France

Non-compliance with personal data security measures may be subject to an administrative fine by the CNIL of up to €3 million in accordance with Data Protection Act of 1978. Additionally, and pursuant to article 226-17 of the Criminal Code, contraveners may face up to five years of imprisonment and be fined up to €300,000 (multiplied by five for organisations). As a reminder, and upon the entry into force of the EU General Data Protection Regulation, data controllers and processors may face an administrative fine of up to 2 per cent of the total worldwide annual turnover of the preceding financial year or €10 million, whichever is higher, in case of failure to report and adopt appropriate security measures. Additionally, and pursuant to article 226-17 of the Criminal Code, contraveners may face up to five years of imprisonment and be fined up to €300,000. This amount is multiplied by five for organisations, pursuant to article 131-38 of the Criminal Code.