Articles, by our experts

Unpacking compliance, security and AI.

Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, evolutions on the AI Act, NIS 2 and DORA. To go beyond the press release.

109 articles found · #rgpd

Amazon vs CNPD (12 March 2026): Legitimate interest is not enough

Luxembourg’s Administrative Court annulled the €746M fine but confirmed that behavioral advertising cannot rely on legitimate interest. 2026 takeaways for legal bases and the requirement to prove fault.

DPIA (Art. 35 GDPR) in Luxembourg: when to trigger and how to succeed

When is a DPIA mandatory in Luxembourg and how to do it right? GDPR framework, CNPD list, EDPB method, prior consultation (Art. 36) and best practices.

CNPD — Workplace video surveillance: proportionality, DPIA and employee rights

Workplace cameras are allowed in Luxembourg, but under strict rules: legal basis, proportionality, frequent DPIA, L.261‑1 information duties and employee rights. Document everything, camera by camera.

GDPR – Article 28: the watertight processor contract

In 2026, every DPO/CISO must bulletproof processor contracts. Mandatory clauses, EDPB/CNPD guidance, and a practical audit playbook for a watertight Article 28.

Phishing‑resistant MFA (FIDO2/WebAuthn): answering GDPR Article 32

GDPR Article 32 requires state‑of‑the‑art security. Phishing‑resistant MFA with FIDO2/WebAuthn is the most robust and pragmatic way to comply without unnecessary complexity.

NIS 2 in Luxembourg: Law of 5 May 2026 published—what to do before 10 May

Luxembourg’s law transposing NIS 2 was published on 5 May 2026 and enters into force on 10 May. Broader scope, stronger governance, incident reporting within 24 h/72 h to ILR via SERIMA. Priority actions and official sources.

AI Act – Article 50: transparency for chatbots and deepfakes by 2026

From 2 August 2026, any AI interaction, synthetic content, and any emotion recognition/biometric categorization system must be disclosed. Fines up to €15M or 3% of global turnover.

GDPR Art. 33: Notify CNPD of a breach within 72h—without panic

Practical method, based on official texts and CNPD guidance, to decide, notify, and document a personal data breach within 72 hours.

EU‑US data transfers after Schrems II and the DPF: CNPD expectations 2026

Secure transatlantic flows without over‑compliance: the DPF eases transfers to certified US entities, but Article 46 and supplementary measures remain key outside the DPF. Prioritize vendor governance and DPIA documentation.

CNPD: recording business meetings and conversations in GDPR compliance

In 2026, Luxembourg’s CNPD frames audio/video recording of private meetings. Legal basis, transparency and retention are critical; recordings often must be deleted once the minutes are approved.

CNIL approves a GDPR code of conduct for retail

On 28 April 2026, the CNIL approved a GDPR code of conduct for apparel/footwear retailers in France. A strong signal for retailers, with auditable requirements and third-party oversight.

Qilin claims cyberattack on Exclusive Networks

The Qilin ransomware group claims it compromised Exclusive Networks, a major European cybersecurity distributor. Claimed in late April 2026; supply-chain risk for customers in Luxembourg.

← Newer Page 9 / 10 Older →