Articles, by our experts

Unpacking compliance, security and AI.

Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, evolutions on the AI Act, NIS 2 and DORA. To go beyond the press release.

64 articles found · #reglementaire

Information duty (Art. 14 GDPR): the legal exception clarified in 2026

The French Court of Cassation (Jan 29, 2026) confirms the Art. 14(5)(c) GDPR exception where a law mandates disclosure and provides appropriate safeguards. Useful for tax/social flows and certain B2G sharing in Luxembourg.

Ex-employee mailbox: €176,000 fine and a short-lived legitimate interest

Belgian DPA (Decision 101/2026): keeping an ex-employee’s mailbox active for over a year is unlawful. Legitimate interest only covers a very short redirection (~1 month), with transparency, LIA and offboarding procedures.

IQVIA fined €5M: pseudonymisation ≠ anonymisation

The CNIL fined IQVIA €5M over shortcomings in two health data warehouses. Key takeaway: pseudonymised data are still personal data and the GDPR applies in full.

GDPR Article 28: Belgian DPA fines SWDE — your DPA must be rock-solid

On 12 May 2026, the Belgian DPA fined SWDE €86,000, including €1,000 for lacking an Article 28-compliant DPA. Key takeaway: without a complete DPA, any outsourced processing leaves the controller non-compliant.

CNPD — Employee vehicle geolocation: 2 months by default, DPIA often required

CNPD clarifies: retention “2 months by default,” no tracking outside working hours if private use is allowed, and DPIA when there is regular/systematic monitoring. Measures to implement immediately.

France Travail fined €5M: GDPR Article 32 moves from theory to audit

The CNIL fined France Travail €5M for breaches of GDPR Article 32: security measures identified in the DPIA but not implemented. A clear signal for Luxembourg organizations.

GDPR Article 28: when a vendor is a processor (AEPD SEUR/Citibox)

On 8 June 2026, the AEPD fined SEUR and Citibox for lacking a GDPR Article 28-compliant data processing agreement in a “carrier + smart lockers” setup. Contract labels are not decisive; actual processing reality prevails.

GDPR: complaint closure and no Article 78 appeal if not concerned

The French Council of State (20 May 2026) held that a CNIL complaint closure is not a “legally binding decision” triggering an Article 78 GDPR appeal if the complainant is not concretely affected.

Free Mobile/Free fined €42M: lessons for your 72h GDPR response

CNIL fines Free Mobile (€27M) and Free (€15M) after a breach affecting 24M contracts. Priorities: security (Art. 32), content of authority notifications (Art. 33) and of communications to individuals (Art. 34).

AI Act — Prohibited practices (Art. 5): the Commission’s 2025 clarifications

On 4 February 2025, the Commission issued guidelines on prohibited AI practices (Art. 5 AI Act). Eight uses are banned as of 02/02/2025, with fines up to €35m or 7% of global turnover.

CNPD vs CNIL: workplace CCTV, 8 days in LU, up to 30 days in FR

The CNPD sets a default retention of “up to 8 days,” while the CNIL in practice admits up to one month. Entities operating in Luxembourg must adjust their practices and records.

72 hours or a fine: the Mayor of Myślenice flagged — a reminder for Luxembourg

On 25 May 2026, Poland’s UODO fined the Mayor of Myślenice for failing to notify a data breach within 72 hours (GDPR Art. 33). A useful reminder of what the CNPD expects in Luxembourg.

← Newer Page 2 / 6 Older →