Unpacking compliance, security and AI.
Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, evolutions on the AI Act, NIS 2 and DORA. To go beyond the press release.
64 articles found · #expertise
Information duty (Art. 14 GDPR): the legal exception clarified in 2026
The French Court of Cassation (Jan 29, 2026) confirms the Art. 14(5)(c) GDPR exception where a law mandates disclosure and provides appropriate safeguards. Useful for tax/social flows and certain B2G sharing in Luxembourg.
Ex-employee mailbox: €176,000 fine and a short-lived legitimate interest
Belgian DPA (Decision 101/2026): keeping an ex-employee’s mailbox active for over a year is unlawful. Legitimate interest only covers a very short redirection (~1 month), with transparency, LIA and offboarding procedures.
IQVIA fined €5M: pseudonymisation ≠ anonymisation
The CNIL fined IQVIA €5M over shortcomings in two health data warehouses. Key takeaway: pseudonymised data are still personal data and the GDPR applies in full.
GDPR Article 28: Belgian DPA fines SWDE — your DPA must be rock-solid
On 12 May 2026, the Belgian DPA fined SWDE €86,000, including €1,000 for lacking an Article 28-compliant DPA. Key takeaway: without a complete DPA, any outsourced processing leaves the controller non-compliant.
CNPD — Employee vehicle geolocation: 2 months by default, DPIA often required
CNPD clarifies: retention “2 months by default,” no tracking outside working hours if private use is allowed, and DPIA when there is regular/systematic monitoring. Measures to implement immediately.
France Travail fined €5M: GDPR Article 32 moves from theory to audit
The CNIL fined France Travail €5M for breaches of GDPR Article 32: security measures identified in the DPIA but not implemented. A clear signal for Luxembourg organizations.
GDPR Article 28: when a vendor is a processor (AEPD SEUR/Citibox)
On 8 June 2026, the AEPD fined SEUR and Citibox for lacking a GDPR Article 28-compliant data processing agreement in a “carrier + smart lockers” setup. Contract labels are not decisive; actual processing reality prevails.
GDPR: complaint closure and no Article 78 appeal if not concerned
The French Council of State (20 May 2026) held that a CNIL complaint closure is not a “legally binding decision” triggering an Article 78 GDPR appeal if the complainant is not concretely affected.
Free Mobile/Free fined €42M: lessons for your 72h GDPR response
CNIL fines Free Mobile (€27M) and Free (€15M) after a breach affecting 24M contracts. Priorities: security (Art. 32), content of authority notifications (Art. 33) and of communications to individuals (Art. 34).
AI Act — Prohibited practices (Art. 5): the Commission’s 2025 clarifications
On 4 February 2025, the Commission issued guidelines on prohibited AI practices (Art. 5 AI Act). Eight uses are banned as of 02/02/2025, with fines up to €35m or 7% of global turnover.
CNPD vs CNIL: workplace CCTV, 8 days in LU, up to 30 days in FR
The CNPD sets a default retention of “up to 8 days,” while the CNIL in practice admits up to one month. Entities operating in Luxembourg must adjust their practices and records.
72 hours or a fine: the Mayor of Myślenice flagged — a reminder for Luxembourg
On 25 May 2026, Poland’s UODO fined the Mayor of Myślenice for failing to notify a data breach within 72 hours (GDPR Art. 33). A useful reminder of what the CNPD expects in Luxembourg.