Under what circumstance must a data controller notify a data breach to the CNIL?

Prepare for the Business Admin Knowledge Level 3 Test. Utilize multiple choice questions and helpful insights to strengthen your understanding of core business admin concepts. Excel in your examination!

The correct answer is that a data controller must notify a data breach to the CNIL only under certain conditions. Under the General Data Protection Regulation (GDPR), a data controller is required to report a personal data breach to the relevant supervisory authority (such as CNIL in France) when it is likely to result in a risk to the rights and freedoms of individuals.

This notification must occur without undue delay and, where feasible, within 72 hours after the controller becomes aware of the breach. However, if the breach is unlikely to pose any risk to the individuals affected, the data controller is not obliged to notify the CNIL.

This nuanced requirement ensures that data controllers focus on significant breaches that could impact personal data privacy while allowing flexibility for lower-risk incidents that do not necessitate regulatory involvement.
