Articles, by our experts

Unpacking compliance, security and AI.

Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, evolutions on the AI Act, NIS 2 and DORA. To go beyond the press release.

25 articles found · #luxembourg · Expertise Luxgap

GDPR rights at work: only the individual has standing (Cass. crim., Jan 13, 2026)

France’s Supreme Court held that a company cannot invoke employees’ GDPR rights to challenge a seizure: only the data subjects themselves have standing. A key takeaway for DSAR and DPO response workflows.

DORA vs NIS 2 in Luxembourg: which regime prevails in an incident?

On 18/09/2023, the European Commission confirmed that sectoral acts prevail over NIS 2 as lex specialis where requirements are equivalent. DORA is one of them: in Luxembourg, the CSSF oversees incident notifications for financial entities.

NIS 2 in Luxembourg: ILR expectations on the 10 measures (Art. 21)

Since the 5 May 2026 law, the ILR details the 10 minimum NIS 2 Article 21 measures and related supervision. Management must approve, implement and evidence these measures, including MFA and supply chain controls.

Extra-EU transfers: EDPB vs ICO on transfer risk assessment (TRA)

On 15 Jan 2026, the ICO eased its Transfer Risk Assessment, diverging from the EDPB’s strict “essential equivalence” test. For Luxembourg controllers, maintaining an EDPB-compliant assessment remains key.

CNPD — Employee vehicle geolocation: 2 months by default, DPIA often required

CNPD clarifies: retention “2 months by default,” no tracking outside working hours if private use is allowed, and DPIA when there is regular/systematic monitoring. Measures to implement immediately.

France Travail fined €5M: GDPR Article 32 moves from theory to audit

The CNIL fined France Travail €5M for breaches of GDPR Article 32: security measures identified in the DPIA but not implemented. A clear signal for Luxembourg organizations.

GDPR: complaint closure and no Article 78 appeal if not concerned

The French Council of State (20 May 2026) held that a CNIL complaint closure is not a “legally binding decision” triggering an Article 78 GDPR appeal if the complainant is not concretely affected.

AI Act — Prohibited practices (Art. 5): the Commission’s 2025 clarifications

On 4 February 2025, the Commission issued guidelines on prohibited AI practices (Art. 5 AI Act). Eight uses are banned as of 02/02/2025, with fines up to €35m or 7% of global turnover.

CJEU (19 March 2026): access may be refused if abusive

The CJEU accepts that a data access request may be rejected as “abusive” if it solely aims at obtaining GDPR compensation. Strong signal for reasoned refusals, burden of proof, and meeting deadlines.

DORA Art. 28: CSSF turns up the heat on the ICT dependencies register

As of 16 March 2026, only 40% of entities had filed their DORA Art. 28 register. CSSF warns: ESAs’ quality checks, potential rejections and tight resubmission windows, with a 30 June “best effort” for some branches.

CNPD 1FR/2025: how the DPA calculates a GDPR fine in 5 steps

On 6 January 2025, the CNPD fined a controller for delays in data subject rights and applied the EDPB’s five-step method. Key takeaway: track and document your “time-to-rights”.

Workplace video surveillance: the Hanako case rules out consent

Italy’s Garante (12/03/2026) fined Hanako s.r.l. for in-store video surveillance without proper notice and labor authorization. EU-wide message: in employment, employee consent is not a convenient legal basis.

Page 1 / 3 Older →