Unpacking compliance, security and AI.
Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, evolutions on the AI Act, NIS 2 and DORA. To go beyond the press release.
64 articles found · Expertise Luxgap
GDPR rights at work: only the individual has standing (Cass. crim., Jan 13, 2026)
France’s Supreme Court held that a company cannot invoke employees’ GDPR rights to challenge a seizure: only the data subjects themselves have standing. A key takeaway for DSAR and DPO response workflows.
Workplace video surveillance: CNIL fine of 2 April 2026
On 02/04/2026, the CNIL imposed a €7,500 fine for CCTV non-compliance. In Luxembourg, the CNPD likewise requires proportionality, frequent DPIAs and two-layer information.
GDPR: first access request may be refused for abuse (CJEU 19/03/2026)
The CJEU (C‑526/24) holds that a first GDPR access request may be refused for abuse under Article 12(5). Practical key: document abusive intent and a two‑pronged proportionality test.
DORA vs NIS 2 in Luxembourg: which regime prevails in an incident?
On 18/09/2023, the European Commission confirmed that sectoral acts prevail over NIS 2 as lex specialis where requirements are equivalent. DORA is one of them: in Luxembourg, the CSSF oversees incident notifications for financial entities.
AEPD vs AENA: €10.04M for a deficient DPIA in biometrics
On 20 March 2026, the AEPD published in the BOE a €10,043,002 fine against AENA for a non-compliant DPIA related to biometric boarding. Key signal: a DPIA must now be complete, evidence-based and traceable.
Legitimate interest vs consent: CNPD/EDPB tighten, ICO remains looser
Luxembourg’s Administrative Court backed the CNPD in the Amazon case: legitimate interest was not justified. While the EDPB tightens Article 6(1)(f), the UK ICO still calls it the most flexible basis.
NIS 2 in Luxembourg: ILR expectations on the 10 measures (Art. 21)
Since the 5 May 2026 law, the ILR details the 10 minimum NIS 2 Article 21 measures and related supervision. Management must approve, implement and evidence these measures, including MFA and supply chain controls.
Recording meetings and calls: €250,000 fine — CNPD framework 2026
On 16/10/2025, the CNIL fined a call center €250,000 for poorly governed recordings. Since April 2026, the CNPD has issued a dedicated framework for meeting recordings: legal basis, transparency, retention, security, and DPIA.
Mandatory DPIA: CNPD vs CNIL — geolocation, two thresholds
In Luxembourg, the CNPD requires a DPIA for any systematic tracking of location. In France, the CNIL only mandates it for large-scale processing of location data.
Extra-EU transfers: EDPB vs ICO on transfer risk assessment (TRA)
On 15 Jan 2026, the ICO eased its Transfer Risk Assessment, diverging from the EDPB’s strict “essential equivalence” test. For Luxembourg controllers, maintaining an EDPB-compliant assessment remains key.
GDPR Article 6: the Intesa/Isybank lesson on legitimate interest vs consent
Italy’s DPA fined Intesa €17.6M for transferring ~2.4M customers to Isybank without a valid legal basis. Key takeaway: legitimate interest cannot replace valid consent or strict contractual necessity.
CJEU SCHUFA vs ICO: Is GDPR Article 22 a ban or a right?
The CJEU classified credit scoring as automated individual decision-making under GDPR Article 22. The EDPB reads it as a general ban with exceptions, while the ICO frames it as a right to be activated.