Unpacking compliance, security and AI.
Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, evolutions on the AI Act, NIS 2 and DORA. To go beyond the press release.
80 articles found · #luxembourg
ShinyHunters exploits Oracle zero‑day: NAIC hit, 100+ organizations
Oracle confirmed a PeopleSoft zero‑day (CVE‑2026‑35273) exploited by ShinyHunters. NAIC reports unauthorized access; 3.1 TB stolen and 100+ organizations compromised.
EDPB updates its Objection & Erasure digest and launches a form
On 25 June 2026, the EDPB updated its OSS digest on the rights to object (Art. 21) and to erasure (Art. 17) and, on 24 June, launched a form to report divergences in GDPR interpretation.
Extra-EU transfers: EDPB vs ICO on transfer risk assessment (TRA)
On 15 Jan 2026, the ICO eased its Transfer Risk Assessment, diverging from the EDPB’s strict “essential equivalence” test. For Luxembourg controllers, maintaining an EDPB-compliant assessment remains key.
Italy — AgID fined €55,000 for INAD/INI‑PEC transparency failures
The Italian Garante fined AgID €55,000 for transparency and privacy‑by‑design failures when moving PEC addresses from INI‑PEC to INAD. A warning shot for public registers and data reuse.
DORA — Third-country branches: ICT register due by June 30
DORA’s final stretch in Luxembourg: third‑country bank branches must submit their ICT register to the CSSF by June 30, 2026 at the latest. Here is how to get it done this week.
EDPB — Scientific research: last chance to comment
On 25 June 2026, the EDPB closes its public consultation on Guidelines 1/2026 for processing personal data for scientific research. Key clarifications on legal basis, broad consent, and GDPR Article 89 safeguards.
Stand-up paddle team building at Lake Haute-Sûre (Éislek)
A day of stand-up paddle (SUP) on Lake Haute-Sûre builds cohesion: coordinated moves, mutual support and constant communication in a calm setting, just 1 hour from Luxembourg City.
Evidence and personal data: France’s Supreme Court draws a clear line
On 17 June 2026, the French Supreme Court allowed an analysis report based on pseudonymised data as evidence, where necessary and strictly proportionate. A green light for carefully run internal investigations.
AI Act: Code of Practice signing — D‑41 before your AI labels
On 22 June 2026, the Commission unveiled the Code of Practice for labelling AI-generated content. Transparency duties (Art. 50) apply from 2 August 2026, with penalties for non-compliance.
Novo Nordisk rejects $25M after 1.3 TB data theft
On June 16, 2026, FulcrumSec claimed to have stolen over 1 TB from Novo Nordisk and demanded $25M. The company confirmed a June 11 incident, is investigating, and did not pay.
CNPD — Employee vehicle geolocation: 2 months by default, DPIA often required
CNPD clarifies: retention “2 months by default,” no tracking outside working hours if private use is allowed, and DPIA when there is regular/systematic monitoring. Measures to implement immediately.
Kodak hacked: ShinyHunters claims 2.2M records
Kodak confirms an intrusion as ShinyHunters claims 2.2M records. Here’s how RGPD-compliant DLP (Art. 32 and 44‑49) reduces exfiltration and builds evidence.