[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f_NhQRRSyxUJZXSuFcXFjXoOokr55BfB6jCy50Bbi2Xs":3,"white_papers":60},{"tableOfContents":4,"markDownContent":5,"htmlContent":6,"metaTitle":7,"metaDescription":8,"wordCount":9,"readTime":10,"title":11,"nbDownloads":12,"excerpt":13,"lang":14,"url":15,"intro":16,"featured":17,"state":18,"author":19,"authorId":20,"datePublication":24,"dateCreation":25,"dateUpdate":26,"mainCategory":27,"categories":43,"metaDatas":49,"imageUrl":50,"imageThumbUrls":51,"id":59},true,"Are you tired of generic newsletters that skim over your real challenges? Dastra offers you **Dastra Insights**, a legal and regulatory watch **specially designed for DPOs, in-house counsel, and Privacy and AI professionals**.\n\n🎯 **Targeted, useful monitoring grounded in the day-to-day reality of data protection and AI.**\n\nHere is our selection for **April 2026**:\n\n## \\[AI - EU\\] European Commission consultation on AI transparency obligations\n\n**Date**: 8 May 2026\\\n**Source**: [European Commission](https://digital-strategy.ec.europa.eu/en/news/commission-opens-consultation-draft-guidelines-ai-transparency-obligations)\n\nThe European Commission has opened a consultation on draft guidelines relating to the transparency obligations provided for under the AI Act. These obligations will apply from **2 August 2026** and concern, in particular, informing individuals when they interact with an AI system, as well as labelling or detecting certain content generated or manipulated by AI.\n\nThis topic is directly operational for AI providers and deployers, especially for chatbots, AI assistants, deepfakes, AI-generated publications on matters of public interest, emotion recognition systems, and biometric categorization systems. Lawyers and DPOs should follow the finalization of these guidelines, as they will clarify compliance expectations before the obligations take effect.\n\nThe consultation is open until **3 June 2026**. 
The Commission also indicates that a voluntary code of practice on the labelling and marking of AI-generated content is expected in **June 2026**.\n\n## \\[AI-EU\\] Political agreement on the AI Omnibus and timetable for high-risk systems\n\n**Date**: 7 May 2026\\\n**Source**: [European Commission](https://digital-strategy.ec.europa.eu/en/news/eu-agrees-simplify-ai-rules-boost-innovation-and-ban-nudification-apps-protect-citizens)\n\nThe European Commission announced a political agreement between the European Parliament and the Council on simplifying certain implementation rules of the AI Act as part of the so-called **Digital Omnibus on AI** package. The agreement notably changes the application timetable for certain high-risk AI systems.\n\nThe rules applicable to high-risk systems in areas such as biometrics, critical infrastructure, education, employment, migration, asylum, or border control would apply from **2 December 2027**. For systems embedded in certain products, such as toys or elevators, the deadline would be **2 August 2028**.\n\nFor compliance teams, the challenge is twofold: avoid treating this delay as a general suspension of the AI Act, and adjust compliance roadmaps according to the categories of systems involved. Obligations already applicable or about to become applicable, notably in relation to prohibited practices, AI literacy, GPAI, and transparency, remain to be addressed separately.\n\n## \\[AI-EU\\] Commission publishes draft guidelines on classifying high-risk AI systems\n\n**Date**: 19 May 2026\\\n**Source**: [European Commission - Guidelines for providers and deployers of AI high-risk systems](https://digital-strategy.ec.europa.eu/en/policies/guidelines-ai-high-risk-systems)\n\nThe European Commission has published a **draft guideline** to help providers and deployers determine whether an AI system should be classified as a **high-risk system** under the AI Act. 
The document clarifies how the classification should be interpreted and includes practical examples covering the main areas concerned.\n\nThe guidelines are not legally binding at this stage, but the Commission states that they reflect its interpretation and will guide application of the regulation. They are subject to a targeted consultation open until **23 June 2026**, before the final version is adopted.\n\n{% button href='https://www.dastra.eu/fr/blog/projet-des-lignes-directrices-ai-act-sur-les-systemes-dia-a-haut-risque/60072' text='Read our article here ' target='\\_blank' role='button' class='btn btn-primary' %}\n\n## \\[AI-EU\\] Annual report on prohibited practices and high-risk use cases\n\n**Date**: 22 May 2026\\\n**Source**: [European Commission](https://digital-strategy.ec.europa.eu/EN/library/report-review-prohibitions-and-high-risk-ai)\n\nThe Commission has published a review report on the possible need to amend the list of prohibited AI practices and high-risk use cases under the AI Act. 
This report is part of the monitoring mechanism provided for by Article 112 of the AI Act.\n\nThe Commission notes in particular that the assessment of certain especially harmful practices remains at an early stage, but mentions the political agreement on the AI Omnibus, including a ban on systems generating non-consensual sexually explicit or intimate content, including certain so-called “nudification” applications.\n\nFor lawyers and DPOs, this report confirms that the mapping of high-risk AI uses should not be frozen: the AI Act lists are likely to evolve in step with technological risks, especially in relation to biometrics, synthetic content, protection of minors, and infringements of fundamental rights.\n\n## \\[AI\\] CNIL-PIPC awareness campaign on generative AI and privacy\n\n**Date**: 27 May 2026\\\n**Source**: [CNIL - Generative AI and privacy](https://www.cnil.fr/fr/ia-generative-et-vie-privee-affiche-coproduite-pipc-cnil)\n\nThe CNIL and the PIPC, the Korean data protection authority, have published an awareness poster dedicated to the use of generative AI services and the protection of personal data. 
