Articles, by our experts

Unpacking compliance, security and AI.

Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, evolutions on the AI Act, NIS 2 and DORA. To go beyond the press release.

64 articles found · Expertise Luxgap

CJEU (19 March 2026): access may be refused if abusive

The CJEU accepts that a data access request may be rejected as “abusive” if it solely aims at obtaining GDPR compensation. Strong signal for reasoned refusals, burden of proof, and meeting deadlines.

Right of access vs premature deletion: Belgian DPA warns recruiter (37/2026)

On 24 February 2026, the Belgian DPA warned a company for deleting an interview video after an access request. In practice: purge must be suspended until the access right is handled (Arts. 12 and 15 GDPR).

Amazon v. CNPD (12 March 2026): Legitimate interest rejected in AdTech

Luxembourg’s Administrative Court confirms Amazon’s behavioral advertising could not rely on legitimate interest and annuls the fine in light of the CJEU’s fault requirement.

Transfers to the United States: CNPD implements the DPF, EDPB remains cautious

The CNPD confirms “free” transfers to US entities certified under the DPF (Art. 45 GDPR), while the EDPB maintains reservations and calls for ongoing vigilance.

DORA Art. 28: CSSF turns up the heat on the ICT dependencies register

As of 16 March 2026, only 40% of entities had filed their DORA Art. 28 register. CSSF warns: ESAs’ quality checks, potential rejections and tight resubmission windows, with a 30 June “best effort” for some branches.

CNPD 1FR/2025: how the DPA calculates a GDPR fine in 5 steps

On 6 January 2025, the CNPD fined a controller for delays in data subject rights and applied the EDPB’s five-step method. Key takeaway: track and document your “time-to-rights”.

GDPR Article 6: the Poste Italiane fine clarifies legitimate interest vs consent

Italy’s DPA fined Poste Italiane/PostePay €12.5m for intrusive device access via apps without a valid legal basis. Key message: anything beyond what is strictly necessary often requires valid consent, not legitimate interest.

Workplace video surveillance: the Hanako case rules out consent

Italy’s Garante (12/03/2026) fined Hanako s.r.l. for in-store video surveillance without proper notice and labor authorization. EU-wide message: in employment, employee consent is not a convenient legal basis.

AEPD vs AENA: €10,043,002 for a deficient DPIA (Art. 35 GDPR)

On 4 March 2026, the AEPD fined AENA €10,043,002 for a non‑compliant DPIA on biometric boarding. Key takeaway: a “pro forma” DPIA is tantamount to no DPIA.

GDPR fines 2026: direct actions opened against EDPB decisions

On 10/02/2026, the CJEU allowed companies to bring direct actions against the EDPB’s “binding” decisions. The fine calculation method (Art. 83 GDPR) and compliance orders can now be challenged before the EU courts.

CNPD frames meeting recordings: divergence with the CNIL

As of 01/04/2026, the CNPD tightens meeting audio: strict legitimate interest and deletion once minutes are approved. In France, the CNIL allows call recording for evidential purposes but bans audio paired with CCTV.

Intra-group sharing: CNIL accepts legitimate interest, CNPD treats it as a transfer

In Luxembourg in 2026, legitimate interest may ground intra-group administrative sharing, but the CNPD qualifies it as a transfer between controllers, requiring strong transparency and, outside the EEA, a Chapter V mechanism.

← Newer Page 3 / 6 Older →