Articles, by our experts

Unpacking compliance, security and AI.

Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, evolutions on the AI Act, NIS 2 and DORA. To go beyond the press release.

107 articles found · #rgpd

AML/CFT information sharing: EDPB and AMLA to issue joint guidelines

The EDPB and AMLA announced joint guidelines on information‑sharing partnerships under AMLR Article 75, applicable from 10 July 2027. Goal: a GDPR‑compatible data‑sharing framework for AML/CFT.

GDPR rights at work: only the individual has standing (Cass. crim., Jan 13, 2026)

France’s Supreme Court held that a company cannot invoke employees’ GDPR rights to challenge a seizure: only the data subjects themselves have standing. A key takeaway for DSAR and DPO response workflows.

Italy: €100,000 fine against Lepida over LepidaID shortcomings

Italy’s DPA fined Lepida S.c.p.A. €100,000 for GDPR violations in managing LepidaID (>1.5M users). Transparency, data minimization, and excessive log retention were flagged.

Workplace video surveillance: CNIL fine of 2 April 2026

On 02/04/2026, the CNIL imposed a €7,500 fine for CCTV non-compliance. In Luxembourg, the CNPD likewise requires proportionality, frequent DPIAs and two-layer information.

Lithuania: €450,000 GDPR fine for lack of MFA at InMedica

Lithuania’s DPA fined InMedica €450,000 over two incidents (2024 breach, 2025 ransomware), citing lack of MFA and poor access controls under GDPR Articles 5(1)(f), 24(1) and 32(1)(b).

GDPR: first access request may be refused for abuse (CJEU 19/03/2026)

The CJEU (C‑526/24) holds that a first GDPR access request may be refused for abuse under Article 12(5). Practical key: document abusive intent and a two‑pronged proportionality test.

GDPR: no automatic damage — French Court of Cassation tightens Article 82

On 24 June 2026, the French Court of Cassation held that a GDPR breach does not, by itself, entitle a claimant to compensation: the claimant must prove damage and causation. A strong signal for data litigation across Europe.

CNIL: vehicle location data — new recommendation

On 30 June 2026, the CNIL issued a recommendation on the use of vehicle location data. It clarifies ePrivacy consent, multi-user rights, security, data minimisation and the need for DPIAs.

AEPD vs AENA: €10.04M for a deficient DPIA in biometrics

On 20 March 2026, the AEPD published in the BOE a €10,043,002 fine against AENA for a non-compliant DPIA related to biometric boarding. Key signal: a DPIA must now be complete, evidence-based and traceable.

UniCredit Romania: €12k GDPR fine — preventing misdirected emails

On 29 May 2026, Romania’s ANSPDCP fined UniCredit Bank SA for security shortcomings (Art. 32) and late breach notification (Art. 33) after mailings to wrong recipients. Here is practical DLP that prevents this and evidences compliance.

Legitimate interest vs consent: CNPD/EDPB tighten, ICO remains looser

Luxembourg’s Administrative Court backed the CNPD in the Amazon case: legitimate interest was not justified. While the EDPB tightens Article 6(1)(f), the UK ICO still calls it the most flexible basis.

ShinyHunters exploits Oracle zero‑day: NAIC hit, 100+ organizations

Oracle confirmed a PeopleSoft zero‑day (CVE‑2026‑35273) exploited by ShinyHunters. NAIC reports unauthorized access; 3.1 TB stolen and 100+ organizations compromised.

Page 1 / 9 Older →