Identify the breach
Free assessment of your case: nature of the data exposed, breach context, evidence gathering. Confidentiality from the first contact.
— The reality
Mass data breaches have become a quiet industrial crisis. Most victims never know.
+450
major data breaches reported to the CNIL in 2025
€20M
maximum fine under GDPR — or 4% of worldwide turnover
<3%
of victims who actually obtain compensation without legal counsel
— Legal framework
A French legal mechanism, finally usable.
The class action introduced by the 2014 Hamon Act and extended in 2016 to data protection allows multiple victims of the same company to be represented in a single proceeding. The reform of 11 March 2025 broadened its scope and simplified its activation.
In data protection matters, victims may seek both an injunction (forcing the company to comply) and full compensation for material and moral harm.
The procedure relies on three pillars: a qualified plaintiff (lawyer or accredited association), a clearly identified group of victims, and a common factual or legal basis.
— How we act
Constitute the group
Locate other victims of the same incident, structure the legal group, define the litigation strategy and the common harm.
Take legal action
File before the competent court (Paris first, then specialised courts). Negotiate or litigate until full compensation.
— Cases we handle
Six recurring violations that justify a collective action.
Mass data leaks
Customer databases compromised — names, emails, phone numbers, banking data exposed without notification or with delayed notification.
GDPR consent violations
Cookies, tracking, profiling without informed consent. Misleading privacy policies. Unlawful data sale.
Unlawful biometric data
Facial recognition, fingerprints, behavioural data collected outside the legal framework — Article 9 GDPR.
Cross-border transfers
Personal data transferred outside the EU without proper safeguards (post-Schrems II violations, US Cloud Act).
Data retention abuse
Personal data retained well beyond the necessary period. Refusal of erasure requests under Article 17 GDPR.
Children's data
Targeted advertising, profiling and processing of minors' data on social networks, gaming platforms or apps.
— FAQ
Frequently asked questions
How do I know if my data was exposed?+
You can check on services like Have I Been Pwned, but most exposures remain undisclosed. The CNIL publishes major incidents. Voltaire & Associés monitors known leaks and notifies affected groups when an action becomes possible.
What does it cost to join a class action?+
Joining an existing action is free for victims. Voltaire & Associés works on a results-based fee structure, in compliance with bar association rules. The first consultation and case assessment are always free of charge.
How long does a class action take?+
Counting from the formal filing, between 18 and 36 months on average. Negotiated settlements may shorten this period. Group constitution itself takes 3 to 6 months.
What compensation can I expect?+
Compensation depends on the harm proven (financial loss, identity theft risk, emotional distress). For mass GDPR violations, individual compensation has ranged from €100 to several thousand euros per victim.
Can I act alone instead?+
Yes, but a class action multiplies the leverage against the company, reduces the cost burden per victim, and increases the chances of obtaining significant compensation. Both routes can be combined.
Your data was breached.
You are not alone.
Free, confidential case review. Find out within 48 hours if a class action is open or feasible for your case.
Report a breach →