The initiative is part of their cooperation launched in 2022.\n\nAlthough the document is broadly aimed at user awareness, it is useful for internal privacy awareness programs, especially in organizations deploying generative AI tools to employees, students, public officials, or young audiences.\n\nFor DPOs, the practical value lies in integrating simple messages into internal AI-use policies: avoid entering personal or sensitive data into tools that are not controlled, check privacy settings, and raise awareness of the risks linked to re-use of prompts and provided content.\n\n## \\[AI - UK\\] The ICO announces its priorities for “safe” AI innovation\n\n**Date**: 29 May 2026\\\n**Source**: [ICO - Response to government on safe AI-powered innovation](https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2026/05/ico-response-to-government-on-safe-ai-powered-innovation/)\n\nThe ICO has published its response to the UK government on safe AI innovation. The regulator announces work for 2026/2027 to strengthen consumer trust and legal certainty for businesses regarding the application of data protection law to AI.\n\nThe announced priorities include the development of an **AI code of practice**, guidance dedicated to **agentic AI**, and support for consumers in an increasingly personalized AI environment.\n\nFor lawyers and DPOs operating in the UK, this announcement signals the ICO’s next doctrinal focus areas. 
AI projects involving ADM, biometric data, agentic models, or personalization should be anticipated in DPIAs, AI governance policies, and contract reviews.\n\n## \\[GDPR-Transfers\\] Europrivacy as a certification usable for transfers\n\n**Date**: 16 April 2026\\\n**Source**: [EDPB - Opinion 15/2026 Europrivacy certification criteria](https://www.edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-152026-europrivacy-certification-criteria_pl)\n\nThe EDPB adopted **Opinion 15/2026** on Europrivacy certification criteria, regarding their approval as a European data protection seal that can be used as a tool for transfers under Articles 42 and 46 of the GDPR.\n\nThis development is important for organizations looking for international transfer mechanisms other than standard contractual clauses or BCRs. It does not remove the transfer analysis or risk assessment, but it may enrich the compliance toolkit for documenting appropriate safeguards.\n\nDPOs will need to follow the exact practical conditions for using this certification, particularly its interaction with post-Schrems II supplementary measures, importer commitments, and ongoing monitoring requirements.\n\n## \\[Health-FR\\] EUR 5 million fine against IQVIA\n\n**Date**: 28 May 2026\\\n**Source**: [CNIL - Health data: a EUR 5 million fine imposed on IQVIA](https://www.cnil.fr/fr/donnees-sante-sanction-5-millions-iqvia)\n\nThe CNIL fined IQVIA Operations France **EUR 5 million** for breaches related to the management of health data warehouses. 
The decision notably concerns failure to comply with safeguards intended to limit risks for data subjects.\n\nOne particularly important point concerns the qualification of the data: IQVIA argued that the data were anonymous, but the restricted committee held that they were only pseudonymous, since re-identification remained possible with reasonable means.\n\nThis decision is significant for players in healthcare, research, pharmaceutical studies, and data science. It is a reminder that pseudonymization does not take data outside the scope of the GDPR, and that authorizations or processing frameworks must be respected in practice, not merely in the initial documentation.\n\n## \\[GDPR-FR\\] CNIL: 2025 annual report, AI priorities, cybersecurity and European cooperation\n\n**Date**: 18 May 2026\\\n**Source**: [CNIL - Annual report: the CNIL’s 2025 record and key actions](https://cnil.fr/fr/rapport-annuel-2025)\n\nThe CNIL has published its **2025 annual report**, highlighting a year marked by an increase in complaints, an unprecedented level of fines, a record number of data breach notifications, and the authority’s preparation for its new missions under the AI Act.\n\nThe report confirms three major priorities: **regulation of artificial intelligence**, **cybersecurity**, and **European cooperation**. On AI, the CNIL recalls its support work on generative AI, the publication of resources for designers and developers, and its upcoming scaling-up under the AI Act. On cybersecurity, it states that it received **6,167 data breach notifications** in 2025, about one incident in two being linked to hacking.\n\nThe most operational information is the announcement that in **2026**, the CNIL will devote **50% of its inspections and enforcement actions** to data security breaches. 
DPOs should draw a practical consequence: evidence of security measures, vendor management, incident documentation, DPIAs, and cyber/GDPR governance become priority control points.\n\n## \\[GDPR-FR\\] Douai Court of Appeal: GDPR non-compliance of a website may lead to contract nullity\n\n**Date**: 7 May 2026\\\n**Source**: [Court of Cassation - CA Douai, 7 May 2026, No. 22/05075](https://www.courdecassation.fr/decision/69fd7dbdcdc6046d47043e30)\n\nThe Douai Court of Appeal declared a website creation and rental contract null and void due to an **error concerning the essential qualities** of the delivered website. The dispute opposed **Auffray Paysage** and **Axecibles**, the provider responsible for creating the website. The Court held that the website collected personal data under conditions that did not comply with the GDPR and cookie regulations.\n\nThe decision notes in particular that cookies, including a Google Analytics cookie, were installed automatically despite the absence of valid user choice. The Court also mentions the processing linked to the contact form and the free callback button. It recalls that continuing to browse does not constitute valid consent and that the requirements relating to consent for trackers are not mere recommendations.\n\nThe practical significance is major for IT and web contracts: GDPR compliance is not only a matter of administrative sanction by the CNIL. It can also become an **essential quality expected of the delivered service**, the absence of which affects contract validity. 
