CNPD vs CNIL: workplace CCTV, 8 days in LU, up to 30 days in FR

The case

On 10 April 2024, Luxembourg’s CNPD updated its “Guidelines on video surveillance” and released a detailed PDF. Two key points for Luxembourg employers:

• image retention is “in principle” limited to 8 days, with an “exceptional” extension up to 30 days documented in the record (beyond 30 days is generally disproportionate);
• recording or listening to audio associated with images is considered disproportionate.

See the thematic page and the official PDF from the CNPD: “Guidelines on video surveillance” (updated 10/04/2024; reminder 05/06/2025). cnpd.public.lu

In parallel, France’s CNIL notes that “as a general rule, a few days are sufficient,” while for video protection in public places under the Internal Security Code there is a legal cap of one month; in practice, many ministerial frameworks state “30 days maximum.” See “La vidéoprotection” (CNIL) and ministerial frameworks published by the CNIL. cnil.fr

This operational gap between CNPD and CNIL is decisive for organizations active in Luxembourg and France (cross-border groups, headquarters and branches).

Legal reasoning

• Common EU basis. Both authorities apply the GDPR: lawfulness and proportionality (Articles 5 and 6), transparency (Arts. 12‑13), records (Art. 30), storage limitation (Art. 5(1)(e)), security (Art. 32), and, where needed, DPIA (Art. 35). EDPB Guidelines 3/2019 on video devices provide the common foundation (proportionality, two‑layer information, typical legal bases, DPIA for systematic large‑scale monitoring of public areas). edpb.europa.eu — see also our GDPR reminder on Articles 30/35.
• CNPD specifics.
  • Retention: “in principle up to 8 days”; up to 30 days “exceptionally” and “duly justified” in the record; “beyond 30 days generally disproportionate.” CNPD PDF 2024
  • Audio: “video camera surveillance should only cover images, excluding sounds”; listening/recording audio is “to be considered disproportionate.” CNPD PDF 2024
  • Luxembourg labor law: Article L. 261‑1 of the Labor Code requires prior collective information of the staff delegation and allows, within 15 days, the delegation (or failing that, employees) to refer the case to the CNPD for a prior opinion with suspensive effect; the CNPD must decide within one month. CNPD PDF 2024
• CNIL position.
  • Retention: the CNIL recalls that “as a general rule, a few days are sufficient” and that for video protection under the Internal Security Code “the duration may not exceed one month.” cnil.fr
  • Audio: audio recording coupled with video protection is in principle prohibited under French law, but the CNIL mentions very specific allowed cases (event‑triggered, very limited scope, clear legal basis and enhanced notice). cnil.fr

In short, the EDPB sets the framework, but national authorities shape practical application: in Luxembourg, the CNPD sets a lower bar for retention (8 days by default) and rules out coupled audio; in France, the CNIL reasons with “a few days” under a one‑month ISC cap and admits extremely narrow audio exceptions.

What this changes in practice

• LU–FR cross‑border groups. If your group policy sets a 30‑day video retention “by default,” it is non‑compliant in Luxembourg. Set 8 days by default on LU sites and exceed 30 days only exceptionally, with formal justification in the GDPR record of processing (Article 30). Adjust your retention matrix to distinguish LU vs FR. CNPD PDF 2024
• Audio scope. Cameras with continuously enabled microphones are prohibited by the CNPD. Even if very specific setups exist in France, do not align LU sites with those exceptions. Disable audio on LU sites and document technical controls. CNPD PDF 2024
• Social dialogue and timeline. In Luxembourg, before activating a system targeting employees, inform the staff delegation and account for the 15‑day window during which the CNPD may be seized (suspensive effect until decision within one month). CNPD PDF 2024
• DPIA. Trigger a DPIA if EDPB criteria are met (e.g., systematic large‑scale monitoring of publicly accessible areas combined with other criteria). Refer to EDPB Guidelines 3/2019 and the CNPD section. edpb.europa.eu

Common pitfalls

1. Copy‑pasting a “30‑day group policy” without considering LU sites. Outcome: excessive retention under CNPD guidance (8 days by default, 30 only if exceptional and justified). CNPD PDF 2024
2. Forgetting audio. NVRs with remotely enabled audio or IP domes with built‑in mics create non‑compliance risk: CNPD deems coupled audio disproportionate. Verify and document hardware/software disablement. CNPD PDF 2024
3. Neglecting collective information under L. 261‑1. Installing cameras in work areas without prior staff‑delegation information and clear retention/purpose statements can lead to a suspensive CNPD referral. CNPD PDF 2024
4. “Rubber‑stamp” DPIA. Large stores or campuses monitoring wide public areas require a thorough DPIA; copying a template without assessing alternatives, blind spots, and masking contravenes GDPR Art. 35 and Guidelines 3/2019. edpb.europa.eu
5. Incomplete signage. The CNPD requires two‑layer information, with first‑layer items “with the greatest influence” (e.g., retention period, live monitoring). “Icon‑only” signs are insufficient. CNPD PDF 2024

Official sources

• Luxembourg — CNPD, “Guidelines on video surveillance” (thematic page, last updated 10/04/2024) and 2024 PDF: 8‑day retention, disproportionate audio, L. 261‑1 obligations. Thematic page — PDF — News
• France — CNIL: La vidéoprotection; La vidéosurveillance au travail; examples of ministerial acts setting “30 days max”: Example 1 and Example 2.
• Europe — EDPB, “Guidelines 3/2019 on processing personal data through video devices” (final version 30/01/2020). edpb.europa.eu

In practice, keep a “site × purpose × retention × audio × notice × DPIA” matrix: in Luxembourg, set 8 days by default (log any extension), disable audio, apply L. 261‑1, and align with EDPB to decide on a DPIA for public areas. In France, keep “a few days” under the one‑month ISC cap and any applicable ministerial frameworks. For Luxembourg CNPD compliance, see GDPR Luxembourg or engage a DPO mandate.

Luxgap regulatory expertise article. For personalised guidance on this topic, contact us or configure your online quote.