Unpacking compliance, security and AI.
Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, evolutions on the AI Act, NIS 2 and DORA. To go beyond the press release.
23 articles found · #edpb
AML/CFT information sharing: EDPB and AMLA to issue joint guidelines
The EDPB and AMLA announced joint guidelines on information‑sharing partnerships under AMLR Article 75, applicable from 10 July 2027. Goal: a GDPR‑compatible data‑sharing framework for AML/CFT.
GDPR: first access request may be refused for abuse (CJEU 19/03/2026)
The CJEU (C‑526/24) holds that a first GDPR access request may be refused for abuse under Article 12(5). Practical key: document abusive intent and a two‑pronged proportionality test.
Legitimate interest vs consent: CNPD/EDPB tighten, ICO remains looser
Luxembourg’s Administrative Court backed the CNPD in the Amazon case: legitimate interest was not justified. While the EDPB tightens Article 6(1)(f), the UK ICO still calls it the most flexible basis.
Recording meetings and calls: €250,000 fine — CNPD framework 2026
On 16/10/2025, the CNIL fined a call center €250,000 for poorly governed recordings. Since April 2026, the CNPD has issued a dedicated framework for meeting recordings: legal basis, transparency, retention, security, and DPIA.
EDPB updates its Objection & Erasure digest and launches a form
On 25 June 2026, the EDPB updated its OSS digest on the rights to object (Art. 21) and to erasure (Art. 17) and, on 24 June, launched a form to report divergences in GDPR interpretation.
Extra-EU transfers: EDPB vs ICO on transfer risk assessment (TRA)
On 15 Jan 2026, the ICO eased its Transfer Risk Assessment, diverging from the EDPB’s strict “essential equivalence” test. For Luxembourg controllers, maintaining an EDPB-compliant assessment remains key.
EDPB — Scientific research: last chance to comment
On 25 June 2026, the EDPB closes its public consultation on Guidelines 1/2026 for processing personal data for scientific research. Key clarifications on legal basis, broad consent, and GDPR Article 89 safeguards.
Information duty (Art. 14 GDPR): the legal exception clarified in 2026
The French Court of Cassation (Jan 29, 2026) confirms the Art. 14(5)(c) GDPR exception where a law mandates disclosure and provides appropriate safeguards. Useful for tax/social flows and certain B2G sharing in Luxembourg.
72 hours or a fine: the Mayor of Myślenice flagged — a reminder for Luxembourg
On 25 May 2026, Poland’s UODO fined the Mayor of Myślenice for failing to notify a data breach within 72 hours (GDPR Art. 33). A useful reminder of what the CNPD expects in Luxembourg.
Transfers to the United States: CNPD implements the DPF, EDPB remains cautious
The CNPD confirms “free” transfers to US entities certified under the DPF (Art. 45 GDPR), while the EDPB maintains reservations and calls for ongoing vigilance.
CNPD 1FR/2025: how the DPA calculates a GDPR fine in 5 steps
On 6 January 2025, the CNPD fined a controller for delays in data subject rights and applied the EDPB’s five-step method. Key takeaway: track and document your “time-to-rights”.
GDPR Article 6: the Poste Italiane fine clarifies legitimate interest vs consent
Italy’s DPA fined Poste Italiane/PostePay €12.5m for intrusive device access via apps without a valid legal basis. Key message: anything beyond what is strictly necessary often requires valid consent, not legitimate interest.