Unpacking compliance, security and AI.
Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, evolutions on the AI Act, NIS 2 and DORA. To go beyond the press release.
23 articles found · #edpb
Workplace video surveillance: the Hanako case rules out consent
Italy’s Garante (12/03/2026) fined Hanako s.r.l. for in-store video surveillance without proper notice and labor authorization. EU-wide message: in employment, employee consent is not a convenient legal basis.
GDPR fines 2026: direct actions opened against EDPB decisions
On 10/02/2026, the CJEU allowed companies to bring direct actions against the EDPB’s “binding” decisions. The fine calculation method (Art. 83 GDPR) and compliance orders can now be challenged before the EU courts.
Intra-group sharing: CNIL accepts legitimate interest, CNPD treats it as a transfer
In Luxembourg in 2026, legitimate interest may ground intra-group administrative sharing, but the CNPD qualifies it as a transfer between controllers, requiring strong transparency and, outside the EEA, a Chapter V mechanism.
Ireland — Permanent TSB fined: GDPR arts. 32/33 tested at call centers
The Irish DPC fined Permanent TSB €277,500 for call center authentication failures and late notification. Lesson for Luxembourg: Article 32 and the 72h rule (Art. 33) also apply to human processes.
DPIA: EDPB template (Apr 2026) and CNPD/CNIL divergences
The EDPB issued an EU DPIA template for consultation (April 2026). Yet CNPD and CNIL still diverge on triggers, with France publishing a “not required” whitelist that Luxembourg does not.
France Travail fined: key lessons from GDPR Article 32
On 22 January 2026, the CNIL fined France Travail €5M for weaknesses in authentication, logging and access rights. In Luxembourg, GDPR Article 32 requires appropriate, demonstrably effective security measures.
CNPD 16/12/2025: insufficient GDPR Article 30 record sanctioned
On 16/12/2025, the CNPD imposed a €7,000 fine for an incomplete Article 30 record. The decision clarifies required fields (recipients, transfers, categories, retention, security) and the EDPB fine calculation method.
CJEU 19 March 2026 (Brillen Rottler): first access request may be refused for abuse
The CJEU allows a first access request (Art. 15 GDPR) to be refused as “excessive” if an abusive intent is proven (Art. 12(5)). Any refusal must remain exceptional, justified, and within deadlines.
GDPR – Article 28: the watertight processor contract
In 2026, every DPO/CISO must bulletproof processor contracts. Mandatory clauses, EDPB/CNPD guidance, and a practical audit playbook for a watertight Article 28.
GDPR Art. 33: Notify CNPD of a breach within 72h—without panic
Practical method, based on official texts and CNPD guidance, to decide, notify, and document a personal data breach within 72 hours.
EU‑US data transfers after Schrems II and the DPF: CNPD expectations 2026
Secure transatlantic flows without over‑compliance: the DPF eases transfers to certified US entities, but Article 46 and supplementary measures remain key outside the DPF. Prioritize vendor governance and DPIA documentation.