Studio Founder
Auditing Our Privacy Policy Against Current GDPR — Found 7 Gaps
Key Takeaway
We uploaded our privacy policy to an AI agent; it scanned the policy against current GDPR text and CNIL guidance and found 7 compliance gaps, including 2 critical ones our external DPO had missed.
The Problem
Annual GDPR compliance review. Every company with EU customers does this. Most do it badly.
The standard process: hire an external DPO or privacy consultant for a day. They read your privacy policy, compare it against a mental checklist, write a short report. Cost: €2,500-€4,000. Time: 2-3 weeks turnaround.
The problem with human review: it's only as current as the reviewer's knowledge. GDPR hasn't changed, but CNIL guidance has. The EDPB has issued 47 guidelines since 2018. The CJEU keeps ruling on things. Your reviewer from last year might not know about the Schrems III implications or the latest CNIL position on cookie walls.
Our privacy policy was "last reviewed" 9 months ago. The external DPO signed off. We assumed it was fine.
It wasn't.
The Solution
The Legal Advisor skill on Mr.Chief. Upload your privacy policy. The agent scans it against the full GDPR text (99 articles, 173 recitals), current CNIL délibérations, EDPB guidelines, and recent CJEU case law.
It doesn't just check "do you mention data subject rights?" It checks whether you mention all of them, whether your legal bases are correctly matched to processing activities, and whether your language reflects current regulatory interpretation.
The Process
```yaml
# mrchief skill: legal-advisor
# Privacy policy GDPR audit
task: gdpr-privacy-policy-audit
input: ./policies/privacy-policy-current.pdf
jurisdiction: france
standards:
  - GDPR (Regulation 2016/679)
  - CNIL guidelines (current as of scan date)
  - EDPB guidelines (all adopted)
  - CJEU relevant rulings (2018-present)
language: french
output: gap-report-with-fixes
severity_scoring: true
```
The agent runs a 43-point checklist:
```text
GDPR PRIVACY POLICY AUDIT — PyratzLabs SAS
═══════════════════════════════════════════
AUDIT DATE: 2026-03-10
POLICY VERSION: v2.3 (last updated: 2025-06-15)
REGULATION VERSION: GDPR + CNIL guidance through Feb 2026
FINDINGS: 7 GAPS IDENTIFIED
═══════════════════════════
🔴 CRITICAL (2)
═══════════════
GAP #1: Incomplete legal bases for processing activities
Section: "Pourquoi traitons-nous vos données"
Issue: Policy states "legitimate interest" for newsletter
sending without balancing test documentation reference.
CNIL Position (2025-09): Legitimate interest for B2C
marketing requires documented balancing test, accessible
to data subjects upon request.
Fix: Add reference to balancing test. Document the test
separately. Include mention of opt-out mechanism in same
paragraph.
GDPR Reference: Art. 6(1)(f), Recital 47
GAP #2: Missing right to lodge complaint with supervisory authority
Section: "Vos droits"
Issue: Lists right of access, rectification, erasure,
portability, restriction, objection. Does NOT mention
right to lodge complaint with CNIL (Art. 77).
This is explicitly required by Art. 13(2)(d).
Fix: Add "Vous disposez également du droit d'introduire
une réclamation auprès de la CNIL (www.cnil.fr)."
GDPR Reference: Art. 13(2)(d), Art. 77
⚠️ HIGH (3)
═══════════
GAP #3: Data retention periods too vague
Section: "Durée de conservation"
Issue: States "we retain data as long as necessary."
CNIL requires specific periods per processing purpose.
Fix: Add table mapping each purpose to specific retention
period. CNIL reference guide: délibération 2019-160.
GAP #4: International transfers — no mechanism specified
Section: "Transferts de données"
Issue: Mentions "some data may be transferred outside EU"
but doesn't specify transfer mechanism (SCCs, adequacy
decision, or Art. 49 derogation).
Post-Schrems II: must specify mechanism + supplementary
measures if applicable.
Fix: List each non-EU processor, applicable mechanism,
and link to relevant SCC version.
GAP #5: Cookie consent mechanism not referenced
Section: (Missing)
Issue: No mention of cookie policy or consent mechanism.
CNIL guidelines on cookies (2020, updated 2024) require
clear information in privacy policy + separate cookie banner.
Fix: Add cookie section or clear cross-reference to
separate cookie policy.
ℹ️ MEDIUM (2)
══════════════
GAP #6: DPO contact incomplete
Section: "Contact"
Issue: Lists generic privacy@pyratzlabs.com but Art. 37-39
requires published DPO contact details if DPO appointed.
If no DPO appointed: must clarify who handles privacy.
Fix: Either publish DPO name/contact or clarify privacy
contact role and authority.
GAP #7: No mention of automated decision-making
Section: (Missing)
Issue: Art. 13(2)(f) requires disclosure of automated
decision-making including profiling, with meaningful
information about logic, significance, and consequences.
If no automated decision-making: state this explicitly.
Fix: Add section — either disclosing ADM practices or
confirming none exist.
COMPLIANT AREAS (36/43): ✅
══════════════════════════
✅ Controller identity and contact details (Art. 13(1)(a))
✅ Processing purposes clearly stated (Art. 13(1)(c))
✅ Categories of personal data (Art. 14(1)(d))
✅ Recipients/categories of recipients (Art. 13(1)(e))
... [36 total passing checks]
```
The Results
| Metric | External DPO Review | AI Agent Audit |
|---|---|---|
| Cost | €3,000 | ~€0.40 |
| Turnaround | 2-3 weeks | 4 minutes |
| Checklist depth | ~15-20 items (typical) | 43 items |
| CNIL guidance current to | Reviewer's last training | Scan date (real-time) |
| Gaps found (same policy) | 0 ("looks good") | 7 (including 2 critical) |
| Fix language provided | "You should update X" | Exact replacement text |
| Severity scoring | Informal | Structured (Critical/High/Medium) |
The external DPO missed Gap #2 — the right to lodge a complaint with CNIL. It's literally one sentence. Article 13(2)(d) explicitly requires it. This is the kind of thing a human skips because it seems obvious. The agent doesn't skip anything.
Try It Yourself
```bash
mrchief run legal-advisor \
  --task gdpr-privacy-policy-audit \
  --input ./your-privacy-policy.pdf \
  --jurisdiction france \
  --severity-scoring true
```
Works with privacy policies in French, English, German, Spanish, and Italian. Jurisdiction-specific checks available for France (CNIL), Germany (BfDI), UK (ICO), and EU-wide (EDPB).
Run it quarterly, not annually. The agent costs cents. Regulatory guidance changes monthly.
The CNIL doesn't send warnings anymore. They send fines. We'd rather find the gaps ourselves.