Unpacking compliance, security and AI.
Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, evolutions on the AI Act, NIS 2 and DORA. To go beyond the press release.
65 articles found · #reglementaire
Intra-group sharing: CNIL accepts legitimate interest, CNPD treats it as a transfer
In Luxembourg in 2026, legitimate interest may ground intra-group administrative sharing, but the CNPD qualifies it as a transfer between controllers, requiring strong transparency and, outside the EEA, a Chapter V mechanism.
Ireland — Permanent TSB fined: GDPR arts. 32/33 tested at call centers
The Irish DPC fined Permanent TSB €277,500 for call center authentication failures and late notification. Lesson for Luxembourg: Article 32 and the 72h rule (Art. 33) also apply to human processes.
Health data: €5M fine against IQVIA — what GDPR Article 9 really requires
On May 26, 2026, the CNIL fined IQVIA €5M over shortcomings in its health data warehouses. The case illustrates GDPR Article 9’s general prohibition and the strict conditions of its exceptions.
DPIA: EDPB template (Apr 2026) and CNPD/CNIL divergences
The EDPB issued an EU DPIA template for consultation (April 2026). Yet CNPD and CNIL still diverge on triggers, with France publishing a “not required” whitelist that Luxembourg does not.
Belgian DPA fines SWDE €86,000 and rebukes missing Article 28 contract
Belgium’s DPA fines SWDE over call recording and monitoring: transparency, retention and a missing processor contract. A clear signal for Luxembourg: an incomplete Article 28 DPA is costly.
GDPR Article 22 after SCHUFA vs ICO guidance: where is the red line?
CJEU SCHUFA: a decisive credit score can be an automated decision (Art. 22). The UK ICO is more flexible if there’s meaningful human involvement. Concrete implications for LU‑UK data chains.
France Travail fined: key lessons from GDPR Article 32
On 22 January 2026, the CNIL fined France Travail €5M for weaknesses in authentication, logging and access rights. In Luxembourg, GDPR Article 32 requires appropriate, demonstrably effective security measures.
CNPD 16/12/2025: insufficient GDPR Article 30 record sanctioned
On 16/12/2025, the CNPD imposed a €7,000 fine for an incomplete Article 30 record. The decision clarifies required fields (recipients, transfers, categories, retention, security) and the EDPB fine calculation method.
CNPD — Vehicle geolocation: what the 2023–2025 guidance requires
The CNPD updated its vehicle geolocation guidance. Key points: structured legitimate interest, purpose limitation, off-duty deactivation, dual transparency and DPIA.
Analytics cookies: CNIL/CNPD exemptions, ICO still requires consent
On 29 April 2026, the ICO confirmed that non-essential analytics cookies require PECR consent. In France and Luxembourg, CNIL and CNPD allow narrow exemptions for certain audience measurement cookies.
Criteo: France’s Conseil d’État upholds €40M — consent prevails in AdTech
On 4 March 2026, France’s Conseil d’État upheld the €40M fine against Criteo for personalized advertising without valid consent. Key takeaway in AdTech: for targeting trackers, the lawful basis is (almost always) consent.
CSSF: DORA takes precedence and clarifies ICT outsourcing (Apr 2025)
CSSF confirmed DORA’s primacy from 17 January 2025 and issued Circular 25/882 to govern third‑party ICT use, the Article 28 register of information, and incident notifications via eDesk.