Digital service providers must therefore embed privacy by design compliance in their deliverables, and clients should contractually frame obligations relating to cookies, forms, analytics, security, and compliance documentation.\n\n## \\[Health-FR\\] CNIL: update of reference methodologies MR-001 and MR-003\n\n**Date**: 26 May 2026\\\n**Source**: [CNIL - Health research: the CNIL updates and expands the scope of reference methodologies 001 and 003](https://www.cnil.fr/fr/recherche-en-sante-la-cnil-met-jour-et-elargit-le-champ-des-methodologies-de-reference-001-et-003) ; see also the compliance grids [MR-001 / MR-003](https://cnil.fr/fr/methodologies-de-reference-pour-les-recherches-en-sante-verifier-sa-conformite-aux-mr-001-et-mr-003)\n\nThe CNIL announced the update and expansion of reference methodologies **MR-001** and **MR-003**, which govern certain health data processing activities for research purposes. MR-001 applies to research requiring consent collection, while MR-003 applies to research that does not require such consent for participation.\n\nThe changes concern notably the scope, categories of data, recipients, information provided to individuals, security, transfers outside the European Union, and the use of processors. The CNIL also specifies that the new methodologies are supplemented by annexes on security and quality control, as well as annotated versions and compliance checklists.\n\nFor controllers, sponsors, CROs, healthcare institutions, and DPOs, the practical impact is very concrete: when a study complies with the applicable reference methodology, it may be conducted on the basis of a compliance undertaking, without prior CNIL authorization. By contrast, non-compliant studies must be documented and, depending on the case, submitted for authorization. 
Studies or substantial changes implemented from **23 May 2026** onward must be assessed against the new versions.\n\n## \\[Cloud\\] CNIL clarifies GDPR roles of cloud actors\n\n**Date**: 28 May 2026\\\n**Source**: [CNIL - What qualifications apply to cloud computing actors?](https://www.cnil.fr/fr/quelles-qualifications-pour-les-acteurs-de-linformatique-en-nuage-cloud)\n\nThe CNIL has published guidance on how cloud actors should be qualified under the GDPR: controller, joint controller, or processor. It notably distinguishes between processing linked to the provision of the service, service improvement, security “of” the cloud, and security “in” the cloud.\n\nThis clarification is very useful for cloud contracts, risk analyses, processor clauses, compliance documentation, and the management of data subject rights requests. The CNIL stresses that the qualification depends on a concrete analysis of the provider’s degree of control, the purposes pursued, and the essential means of the processing.\n\nFor DPOs, the practical point is clear: processing for service improvement or general security carried out by the provider should not automatically be classified as processing by a processor. Depending on the case, it may fall within the provider’s own responsibility.\n\n## \\[Cyber-EU\\] NIS2: adoption of common incident notification templates\n\n**Date**: 26 May 2026\\\n**Source**: [European Commission - NIS2 Cooperation Group adopts common templates for incident reporting](https://digital-strategy.ec.europa.eu/en/news/nis2-cooperation-group-adopts-common-templates-incident-reporting)\n\nThe NIS2 Cooperation Group, bringing together Member States, the European Commission and ENISA, has adopted common templates for reporting cybersecurity incidents. 
The adoption took place during the **39th plenary meeting in Cyprus**.\n\nThese templates are intended to harmonize notification fields across the European Union and reduce administrative burden for essential and important entities operating in several Member States. The Commission indicates that it plans to adopt these templates by an **implementing act**, which would make them mandatory for all Member States.\n\nFor DPOs and compliance lawyers, the relevance is immediate: an incident may trigger both a NIS2 notification to the CSIRT or competent authority, and a GDPR notification to the data protection authority where personal data are involved. Internal incident response procedures must therefore align NIS2 deadlines, notably the 24-hour early warning and the 72-hour notification, with Article 33 of the GDPR.\n\n## \\[Cyber-UK\\] The ICO publishes five measures against AI-amplified cyber threats\n\n**Date**: 14 May 2026\\\n**Source**: [ICO - Five steps to protect your organisation from AI-powered cyber threats](https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2026/05/five-steps-to-protect-your-organisation-from-ai-powered-cyber-threats/)\n\nThe ICO has published practical recommendations to help organisations address AI-amplified cyber threats, including AI-generated phishing, automated vulnerability discovery, credential compromise, and data poisoning.\n\nThe regulator recalls that UK GDPR obligations require appropriate technical and organisational measures to protect personal data. It also emphasises the importance of a DPIA and safeguards where AI tools process high-risk data.\n\nThis publication is useful for bridging AI governance and cyber compliance programmes. DPOs should ensure that risks specific to AI systems, including attacks targeting models, training data, or outputs, are integrated into risk assessments and security documentation.","\u003Cp>Are you tired of generic newsletters that skim over your real challenges? 
