In the digital economy, personal data is at the heart of value creation and risk. The EU General Data Protection Regulation (GDPR) sets the most demanding global standard on data collection and processing, with fines up to 4 % of worldwide annual turnover. Dreyfus & Associés runs end-to-end GDPR compliance programs for international companies operating in or from France.
Reviewed by Nathalie Dreyfus, European trademark and patent attorney. Last updated: May 2026.
Three reasons GDPR compliance must be a board-level topic.
Massive fines. Since 2018, the EU has issued several billion-euro GDPR fines, with the CNIL alone among the most active supervisory authorities globally. Failure to comply destroys shareholder value and trademark trust.
Extraterritorial reach. The GDPR applies to non-EU companies that offer goods or services to EU residents or monitor their behaviour. A US SaaS or a Chinese e-commerce platform targeting EU customers must comply, with a designated EU representative under Article 27.
Cascading regulations. The GDPR no longer stands alone. It interacts with the AI Act (training data, biometrics), the Data Act (B2B data access), the Digital Services Act (content moderation logs), and the NIS2 Directive (cybersecurity).
Article 83 of the GDPR allows administrative fines up to 4 % of worldwide annual turnover or 20 million euros, whichever is higher, for the most serious violations.
Source: GDPR Article 83.
Non-EU companies processing personal data of EU residents must appoint an EU representative. Failure to do so exposes them to enforcement actions and complaints.
Source: GDPR Article 27, EDPB Guidelines 03/2018.
GDPR requires data controllers to notify the supervisory authority of personal data breaches within 72 hours of becoming aware, with limited exceptions.
Source: GDPR Article 33.
A DPO must be appointed when processing requires large-scale systematic monitoring, large-scale processing of special categories of data, or for public authorities.
Source: GDPR Article 37.
We map your processing activities, identify gaps against GDPR, ePrivacy and sector-specific rules, and benchmark your maturity level.
We deliver a detailed remediation plan with quick wins, medium-term improvements and structural projects, prioritised by risk and effort.
Privacy policy, cookies policy, employee data charter, retention schedule, record of processing activities, data processing agreements, SCCs, BCRs.
Privacy by design and by default, security policy, access controls, encryption, pseudonymisation, breach response plan.
Awareness training for employees, focused training for legal, marketing and engineering teams, ongoing DPO support or outsourced DPO services.
International data transfers. Standard contractual clauses, transfer impact assessments, EU-US Data Privacy Framework certification, binding corporate rules, Article 48 GDPR analysis for foreign law disclosure requests.
AI and biometric data. AI Act and GDPR articulation, biometric categorisation rules, facial recognition compliance, emotion recognition prohibition in workplace and education.
Employee data. Article 88 GDPR, French Labour Code interplay, workplace monitoring limits, BYOD policies, internal investigations data handling.
Marketing and cookies. ePrivacy compliance, cookie banners, consent management platforms, profiling rules, direct marketing opt-in/opt-out.
Children’s data. Specific rules for processing children’s data, parental consent thresholds in France (15 years), digital service providers’ duties.
Gap analysis, maturity assessment, prioritised action plan.
Privacy policies, cookies, employee data, retention, records, DPAs, SCCs, BCRs.
Externalised Data Protection Officer with full reporting and CNIL liaison.
24/7 incident response, regulator notification, communication to data subjects, remediation.
SCC, TIA, BCR, EU-US DPF, ongoing transfer compliance.
Defence before the CNIL and other EU supervisory authorities.
Yes, the GDPR may apply to a non-EU company if it processes personal data in connection with: (i) an establishment in the EU, (ii) offering goods or services to individuals located in the EU, or (iii) monitoring their behaviour where that behaviour takes place in the EU. This is the GDPR’s extraterritorial scope under Article 3. If the company is not established in the EU but falls within Article 3(2), it must generally appoint an EU representative under Article 27, unless an exception applies.
When your core activities involve large-scale systematic monitoring of data subjects (typical of trademark watch, ad tech, employee monitoring), large-scale processing of special categories of data (health, biometrics), or when you are a public authority. A DPO is recommended in many other cases.
A personal data breach is any breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data. You must notify the supervisory authority within 72 hours of becoming aware, unless the breach is unlikely to result in a risk to data subjects.
Yes, through three main mechanisms: the EU-US Data Privacy Framework (if your US partner is certified), standard contractual clauses combined with a transfer impact assessment, or binding corporate rules for intra-group transfers.
The AI Act adds obligations specific to AI systems (risk classification, transparency, conformity assessment) on top of the GDPR. When personal data is involved in training, deployment or use of an AI system, both regulations apply jointly.
The CNIL (Commission nationale de l’informatique et des libertés) is the French data protection supervisory authority. It enforces the GDPR and the French Data Protection Act, issues guidelines, conducts inspections and imposes administrative fines. We routinely interact with the CNIL on behalf of our clients.