# AI told a French company that a data breach only has to be notified to the CNIL when credit card numbers are involved

- **ID:** `legal/french-loi-informatique-et-libertes-data-breach-notification`
- **Domain:** legal
- **Category:** data_error
- **Error code:** `CNIL-BREACH-NOTIFICATION-SCOPE`
- **Verification level:** ai_generated
- **Fix rate:** 80%

## Root cause

Under Article 69 of the French Loi Informatique et Libertés (Law No. 78-17, as amended by Ordinance No. 2018-1125) and GDPR Article 33, any personal data breach that poses a risk to the rights and freedoms of individuals must be notified to the CNIL. This covers names, email addresses, postal addresses or IP addresses, not only financial data.

## Version compatibility

| Version | Status | Introduced | Deprecated |
|------|------|------|------|
| French Law 78-17 (Loi Informatique et Libertés) | active | — | — |
| Ordinance 2018-1125 | active | — | — |
| GDPR Article 33-34 | active | — | — |
| CNIL Délibération n° 2021-120 | active | — | — |

## Solution

1. Implement an automated breach detection and notification system that classifies breaches by risk level using the CNIL's methodology (Référentiel de notification). Use a script to calculate risk, for example:

   ```python
   def assess_risk(breach_type, data_categories):
       if 'financial' in data_categories:
           return 'high'
       elif 'personal' in data_categories:
           return 'medium'
       else:
           return 'low'
   ```
2. Establish a 24/7 incident response team that can triage breaches within 24 hours and file the CNIL notification via the dedicated tele-service (téléservice CNIL) within 72 hours, using a pre-approved template from the CNIL guide.

## Failed attempts

- Assuming only credit card data triggers notification ignores that a breach of email addresses (e.g., via phishing) can lead to identity theft and thus qualifies as a risk to rights and freedoms (65% failure rate)
- Waiting for confirmation of actual harm before notifying violates the 72-hour deadline under GDPR Article 33(1); notification is based on risk assessment, not confirmed damage (70% failure rate)
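The following is an added example illustrating both the triage script from the solution and the two failed attempts above; it is not code from the original entry or from the CNIL. The category lists are a constructed assumption for illustration and are not the CNIL's Référentiel de notification: financial data is treated as high risk, and any category that identifies a natural person (name, email, postal address, IP address) is notifiable. The 72-hour clock is computed from the moment of awareness, so the decision never depends on confirmed harm. Function names (`assess_risk`, `requires_cnil_notification`, `triage`) are hypothetical.

```python
from datetime import datetime, timedelta

# Constructed category lists (an assumption for illustration, not the
# CNIL's Référentiel): financial data is high risk, and anything that
# identifies a natural person is notifiable on its own.
HIGH_RISK_CATEGORIES = {"financial", "credit_card"}
IDENTIFYING_CATEGORIES = {"name", "email", "postal_address", "ip_address"}

# GDPR Article 33(1): notify the supervisory authority within 72 hours
# of becoming aware of the breach.
NOTIFICATION_WINDOW = timedelta(hours=72)


def assess_risk(data_categories):
    """Classify a breach by the categories of personal data affected."""
    cats = {c.strip().lower() for c in data_categories}
    if cats & HIGH_RISK_CATEGORIES:
        return "high"
    if cats & IDENTIFYING_CATEGORIES:
        return "medium"      # leaked email addresses alone still qualify
    return "none"            # nothing relating to an identifiable person


def requires_cnil_notification(risk):
    """Notification is driven by assessed risk, not by confirmed harm."""
    return risk in ("medium", "high")


def triage(data_categories, aware_at_iso, now_iso):
    """Return the risk level, the notification decision and deadline state.

    Timestamps are ISO 8601 strings with a UTC offset. The 72-hour clock
    starts when the controller became aware of the breach, not when
    damage was confirmed.
    """
    aware_at = datetime.fromisoformat(aware_at_iso)
    now = datetime.fromisoformat(now_iso)
    deadline = aware_at + NOTIFICATION_WINDOW
    risk = assess_risk(data_categories)
    return {
        "risk": risk,
        "notify_cnil": requires_cnil_notification(risk),
        "deadline": deadline.isoformat(),
        "hours_remaining": round((deadline - now).total_seconds() / 3600, 2),
        "overdue": now > deadline,
    }


if __name__ == "__main__":
    # Constructed incident: a phishing compromise exposing email addresses
    # and names, triaged 24 hours after the company became aware of it.
    print(triage(["email", "name"],
                 "2024-03-01T09:00:00+00:00",
                 "2024-03-02T09:00:00+00:00"))
```

The email-only case returns a medium risk with `notify_cnil` set, which is exactly the case the first failed attempt misses; the `overdue` flag is computed purely from the awareness timestamp, so a team that waits for proof of harm sees the deadline pass regardless.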
