Unpacking compliance, security and AI.
Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, evolutions on the AI Act, NIS 2 and DORA. To go beyond the press release.
107 articles found · #rgpd
AEPD fines Yoti €950,000 — Automated DPIA becomes essential
On March 10, 2026, the AEPD fined Yoti €950,000 for unlawful biometrics, invalid consent and excessive retention. A tooled, automated DPIA is now key to reduce risk and evidence GDPR compliance.
Information duty (Art. 14 GDPR): the legal exception clarified in 2026
The French Court of Cassation (Jan 29, 2026) confirms the Art. 14(5)(c) GDPR exception where a law mandates disclosure and provides appropriate safeguards. Useful for tax/social flows and certain B2G sharing in Luxembourg.
Evidence and personal data: France’s Supreme Court draws a clear line
On 17 June 2026, the French Supreme Court allowed an analysis report based on pseudonymised data as evidence, where necessary and strictly proportionate. A green light for carefully run internal investigations.
Outsider Enterprise dismantled: urgent need for phishing‑resistant FIDO2 MFA
FBI, Google, and Black Lotus Labs dismantled “Outsider Enterprise,” a PhaaS linked to >1M URLs and ≈$1.9B in losses. Why FIDO2/WebAuthn MFA is now the “appropriate measure” under GDPR Article 32.
Ex-employee mailbox: €176,000 fine and a short-lived legitimate interest
Belgian DPA (Decision 101/2026): keeping an ex-employee’s mailbox active for over a year is unlawful. Legitimate interest only covers a very short redirection (~1 month), with transparency, LIA and offboarding procedures.
IQVIA fined €5M: pseudonymisation ≠ anonymisation
The CNIL fined IQVIA €5M over shortcomings in two health data warehouses. Key takeaway: pseudonymised data are still personal data and the GDPR applies in full.
GDPR Article 28: Belgian DPA fines SWDE — your DPA must be rock-solid
On 12 May 2026, the Belgian DPA fined SWDE €86,000, including €1,000 for lacking an Article 28-compliant DPA. Key takeaway: without a complete DPA, any outsourced processing leaves the controller non-compliant.
Novo Nordisk rejects $25M after 1.3 TB data theft
On June 16, 2026, FulcrumSec claimed to have stolen over 1 TB from Novo Nordisk and demanded $25M. The company confirmed a June 11 incident, is investigating, and did not pay.
FortiBleed: 73,932 Fortinet firewalls exposed — FIDO2 is now mandatory
FortiBleed exposed ~74,000 Fortinet firewalls/VPNs via stolen and reused credentials. Phishing-resistant MFA (FIDO2/WebAuthn) meets GDPR Article 32 and blocks initial access.
CNPD — Employee vehicle geolocation: 2 months by default, DPIA often required
CNPD clarifies: retention “2 months by default,” no tracking outside working hours if private use is allowed, and DPIA when there is regular/systematic monitoring. Measures to implement immediately.
Kodak hacked: ShinyHunters claims 2.2M records
Kodak confirms an intrusion as ShinyHunters claims 2.2M records. Here’s how RGPD-compliant DLP (Art. 32 and 44‑49) reduces exfiltration and builds evidence.
France Travail fined €5M: GDPR Article 32 moves from theory to audit
The CNIL fined France Travail €5M for breaches of GDPR Article 32: security measures identified in the DPIA but not implemented. A clear signal for Luxembourg organizations.