Articles, by our experts

Unpacking compliance, security and AI.

Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, evolutions on the AI Act, NIS 2 and DORA. To go beyond the press release.

41 articles found · #cnpd

GDPR Article 28: when a vendor is a processor (AEPD SEUR/Citibox)

On 8 June 2026, the AEPD fined SEUR and Citibox for lacking a GDPR Article 28-compliant data processing agreement in a “carrier + smart lockers” setup. Contract labels are not decisive; actual processing reality prevails.

GDPR: complaint closure and no Article 78 appeal if not concerned

The French Council of State (20 May 2026) held that a CNIL complaint closure is not a “legally binding decision” triggering an Article 78 GDPR appeal if the complainant is not concretely affected.

Free Mobile/Free fined €42M: lessons for your 72h GDPR response

CNIL fines Free Mobile (€27M) and Free (€15M) after a breach affecting 24M contracts. Priorities: security (Art. 32), content of authority notifications (Art. 33) and of communications to individuals (Art. 34).

CNPD vs CNIL: workplace CCTV, 8 days in LU, up to 30 days in FR

The CNPD sets a default retention of “up to 8 days,” while the CNIL in practice admits up to one month. Entities operating in Luxembourg must adjust their practices and records.

72 hours or a fine: the Mayor of Myślenice flagged — a reminder for Luxembourg

On 25 May 2026, Poland’s UODO fined the Mayor of Myślenice for failing to notify a data breach within 72 hours (GDPR Art. 33). A useful reminder of what the CNPD expects in Luxembourg.

CJEU (19 March 2026): access may be refused if abusive

The CJEU accepts that a data access request may be rejected as “abusive” if it solely aims at obtaining GDPR compensation. Strong signal for reasoned refusals, burden of proof, and meeting deadlines.

Right of access vs premature deletion: Belgian DPA warns recruiter (37/2026)

On 24 February 2026, the Belgian DPA warned a company for deleting an interview video after an access request. In practice: purge must be suspended until the access right is handled (Arts. 12 and 15 GDPR).

Amazon v. CNPD (12 March 2026): Legitimate interest rejected in AdTech

Luxembourg’s Administrative Court confirms Amazon’s behavioral advertising could not rely on legitimate interest and annuls the fine in light of the CJEU’s fault requirement.

Transfers to the United States: CNPD implements the DPF, EDPB remains cautious

The CNPD confirms “free” transfers to US entities certified under the DPF (Art. 45 GDPR), while the EDPB maintains reservations and calls for ongoing vigilance.

CNPD 1FR/2025: how the DPA calculates a GDPR fine in 5 steps

On 6 January 2025, the CNPD fined a controller for delays in data subject rights and applied the EDPB’s five-step method. Key takeaway: track and document your “time-to-rights”.

AEPD vs AENA: €10,043,002 for a deficient DPIA (Art. 35 GDPR)

On 4 March 2026, the AEPD fined AENA €10,043,002 for a non‑compliant DPIA on biometric boarding. Key takeaway: a “pro forma” DPIA is tantamount to no DPIA.

GDPR fines 2026: direct actions opened against EDPB decisions

On 10/02/2026, the CJEU allowed companies to bring direct actions against the EDPB’s “binding” decisions. The fine calculation method (Art. 83 GDPR) and compliance orders can now be challenged before the EU courts.

← Newer Page 2 / 4 Older →