Articles, by our experts

Unpacking compliance, security and AI.

Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, evolutions on the AI Act, NIS 2 and DORA. To go beyond the press release.

109 articles found · #rgpd

CNPD frames meeting recordings: divergence with the CNIL

As of 01/04/2026, the CNPD tightens meeting audio: strict legitimate interest and deletion once minutes are approved. In France, the CNIL allows call recording for evidential purposes but bans audio paired with CCTV.

French Supreme Court (Mar 5, 2026) reshapes qualified e-signatures

Since March 5, 2026, only a Qualified Electronic Signature (QES) shifts the burden of proof. How to evidence QTSP, QSCD and LTV to secure contracts and compliance.

Intra-group sharing: CNIL accepts legitimate interest, CNPD treats it as a transfer

In Luxembourg in 2026, legitimate interest may ground intra-group administrative sharing, but the CNPD qualifies it as a transfer between controllers, requiring strong transparency and, outside the EEA, a Chapter V mechanism.

Luxgap SealedMail: the first email server where your CIO cannot read you

Launch of SealedMail, zero-knowledge email server hosted in Luxembourg, designed for executives. End-to-end encryption with X25519 asymmetric keys. Neither IT admin nor Luxgap can read your mailboxes. Works with your usual Outlook.

Ireland — Permanent TSB fined: GDPR arts. 32/33 tested at call centers

The Irish DPC fined Permanent TSB €277,500 for call center authentication failures and late notification. Lesson for Luxembourg: Article 32 and the 72h rule (Art. 33) also apply to human processes.

CNIL updates MR‑001/MR‑003: an operational playbook (26/05)

The CNIL updates MR‑001 and MR‑003 and releases compliance checklists. Immediate effect for health research conducted in France, impacting Luxembourg sponsors when French patients or sites are involved.

Health data: €5M fine against IQVIA — what GDPR Article 9 really requires

On May 26, 2026, the CNIL fined IQVIA €5M over shortcomings in its health data warehouses. The case illustrates GDPR Article 9’s general prohibition and the strict conditions of its exceptions.

DPIA: EDPB template (Apr 2026) and CNPD/CNIL divergences

The EDPB issued an EU DPIA template for consultation (April 2026). Yet CNPD and CNIL still diverge on triggers, with France publishing a “not required” whitelist that Luxembourg does not.

Belgian DPA fines SWDE €86,000 and rebukes missing Article 28 contract

Belgium’s DPA fines SWDE over call recording and monitoring: transparency, retention and a missing processor contract. A clear signal for Luxembourg: an incomplete Article 28 DPA is costly.

GDPR Article 22 after SCHUFA vs ICO guidance: where is the red line?

CJEU SCHUFA: a decisive credit score can be an automated decision (Art. 22). The UK ICO is more flexible if there’s meaningful human involvement. Concrete implications for LU‑UK data chains.

France Travail fined: key lessons from GDPR Article 32

On 22 January 2026, the CNIL fined France Travail €5M for weaknesses in authentication, logging and access rights. In Luxembourg, GDPR Article 32 requires appropriate, demonstrably effective security measures.

Okta/SSO hit by vishing: how FIDO2 blocks MFA bypass

In January 2026, Okta/Entra accounts were breached via vishing and AiTM proxies capturing OTP/push in real time. Phishing-resistant FIDO2/WebAuthn meets GDPR Article 32 requirements.

← Newer Page 7 / 10 Older →