Articles, by our experts

Unpacking compliance, security and AI.

Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, evolutions on the AI Act, NIS 2 and DORA. To go beyond the press release.

65 articles found · #reglementaire

Intra-group sharing: CNIL accepts legitimate interest, CNPD treats it as a transfer

In Luxembourg in 2026, legitimate interest may ground intra-group administrative sharing, but the CNPD qualifies it as a transfer between controllers, requiring strong transparency and, outside the EEA, a Chapter V mechanism.

Ireland — Permanent TSB fined: GDPR arts. 32/33 tested at call centers

The Irish DPC fined Permanent TSB €277,500 for call center authentication failures and late notification. Lesson for Luxembourg: Article 32 and the 72h rule (Art. 33) also apply to human processes.

Health data: €5M fine against IQVIA — what GDPR Article 9 really requires

On May 26, 2026, the CNIL fined IQVIA €5M over shortcomings in its health data warehouses. The case illustrates GDPR Article 9’s general prohibition and the strict conditions of its exceptions.

DPIA: EDPB template (Apr 2026) and CNPD/CNIL divergences

The EDPB issued an EU DPIA template for consultation (April 2026). Yet CNPD and CNIL still diverge on triggers, with France publishing a “not required” whitelist that Luxembourg does not.

Belgian DPA fines SWDE €86,000 and rebukes missing Article 28 contract

Belgium’s DPA fines SWDE over call recording and monitoring: transparency, retention and a missing processor contract. A clear signal for Luxembourg: an incomplete Article 28 DPA is costly.

GDPR Article 22 after SCHUFA vs ICO guidance: where is the red line?

CJEU SCHUFA: a decisive credit score can be an automated decision (Art. 22). The UK ICO is more flexible if there’s meaningful human involvement. Concrete implications for LU‑UK data chains.

France Travail fined: key lessons from GDPR Article 32

On 22 January 2026, the CNIL fined France Travail €5M for weaknesses in authentication, logging and access rights. In Luxembourg, GDPR Article 32 requires appropriate, demonstrably effective security measures.

CNPD 16/12/2025: insufficient GDPR Article 30 record sanctioned

On 16/12/2025, the CNPD imposed a €7,000 fine for an incomplete Article 30 record. The decision clarifies required fields (recipients, transfers, categories, retention, security) and the EDPB fine calculation method.

CNPD — Vehicle geolocation: what the 2023–2025 guidance requires

The CNPD updated its vehicle geolocation guidance. Key points: structured legitimate interest, purpose limitation, off-duty deactivation, dual transparency and DPIA.

Analytics cookies: CNIL/CNPD exemptions, ICO still requires consent

On 29 April 2026, the ICO confirmed that non-essential analytics cookies require PECR consent. In France and Luxembourg, CNIL and CNPD allow narrow exemptions for certain audience measurement cookies.

Criteo: France’s Conseil d’État upholds €40M — consent prevails in AdTech

On 4 March 2026, France’s Conseil d’État upheld the €40M fine against Criteo for personalized advertising without valid consent. Key takeaway in AdTech: for targeting trackers, the lawful basis is (almost always) consent.

CSSF: DORA takes precedence and clarifies ICT outsourcing (Apr 2025)

CSSF confirmed DORA’s primacy from 17 January 2025 and issued Circular 25/882 to govern third‑party ICT use, the Article 28 register of information, and incident notifications via eDesk.

← Newer Page 4 / 6 Older →