Articles, by our experts

Unpacking compliance, security and AI.

Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, evolutions on the AI Act, NIS 2 and DORA. To go beyond the press release.

108 articles found · #rgpd

CJEU (19 March 2026): access may be refused if abusive

The CJEU accepts that a data access request may be rejected as “abusive” if it solely aims at obtaining GDPR compensation. Strong signal for reasoned refusals, burden of proof, and meeting deadlines.

AI Act: 52 days to go before transparency duty (Article 50)

On 2 August 2026, the AI Act transparency duty (Art. 50) applies: clear “you are interacting with AI” notices, machine‑readable labels for generated/manipulated content, and disclosure of deepfakes.

Right of access vs premature deletion: Belgian DPA warns recruiter (37/2026)

On 24 February 2026, the Belgian DPA warned a company for deleting an interview video after an access request. In practice: purge must be suspended until the access right is handled (Arts. 12 and 15 GDPR).

Qilin exploits a Check Point zero-day: VPNs breached, patch within 72h

A critical zero-day (CVE‑2026‑50751) in Check Point VPNs is being actively exploited by Qilin. CISA mandates a fix by June 11, 2026. Luxembourg NIS 2 entities must check IKEv1, patch, and notify via SERIMA if an incident occurs.

Unimed (DE): 72,000+ patient files stolen — DLP, Article 32 and GDPR transfers

In mid‑April 2026, outsourcer Unimed had 72,000+ patient records stolen. Here is a concrete DLP stack to prevent exfiltration and demonstrate compliance with GDPR Article 32 and cross‑border transfers (Arts. 44‑49).

Amazon v. CNPD (12 March 2026): Legitimate interest rejected in AdTech

Luxembourg’s Administrative Court confirms Amazon’s behavioral advertising could not rely on legitimate interest and annuls the fine in light of the CJEU’s fault requirement.

ENISA updates crypto mechanisms: public review open until July

ENISA opens the public consultation of ACM v3 until the end of July 2026. Companies can comment on suites and key sizes that will guide EUCC and the European security “state of the art.”

VG Düsseldorf clarifies email: TLS may suffice, no default E2E

On 02/04/2026, the VG Düsseldorf ruled that under GDPR Art. 32, email does not require default E2E: transport encryption (TLS) may suffice based on risk.

Transfers to the United States: CNPD implements the DPF, EDPB remains cautious

The CNPD confirms “free” transfers to US entities certified under the DPF (Art. 45 GDPR), while the EDPB maintains reservations and calls for ongoing vigilance.

ANSSI risk analysis on encryption: actions for GDPR Art. 32 and CSSF 22/806

On 27/05/2026, ANSSI released an encryption risk analysis. This article turns the guidance into an at‑rest and in‑transit architecture aligned with GDPR Art. 32 and CSSF 22/806, including a post‑quantum roadmap.

CNPD 1FR/2025: how the DPA calculates a GDPR fine in 5 steps

On 6 January 2025, the CNPD fined a controller for delays in data subject rights and applied the EDPB’s five-step method. Key takeaway: track and document your “time-to-rights”.

ICO recovers £118,852 from two former RAC employees

On 4 June 2026, the ICO secured confiscation orders totaling £118,852.32 against two former RAC employees for illegally selling nearly 30,000 lines of motorists’ data, underscoring increased post-conviction use of POCA powers.

← Newer Page 5 / 9 Older →