Unpacking compliance, security and AI.
Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, evolutions on the AI Act, NIS 2 and DORA. To go beyond the press release.
41 articles found · #cnpd
CNPD frames meeting recordings: divergence with the CNIL
As of 01/04/2026, the CNPD tightens meeting audio: strict legitimate interest and deletion once minutes are approved. In France, the CNIL allows call recording for evidential purposes but bans audio paired with CCTV.
Intra-group sharing: CNIL accepts legitimate interest, CNPD treats it as a transfer
In Luxembourg in 2026, legitimate interest may ground intra-group administrative sharing, but the CNPD qualifies it as a transfer between controllers, requiring strong transparency and, outside the EEA, a Chapter V mechanism.
Ireland — Permanent TSB fined: GDPR arts. 32/33 tested at call centers
The Irish DPC fined Permanent TSB €277,500 for call center authentication failures and late notification. Lesson for Luxembourg: Article 32 and the 72h rule (Art. 33) also apply to human processes.
DPIA: EDPB template (Apr 2026) and CNPD/CNIL divergences
The EDPB issued an EU DPIA template for consultation (April 2026). Yet CNPD and CNIL still diverge on triggers, with France publishing a “not required” whitelist that Luxembourg does not.
Belgian DPA fines SWDE €86,000 and rebukes missing Article 28 contract
Belgium’s DPA fines SWDE over call recording and monitoring: transparency, retention and a missing processor contract. A clear signal for Luxembourg: an incomplete Article 28 DPA is costly.
CNPD 16/12/2025: insufficient GDPR Article 30 record sanctioned
On 16/12/2025, the CNPD imposed a €7,000 fine for an incomplete Article 30 record. The decision clarifies required fields (recipients, transfers, categories, retention, security) and the EDPB fine calculation method.
CNPD — Vehicle geolocation: what the 2023–2025 guidance requires
The CNPD updated its vehicle geolocation guidance. Key points: structured legitimate interest, purpose limitation, off-duty deactivation, dual transparency and DPIA.
Analytics cookies: CNIL/CNPD exemptions, ICO still requires consent
On 29 April 2026, the ICO confirmed that non-essential analytics cookies require PECR consent. In France and Luxembourg, CNIL and CNPD allow narrow exemptions for certain audience measurement cookies.
External DPO: 7 lessons from 200+ mandates in Luxembourg and Europe
200+ external DPO mandates across all sectors: the 7 recurring findings we make on takeover, and how Luxgap puts things in order. Concrete pricing, sector examples, what really changes.
CJEU 19 March 2026 (Brillen Rottler): first access request may be refused for abuse
The CJEU allows a first access request (Art. 15 GDPR) to be refused as “excessive” if an abusive intent is proven (Art. 12(5)). Any refusal must remain exceptional, justified, and within deadlines.
Amazon vs CNPD (12 March 2026): Legitimate interest is not enough
Luxembourg’s Administrative Court annulled the €746M fine but confirmed that behavioral advertising cannot rely on legitimate interest. 2026 takeaways for legal bases and the requirement to prove fault.
DPIA (Art. 35 GDPR) in Luxembourg: when to trigger and how to succeed
When is a DPIA mandatory in Luxembourg and how to do it right? GDPR framework, CNPD list, EDPB method, prior consultation (Art. 36) and best practices.