Dastra offers you \u003Cstrong>Dastra Insights\u003C/strong>, a legal and regulatory watch \u003Cstrong>specially designed for DPOs, in-house counsel, and Privacy and AI professionals\u003C/strong>.\u003C/p>\n\u003Cp>🎯 \u003Cstrong>Targeted, useful monitoring grounded in the day-to-day reality of data protection and AI.\u003C/strong>\u003C/p>\n\u003Cp>Here is our selection for \u003Cstrong>April 2026\u003C/strong>:\u003C/p>\n\u003Ch2 id=\"ai-eu-european-commission-consultation-on-ai-transparency-obligations\">[AI - EU] European Commission consultation on AI transparency obligations\u003C/h2>\n\u003Cp>\u003Cstrong>Date\u003C/strong>: 8 May 2026\u003Cbr />\n\u003Cstrong>Source\u003C/strong>: \u003Ca href=\"https://digital-strategy.ec.europa.eu/en/news/commission-opens-consultation-draft-guidelines-ai-transparency-obligations\" rel=\"nofollow\">European Commission\u003C/a>\u003C/p>\n\u003Cp>The European Commission has opened a consultation on draft guidelines relating to the transparency obligations provided for under the AI Act. These obligations will apply from \u003Cstrong>2 August 2026\u003C/strong> and concern, in particular, informing individuals when they interact with an AI system, as well as labelling or detecting certain content generated or manipulated by AI.\u003C/p>\n\u003Cp>This topic is directly operational for AI providers and deployers, especially for chatbots, AI assistants, deepfakes, AI-generated publications on matters of public interest, emotion recognition systems, and biometric categorization systems. Lawyers and DPOs should follow the finalization of these guidelines, as they will clarify compliance expectations before the obligations take effect.\u003C/p>\n\u003Cp>The consultation is open until \u003Cstrong>3 June 2026\u003C/strong>. 
The Commission also indicates that a voluntary code of practice on the labelling and marking of AI-generated content is expected in \u003Cstrong>June 2026\u003C/strong>.\u003C/p>\n\u003Ch2 id=\"ai-eu-political-agreement-on-the-ai-omnibus-and-timetable-for-high-risk-systems\">[AI-EU] Political agreement on the AI Omnibus and timetable for high-risk systems\u003C/h2>\n\u003Cp>\u003Cstrong>Date\u003C/strong>: 7 May 2026\u003Cbr />\n\u003Cstrong>Source\u003C/strong>: \u003Ca href=\"https://digital-strategy.ec.europa.eu/en/news/eu-agrees-simplify-ai-rules-boost-innovation-and-ban-nudification-apps-protect-citizens\" rel=\"nofollow\">European Commission\u003C/a>\u003C/p>\n\u003Cp>The European Commission announced a political agreement between the European Parliament and the Council on simplifying certain implementation rules of the AI Act as part of the so-called \u003Cstrong>Digital Omnibus on AI\u003C/strong> package. The agreement notably changes the application timetable for certain high-risk AI systems.\u003C/p>\n\u003Cp>The rules applicable to high-risk systems in areas such as biometrics, critical infrastructure, education, employment, migration, asylum, or border control would apply from \u003Cstrong>2 December 2027\u003C/strong>. For systems embedded in certain products, such as toys or elevators, the deadline would be \u003Cstrong>2 August 2028\u003C/strong>.\u003C/p>\n\u003Cp>For compliance teams, the challenge is twofold: avoid treating this delay as a general suspension of the AI Act, and adjust compliance roadmaps according to the categories of systems involved. 
Obligations already applicable or about to become applicable, notably in relation to prohibited practices, AI literacy, GPAI, and transparency, remain to be addressed separately.\u003C/p>\n\u003Ch2 id=\"ai-eu-commission-publishes-draft-guidelines-on-classifying-high-risk-ai-systems\">[AI-EU] Commission publishes draft guidelines on classifying high-risk AI systems\u003C/h2>\n\u003Cp>\u003Cstrong>Date\u003C/strong>: 19 May 2026\u003Cbr />\n\u003Cstrong>Source\u003C/strong>: \u003Ca href=\"https://digital-strategy.ec.europa.eu/en/policies/guidelines-ai-high-risk-systems\" rel=\"nofollow\">European Commission - Guidelines for providers and deployers of AI high-risk systems\u003C/a>\u003C/p>\n\u003Cp>The European Commission has published a \u003Cstrong>draft guideline\u003C/strong> to help providers and deployers determine whether an AI system should be classified as a \u003Cstrong>high-risk system\u003C/strong> under the AI Act. The document clarifies how the classification should be interpreted and includes practical examples covering the main areas concerned.\u003C/p>\n\u003Cp>The guidelines are not legally binding at this stage, but the Commission states that they reflect its interpretation and will guide application of the regulation. 
