Articles, by our experts

Unpacking compliance, security and AI.

Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, evolutions on the AI Act, NIS 2 and DORA. To go beyond the press release.

51 articles found · #rgpd · Expertise Luxgap

GDPR rights at work: only the individual has standing (Cass. crim., Jan 13, 2026)

France’s Supreme Court held that a company cannot invoke employees’ GDPR rights to challenge a seizure: only the data subjects themselves have standing. A key takeaway for DSAR and DPO response workflows.

Workplace video surveillance: CNIL fine of 2 April 2026

On 02/04/2026, the CNIL imposed a €7,500 fine for CCTV non-compliance. In Luxembourg, the CNPD likewise requires proportionality, frequent DPIAs and two-layer information.

GDPR: first access request may be refused for abuse (CJEU 19/03/2026)

The CJEU (C‑526/24) holds that a first GDPR access request may be refused for abuse under Article 12(5). Practical key: document abusive intent and a two‑pronged proportionality test.

AEPD vs AENA: €10.04M for a deficient DPIA in biometrics

On 20 March 2026, the AEPD published in the BOE a €10,043,002 fine against AENA for a non-compliant DPIA related to biometric boarding. Key signal: a DPIA must now be complete, evidence-based and traceable.

Legitimate interest vs consent: CNPD/EDPB tighten, ICO remains looser

Luxembourg’s Administrative Court backed the CNPD in the Amazon case: legitimate interest was not justified. While the EDPB tightens Article 6(1)(f), the UK ICO still calls it the most flexible basis.

Recording meetings and calls: €250,000 fine — CNPD framework 2026

On 16/10/2025, the CNIL fined a call center €250,000 for poorly governed recordings. Since April 2026, the CNPD has issued a dedicated framework for meeting recordings: legal basis, transparency, retention, security, and DPIA.

Mandatory DPIA: CNPD vs CNIL — geolocation, two thresholds

In Luxembourg, the CNPD requires a DPIA for any systematic tracking of location. In France, the CNIL only mandates it for large-scale processing of location data.

Extra-EU transfers: EDPB vs ICO on transfer risk assessment (TRA)

On 15 Jan 2026, the ICO eased its Transfer Risk Assessment, diverging from the EDPB’s strict “essential equivalence” test. For Luxembourg controllers, maintaining an EDPB-compliant assessment remains key.

GDPR Article 6: the Intesa/Isybank lesson on legitimate interest vs consent

Italy’s DPA fined Intesa €17.6M for transferring ~2.4M customers to Isybank without a valid legal basis. Key takeaway: legitimate interest cannot replace valid consent or strict contractual necessity.

CJEU SCHUFA vs ICO: Is GDPR Article 22 a ban or a right?

The CJEU classified credit scoring as automated individual decision-making under GDPR Article 22. The EDPB reads it as a general ban with exceptions, while the ICO frames it as a right to be activated.

Information duty (Art. 14 GDPR): the legal exception clarified in 2026

The French Court of Cassation (Jan 29, 2026) confirms the Art. 14(5)(c) GDPR exception where a law mandates disclosure and provides appropriate safeguards. Useful for tax/social flows and certain B2G sharing in Luxembourg.

Ex-employee mailbox: €176,000 fine and a short-lived legitimate interest

Belgian DPA (Decision 101/2026): keeping an ex-employee’s mailbox active for over a year is unlawful. Legitimate interest only covers a very short redirection (~1 month), with transparency, LIA and offboarding procedures.

Page 1 / 5 Older →