CNIL Inspections: 6 mistakes that raise the risk of sanctions

Mistakes made during CNIL's investigations can influence the assessment of the case and significantly increase the risk of penalties. We break down the 6 most frequent mistakes and best practices to help you prepare more effectively.

CNIL inspections: 6 mistakes that raise the risk of penalties

A CNIL investigation does not necessarily lead to a penalty procedure. In 2025, the CNIL conducted 323 audits and issued 83 penalties: about one in four audits resulted in a penalty.

Above all, it is the substance of the case that determines the outcome of the audit. However, certain mistakes made by the organisation under inspection can unnecessarily increase the risk of a penalty.

Not all of these mistakes occur during the inspection itself. They can arise in communications with the inspection team, in documents submitted, in statements made at the time — but also in the weeks following the inspection, whilst the CNIL has not yet decided on next steps. Most of them are avoidable, provided one is aware of them.

Before examining the mistakes to avoid, it is worth recalling that a CNIL inspection generally unfolds in three stages: the inspection itself, the drafting of the official report, and an investigation phase during which the CNIL decides on next steps. It is at each of these stages that certain errors can influence how the situation is assessed.

1. Responding without all necessary information

When facing auditors, some employees feel compelled to provide an immediate answer even though they do not have a full grasp of the subject or all the necessary information. They then put forward assumptions that are subsequently recorded as facts.

For example, an employee might answer a question by describing their own way of doing things, without specifying that it is an individual practice. The auditors might then interpret this as reflecting the company's practices as a whole, even though internal procedures exist and are applied by other teams.

When verification is needed, it is preferable to say so rather than respond on the basis of incomplete information. At the end of the audit operations, the delegation usually draws up a list of additional items required, which must be submitted within the timeframe specified in the official report — typically eight or fifteen days.

The report is not intended to transcribe exchanges verbatim, nor to attribute each statement to a specific speaker. It outlines the inspection proceedings and the understanding the delegation gained from its discussions with the audited entity.

2. Volunteering information beyond the questions asked

Inspections are generally conducted by a small delegation, often comprising a legal expert and an IT systems auditor. This format encourages direct and informal discussions, where participants may sometimes go beyond the questions asked or spontaneously raise matters not addressed by the delegation.

For example, a manager might spontaneously explain that certain security measures have not yet been deployed due to insufficient budget or resources, whilst noting that a remediation project is planned. This explanation, intended to show awareness of the issue, may nonetheless be interpreted as an acknowledgement of an existing breach.

Statements collected during the inspection are not sufficient, on their own, to establish a breach. They do, however, guide the delegation's checks and help to interpret findings made in the organisation's systems, which are subsequently recorded in the report.

3. Providing unsolicited documents

Some companies spontaneously submit documents to the CNIL that have not been requested, such as internal audits, risk analyses, or legal opinions.

This approach often stems from a desire to demonstrate that certain areas of concern have been identified and are already the subject of an action plan.

It may, however, lead to the disclosure of issues that had not been identified during the inspection, or to the submission of documents covered by legal professional privilege.

Cooperating with the CNIL does not mean submitting more than what is requested.

4. Self-qualifying a situation as non-compliant

Statements such as "We have a data retention policy, but it is not being applied" are sometimes made during inspections.

The organisation's role is to set out the facts. It has no interest in characterising the situation in legal terms itself, or in spontaneously admitting the existence of a breach.

5. Treating the case as closed once the inspection has ended

The departure of the inspection team does not mark the end of the case.

Several weeks — or even months — generally elapse between the inspection and the CNIL's decision on next steps. During this period, the inspection and sanctions departments analyse the report and documents submitted, assess potential breaches and formulate a proposal for follow-up action, on which the Chair of the CNIL rules.

This phase, often overlooked by audited entities, should not be treated as a mere waiting period.

The organisation can still usefully supplement the file by providing context for the findings made during the inspection: further details on how a processing activity operates, documents correcting a misunderstanding, or evidence that the scope of a practice is more limited than was initially understood.

