Articles, by our experts

Unpacking compliance, security and AI.

Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, evolutions on the AI Act, NIS 2 and DORA. To go beyond the press release.

14 articles found · #cnil · Expertise Luxgap

Workplace video surveillance: CNIL fine of 2 April 2026

On 02/04/2026, the CNIL imposed a €7,500 fine for CCTV non-compliance. In Luxembourg, the CNPD likewise requires proportionality, frequent DPIAs and two-layer information.

Recording meetings and calls: €250,000 fine — CNPD framework 2026

On 16/10/2025, the CNIL fined a call center €250,000 for poorly governed recordings. Since April 2026, the CNPD has issued a dedicated framework for meeting recordings: legal basis, transparency, retention, security, and DPIA.

Mandatory DPIA: CNPD vs CNIL — geolocation, two thresholds

In Luxembourg, the CNPD requires a DPIA for any systematic tracking of location. In France, the CNIL only mandates it for large-scale processing of location data.

IQVIA fined €5M: pseudonymisation ≠ anonymisation

The CNIL fined IQVIA €5M over shortcomings in two health data warehouses. Key takeaway: pseudonymised data are still personal data and the GDPR applies in full.

France Travail fined €5M: GDPR Article 32 moves from theory to audit

The CNIL fined France Travail €5M for breaches of GDPR Article 32: security measures identified in the DPIA but not implemented. A clear signal for Luxembourg organizations.

GDPR: complaint closure and no Article 78 appeal if not concerned

The French Council of State (20 May 2026) held that a CNIL complaint closure is not a “legally binding decision” triggering an Article 78 GDPR appeal if the complainant is not concretely affected.

Free Mobile/Free fined €42M: lessons for your 72h GDPR response

CNIL fines Free Mobile (€27M) and Free (€15M) after a breach affecting 24M contracts. Priorities: security (Art. 32), content of authority notifications (Art. 33) and of communications to individuals (Art. 34).

CNPD vs CNIL: workplace CCTV, 8 days in LU, up to 30 days in FR

The CNPD sets a default retention of “up to 8 days,” while the CNIL in practice admits up to one month. Entities operating in Luxembourg must adjust their practices and records.

CNPD frames meeting recordings: divergence with the CNIL

As of 01/04/2026, the CNPD tightens meeting audio: strict legitimate interest and deletion once minutes are approved. In France, the CNIL allows call recording for evidential purposes but bans audio paired with CCTV.

Health data: €5M fine against IQVIA — what GDPR Article 9 really requires

On May 26, 2026, the CNIL fined IQVIA €5M over shortcomings in its health data warehouses. The case illustrates GDPR Article 9’s general prohibition and the strict conditions of its exceptions.

DPIA: EDPB template (Apr 2026) and CNPD/CNIL divergences

The EDPB issued an EU DPIA template for consultation (April 2026). Yet CNPD and CNIL still diverge on triggers, with France publishing a “not required” whitelist that Luxembourg does not.

France Travail fined: key lessons from GDPR Article 32

On 22 January 2026, the CNIL fined France Travail €5M for weaknesses in authentication, logging and access rights. In Luxembourg, GDPR Article 32 requires appropriate, demonstrably effective security measures.

Page 1 / 2 Older →