# AI told a French company that a data breach only needs to be reported to CNIL when it involves credit card numbers or bank information

- **ID:** `legal/france-cnil-breach-notification-scope`
- **Domain:** legal
- **Category:** legal_risk
- **Error code:** `GDPR-Art33-CNIL-Scope`
- **Verification level:** ai_generated
- **Fix rate:** 82%

## Root cause

Article 33 of the GDPR requires that any data breach likely to result in a risk to the rights and freedoms of individuals (including personal data such as names, email addresses or IP addresses) be reported to the supervisory authority within 72 hours.

## Version compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| GDPR 2018 | active | — | — |
| CNIL Guidelines 2023 | active | — | — |

## Solutions

1. Implement an automated breach detection and notification system that triggers a CNIL notification workflow for any breach involving personal data, regardless of type.
2. Use the CNIL's online notification form (https://www.cnil.fr/fr/notifier-une-violation-de-donnees-personnelles) within 72 hours; include all required fields even if incomplete.
3. Train DPO and IT staff on the GDPR Article 33 definition of 'risk to rights and freedoms' using CNIL examples.

## Ineffective attempts

- Article 33 applies to any breach that poses a risk to rights and freedoms, not just sensitive data categories. (80% failure rate)
- Notification is mandatory within 72 hours of becoming aware; delays increase fines up to €20M or 4% of global turnover. (88% failure rate)
- Even encrypted data requires notification if the encryption key was also compromised or if the breach could still cause harm. (75% failure rate)
