the GDPR Article 33 definition of 'risk to rights and freedoms' using CNIL examples.", "condition": "", "sources": [] } ], "workarounds_zh": [ "Implement an automated breach detection and notification system that triggers a CNIL notification workflow for any breach involving personal data, regardless of type.", "Use the CNIL's online notification form (https://www.cnil.fr/fr/notifier-une-violation-de-donnees-personnelles) within 72 hours; include all required fields even if incomplete.", "Train DPO and IT staff on the GDPR Article 33 definition of 'risk to rights and freedoms' using CNIL examples." ], "transition_graph": { "leads_to": [], "preceded_by": [], "frequently_confused_with": [] }, "official_doc_url": "https://www.cnil.fr/fr/notifier-une-violation-de-donnees-personnelles", "official_doc_section": null, "error_code": "GDPR-Art33-CNIL-Scope", "verification_tier": "ai_generated", "confidence": 0.86, "fix_success_rate": 0.82, "resolvable": "true", "first_seen": "2023-09-05", "last_confirmed": "2024-06-01", "last_updated": "2024-06-01", "evidence_count": 1, "tags": [], "locale": "en", "aliases": [] }