GDPR Emergency 10 min read·

CNIL Formal Notice: What to Do in 30 Days?

You've just received a CNIL formal notice. The clock is ticking: 30 days to comply, or risk a public sanction. Here's exactly what to do, in what order, and the mistakes that turn a manageable procedure into a disaster.

What you're really risking

A CNIL formal notice is not a courtesy letter. It's the signal that your organization has been identified as non-compliant and that the CNIL has decided to act. In 2025, the CNIL issued 72 sanctions totaling €101 million — a 37% increase over 2024. The vast majority of financial sanctions started with a formal notice that was ignored or insufficiently addressed.

The mechanism is simple but brutal: you generally have 30 days (sometimes 15 or 60 depending on severity) to demonstrate compliance. If you don't, the case automatically goes to the CNIL's restricted formation, the chamber that issues sanctions. It can impose up to €20 million or 4% of global annual revenue — whichever is higher.

For an SME with €5 million in revenue, that's a theoretical maximum exposure of €200,000. In practice, CNIL sanctions for SMEs observed between 2022 and 2025 range from €20,000 to €150,000 — and come with a public naming on the CNIL website, visible to your customers, partners and investors.

The CNIL procedure: texts and mechanisms

The formal notice is governed by Article 20-I of the French Data Protection Act (LIL), amended to transpose the GDPR. Two types coexist:

  • Simple formal notice (Art. 20-I-b LIL)Most common. Sets a deadline (15 to 90 days) for compliance. Can remain confidential if the CNIL decides. Leads to sanction if not complied with.
  • Public formal noticeThe CNIL makes the formal notice public to send a sector signal. Used when the breach affects many organizations or a specific sector. Rarer but devastating for reputation.

The CNIL can issue a formal notice following: a complaint from an individual (most frequent source), an online check by its agents (automated monitoring), an on-site inspection, or cooperation with another European authority under the one-stop-shop mechanism.

The crucial difference from a sanction: the formal notice is a last chance to correct before the restricted formation is seized. It does not in itself carry a fine. It's the escalation that costs — provided you take it seriously.

Identify your breaches before responding to the CNIL

RGPDScan detects in 60 seconds illegal cookies, non-compliant banners and unframed non-EU transfers on your site.

Documented cases: what really happens

2022 — Cdiscount
€100,000 — Cookies without consent

Formal notice not complied with for depositing advertising and analytics cookies without prior consent. CNIL noted the continuation of breaches after the deadline. Deliberation SAN-2022-016 published with names. Initial case: user complaints about an insufficient cookie banner.

2023 — Anonymized e-commerce site
€30,000 — Lack of legal basis

Anonymized French SME sanctioned after formal notice for absence of compliant privacy policy and third-party cookies deposited without legal basis. The partial response provided within 30 days did not convince the CNIL. Lesson: an incomplete response is almost as damaging as no response.

2024 — Medical practice
Formal notice closed without sanction

Medical practice received a formal notice for storing patient records outside a certified HDS host. Within 30 days: migration to a certified HDS host, DPA updates, CNIL notification with evidence. Case closed. Example of exemplary response: fast, documented, complete.

Action plan: the 30 days hour by hour

Days 1–3: understand and mobilize

  • Read the formal notice carefully: identify precisely the alleged breaches (violated article, concerned processing)
  • Assemble a crisis team: management, DPO or external GDPR consultant, IT, possibly specialized lawyer
  • Launch an immediate technical audit on the cited points: cookies, privacy policy, processing register, DPAs
  • Archive the initial state (screenshots, logs) before any modification — evidence of your good faith

Days 4–20: correction and documentation

  • Correct each identified breach, in order of severity: cookies before consent as top priority
  • Document each correction: date, nature of modification, before/after screenshots, responsible person
  • Update the processing register, sign missing DPAs with processors
  • Check related points not cited in the notice: CNIL may raise them during the compliance check

Days 21–30: draft and send the response

  • Draft a structured response: for each cited breach, description of correction made + attached proof
  • Attach evidence: dated screenshots, technical logs, copies of signed DPAs, updated privacy policy
  • Send by registered mail with acknowledgment AND by email to the address indicated in the notice
  • Keep the acknowledgment of receipt — it proves you responded within the deadline

The 4 fatal mistakes to avoid at all costs

  • Ignoring the formal noticeautomatic escalation to sanction, recognized aggravating factor
  • Responding without evidence"we've corrected it" without documentation = response considered insufficient
  • Partial correctionaddressing only cited points without checking the global context gives CNIL grounds for a second procedure
  • Contesting without complyingyou can legally contest the notice, but in parallel, not instead of compliance

Going further

Frequently asked questions

Is a CNIL formal notice public?
Not automatically. The CNIL may choose to make a formal notice public to send a sector-wide signal, but it's not systematic. However, if a financial sanction follows the notice, it is published on the CNIL website. The formal notice itself often remains confidential for SMEs.
Can you negotiate the 30-day deadline with the CNIL?
Yes, in some cases. If compliance requires complex technical developments, you can send a reasoned letter to the CNIL requesting an extension. The CNIL sometimes grants it, but don't count on it: prioritize visible actions (cookie banner, privacy policy) within 30 days and document the plan for the rest.
What happens if you ignore a CNIL formal notice?
It's the most serious mistake. Without a response within the deadline, the case is automatically referred to the CNIL's restricted formation (sanction chamber). It can impose a financial penalty up to €20 million or 4% of global revenue, make the decision public and order an injunction to cease processing.
Do I need to appoint a DPO to respond to a formal notice?
Not mandatory unless your organization is already required to (large-scale processing of sensitive data, public body). However, appointing or mandating an external DPO or GDPR consultant is strongly recommended: they know which evidence to document and how to structure the written response.
What's the difference between a formal notice and a reprimand?
A reprimand (Art. 20-I-a LIL) is a corrective measure without a mandatory deadline, often issued for minor or technical breaches. A formal notice (Art. 20-I-b LIL) is more formal: it sets a deadline for compliance and can lead to sanctions.
How do I know if my site is compliant before responding to the CNIL?
Start with an automated audit (cookies deposited before consent, compliant banner, up-to-date privacy policy). RGPDScan detects technical breaches in 60 seconds. Supplement with a manual review: processing register, DPAs with processors, retention periods. Gather screenshots and documents as evidence for your CNIL response.

Don't let a formal notice become a sanction

Audit your site in 60 seconds. Identify breaches before the CNIL does. Respond with solid evidence.