They are subject to a targeted consultation open until \u003Cstrong>23 June 2026\u003C/strong>, before the final version is adopted.\u003C/p>\n\u003Cdiv class=\"content-btn-container\">\u003Ca>\u003C/a>\u003C/div>\n\u003Ch2 id=\"ai-eu-annual-report-on-prohibited-practices-and-high-risk-use-cases\">[AI-EU] Annual report on prohibited practices and high-risk use cases\u003C/h2>\n\u003Cp>\u003Cstrong>Date\u003C/strong>: 22 May 2026\u003Cbr />\n\u003Cstrong>Source\u003C/strong>: \u003Ca href=\"https://digital-strategy.ec.europa.eu/EN/library/report-review-prohibitions-and-high-risk-ai\" rel=\"nofollow\">European Commission\u003C/a>\u003C/p>\n\u003Cp>The Commission has published a review report on the possible need to amend the list of prohibited AI practices and high-risk use cases under the AI Act. This report is part of the monitoring mechanism provided for by Article 112 of the AI Act.\u003C/p>\n\u003Cp>The Commission notes in particular that the assessment of certain especially harmful practices remains at an early stage, but mentions the political agreement on the AI Omnibus, including a ban on systems generating non-consensual sexually explicit or intimate content, including certain so-called “nudification” applications.\u003C/p>\n\u003Cp>For lawyers and DPOs, this report confirms that the mapping of high-risk AI uses should not be frozen: the AI Act lists are likely to evolve in step with technological risks, especially in relation to biometrics, synthetic content, protection of minors, and infringements of fundamental rights.\u003C/p>\n\u003Ch2 id=\"ai-cnil-pipc-awareness-campaign-on-generative-ai-and-privacy\">[AI] CNIL-PIPC awareness campaign on generative AI and privacy\u003C/h2>\n\u003Cp>\u003Cstrong>Date\u003C/strong>: 27 May 2026\u003Cbr />\n\u003Cstrong>Source\u003C/strong>: \u003Ca href=\"https://www.cnil.fr/fr/ia-generative-et-vie-privee-affiche-coproduite-pipc-cnil\" rel=\"nofollow\">CNIL - Generative AI and privacy\u003C/a>\u003C/p>\n\u003Cp>The 
CNIL and the PIPC, the Korean data protection authority, have published an awareness poster dedicated to the use of generative AI services and the protection of personal data. The initiative is part of their cooperation launched in 2022.\u003C/p>\n\u003Cp>Although the document is broadly aimed at user awareness, it is useful for internal privacy awareness programs, especially in organizations deploying generative AI tools to employees, students, public officials, or young audiences.\u003C/p>\n\u003Cp>For DPOs, the practical value lies in integrating simple messages into internal AI-use policies: avoid entering personal or sensitive data into tools that are not controlled, check privacy settings, and raise awareness of the risks linked to re-use of prompts and provided content.\u003C/p>\n\u003Ch2 id=\"ai-uk-the-ico-announces-its-priorities-for-safe-ai-innovation\">[AI - UK] The ICO announces its priorities for “safe” AI innovation\u003C/h2>\n\u003Cp>\u003Cstrong>Date\u003C/strong>: 29 May 2026\u003Cbr />\n\u003Cstrong>Source\u003C/strong>: \u003Ca href=\"https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2026/05/ico-response-to-government-on-safe-ai-powered-innovation/\" rel=\"nofollow\">ICO - Response to government on safe AI-powered innovation\u003C/a>\u003C/p>\n\u003Cp>The ICO has published its response to the UK government on safe AI innovation. The regulator announces work for 2026/2027 to strengthen consumer trust and legal certainty for businesses regarding the application of data protection law to AI.\u003C/p>\n\u003Cp>The announced priorities include the development of an \u003Cstrong>AI code of practice\u003C/strong>, guidance dedicated to \u003Cstrong>agentic AI\u003C/strong>, and support for consumers in an increasingly personalized AI environment.\u003C/p>\n\u003Cp>For lawyers and DPOs operating in the UK, this announcement signals the ICO’s next doctrinal focus areas. 
AI projects involving ADM, biometric data, agentic models, or personalization should be anticipated in DPIAs, AI governance policies, and contract reviews.\u003C/p>\n\u003Ch2 id=\"gdpr-transfers-europrivacy-as-a-certification-usable-for-transfers\">[GDPR-Transfers] Europrivacy as a certification usable for transfers\u003C/h2>\n\u003Cp>\u003Cstrong>Date\u003C/strong>: 16 April 2026\u003Cbr />\n\u003Cstrong>Source\u003C/strong>: \u003Ca href=\"https://www.edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-152026-europrivacy-certification-criteria_pl\" rel=\"nofollow\">EDPB - Opinion 15/2026 Europrivacy certification criteria\u003C/a>\u003C/p>\n\u003Cp>The EDPB adopted \u003Cstrong>Opinion 15/2026\u003C/strong> on Europrivacy certification criteria, regarding their approval as a European data protection seal that can be used as a tool for transfers under Articles 42 and 46 of the GDPR.\u003C/p>\n\u003Cp>This development is important for organizations looking for international transfer mechanisms other than standard contractual clauses or BCRs. 
It does not remove the transfer analysis or risk assessment, but it may enrich the compliance toolkit for documenting appropriate safeguards.\u003C/p>\n\u003Cp>DPOs will need to follow the exact practical conditions for using this certification, particularly its interaction with post-Schrems II supplementary measures, importer commitments, and ongoing monitoring requirements.\u003C/p>\n\u003Ch2 id=\"health-fr-eur-5-million-fine-against-iqvia\">[Health-FR] EUR 5 million fine against IQVIA\u003C/h2>\n\u003Cp>\u003Cstrong>Date\u003C/strong>: 28 May 2026\u003Cbr />\n\u003Cstrong>Source\u003C/strong>: \u003Ca href=\"https://www.cnil.fr/fr/donnees-sante-sanction-5-millions-iqvia\" rel=\"nofollow\">CNIL - Health data: a EUR 5 million fine imposed on IQVIA\u003C/a>\u003C/p>\n\u003Cp>The CNIL fined IQVIA Operations France \u003Cstrong>EUR 5 million\u003C/strong> for breaches related to the management of health data warehouses. The decision notably concerns failure to comply with safeguards intended to limit risks for data subjects.\u003C/p>\n\u003Cp>One particularly important point concerns the qualification of the data: IQVIA argued that the data were anonymous, but the restricted committee held that they were only pseudonymous, since re-identification remained possible with reasonable means.\u003C/p>\n\u003Cp>This decision is significant for players in healthcare, research, pharmaceutical studies, and data science. 
