A DGCCRF formal notice — how a fashion marketplace responded in 30 days

A French fashion marketplace (anonymised) receives a formal notice from the DGCCRF in March 2026. Response deadline: 30 days. No panic, but no time to waste either. Here's the procedure followed day by day, and what really made the difference to the outcome.

Days 1-3 — diagnosis

A full audit ordered the very day it was received. Result delivered in 18 minutes: 67% compliance, 22 blocking issues, of which 14 matched exactly the criteria cited in the formal notice. Knowing precisely where you stand, from day one, turns a vague threat into a concrete action plan.

Days 4-20 — action plan

12 of the 14 blocking issues fixed in 16 days by a team of 2 developers. An automatic re-verification audit every evening, to confirm each fix held and no regression appeared. The 2 remaining issues depended on a third-party module, beyond their immediate control.

Days 21-30 — response file

A file submitted to the DGCCRF, comprising: the initial audit (timestamped PDF), the list of fixes (closed tickets as evidence), the final audit (12/14 resolved, the last 2 documented as depending on a third-party module being updated) and the accessibility statement updated with the new rate.

What made the defence

• →Dated proof of a starting point and of progress (initial vs final audit)
• →Traceability of the fixes (closed tickets, not mere assertions)
• →Honesty about the 2 unresolved issues, with a cause and a deadline
• →An updated accessibility statement, consistent with the file

The lesson: prepare before you receive

The decisive factor wasn't the speed of fixing — fast, granted — but the ability to document. A company that already has a recent audit on the day the formal notice arrives starts three weeks ahead. The one that discovers its level that day is racing the clock.

Frequently asked questions

How long does a formal notice usually give?

The deadline is set by the authority and generally counted in weeks (30 days here). It's short to fix from scratch — hence the value of already having an audit and a plan to hand.

Do you have to fix everything to avoid the sanction?

No. What matters is demonstrating an active, good-faith approach: fix the essentials, document the rest with a credible deadline. This case was dismissed with 2 issues still open.

Is a non-compliant third-party module my responsibility?

The responsibility stays yours, but documenting that a non-conformity depends on a third party being updated is an admissible circumstance — provided you show it and chase the vendor.