This is also the time to inform the CNIL of any corrective measures initiated or implemented following the inspection. Without calling into question the breaches identified, these steps may be taken into account when assessing the follow-up actions for the case.

6. Remedying a breach without notifying the CNIL

When a breach is identified, the priority is to remedy it as promptly as possible.

However, it is equally important to be able to demonstrate the measures implemented and to communicate them to the CNIL without delay. Failing to do so means they cannot be taken into account when assessing the outcome of the case.

Remediation does not erase past breaches, nor does it preclude a potential sanction. It is, however, a factor the CNIL may take into consideration when determining how to follow up on the inspection.

Be proactive, not reactive

Most of the errors described in this article can be avoided through thorough advance preparation.

A mock inspection places the organisation in conditions closely resembling a real inspection, enabling it to identify areas of concern, prepare staff who may be questioned, and test internal procedures for responding to CNIL requests.

Beyond compliance with data processing obligations, this exercise also helps to identify errors that might be made during the inspection itself and to address them before the CNIL steps in.

Are you anticipating a CNIL audit, or have you just been audited?

Odoné advises organisations before, during and after inspections to define the appropriate strategy, prepare teams, ensure communications with the CNIL are properly managed, and prevent avoidable errors from unnecessarily increasing the risk of sanctions.

Contact us to discuss your situation.

Frequently Asked Questions about CNIL inspections

🔷 Does a CNIL inspection automatically lead to a sanction?

No. An inspection is, first and foremost, a verification process designed to allow the CNIL to assess compliance with data processing obligations. At the conclusion of the inspection, the Chair of the CNIL may decide to close the case without further action, issue a reminder of legal obligations, serve a formal notice, or — in the most serious cases — initiate sanction proceedings. The outcome depends primarily on the nature and seriousness of any breaches identified, but also on the explanations provided by the organisation and, where applicable, the corrective measures it has implemented.

🔷 What happens after a CNIL inspection?

The departure of the inspection team does not mark the end of the case. The inspection and sanctions departments analyse the report, the documents submitted and any supplementary information provided by the organisation. They assess which breaches are likely to be upheld and propose next steps. This phase can last several weeks or several months. The organisation may still submit further information to clarify certain findings or to inform the CNIL of corrective measures it has put in place.

🔷 Can documents be submitted after the inspection?

Yes. In addition to the documents expressly requested by the inspection team, the audited organisation may submit supplementary information intended to clarify how a processing activity operates, correct a misunderstanding, or demonstrate the implementation of corrective measures. Such submissions should be targeted, relevant and well-documented. The aim is not to submit documents indiscriminately, but to add to the file where it is genuinely useful to do so.

🔷 Should a breach be acknowledged during a CNIL inspection?

The audited organisation should respond accurately and transparently to the questions asked. However, it is generally not advisable to characterise a situation in legal terms oneself or to spontaneously admit to the existence of a breach. Its role is to present the facts and provide the necessary explanations. The legal assessment then falls to the CNIL.

🔷 How to prepare for a CNIL inspection?

Preparation is not just a matter of checking compliance with data processing obligations. It also involves identifying documents that might be requested, preparing employees who could be interviewed, and defining how to respond to the delegation's inquiries. A mock inspection replicates the main stages of a real inspection and helps to identify any difficulties before the CNIL visits.

🔷 Should you be assisted by a lawyer during a CNIL inspection?

Legal assistance is not mandatory, but it can prove valuable before, during and after an inspection. In the run-up to an inspection, a lawyer can help prepare teams and documents. During the inspection, they can monitor proceedings and assist the organisation in its dealings with the delegation. Following the inspection, they can help define the appropriate strategy, prepare supplementary responses and ensure that corrective measures are properly communicated and taken into account.

When compliance becomes strategic, the regulator's perspective becomes essential

With over 20 years of experience, Odoné supports leading organisations with rigorous, pragmatic and accessible guidance.
