Articles, by our experts

Unpacking compliance, security and AI.

Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, evolutions on the AI Act, NIS 2 and DORA. To go beyond the press release.

107 articles found · #rgpd

AEPD fines Yoti €950,000 — Automated DPIA becomes essential

On March 10, 2026, the AEPD fined Yoti €950,000 for unlawful biometrics, invalid consent and excessive retention. A tooled, automated DPIA is now key to reduce risk and evidence GDPR compliance.

Information duty (Art. 14 GDPR): the legal exception clarified in 2026

The French Court of Cassation (Jan 29, 2026) confirms the Art. 14(5)(c) GDPR exception where a law mandates disclosure and provides appropriate safeguards. Useful for tax/social flows and certain B2G sharing in Luxembourg.

Evidence and personal data: France’s Supreme Court draws a clear line

On 17 June 2026, the French Supreme Court allowed an analysis report based on pseudonymised data as evidence, where necessary and strictly proportionate. A green light for carefully run internal investigations.

Outsider Enterprise dismantled: urgent need for phishing‑resistant FIDO2 MFA

FBI, Google, and Black Lotus Labs dismantled “Outsider Enterprise,” a PhaaS linked to >1M URLs and ≈$1.9B in losses. Why FIDO2/WebAuthn MFA is now the “appropriate measure” under GDPR Article 32.

Ex-employee mailbox: €176,000 fine and a short-lived legitimate interest

Belgian DPA (Decision 101/2026): keeping an ex-employee’s mailbox active for over a year is unlawful. Legitimate interest only covers a very short redirection (~1 month), with transparency, LIA and offboarding procedures.

IQVIA fined €5M: pseudonymisation ≠ anonymisation

The CNIL fined IQVIA €5M over shortcomings in two health data warehouses. Key takeaway: pseudonymised data are still personal data and the GDPR applies in full.

GDPR Article 28: Belgian DPA fines SWDE — your DPA must be rock-solid

On 12 May 2026, the Belgian DPA fined SWDE €86,000, including €1,000 for lacking an Article 28-compliant DPA. Key takeaway: without a complete DPA, any outsourced processing leaves the controller non-compliant.

Novo Nordisk rejects $25M after 1.3 TB data theft

On June 16, 2026, FulcrumSec claimed to have stolen over 1 TB from Novo Nordisk and demanded $25M. The company confirmed a June 11 incident, is investigating, and did not pay.

FortiBleed: 73,932 Fortinet firewalls exposed — FIDO2 is now mandatory

FortiBleed exposed ~74,000 Fortinet firewalls/VPNs via stolen and reused credentials. Phishing-resistant MFA (FIDO2/WebAuthn) meets GDPR Article 32 and blocks initial access.

CNPD — Employee vehicle geolocation: 2 months by default, DPIA often required

CNPD clarifies: retention “2 months by default,” no tracking outside working hours if private use is allowed, and DPIA when there is regular/systematic monitoring. Measures to implement immediately.

Kodak hacked: ShinyHunters claims 2.2M records

Kodak confirms an intrusion as ShinyHunters claims 2.2M records. Here’s how RGPD-compliant DLP (Art. 32 and 44‑49) reduces exfiltration and builds evidence.

France Travail fined €5M: GDPR Article 32 moves from theory to audit

The CNIL fined France Travail €5M for breaches of GDPR Article 32: security measures identified in the DPIA but not implemented. A clear signal for Luxembourg organizations.

← Newer Page 3 / 9 Older →