Unpacking compliance, security and AI.
Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, evolutions on the AI Act, NIS 2 and DORA. To go beyond the press release.
109 articles found · #rgpd
CNPD 16/12/2025: insufficient GDPR Article 30 record sanctioned
On 16/12/2025, the CNPD imposed a €7,000 fine for an incomplete Article 30 record. The decision clarifies required fields (recipients, transfers, categories, retention, security) and the EDPB fine calculation method.
French Council of State — Beaucaire (Apr 30, 2024): the CNIL bar for IAM
France’s Council of State confirms CNIL’s password guidance as state of the art to assess GDPR Article 32. Robust IAM governance enables compliance by design.
CNPD — Vehicle geolocation: what the 2023–2025 guidance requires
The CNPD updated its vehicle geolocation guidance. Key points: structured legitimate interest, purpose limitation, off-duty deactivation, dual transparency and DPIA.
CNIL vs Free/Free Mobile (€42M): a 24/7 SOC is now essential under NIS 2
Following the €42M fine against Free/Free Mobile, weak VPN auth and failed detection show why a 24/7 SOC is critical for GDPR and NIS 2 (24-hour alert).
External DPO France: why choose a Luxembourg firm recognised across Europe
French company looking for an external DPO? Discover the advantage of a Luxembourg European-scale firm: multi-regulator knowledge (CNIL, CNPD, APD, BfDI, AEPD, Garante), pluridisciplinary team, lower cost than Parisian firms.
Criteo: France’s Conseil d’État upholds €40M — consent prevails in AdTech
On 4 March 2026, France’s Conseil d’État upheld the €40M fine against Criteo for personalized advertising without valid consent. Key takeaway in AdTech: for targeting trackers, the lawful basis is (almost always) consent.
CNIL 2025 report: EUR 487M in fines, 1 breach in 2 = hacking, key takeaways
CNIL 2025 annual report: 20,150 complaints (record), EUR 487M in fines (including Google EUR 325M and Shein EUR 150M), 1 breach in 2 results from hacking. The real signal for 2026 and 4 concrete actions for DPO and CISO.
External DPO: 7 lessons from 200+ mandates in Luxembourg and Europe
200+ external DPO mandates across all sectors: the 7 recurring findings we make on takeover, and how Luxgap puts things in order. Concrete pricing, sector examples, what really changes.
FICOBA: 1.2M accounts exposed — IAM and least privilege
A compromised high-privilege account enabled access to ~1.2M FICOBA records. What happened and how least-privilege IAM addresses GDPR Art. 25 and NIS 2 Art. 21 requirements.
CNIL vs Free: €42M — why a 24/7 SOC is vital to meet NIS 2 Art. 23
After the €42M fine against Free/Free Mobile, slow detection proves costly. Under NIS 2 Art. 23, detecting and notifying within 24 hours is now an operational obligation in Luxembourg.
CJEU 19 March 2026 (Brillen Rottler): first access request may be refused for abuse
The CJEU allows a first access request (Art. 15 GDPR) to be refused as “excessive” if an abusive intent is proven (Art. 12(5)). Any refusal must remain exceptional, justified, and within deadlines.
OVG NRW (20 Feb 2025): no general obligation for end-to-end encryption
OVG North Rhine-Westphalia confirms that “appropriate” encryption under GDPR Art. 32 may be limited to robust transport encryption (TLS), depending on risk. How to align legally and technically.