Unpacking compliance, security and AI.
Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, evolutions on the AI Act, NIS 2 and DORA. To go beyond the press release.
107 articles found · #rgpd
Charter/Spectrum: vishing, Entra, Salesforce — FIDO2 MFA as the GDPR/NIS2 countermeasure
ShinyHunters allegedly vished a Charter/Spectrum employee, took over a Microsoft Entra account, and exfiltrated Salesforce data. Phishing‑resistant MFA (FIDO2/WebAuthn) meets GDPR Art. 32 and blocks the initial access.
Recording meetings and calls: €250,000 fine — CNPD framework 2026
On 16/10/2025, the CNIL fined a call center €250,000 for poorly governed recordings. Since April 2026, the CNPD has issued a dedicated framework for meeting recordings: legal basis, transparency, retention, security, and DPIA.
EDPB updates its Objection & Erasure digest and launches a form
On 25 June 2026, the EDPB updated its OSS digest on the rights to object (Art. 21) and to erasure (Art. 17) and, on 24 June, launched a form to report divergences in GDPR interpretation.
Mandatory DPIA: CNPD vs CNIL — geolocation, two thresholds
In Luxembourg, the CNPD requires a DPIA for any systematic tracking of location. In France, the CNIL only mandates it for large-scale processing of location data.
Cold calling: Constitutional Council ends the triple risk
On 25 June 2026, France’s Constitutional Council struck down parallel CNIL/ARCOM/DGCCRF proceedings for the same electronic marketing (Art. L.34‑5 CPCE). Repeal by 31 Oct 2027, but immediate effect: no more duplicate proceedings.
Extra-EU transfers: EDPB vs ICO on transfer risk assessment (TRA)
On 15 Jan 2026, the ICO eased its Transfer Risk Assessment, diverging from the EDPB’s strict “essential equivalence” test. For Luxembourg controllers, maintaining an EDPB-compliant assessment remains key.
Italy — AgID fined €55,000 for INAD/INI‑PEC transparency failures
The Italian Garante fined AgID €55,000 for transparency and privacy‑by‑design failures when moving PEC addresses from INI‑PEC to INAD. A warning shot for public registers and data reuse.
Romania: €125,000 fine against Renault for security failures (GDPR Art. 32)
On 25 March 2026, Romania’s ANSPDCP fined Renault Commercial Romania (~€125,000) for GDPR Article 32 failures and processor governance. Modern DLP evidences “appropriate” measures and curbs uncontrolled data transfers.
GDPR Article 6: the Intesa/Isybank lesson on legitimate interest vs consent
Italy’s DPA fined Intesa €17.6M for transferring ~2.4M customers to Isybank without a valid legal basis. Key takeaway: legitimate interest cannot replace valid consent or strict contractual necessity.
Clinical Diagnostics (NL): gynecological records leak — GDPR-aligned DLP
After the massive leak at Clinical Diagnostics, a modern DLP aligned with GDPR (Art. 32 and 44–49) reduces exfiltration and provides the evidence authorities expect.
CJEU SCHUFA vs ICO: Is GDPR Article 22 a ban or a right?
The CJEU classified credit scoring as automated individual decision-making under GDPR Article 22. The EDPB reads it as a general ban with exceptions, while the ICO frames it as a right to be activated.
EDPB — Scientific research: last chance to comment
On 25 June 2026, the EDPB closes its public consultation on Guidelines 1/2026 for processing personal data for scientific research. Key clarifications on legal basis, broad consent, and GDPR Article 89 safeguards.