Unpacking compliance, security and AI.
Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, evolutions on the AI Act, NIS 2 and DORA. To go beyond the press release.
108 articles found · #rgpd
Magecart 1×1 SVG skimmer on Magento: DLP and GDPR compliance
Sansec reveals a credit-card skimmer hidden in a 1×1 SVG targeting ~100 Magento stores, exfiltrating to 23.137.249.67. Here’s how well‑tuned DLP addresses GDPR Articles 32 and 44‑49.
GDPR Article 6: the Poste Italiane fine clarifies legitimate interest vs consent
Italy’s DPA fined Poste Italiane/PostePay €12.5m for intrusive device access via apps without a valid legal basis. Key message: anything beyond what is strictly necessary often requires valid consent, not legitimate interest.
WFP Gaza: warning for your enrollment portals (600,000 households)
On 2 June 2026, the WFP confirmed its self‑registration app in Palestine was compromised: data of ~600,000 Gaza households (names, IDs, mobiles, location) exfiltrated. Breach dated 14 May.
Charter: 4.9M emails exposed — phishing‑resistant MFA is now essential
A vishing attack abused a Microsoft Entra account to exfiltrate customer data from Salesforce. FIDO2/WebAuthn MFA is now the state of the art expected by GDPR Article 32.
Workplace video surveillance: the Hanako case rules out consent
Italy’s Garante (12/03/2026) fined Hanako s.r.l. for in-store video surveillance without proper notice and labor authorization. EU-wide message: in employment, employee consent is not a convenient legal basis.
Dashlane: fewer than 20 vaults copied — lessons from a 2FA attack
On May 31, 2026, a brute-force campaign targeting 2FA allowed attackers to copy encrypted Dashlane vaults from “fewer than 20” users. Here’s what this means for your IAM controls and GDPR/NIS 2 obligations.
French Council of State 2026 — Health Data Hub: DLP impact and EU transfers
The French Council of State (20/03/2026) upholds CNIL’s authorization for Health Data Hub on Microsoft Ireland in France and confirms no transfers outside the EU. A well‑configured DLP proves and enforces these flow limits technically.
AEPD vs AENA: €10,043,002 for a deficient DPIA (Art. 35 GDPR)
On 4 March 2026, the AEPD fined AENA €10,043,002 for a non‑compliant DPIA on biometric boarding. Key takeaway: a “pro forma” DPIA is tantamount to no DPIA.
GDPR fines 2026: direct actions opened against EDPB decisions
On 10/02/2026, the CJEU allowed companies to bring direct actions against the EDPB’s “binding” decisions. The fine calculation method (Art. 83 GDPR) and compliance orders can now be challenged before the EU courts.
AEPD fines Amadeus €14.4M for traveler profiling without legal basis
Spain’s AEPD fined Amadeus IT Group €14.4M (reduced from €18M) for a traveler profiling pilot using booking data without a lawful basis and without informing travelers. Decision made public on May 26–27, 2026.
Tycoon 2FA: device code campaign bypasses Microsoft MFA
On May 12, 2026, eSentire detailed a Tycoon 2FA campaign abusing the OAuth Device Code flow to steal tokens without passwords. Why phishing-resistant FIDO2/WebAuthn MFA is required to meet GDPR Article 32.
CNPD frames meeting recordings: divergence with the CNIL
As of 01/04/2026, the CNPD tightens meeting audio: strict legitimate interest and deletion once minutes are approved. In France, the CNIL allows call recording for evidential purposes but bans audio paired with CCTV.