# AI tells a French company that a data breach notification to the CNIL is only required if the breach involves credit card numbers or bank details

- **ID:** `legal/france-cnil-breach-notification-scope`
- **Domain:** legal
- **Category:** legal_risk
- **Error Code:** `GDPR-Art33-CNIL-Scope`
- **Verification:** ai_generated
- **Fix Rate:** 82%

## Root Cause

GDPR Article 33 requires notification to the supervisory authority (the CNIL for a French controller) within 72 hours of becoming aware of any personal data breach likely to result in a risk to the rights and freedoms of natural persons. The obligation is tied to the risk the breach creates, not to the category of data: ordinary personal data such as names, email addresses, or IP addresses is in scope, not only payment card numbers or bank details.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| GDPR 2018 | active | — | — |
| CNIL Guidelines 2023 | active | — | — |

## Workarounds

1. **Implement an automated breach detection and notification system that triggers a CNIL notification workflow for any breach involving personal data, regardless of type.** (90% success)
2. **Use the CNIL's online notification form (https://www.cnil.fr/fr/notifier-une-violation-de-donnees-personnelles) within 72 hours; complete every required field and submit even if some details are still incomplete.** (85% success)
3. **Train DPO and IT staff on the GDPR Article 33 definition of 'risk to rights and freedoms' using CNIL examples.** (82% success)

## Dead Ends

- Article 33 applies to any breach that poses a risk to rights and freedoms, not just sensitive data categories. (80% fail)
- Notification is mandatory within 72 hours of becoming aware; delays increase fines up to €20M or 4% of global turnover. (88% fail)
- Even encrypted data requires notification if the encryption key was also compromised or if the breach could still cause harm. (75% fail)
