Case Studies

High-stakes work for leading clients.

01. GDPR & Data

Strategic data advisory for an S&P 500 real estate group

Advisory to the European Privacy/Data/AI Officer of one of the world's largest real estate managers (~$100B market cap). Triple GDPR / Data Act / AI Act scope. Complete AI governance (4 tools evaluated), application to an EU AI regulator sandbox, deployment of Data Act contractual standards ahead of EU standard clauses.

Multi-mission engagement for a CAC40 food industry group

4-year relationship, from one-off DPO support to group sparring partner. Internal social network deployment post-CNIL audit, clinical research with health data access (SNDS), AI-enabled HR tools compliance, CNIL audit simulation across France HR perimeter.

Outsourced DPO for a sensitive public data operator

Taking over the DPO function in a post-CNIL sanction context (€250K) and national security crisis (kidnappings facilitated by personal data disclosure in public registries). Balancing registry transparency with personal protection.

02. Cybersecurity

Crisis management — massive data breach

Complete management of the response to a data breach affecting 4 to 12 million individuals. Data disseminated on the darknet. CNIL notification, crisis communication, technical remediation.

03. Artificial Intelligence

AI governance for a global logistics group

Assessment of 4 AI tools (logistics optimization, recruitment, autonomous buildings, HR/IT support AI agent) with different AI Act risk profiles. Full deployment: internal policies, supplier evaluation grid, risk analysis process, contractual clauses.

Contractual innovation on the AI value chain

Advisory to a sovereign MLOps platform publisher. Contractual structuring of the 3-tier chain (model provider → platform → end client) — unprecedented issue with no case law or market standard clauses.

Privacy by design for embedded AI (medical device)

Compliance for a medical device with embedded AI — connected airbag belt detecting falls in real time. Triple regulatory layer: medical device, GDPR (health data), AI Act.

04. IT Contracts & Intellectual Property

Privacy due diligence on transatlantic M&A transactions

Recurring sub-advisory mandates from French M&A firms on transatlantic transactions (led by US/UK Magic Circle firms). Privacy has become a strategic and systematic workstream on deals.

BCR-P for an international consulting group

Advisory to an international consulting group in obtaining its Binding Corporate Rules for Processors — lengthy process with direct CNIL exchanges over several months.

Digital compliance for a luxury resort

Complex digital project (ticketing, cancellation insurance, donations) for an entity linked to a global food industry group.