It is a reminder that pseudonymization does not take data outside the scope of the GDPR, and that authorizations or processing frameworks must be respected in practice, not merely in the initial documentation.\u003C/p>\n\u003Ch2 id=\"gdpr-fr-cnil-2025-annual-report-ai-priorities-cybersecurity-and-european-cooperation\">[GDPR-FR] CNIL: 2025 annual report, AI priorities, cybersecurity and European cooperation\u003C/h2>\n\u003Cp>\u003Cstrong>Date\u003C/strong>: 18 May 2026\u003Cbr />\n\u003Cstrong>Source\u003C/strong>: \u003Ca href=\"https://cnil.fr/fr/rapport-annuel-2025\" rel=\"nofollow\">CNIL - Annual report: the CNIL’s 2025 record and key actions\u003C/a>\u003C/p>\n\u003Cp>The CNIL has published its \u003Cstrong>2025 annual report\u003C/strong>, highlighting a year marked by an increase in complaints, an unprecedented level of fines, a record number of data breach notifications, and the authority’s preparation for its new missions under the AI Act.\u003C/p>\n\u003Cp>The report confirms three major priorities: \u003Cstrong>regulation of artificial intelligence\u003C/strong>, \u003Cstrong>cybersecurity\u003C/strong>, and \u003Cstrong>European cooperation\u003C/strong>. On AI, the CNIL recalls its support work on generative AI, the publication of resources for designers and developers, and its upcoming scaling-up under the AI Act. On cybersecurity, it states that it received \u003Cstrong>6,167 data breach notifications\u003C/strong> in 2025, about one incident in two being linked to hacking.\u003C/p>\n\u003Cp>The most operational information is the announcement that in \u003Cstrong>2026\u003C/strong>, the CNIL will devote \u003Cstrong>50% of its inspections and enforcement actions\u003C/strong> to data security breaches. 
DPOs should draw a practical consequence: evidence of security measures, vendor management, incident documentation, DPIAs, and cyber/GDPR governance become priority control points.\u003C/p>\n\u003Ch2 id=\"gdpr-fr-douai-court-of-appeal-gdpr-non-compliance-of-a-website-may-lead-to-contract-nullity\">[GDPR-FR] Douai Court of Appeal: GDPR non-compliance of a website may lead to contract nullity\u003C/h2>\n\u003Cp>\u003Cstrong>Date\u003C/strong>: 7 May 2026\u003Cbr />\n\u003Cstrong>Source\u003C/strong>: \u003Ca href=\"https://www.courdecassation.fr/decision/69fd7dbdcdc6046d47043e30\" rel=\"nofollow\">Court of Cassation - CA Douai, 7 May 2026, No. 22/05075\u003C/a>\u003C/p>\n\u003Cp>The Douai Court of Appeal declared a website creation and rental contract null and void due to an \u003Cstrong>error concerning the essential qualities\u003C/strong> of the delivered website. The dispute opposed \u003Cstrong>Auffray Paysage\u003C/strong> and \u003Cstrong>Axecibles\u003C/strong>, the provider responsible for creating the website. The Court held that the website collected personal data under conditions that did not comply with the GDPR and cookie regulations.\u003C/p>\n\u003Cp>The decision notes in particular that cookies, including a Google Analytics cookie, were installed automatically despite the absence of valid user choice. The Court also mentions the processing linked to the contact form and the free callback button. It recalls that continuing to browse does not constitute valid consent and that the requirements relating to consent for trackers are not mere recommendations.\u003C/p>\n\u003Cp>The practical significance is major for IT and web contracts: GDPR compliance is not only a matter of administrative sanction by the CNIL. It can also become an \u003Cstrong>essential quality expected of the delivered service\u003C/strong>, the absence of which affects contract validity. 
Digital service providers must therefore embed privacy by design compliance in their deliverables, and clients should contractually frame obligations relating to cookies, forms, analytics, security, and compliance documentation.\u003C/p>\n\u003Ch2 id=\"health-fr-cnil-update-of-reference-methodologies-mr-001-and-mr-003\">[Health-FR] CNIL: update of reference methodologies MR-001 and MR-003\u003C/h2>\n\u003Cp>\u003Cstrong>Date\u003C/strong>: 26 May 2026\u003Cbr />\n\u003Cstrong>Source\u003C/strong>: \u003Ca href=\"https://www.cnil.fr/fr/recherche-en-sante-la-cnil-met-jour-et-elargit-le-champ-des-methodologies-de-reference-001-et-003\" rel=\"nofollow\">CNIL - Health research: the CNIL updates and expands the scope of reference methodologies 001 and 003\u003C/a> ; see also the compliance grids \u003Ca href=\"https://cnil.fr/fr/methodologies-de-reference-pour-les-recherches-en-sante-verifier-sa-conformite-aux-mr-001-et-mr-003\" rel=\"nofollow\">MR-001 / MR-003\u003C/a>\u003C/p>\n\u003Cp>The CNIL announced the update and expansion of reference methodologies \u003Cstrong>MR-001\u003C/strong> and \u003Cstrong>MR-003\u003C/strong>, which govern certain health data processing activities for research purposes. MR-001 applies to research requiring consent collection, while MR-003 applies to research that does not require such consent for participation.\u003C/p>\n\u003Cp>The changes concern notably the scope, categories of data, recipients, information provided to individuals, security, transfers outside the European Union, and the use of processors. 
