Articles, by our experts

Unpacking compliance, security and AI.

Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, evolutions on the AI Act, NIS 2 and DORA. To go beyond the press release.

108 articles found · #rgpd

France Travail fined €5M: GDPR Article 32 moves from theory to audit

The CNIL fined France Travail €5M for breaches of GDPR Article 32: security measures identified in the DPIA but not implemented. A clear signal for Luxembourg organizations.

GDPR Article 28: when a vendor is a processor (AEPD SEUR/Citibox)

On 8 June 2026, the AEPD fined SEUR and Citibox for lacking a GDPR Article 28-compliant data processing agreement in a “carrier + smart lockers” setup. Contract labels are not decisive; actual processing reality prevails.

CJEU: age checks for foreign porn sites, under conditions

On 16 June 2026, the CJEU conditionally upheld requiring porn sites based in another EU state to implement age checks. A strong signal for regulators like ARCOM with immediate GDPR implications.

Shai-Hulud: supply-chain token theft — why FIDO2 MFA is non-negotiable

Zscaler documents “Shai-Hulud”: GitHub/npm/PyPI compromises, OIDC abuse, and public IOCs. Phishing-resistant FIDO2/WebAuthn MFA addresses GDPR Article 32 and blocks initial access.

GDPR: complaint closure and no Article 78 appeal if not concerned

The French Council of State (20 May 2026) held that a CNIL complaint closure is not a “legally binding decision” triggering an Article 78 GDPR appeal if the complainant is not concretely affected.

DSG Retail v ICO Broadens the Security Duty: Serious DLP Required

The English Court of Appeal confirms a broadened security duty: anticipate jigsaw identification. Here is how ISO 27001‑aligned DLP meets GDPR Article 32.

Free Mobile/Free fined €42M: lessons for your 72h GDPR response

CNIL fines Free Mobile (€27M) and Free (€15M) after a breach affecting 24M contracts. Priorities: security (Art. 32), content of authority notifications (Art. 33) and of communications to individuals (Art. 34).

CNPD vs CNIL: workplace CCTV, 8 days in LU, up to 30 days in FR

The CNPD sets a default retention of “up to 8 days,” while the CNIL in practice admits up to one month. Entities operating in Luxembourg must adjust their practices and records.

Berlin: €14.5m cut to €900k — deletion obligation confirmed

On 9 June 2026, the Berlin Regional Court confirmed a GDPR breach by Deutsche Wohnen for archiving without deletion and cut the fine from €14.5m to €900k. A strong signal on effective deletion obligations.

72 hours or a fine: the Mayor of Myślenice flagged — a reminder for Luxembourg

On 25 May 2026, Poland’s UODO fined the Mayor of Myślenice for failing to notify a data breach within 72 hours (GDPR Art. 33). A useful reminder of what the CNPD expects in Luxembourg.

RUAG pays a ransom to Akira: red alert for executive boards

On 6 June 2026, RUAG confirmed it paid a ransom to the Akira gang after its US subsidiary was hit. A rare admission that quantifies ransomware’s economic impact: paying, even a “small amount,” to retrieve data.

Council of State (13/02/2026): Pseudonymization ≠ Anonymization — DLP and GDPR Transfers

France’s Council of State confirms: “pseudonymized” health data remain personal if re-identifiable. Here’s how strong DLP secures flows and compliance with GDPR Articles 32 and 44–49.

← Newer Page 4 / 9 Older →