Breach Watch — Enforcement Briefing

Breach Watch

What regulators did this month — and what it means for your program

A short practitioner briefing on recent enforcement, written by the founder of PrivOptic — the same analysis that goes into the signed regulatory packs shipped to PrivOptic Command customers.

Edition: July 2026 · Updated monthly

Erasure requests left open for up to 37 months draw a cross-border fine

Romania DPA · July 2026 · €11,000 + ordered process improvements

A single individual's complaint about an unanswered deletion request opened an investigation that found the company routinely let erasure requests from people in several jurisdictions sit for years — in the worst case, over three years — with no final response and no justification for the delay.

The takeaway: the fine is small; the lesson isn't. One unanswered request is all it takes to invite a regulator into your entire DSAR operation, and "we lost track of it" is not a defense. If your requests live in an inbox, you don't have a process — you have a liability with a timestamp.
The tool for this: DSAR Command Center — $79 →

Automaker penalized over processor security guarantees

France · June 2026 · Security measures and vendor diligence

An enforcement action against Renault found two failures stacked on top of each other: inadequate security measures with no regular testing regime, and a neglected duty to use only service providers offering sufficient data protection guarantees under GDPR.

The takeaway: Article 28 makes your processors' security your problem. "They seemed reputable" doesn't satisfy the duty — documented, scored vendor diligence before signature does, and a DPA that survives scrutiny closes the loop.
The tools for this: Vendor Risk Scorecard — $59 →

EDPB's 2026 coordinated enforcement targets transparency

EU-wide · Ongoing through 2026 · Coordinated Enforcement Framework

This year's coordinated action across European DPAs focuses on transparency and information obligations — privacy notices, consent documentation, and the clarity of what organizations actually tell people about their data. Past coordinated actions have reliably produced a wave of related fines within a year of launch.

The takeaway: when regulators announce where they're looking, believe them. If your privacy notice hasn't been reviewed against your actual processing in the last twelve months, this is the year the gap gets found by someone other than you.
The tool for this: Privacy Policy & SOP Packet →

EU AI Act high-risk enforcement goes live August 2

EU · Effective 2 August 2026 · Penalties up to €35M or 7% of global turnover

The AI Act's high-risk system obligations reach full enforcement in weeks, layering a second penalty regime — with ceilings nearly double the GDPR's — over every AI system your organization deploys or procures. For most privacy teams, the immediate exposure isn't models you build; it's AI tools your business units are buying right now without review.

The takeaway: every AI vendor entering your stack needs a documented review covering training-data terms, automated-decision exposure, and what the tool can access. The teams that built that intake this spring are ready; everyone else is six weeks behind.
The tool for this: AI Vendor Review Kit — $199 →

Breach Watch is a practitioner briefing, not legal advice — enforcement details are summarized from public reporting and simplified for operational planning. PrivOptic Command customers receive deeper analysis in monthly signed regulatory packs, delivered to their own tenant. Learn about Command →