The CNIL also specifies that the new methodologies are supplemented by annexes on security and quality control, as well as annotated versions and compliance checklists.\u003C/p>\n\u003Cp>For controllers, sponsors, CROs, healthcare institutions, and DPOs, the practical impact is very concrete: when a study complies with the applicable reference methodology, it may be conducted on the basis of a compliance undertaking, without prior CNIL authorization. By contrast, non-compliant studies must be documented and, depending on the case, submitted for authorization. Studies or substantial changes implemented from \u003Cstrong>23 May 2026\u003C/strong> onward must be assessed against the new versions.\u003C/p>\n\u003Ch2 id=\"cloud-cnil-clarifies-gdpr-roles-of-cloud-actors\">[Cloud] CNIL clarifies GDPR roles of cloud actors\u003C/h2>\n\u003Cp>\u003Cstrong>Date\u003C/strong>: 28 May 2026\u003Cbr />\n\u003Cstrong>Source\u003C/strong>: \u003Ca href=\"https://www.cnil.fr/fr/quelles-qualifications-pour-les-acteurs-de-linformatique-en-nuage-cloud\" rel=\"nofollow\">CNIL - What qualifications apply to cloud computing actors?\u003C/a>\u003C/p>\n\u003Cp>The CNIL has published guidance on how cloud actors should be qualified under the GDPR: controller, joint controller, or processor. It notably distinguishes between processing linked to the provision of the service, service improvement, security “of” the cloud, and security “in” the cloud.\u003C/p>\n\u003Cp>This clarification is very useful for cloud contracts, risk analyses, processor clauses, compliance documentation, and the management of data subject rights requests. 
The CNIL stresses that the qualification depends on a concrete analysis of the provider’s degree of control, the purposes pursued, and the essential means of the processing.\u003C/p>\n\u003Cp>For DPOs, the practical point is clear: processing for service improvement or general security carried out by the provider should not automatically be classified as processing by a processor. Depending on the case, it may fall within the provider’s own responsibility.\u003C/p>\n\u003Ch2 id=\"cyber-eu-nis2-adoption-of-common-incident-notification-templates\">[Cyber-EU] NIS2: adoption of common incident notification templates\u003C/h2>\n\u003Cp>\u003Cstrong>Date\u003C/strong>: 26 May 2026\u003Cbr />\n\u003Cstrong>Source\u003C/strong>: \u003Ca href=\"https://digital-strategy.ec.europa.eu/en/news/nis2-cooperation-group-adopts-common-templates-incident-reporting\" rel=\"nofollow\">European Commission - NIS2 Cooperation Group adopts common templates for incident reporting\u003C/a>\u003C/p>\n\u003Cp>The NIS2 Cooperation Group, bringing together Member States, the European Commission and ENISA, has adopted common templates for reporting cybersecurity incidents. The adoption took place during the \u003Cstrong>39th plenary meeting in Cyprus\u003C/strong>.\u003C/p>\n\u003Cp>These templates are intended to harmonize notification fields across the European Union and reduce administrative burden for essential and important entities operating in several Member States. The Commission indicates that it plans to adopt these templates by an \u003Cstrong>implementing act\u003C/strong>, which would make them mandatory for all Member States.\u003C/p>\n\u003Cp>For DPOs and compliance lawyers, the relevance is immediate: an incident may trigger both a NIS2 notification to the CSIRT or competent authority, and a GDPR notification to the data protection authority where personal data are involved. 
Internal incident response procedures must therefore align NIS2 deadlines, notably the 24-hour early warning and the 72-hour notification, with Article 33 of the GDPR.\u003C/p>\n\u003Ch2 id=\"cyber-uk-the-ico-publishes-five-measures-against-ai-amplified-cyber-threats\">[Cyber-UK] The ICO publishes five measures against AI-amplified cyber threats\u003C/h2>\n\u003Cp>\u003Cstrong>Date\u003C/strong>: 14 May 2026\u003Cbr />\n\u003Cstrong>Source\u003C/strong>: \u003Ca href=\"https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2026/05/five-steps-to-protect-your-organisation-from-ai-powered-cyber-threats/\" rel=\"nofollow\">ICO - Five steps to protect your organisation from AI-powered cyber threats\u003C/a>\u003C/p>\n\u003Cp>The ICO has published practical recommendations to help organisations address AI-amplified cyber threats, including AI-generated phishing, automated vulnerability discovery, credential compromise, and data poisoning.\u003C/p>\n\u003Cp>The regulator recalls that UK GDPR obligations require appropriate technical and organisational measures to protect personal data. It also emphasises the importance of a DPIA and safeguards where AI tools process high-risk data.\u003C/p>\n\u003Cp>This publication is useful for bridging AI governance and cyber compliance programmes. 
