§ GDPR & compliance

Compliant. Without overhead. Without bullshit.

Processing mapping, DPIA, GDPR registry, user rights (access, export, deletion), cookie management, outsourced DPO. Ready for CNIL audit — and for AI Act and NIS 2.

  • Processing mapping & registry
  • DPIA · privacy by design
  • User rights (export, deletion)
  • GDPR · AI Act · NIS 2 · SOC 2

The context

GDPR: 8 years later, still 90% of sites non-compliant.

In 2026 the GDPR is eight years old and the CNIL has run out of patience. Record sanctions in 2025: €50M Meta on tracking, €32M Amazon on cookies, €12M Criteo. For French startups the sanctions are smaller but more frequent, and above all private class actions are on the rise, which changes the cost/risk ratio.

And the regulatory perimeter keeps expanding: the AI Act (obligations phased in over 2025-2027) covers high-risk AI systems, NIS 2 (transposition deadline October 2024) imposes cyber-resilience duties on essential and important entities, the DSA regulates platforms. All these texts share one logic: no compliance, no European market.

Our approach: pragmatic compliance. We don't write 200 pages of policies nobody reads. We map the real processing activities, assess concrete risks, set up the minimum viable governance, and tool things up so that user rights actually work (one-click export, real deletion). And we prepare the file to withstand a CNIL audit.

  • 1 wk · Audit target: complete processing mapping of a startup in one week
  • 100% · Effective rights: GDPR export and account deletion functional and tested
  • 30 d · Request response: legal deadline met thanks to a tooled workflow (not a manual one)
  • 0 · Non-consented third-party cookies: clean CMP, compliant with CNIL 2025 guidelines

What we set up

Six data compliance axes.

From initial mapping to outsourced DPO, we cover the full operational compliance chain.

§ Registry

Mapping & registry

Article 30 GDPR — mandatory.

Identification of every personal-data processing activity (customers, employees, prospects). For each: purpose, legal basis, data categories, retention period, recipients and processors, non-EU transfers and their safeguards. Formalised, exportable registry. Note that the under-250-employee exemption of Article 30(5) does not cover processing that is not occasional, so a startup's customer and HR processing still belongs in the registry.

§ DPIA

DPIA & risk analysis

For high-risk processing.

A Data Protection Impact Assessment (Article 35) is mandatory for high-risk processing (profiling, special-category data, large-scale monitoring) and must be completed before the processing starts. Risk identification, assessment, mitigation measures; if a high residual risk remains, prior consultation of the CNIL (Article 36). Presentable to the CNIL on request and in case of incident.

§ Rights

Effective user rights

Access, export, deletion in 1 click.

Technical implementation of the Articles 15-22 rights: access, portability (JSON/CSV export), rectification, erasure (real deletion across every store and processor, not just an is_deleted flag, with only legally retained records kept and listed in the confirmation sent to the user). Identity verification before any disclosure, since an access request answered blindly is a data-exfiltration channel. Tooled request-management workflow with deadline tracking.
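The shape of such a workflow, as an added example rather than code from this page or from any of the vendors it lists: access/export (Articles 15 and 20) and erasure (Article 17) handled against several stores, with identity verification gating every action and the response deadline tracked per request. The stores, user records and invoice retention rule below are hypothetical stand-ins for real databases and SaaS processors.

```python
"""Added example, not the page's or any vendor's code: a minimal handler for
access/export (Art. 15, 20) and erasure (Art. 17) requests with deadline tracking.

Assumptions (hypothetical): user data is spread over several in-memory stores
standing in for real databases and SaaS processors, and invoices fall under a
legal retention obligation (Art. 17(3)(b)), so they are kept rather than deleted.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed sample data, keyed by user id.
ACCOUNTS = {42: {"email": "alice@example.com", "name": "Alice"}}
ORDERS = {42: [{"id": "o-1001", "total": 59.0, "invoice": "INV-2024-77"}]}
TICKETS = {42: [{"id": "t-7", "body": "Cannot log in"}]}
EVENTS = [{"user_id": 42, "type": "login"}, {"user_id": 7, "type": "login"}]
INVOICES = {"INV-2024-77": {"customer": "Alice", "total": 59.0}}

# Art. 12(3) says "one month"; 30 days is the conservative figure this page uses.
RESPONSE_PERIOD = timedelta(days=30)


@dataclass
class RightsRequest:
    user_id: int
    kind: str                     # "access", "export" or "erase"
    received: str                 # ISO date on which the request reached us
    identity_verified: bool = False
    status: str = "open"
    log: list = field(default_factory=list)

    def deadline(self) -> str:
        return (date.fromisoformat(self.received) + RESPONSE_PERIOD).isoformat()


def export_user(user_id: int) -> dict:
    """Art. 15/20: everything linked to the user, as a JSON-serialisable dict."""
    return {
        "account": ACCOUNTS.get(user_id),
        "orders": ORDERS.get(user_id, []),
        "support_tickets": TICKETS.get(user_id, []),
        "analytics_events": [e for e in EVENTS if e["user_id"] == user_id],
    }


def erase_user(user_id: int) -> dict:
    """Art. 17: delete from every store; records under a legal retention
    obligation are kept and reported so the confirmation can list them."""
    account = ACCOUNTS.pop(user_id, None)
    orders = ORDERS.pop(user_id, [])
    tickets = TICKETS.pop(user_id, [])
    before = len(EVENTS)
    EVENTS[:] = [e for e in EVENTS if e["user_id"] != user_id]
    retained = [o["invoice"] for o in orders if o["invoice"] in INVOICES]
    return {
        "account_deleted": account is not None,
        "orders_deleted": len(orders),
        "tickets_deleted": len(tickets),
        "events_deleted": before - len(EVENTS),
        "invoices_retained": retained,      # legal basis: accounting retention
    }


def handle(req: RightsRequest, today: str) -> dict:
    """Fulfil a request. Nothing is disclosed or erased until identity is
    verified: an access request answered blindly hands someone else's data to
    the requester. The clock does not stop while we wait for proof."""
    if not req.identity_verified:
        req.log.append(f"{today}: proof of identity requested")
        return {"status": "pending_identity", "deadline": req.deadline()}
    if req.kind in ("access", "export"):
        payload = export_user(req.user_id)
    elif req.kind == "erase":
        payload = erase_user(req.user_id)
    else:
        raise ValueError(f"unknown right: {req.kind}")
    req.status = "done"
    req.log.append(f"{today}: fulfilled")
    return {"status": "done", "late": today > req.deadline(), "payload": payload}


def due_soon(requests: list, today: str, days: int = 7) -> list:
    """Open requests whose deadline falls within `days`; feeds the ops dashboard."""
    limit = (date.fromisoformat(today) + timedelta(days=days)).isoformat()
    return [r for r in requests if r.status == "open" and r.deadline() <= limit]
```

The erasure path pops the user from every store and only then reads which invoices it touched, so the legally retained records are reported instead of silently surviving; in a real system the same pass also has to reach processors (CRM, support, analytics SaaS) through their deletion APIs and follow the documented backup-expiry schedule.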

§ Cookies

Cookies & consent

CMP compliant with CNIL 2025 guidelines.

Setting up a Consent Management Platform (Cookiebot, Didomi, Axeptio, or in-house). Compliant banner: a reject button as visible as the accept button, per-purpose granularity, no tag fired before the choice is made, consent records kept as proof, and automatic rescanning so that a newly added third-party tag cannot bypass the banner.
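The check behind "no tag fires before the choice", as an added example that is not code from this page or from any CMP vendor: it audits a pre-consent capture (cookies present, hosts contacted) taken in a fresh browser profile without touching the banner. The capture and the allowlist of strictly necessary cookie names below are constructed for a hypothetical example.com site.

```python
"""Added example, not the page's or any CMP vendor's code: audit of a
pre-consent capture for anything a CMP should have held back.

Assumptions: the capture was taken in a fresh browser profile on the site's
first-party domain, without touching the banner; the sample below is
constructed, and the strictly-necessary allowlist uses hypothetical names.
"""

FIRST_PARTY = "example.com"

# Cookies allowed before consent: needed to deliver the requested service or to
# store the consent choice itself. Hypothetical names for this example site.
STRICTLY_NECESSARY = {"session_id", "csrf_token", "cmp_consent"}

# Constructed pre-consent capture: cookies present and hosts contacted.
CAPTURE = {
    "cookies": [
        {"name": "session_id", "domain": "example.com"},
        {"name": "cmp_consent", "domain": "example.com"},
        {"name": "_ga", "domain": ".example.com"},       # first-party cookie written by an analytics tag
        {"name": "IDE", "domain": ".doubleclick.net"},    # third-party advertising cookie
    ],
    "requests": [
        "example.com",
        "cdn.example.com",
        "www.googletagmanager.com",
        "connect.facebook.net",
    ],
}


def is_first_party(host: str) -> bool:
    host = host.lstrip(".").lower()
    return host == FIRST_PARTY or host.endswith("." + FIRST_PARTY)


def audit(capture: dict) -> dict:
    """Return the findings a pre-consent check raises on this capture.

    A third-party cookie is a failure outright. A first-party cookie outside the
    allowlist is also a failure: tag managers and analytics scripts write their
    identifiers under the site's own domain, so the domain alone proves nothing.
    Any request to a third-party host before consent is flagged too, because
    the tag has already run and the visitor's IP address has already been sent.
    """
    findings = []
    for c in capture["cookies"]:
        if not is_first_party(c["domain"]):
            findings.append(("third_party_cookie", c["name"], c["domain"]))
        elif c["name"] not in STRICTLY_NECESSARY:
            findings.append(("unlisted_first_party_cookie", c["name"], c["domain"]))
    for host in capture["requests"]:
        if not is_first_party(host):
            findings.append(("third_party_request", host, ""))
    return {"compliant": not findings, "findings": findings}


if __name__ == "__main__":
    for kind, name, detail in audit(CAPTURE)["findings"]:
        print(f"{kind:28} {name} {detail}".rstrip())
```

In practice the capture comes from a headless browser in a fresh context (with Playwright, the cookies from `context.cookies()` and the hosts from a `page.on("request", ...)` listener), run on every deploy so a tag added later cannot silently slip in front of the banner.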

§ Design

Privacy by design & default

Article 25 GDPR integrated in product.

Design review: minimisation of collected data, anonymisation or pseudonymisation, encryption at rest and in transit, no non-EU transfer by default. Recommended product changes. Integration of the principles into the roadmap.
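Pseudonymisation is the point where design reviews most often go wrong, so here is an added example (not code from this page) of the primitives an analytics pipeline should use: a keyed, scope-bound pseudonym, IP truncation, and a demonstration of why an unkeyed hash of an e-mail address is not pseudonymisation at all. The key, the sample events and the truncation prefix lengths are placeholders; the CNIL's audience-measurement guidance fixes the truncation it actually expects.

```python
"""Added example, not the page's code: pseudonymisation primitives for an
analytics pipeline, and why a bare hash of an e-mail is not one of them.

Assumptions: the HMAC key lives outside the analytics store (a KMS or secrets
manager); the key and the events below are constructed placeholders.
"""
import hashlib
import hmac
import ipaddress

KEY = b"replace-with-a-32-byte-secret-from-your-kms"   # placeholder


def pseudonymise(identifier: str, key: bytes, scope: str) -> str:
    """Keyed, scope-bound pseudonym (HMAC-SHA256). Without the key the value
    cannot be recomputed from a guess, and a different scope yields an unrelated
    pseudonym, so two datasets cannot be joined on it. Rotating the key breaks
    the link to past data, which is how you cap the re-identification window."""
    msg = f"{scope}:{identifier.strip().lower()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def naive_hash(identifier: str) -> str:
    """What teams do instead: unkeyed SHA-256. Deterministic and public, so
    anyone with a list of candidate e-mails recovers the originals."""
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


def dictionary_attack(target: str, candidates: list):
    """Re-identify a naive hash from a candidate list; returns None on failure."""
    for c in candidates:
        if naive_hash(c) == target:
            return c
    return None


def truncate_ip(ip: str, v4_bits: int = 24, v6_bits: int = 48) -> str:
    """Drop the host part so the address designates a network, not a device.
    Prefix lengths are parameters (assumed defaults); check the CNIL's audience
    measurement guidance for the truncation it expects before relying on them."""
    addr = ipaddress.ip_address(ip)
    bits = v4_bits if addr.version == 4 else v6_bits
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False).network_address)


def anonymise_event(event: dict, key: bytes) -> dict:
    """Analytics record: keyed pseudonym instead of the account id or e-mail,
    truncated IP, timestamp coarsened to the hour, direct identifiers dropped."""
    return {
        "visitor": pseudonymise(str(event["user_id"]), key, "analytics"),
        "ip": truncate_ip(event["ip"]),
        "hour": event["ts"][:13],     # "YYYY-MM-DDTHH"
        "page": event["page"],
    }


# Constructed sample events as they arrive from the application.
EVENTS = [
    {"user_id": 42, "email": "alice@example.com", "ip": "203.0.113.77",
     "ts": "2026-01-05T14:32:10", "page": "/pricing"},
    {"user_id": 42, "email": "alice@example.com", "ip": "2001:db8:abcd:1234::1",
     "ts": "2026-01-05T14:40:02", "page": "/signup"},
]
```

Keyed pseudonyms stay personal data for whoever holds the key, so the key must be out of reach of the analytics consumers and be part of the erasure procedure: deleting the mapping key for a scope is what turns the remaining records into data that no longer relates to an identifiable person.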

§ DPO

Outsourced DPO

For startups without internal DPO.

Outsourced DPO mission: regular advice, regulatory watch, team training, CNIL contact point, audit support, incident management. Quarterly report. Adapted to startups and scale-ups without internal legal resources.

Our approach

Four steps, from audit to monitoring.

We start by getting clarity on actual processing (often vague), then set up the minimum viable governance.

01 § Audit & mapping (1 wk)

Workshop with product, dev and marketing to identify all processing activities. Tool inventory (CRM, analytics, support, recruitment). Flow mapping: who collects what, where it is stored, who accesses it. Gap identification against GDPR.

Deliverables: registry + flow mapping + gap list

02 § Priority remediation (1-2 wks)

Correction of critical gaps first: missing legal bases, undefined retention periods, unframed non-EU transfers, broken user rights. Prioritisation by regulatory risk (CNIL sanction) and operational risk (incident).

Deliverables: critical fixes + updated policies

03 § Tooling & automation (2-3 wks)

Cookie CMP setup. Rights-request workflow (form + traceability). Data-breach incident process, including the 72-hour notification to the CNIL (Article 33). Analytics data anonymisation. Privacy policy rewritten (readable, not copy-pasted legalese).

Deliverables: CMP + rights workflow + incident process + policies

04 § Governance & DPO (ongoing)

Outsourced DPO mission where relevant. Regulatory watch (AI Act, NIS 2, case law). Annual team training. Quarterly governance review. Annual pre-audit to stay ready for a CNIL inspection.

Deliverables: quarterly governance + watch + annual training

Tools used

The tools we actually use.

No silver bullet platform — combination of specialised tools per need.

Cookie CMP

Cookiebot · Didomi · Axeptio · Tarteaucitron

Cookiebot for small structures (free up to 100 pages). Didomi premium multi-brand. Axeptio FR very clean. Tarteaucitron free self-hosted.

Registry & mapping

Dastra · Witik · Notion (template) · Aircall Doc

Dastra for startups (French, aligned with CNIL templates). Witik for B2B. Notion templates are fine at low volume; above about 10 processing activities we prefer a dedicated tool.

Privacy & DPIA

OneTrust · TrustArc · Dastra DPIA · CNIL PIA tool

The free CNIL PIA tool (great to start). OneTrust if you already run its compliance suite. TrustArc in large enterprises. Dastra includes a DPIA module.

User rights

Custom backend · Transcend · DataGrail · Osano

Custom backend if the model is simple (one API endpoint per right). Transcend for real platforms. DataGrail for complex SaaS. Osano handles the user-facing tickets.

PII detection & data discovery

BigID · Privacera · Spirion · Open-source (Presidio)

Presidio (Microsoft, open source) to start. BigID or Privacera for data lakes. Spirion in large companies. We use BigID when the client has an unmapped data lake.

Watch & resources

CNIL · EDPB · Linc CNIL · DPnetwork · NOYB

CNIL.fr (guidelines, sanctions). EDPB for European guidelines. NOYB to track litigation. LINC (CNIL) for technical watch.

Measurable guarantees

Four contractual commitments.

100%

Processing mapped

All processing identified and documented in Article 30 registry. Not a single one forgotten.

< 30 d

GDPR right response

Tooled workflow to meet the legal deadline for any request: one month under Article 12(3), extendable by two further months for complex requests provided the person is informed within the first month.

0

Cookie without consent

CMP tested and verified: no third-party or marketing cookie before explicit user action.

AI Act ready

2027 compliance

AI systems mapped, risk classification done, documentation ready for AI Act 2027.

Pricing

Every project is unique. So is the quote.

We don't offer abstract packages; we tailor to your situation: scope, complexity, deadline, constraints. Tell us in three sentences what you want to do and we will send you a formal quote within 48 working hours.

Request a quote · reply within 48 working hours