Unpacking compliance, security and AI.
Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, evolutions on the AI Act, NIS 2 and DORA. To go beyond the press release.
109 articles found · #rgpd
Amazon vs CNPD (12 March 2026): Legitimate interest is not enough
Luxembourg’s Administrative Court annulled the €746M fine but confirmed that behavioral advertising cannot rely on legitimate interest. 2026 takeaways for legal bases and the requirement to prove fault.
DPIA (Art. 35 GDPR) in Luxembourg: when to trigger and how to succeed
When is a DPIA mandatory in Luxembourg and how to do it right? GDPR framework, CNPD list, EDPB method, prior consultation (Art. 36) and best practices.
CNPD — Workplace video surveillance: proportionality, DPIA and employee rights
Workplace cameras are allowed in Luxembourg, but under strict rules: legal basis, proportionality, frequent DPIA, L.261‑1 information duties and employee rights. Document everything, camera by camera.
GDPR – Article 28: the watertight processor contract
In 2026, every DPO/CISO must bulletproof processor contracts. Mandatory clauses, EDPB/CNPD guidance, and a practical audit playbook for a watertight Article 28.
Phishing‑resistant MFA (FIDO2/WebAuthn): answering GDPR Article 32
GDPR Article 32 requires state‑of‑the‑art security. Phishing‑resistant MFA with FIDO2/WebAuthn is the most robust and pragmatic way to comply without unnecessary complexity.
NIS 2 in Luxembourg: Law of 5 May 2026 published—what to do before 10 May
Luxembourg’s law transposing NIS 2 was published on 5 May 2026 and enters into force on 10 May. Broader scope, stronger governance, incident reporting within 24 h/72 h to ILR via SERIMA. Priority actions and official sources.
AI Act – Article 50: transparency for chatbots and deepfakes by 2026
From 2 August 2026, any AI interaction, synthetic content, and any emotion recognition/biometric categorization system must be disclosed. Fines up to €15M or 3% of global turnover.
GDPR Art. 33: Notify CNPD of a breach within 72h—without panic
Practical method, based on official texts and CNPD guidance, to decide, notify, and document a personal data breach within 72 hours.
EU‑US data transfers after Schrems II and the DPF: CNPD expectations 2026
Secure transatlantic flows without over‑compliance: the DPF eases transfers to certified US entities, but Article 46 and supplementary measures remain key outside the DPF. Prioritize vendor governance and DPIA documentation.
CNPD: recording business meetings and conversations in GDPR compliance
In 2026, Luxembourg’s CNPD frames audio/video recording of private meetings. Legal basis, transparency and retention are critical; recordings often must be deleted once the minutes are approved.
CNIL approves a GDPR code of conduct for retail
On 28 April 2026, the CNIL approved a GDPR code of conduct for apparel/footwear retailers in France. A strong signal for retailers, with auditable requirements and third-party oversight.
Qilin claims cyberattack on Exclusive Networks
The Qilin ransomware group claims it compromised Exclusive Networks, a major European cybersecurity distributor. Claimed in late April 2026; supply-chain risk for customers in Luxembourg.