CNIL approves a GDPR code of conduct for retail

On 28 April 2026, the CNIL approved a GDPR code of conduct for apparel/footwear retailers in France. A strong signal for cross-border retailers and groups established in France, with auditable requirements and third-party oversight. cnil.fr

Lead (who, what, where, when)

France’s data protection authority (CNIL) approved, on 28 April 2026, the first national code of conduct for the retail sector (apparel/footwear), led by the Alliance du Commerce. This framework translates GDPR requirements into operational rules for in-store and online activities, with an external monitoring body responsible for verifying compliance once accredited. cnil.fr

Regulatory context

Codes of conduct are instruments provided for in Articles 40 and 41 GDPR: they turn compliance into sectoral practices and allow members to demonstrate, with auditable evidence, the lawfulness of processing, data minimisation, retention periods, transparency, security, and the governance of processors and transfers. The code validated by the CNIL specifically covers B2C activities in the personal equipment (apparel/footwear) retail sector, excluding supplier and employee relations, and becomes binding for signatory retailers, under the supervision of a third-party body that must obtain CNIL accreditation before it can perform checks. This is the first national code approved by the CNIL and the third sectoral code after CISPE (cloud) and EUCROF (clinical trials). The full text sets out governance (membership, audits, follow-up, publication, revision) and includes a toolbox of document templates. cnil.fr

What changes for companies in Luxembourg

  • Luxembourg groups with an “establishment” in France or a French decision-making centre: joining the code becomes a lever for compliance and customer trust in this market, with a commercially valuable compliance indicator. Management should anticipate the ramp-up of audits by the monitoring body (once accredited) and alignment of practices across countries. cnil.fr
  • Luxembourg retailers selling online into France without an establishment: although membership is limited to entities established in France, the code provides a pragmatic “checklist” to harmonise privacy notices, retention periods, marketing legal bases, security, and processor management. It is an opportunity to align omnichannel journeys (e-shop, click & collect in Belgium/France/Germany) and reduce cross-border compliance gaps. cnil.fr
  • Spillover effect in the Greater Region: publishing an auditable code with third-party supervision sets a useful precedent for other sectors (specialty retail, health/beauty, sports) and could inspire similar initiatives at CNPD/CERP (Luxembourg) or neighbouring authorities. For multi-country groups, it becomes strategic to industrialise evidence of compliance (records of processing, DPIAs, processor clauses, consent logs, backup restoration tests) using a common blueprint. cnil.fr

Concrete actions to take this week

  • Map your France-exposed retail data flows (stores, FR e-commerce, FR marketing) and benchmark your practices against the code’s table of contents: purposes/lawfulness, cookies/tracking, retention, data subject rights (access/objection), security (encryption, access control), processors, transfers. Prioritise gaps with high customer impact (marketing, cookies, payment security). cnil.fr
  • Prepare a reusable “membership pack”: up-to-date records of processing, evidence of marketing legal bases, rights-handling procedures, processor contract templates (Art. 28), retention matrix, internal audit plan. Anticipate monitoring by the supervisory body (initial audit, periodic audits) once accredited. cnil.fr
  • Harmonise omnichannel across the Greater Region: align cookie banners and CMP, notices and marketing preferences across Luxembourg, Belgian, French and German sites. Update incident playbooks (notification to CNIL/APD/CNPD depending on the responsible establishment), and strengthen security evidence (access logs, customer-journey-focused penetration tests, reviews of “retail back-office” privileges). cnil.fr

Sources

cnil.fr

Article generated by Luxgap regulatory watch.
