Lesson 1: Rights of data subjects (access, rectification, erasure, restriction, portability, objection, automated decision-making) and operational processes to comply

This section details each GDPR right, how they apply to SaaS and AI, and how to design intake, verification, response, and logging processes so that legal, product, and engineering teams can reliably handle data subject requests at scale.

- Catalog of GDPR rights and legal scope
- Identity verification and fraud prevention steps
- Standard operating procedures for DSR handling
- Automation, ticketing, and response templates
- Logging, metrics, and continuous process review

Lesson 2: Penalties, enforcement trends, and recent landmark GDPR/CNIL decisions affecting analytics and AI implementations

This section reviews GDPR and CNIL enforcement powers, fine calculation criteria, and recent landmark decisions affecting analytics, cookies, tracking, and AI, drawing practical lessons for SaaS providers on risk appetite and compliance priorities.

- Administrative powers and sanction types
- Fine calculation criteria and aggravating factors
- Recent CNIL cases on cookies and tracking
- EU decisions on AI, profiling, and scoring
- Using case law to guide product risk choices

Lesson 3: Record-keeping and accountability: Records of Processing Activities (RoPA), internal policies, and evidence for supervisory authorities

This section explains accountability obligations, how to maintain Records of Processing Activities, and how to build internal policies, governance, and evidence that demonstrate compliance to supervisory authorities during audits or investigations.

- Core elements of a compliant RoPA entry
- Mapping data flows and systems for records
- Designing internal privacy policies and charters
- Evidence files, dashboards, and audit trails
- Governance roles: DPO, legal, and product

Lesson 4: French Data Protection Act (Loi Informatique et Libertés) and CNIL guidance relevant to analytics and AI

This section presents the French Data Protection Act and CNIL guidance relevant to analytics and AI, highlighting national specificities, sectoral rules, and practical expectations for cookies, audience measurement, and algorithmic systems.

- Structure of the French Data Protection Act
- CNIL powers, soft law, and recommendations
- CNIL guidance on cookies and audience metrics
- National rules on biometrics and sensitive data
- CNIL positions on AI, scoring, and profiling

Lesson 5: Data Protection by Design and by Default: technical and organisational measures for SaaS products

This section explains Data Protection by Design and by Default obligations and how to translate them into concrete technical and organisational measures for SaaS, including architecture, access control, defaults, and secure development practices.

- Embedding privacy in product lifecycle stages
- Data minimisation and privacy-friendly defaults
- Role-based access control and logging design
- Secure development and code review practices
- Vendor selection and integration risk controls

Lesson 6: Overview of GDPR structure and key principles (lawfulness, purpose limitation, minimisation, accuracy, storage limitation, integrity, confidentiality, accountability)

This section introduces GDPR's structure and key principles, including lawfulness, fairness, purpose limitation, minimisation, accuracy, storage limitation, integrity, confidentiality, and accountability, with examples tailored to SaaS and AI.

- Regulation structure, scope, and key actors
- Lawfulness, fairness, and transparency duties
- Purpose limitation and compatibility analysis
- Data minimisation and accuracy in practice
- Storage limits, security, and accountability

Lesson 7: Special categories of data, pseudonymisation, anonymisation standards and re-identification risk

This section clarifies special categories of data under GDPR, how pseudonymisation and anonymisation should be implemented in SaaS and AI, and how to assess, document, and mitigate re-identification risks in analytics and machine learning.

- Defining special categories and sensitive data
- Pseudonymisation techniques in SaaS databases
- Anonymisation standards and risk-based approaches
- Re-identification risk assessment and controls
- Contractual and policy safeguards for high-risk data

Lesson 8: Legal bases for processing personal data: consent, contract, legitimate interest, public interest — tests and documentation

This section analyses lawful bases for processing, including consent, contract, legitimate interest, and public interest, and explains how to choose, document, and defend the appropriate basis for SaaS and AI use cases and behavioural analytics.

- Overview of lawful bases and exclusivity rules
- When consent is required and validly obtained
- Contract necessity in B2B SaaS scenarios
- Legitimate interest tests and balancing
- Documenting legal basis choices and changes

Lesson 9: Data Protection Impact Assessments (DPIAs): when required, methodology, templates, and mitigating measures for large-scale behavioural analytics

This section details when DPIAs are mandatory, how to scope and conduct them for large-scale analytics and AI, which templates to use, and how to identify and implement effective mitigating measures and residual risk approvals.

- Triggers for DPIA and high-risk criteria
- Step-by-step DPIA methodology and roles
- Templates, tools, and documentation tips
- Identifying risks in profiling and tracking
- Mitigation plans and DPO or CNIL consultation

Lesson 10: Transparency and information duties toward data subjects: privacy notices, layered notices, and behavioural tracking disclosures

This section covers transparency duties, including privacy notices, layered notices, and behavioural tracking disclosures, and shows how to draft, structure, and deliver them in SaaS and AI interfaces while meeting GDPR and CNIL expectations.

- Mandatory information under GDPR Articles 12–14
- Designing layered and just-in-time notices
- Disclosing cookies, SDKs, and tracking tools
- Communicating AI use, logic, and key impacts
- Testing clarity and comprehension with users