DPOs should ensure that risks specific to AI systems, including attacks targeting models, training data, or outputs, are integrated into risk assessments and security documentation.\u003C/p>\n","Dastra Insights Privacy & AI: what happened in May?","A legal and regulatory watch specifically designed for DPOs, legal professionals, and Privacy and AI professionals.",2349,13,"Dastra Insights: what happened in May?",0,null,"en","dastra-insights-what-happened-in-may-privacy-ai","A legal and regulatory watch specially designed for DPOs, legal professionals, and Privacy and AI practitioners.",false,"Published",{"id":20,"displayName":21,"avatarUrl":22,"bio":13,"blogUrl":13,"color":13,"userId":20,"creationDate":23},20352,"Leïla Sayssa","https://static.dastra.eu/tenant-3/avatar/20352/TDYeY3C8Rz1lLE/dpo-avatar-h01-150.png","2025-03-03T11:08:22","2026-06-01T15:26:00","2026-06-01T15:26:37.8772532","2026-06-02T09:59:05.5216252",{"id":28,"name":29,"description":30,"url":31,"color":32,"parentId":13,"count":13,"imageUrl":13,"parent":13,"order":12,"translations":33},2,"Blog","A list of curated articles provided by the community","blog","#28449a",[34,37,40],{"lang":35,"name":29,"description":36},"fr","Une liste d'articles rédigés par la communauté",{"lang":38,"name":29,"description":39},"es","Una lista de artículos escritos por la comunidad",{"lang":41,"name":29,"description":42},"de","Eine Liste von Artikeln, die von der Community verfasst 
wurden",[44],{"id":28,"name":29,"description":30,"url":31,"color":32,"parentId":13,"count":13,"imageUrl":13,"parent":13,"order":12,"translations":45},[46,47,48],{"lang":35,"name":29,"description":36},{"lang":38,"name":29,"description":39},{"lang":41,"name":29,"description":42},[],"https://static.dastra.eu/content/94e0c6f6-149a-45ed-8901-bc1f90f91cab/dastractu-1000-300-original.webp",[52,53,54,55,56,57,58],"https://static.dastra.eu/content/94e0c6f6-149a-45ed-8901-bc1f90f91cab/dastractu-1000-300-1000.webp","https://static.dastra.eu/content/94e0c6f6-149a-45ed-8901-bc1f90f91cab/dastractu-1000-300.webp","https://static.dastra.eu/content/94e0c6f6-149a-45ed-8901-bc1f90f91cab/dastractu-1000-300-1500.webp","https://static.dastra.eu/content/94e0c6f6-149a-45ed-8901-bc1f90f91cab/dastractu-1000-300-800.webp","https://static.dastra.eu/content/94e0c6f6-149a-45ed-8901-bc1f90f91cab/dastractu-1000-300-600.webp","https://static.dastra.eu/content/94e0c6f6-149a-45ed-8901-bc1f90f91cab/dastractu-1000-300-300.webp","https://static.dastra.eu/content/94e0c6f6-149a-45ed-8901-bc1f90f91cab/dastractu-1000-300-100.webp",60075,{"items":61,"total":101,"size":102,"page":102},[62],{"title":63,"nbDownloads":64,"excerpt":13,"lang":14,"url":65,"intro":66,"featured":17,"state":18,"author":67,"authorId":20,"datePublication":68,"dateCreation":69,"dateUpdate":70,"mainCategory":71,"categories":78,"metaDatas":86,"imageUrl":91,"imageThumbUrls":92,"id":100},"Your Checklist to Multi-State Privacy Impact Assessments ",8,"your-checklist-to-multi-state-privacy-impact-assessment-compliance","Master multi-state Privacy Impact Assessments by downloading this checklist.",{"id":20,"displayName":21,"avatarUrl":22,"bio":13,"blogUrl":13,"color":13,"userId":20,"creationDate":23},"2026-02-23T10:07:00","2026-02-23T10:07:01.6114712","2026-02-24T15:38:38.0037058",{"id":72,"name":73,"description":13,"url":74,"color":75,"parentId":13,"count":13,"imageUrl":13,"parent":13,"order":76,"translations":77},70,"Livre 
blanc","white-papers","#1795d3",3,[],[79,84],{"id":28,"name":29,"description":30,"url":31,"color":32,"parentId":13,"count":13,"imageUrl":13,"parent":13,"order":12,"translations":80},[81,82,83],{"lang":35,"name":29,"description":36},{"lang":38,"name":29,"description":39},{"lang":41,"name":29,"description":42},{"id":72,"name":73,"description":13,"url":74,"color":75,"parentId":13,"count":13,"imageUrl":13,"parent":13,"order":76,"translations":85},[],[87],{"typeMetaDataId":88,"value":89,"id":90},4,"https://static.dastra.eu/backofficefilescontainer/6c9c6770-09f5-44d2-ac35-466a87c40426/US PIA Cross State Checklist Best Practices.pdf",117305,"https://static.dastra.eu/content/a321130b-375a-4a3f-b9d5-e9d9afea648e/visuel-article-18-original.jpg",[93,94,95,96,97,98,99],"https://static.dastra.eu/content/a321130b-375a-4a3f-b9d5-e9d9afea648e/visuel-article-18-1000.webp","https://static.dastra.eu/content/a321130b-375a-4a3f-b9d5-e9d9afea648e/visuel-article-18.webp","https://static.dastra.eu/content/a321130b-375a-4a3f-b9d5-e9d9afea648e/visuel-article-18-1500.webp","https://static.dastra.eu/content/a321130b-375a-4a3f-b9d5-e9d9afea648e/visuel-article-18-800.webp","https://static.dastra.eu/content/a321130b-375a-4a3f-b9d5-e9d9afea648e/visuel-article-18-600.webp","https://static.dastra.eu/content/a321130b-375a-4a3f-b9d5-e9d9afea648e/visuel-article-18-300.webp","https://static.dastra.eu/content/a321130b-375a-4a3f-b9d5-e9d9afea648e/visuel-article-18-100.webp",59886,12,1]