Articles, by our experts

Unpacking compliance, security and AI.

Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, evolutions on the AI Act, NIS 2 and DORA. To go beyond the press release.

20 articles found · #edpb · Expertise Luxgap

GDPR: first access request may be refused for abuse (CJEU 19/03/2026)

The CJEU (C‑526/24) holds that a first GDPR access request may be refused for abuse under Article 12(5). Practical key: document abusive intent and a two‑pronged proportionality test.

Legitimate interest vs consent: CNPD/EDPB tighten, ICO remains looser

Luxembourg’s Administrative Court backed the CNPD in the Amazon case: legitimate interest was not justified. While the EDPB tightens Article 6(1)(f), the UK ICO still calls it the most flexible basis.

Recording meetings and calls: €250,000 fine — CNPD framework 2026

On 16/10/2025, the CNIL fined a call center €250,000 for poorly governed recordings. Since April 2026, the CNPD has issued a dedicated framework for meeting recordings: legal basis, transparency, retention, security, and DPIA.

Extra-EU transfers: EDPB vs ICO on transfer risk assessment (TRA)

On 15 Jan 2026, the ICO eased its Transfer Risk Assessment, diverging from the EDPB’s strict “essential equivalence” test. For Luxembourg controllers, maintaining an EDPB-compliant assessment remains key.

Information duty (Art. 14 GDPR): the legal exception clarified in 2026

The French Court of Cassation (Jan 29, 2026) confirms the Art. 14(5)(c) GDPR exception where a law mandates disclosure and provides appropriate safeguards. Useful for tax/social flows and certain B2G sharing in Luxembourg.

72 hours or a fine: the Mayor of Myślenice flagged — a reminder for Luxembourg

On 25 May 2026, Poland’s UODO fined the Mayor of Myślenice for failing to notify a data breach within 72 hours (GDPR Art. 33). A useful reminder of what the CNPD expects in Luxembourg.

Transfers to the United States: CNPD implements the DPF, EDPB remains cautious

The CNPD confirms “free” transfers to US entities certified under the DPF (Art. 45 GDPR), while the EDPB maintains reservations and calls for ongoing vigilance.

CNPD 1FR/2025: how the DPA calculates a GDPR fine in 5 steps

On 6 January 2025, the CNPD fined a controller for delays in data subject rights and applied the EDPB’s five-step method. Key takeaway: track and document your “time-to-rights”.

GDPR Article 6: the Poste Italiane fine clarifies legitimate interest vs consent

Italy’s DPA fined Poste Italiane/PostePay €12.5m for intrusive device access via apps without a valid legal basis. Key message: anything beyond what is strictly necessary often requires valid consent, not legitimate interest.

Workplace video surveillance: the Hanako case rules out consent

Italy’s Garante (12/03/2026) fined Hanako s.r.l. for in-store video surveillance without proper notice and labor authorization. EU-wide message: in employment, employee consent is not a convenient legal basis.

GDPR fines 2026: direct actions opened against EDPB decisions

On 10/02/2026, the CJEU allowed companies to bring direct actions against the EDPB’s “binding” decisions. The fine calculation method (Art. 83 GDPR) and compliance orders can now be challenged before the EU courts.

Intra-group sharing: CNIL accepts legitimate interest, CNPD treats it as a transfer

In Luxembourg in 2026, legitimate interest may ground intra-group administrative sharing, but the CNPD qualifies it as a transfer between controllers, requiring strong transparency and, outside the EEA, a Chapter V mechanism.

Page 1 / 2 Older →