# Data Privacy — AIPD (CNIL Standard) > Conduct a Privacy Impact Assessment (AIPD) under the CNIL standard for France (RGPD). Three-step methodology: Context, Principles, Risks. Validates retention periods against CNIL 'droit à l'oubli' (right to erasure). Tags: RGPD, CNIL, AIPD, Privacy, Data Protection, France, Compliance, Droit à l'oubli ## Example Prompts - Conduct an AIPD for our new customer analytics platform in France - Check our AIPD retention periods against CNIL droit à l'oubli (data_retention_limiter) - Draft an AIPD for health data processing under CNIL methodology (Context, Principles, Risks) URL: https://rakenne.app/skills/cnil-aipd/index.md Try this skill: https://rakenne.app/a/?skill=cnil-aipd ## Overview Conduct a Privacy Impact Assessment (AIPD) under the **CNIL** standard for **France** (RGPD). The skill structures the assessment in three steps — **Context** (processing description, retention, flows), **Principles** (RGPD Art. 5 and measures), and **Risks** (identification, assessment, mitigation) — and validates data retention against CNIL "droit à l'oubli" (right to erasure). Relevant for tech, marketing, and health sectors. ## Tools - **data_retention_limiter** — Scans an AIPD or processing document for retention and storage periods. Flags: (1) indefinite or unlimited retention (incompatible with CNIL droit à l'oubli), (2) missing retention period, (3) durations exceeding a configurable maximum (default 10 years). Use after drafting or updating the AIPD. Optional parameter: `maxYearsGeneral`. ## Getting Started Add your draft AIPD or processing documentation (Markdown or text) to the project workspace, then activate the *Data Privacy — AIPD (CNIL Standard)* skill. The agent will use the CNIL 3-step template and run `data_retention_limiter` to check retention compliance. --- ## Example conversation Session where a user drafts an AIPD for a French marketing platform and validates retention. > **You:** We need an AIPD for our new B2B marketing platform in France. We collect contact and usage data; retention is "until account closure" for now. > > **Agent:** I've created an AIPD from the template at `docs/aipd-marketing-platform.md` and filled step 1 (Contexte) with your finalities and data categories. "Until account closure" is effectively indefinite — CNIL recommends a maximum duration. I've set a placeholder: 3 years after last activity, with a note to confirm. > > **You:** Run the retention checker on the current draft. > > **Agent:** Running `data_retention_limiter` on `docs/aipd-marketing-platform.md`: > > - **Indefinite retention:** OK (no indefinite wording in current draft). > - **Retention stated:** OK. > - **Durations:** 3 years — OK. > > Result: OK — no retention issues detected. I've left a reminder in the AIPD to document retention in the register and in the privacy notice. --- ## Excerpt from data_retention_limiter output Example when the document mentions indefinite retention. ``` ================================================================ Data Retention Limiter — CNIL / Droit à l'oubli File: docs/aipd-draft.md ================================================================ --- Indefinite / unlimited retention --- [ERROR] Document mentions indefinite or unlimited retention. CNIL requires a defined duration. Excerpt: …conservation des données à durée illimitée jusqu'à… --- Retention period stated --- [OK] At least one retention/conservation duration appears in the document. ================================================================ RESULT: INCOMPLETE — fix indefinite retention to comply with CNIL droit à l'oubli. - Indefinite or unlimited retention conflicts with CNIL 'droit à l'oubli'. Define a maximum conservation period. ================================================================ ``` --- Back to [Skill Library](https://rakenne.app/skills/index.md)