Unpacking compliance, security and AI.
Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, evolutions on the AI Act, NIS 2 and DORA. To go beyond the press release.
14 articles found · #cnil · Expertise Luxgap
Workplace video surveillance: CNIL fine of 2 April 2026
On 02/04/2026, the CNIL imposed a €7,500 fine for CCTV non-compliance. In Luxembourg, the CNPD likewise requires proportionality, frequent DPIAs and two-layer information.
Recording meetings and calls: €250,000 fine — CNPD framework 2026
On 16/10/2025, the CNIL fined a call center €250,000 for poorly governed recordings. Since April 2026, the CNPD has issued a dedicated framework for meeting recordings: legal basis, transparency, retention, security, and DPIA.
Mandatory DPIA: CNPD vs CNIL — geolocation, two thresholds
In Luxembourg, the CNPD requires a DPIA for any systematic tracking of location. In France, the CNIL only mandates it for large-scale processing of location data.
IQVIA fined €5M: pseudonymisation ≠ anonymisation
The CNIL fined IQVIA €5M over shortcomings in two health data warehouses. Key takeaway: pseudonymised data are still personal data and the GDPR applies in full.
France Travail fined €5M: GDPR Article 32 moves from theory to audit
The CNIL fined France Travail €5M for breaches of GDPR Article 32: security measures identified in the DPIA but not implemented. A clear signal for Luxembourg organizations.
GDPR: complaint closure and no Article 78 appeal if not concerned
The French Council of State (20 May 2026) held that a CNIL complaint closure is not a “legally binding decision” triggering an Article 78 GDPR appeal if the complainant is not concretely affected.
Free Mobile/Free fined €42M: lessons for your 72h GDPR response
CNIL fines Free Mobile (€27M) and Free (€15M) after a breach affecting 24M contracts. Priorities: security (Art. 32), content of authority notifications (Art. 33) and of communications to individuals (Art. 34).
CNPD vs CNIL: workplace CCTV, 8 days in LU, up to 30 days in FR
The CNPD sets a default retention of “up to 8 days,” while the CNIL in practice admits up to one month. Entities operating in Luxembourg must adjust their practices and records.
CNPD frames meeting recordings: divergence with the CNIL
As of 01/04/2026, the CNPD tightens meeting audio: strict legitimate interest and deletion once minutes are approved. In France, the CNIL allows call recording for evidential purposes but bans audio paired with CCTV.
Health data: €5M fine against IQVIA — what GDPR Article 9 really requires
On May 26, 2026, the CNIL fined IQVIA €5M over shortcomings in its health data warehouses. The case illustrates GDPR Article 9’s general prohibition and the strict conditions of its exceptions.
DPIA: EDPB template (Apr 2026) and CNPD/CNIL divergences
The EDPB issued an EU DPIA template for consultation (April 2026). Yet CNPD and CNIL still diverge on triggers, with France publishing a “not required” whitelist that Luxembourg does not.
France Travail fined: key lessons from GDPR Article 32
On 22 January 2026, the CNIL fined France Travail €5M for weaknesses in authentication, logging and access rights. In Luxembourg, GDPR Article 32 requires appropriate, demonstrably effective security measures.