Articles, by our experts

Unpacking compliance, security and AI.

Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, evolutions on the AI Act, NIS 2 and DORA. To go beyond the press release.

29 articles found · #rgpd · Veille Luxgap

AML/CFT information sharing: EDPB and AMLA to issue joint guidelines

The EDPB and AMLA announced joint guidelines on information‑sharing partnerships under AMLR Article 75, applicable from 10 July 2027. Goal: a GDPR‑compatible data‑sharing framework for AML/CFT.

Italy: €100,000 fine against Lepida over LepidaID shortcomings

Italy’s DPA fined Lepida S.c.p.A. €100,000 for GDPR violations in managing LepidaID (>1.5M users). Transparency, data minimization, and excessive log retention were flagged.

Lithuania: €450,000 GDPR fine for lack of MFA at InMedica

Lithuania’s DPA fined InMedica €450,000 over two incidents (2024 breach, 2025 ransomware), citing lack of MFA and poor access controls under GDPR Articles 5(1)(f), 24(1) and 32(1)(b).

GDPR: no automatic damage — French Court of Cassation tightens Article 82

On 24 June 2026, the French Court of Cassation held that a GDPR breach does not, by itself, entitle a claimant to compensation: the claimant must prove damage and causation. A strong signal for data litigation across Europe.

CNIL: vehicle location data — new recommendation

On 30 June 2026, the CNIL issued a recommendation on the use of vehicle location data. It clarifies ePrivacy consent, multi-user rights, security, data minimisation and the need for DPIAs.

ShinyHunters exploits Oracle zero‑day: NAIC hit, 100+ organizations

Oracle confirmed a PeopleSoft zero‑day (CVE‑2026‑35273) exploited by ShinyHunters. NAIC reports unauthorized access; 3.1 TB stolen and 100+ organizations compromised.

EDPB updates its Objection & Erasure digest and launches a form

On 25 June 2026, the EDPB updated its OSS digest on the rights to object (Art. 21) and to erasure (Art. 17) and, on 24 June, launched a form to report divergences in GDPR interpretation.

Cold calling: Constitutional Council ends the triple risk

On 25 June 2026, France’s Constitutional Council struck down parallel CNIL/ARCOM/DGCCRF proceedings for the same electronic marketing (Art. L.34‑5 CPCE). Repeal by 31 Oct 2027, but immediate effect: no more duplicate proceedings.

Italy — AgID fined €55,000 for INAD/INI‑PEC transparency failures

The Italian Garante fined AgID €55,000 for transparency and privacy‑by‑design failures when moving PEC addresses from INI‑PEC to INAD. A warning shot for public registers and data reuse.

EDPB — Scientific research: last chance to comment

On 25 June 2026, the EDPB closes its public consultation on Guidelines 1/2026 for processing personal data for scientific research. Key clarifications on legal basis, broad consent, and GDPR Article 89 safeguards.

Evidence and personal data: France’s Supreme Court draws a clear line

On 17 June 2026, the French Supreme Court allowed an analysis report based on pseudonymised data as evidence, where necessary and strictly proportionate. A green light for carefully run internal investigations.

Novo Nordisk rejects $25M after 1.3 TB data theft

On June 16, 2026, FulcrumSec claimed to have stolen over 1 TB from Novo Nordisk and demanded $25M. The company confirmed a June 11 incident, is investigating, and did not pay.

Page 1 / 3 Older →