CNPD: recording business meetings and conversations in GDPR compliance
In 2026, Luxembourg’s CNPD sets out a framework for audio/video recording of private meetings. Legal basis, transparency and retention are critical; recordings often must be deleted once the minutes are approved.
What’s at stake: choosing a valid legal basis and limiting retention are decisive, and poorly informing participants creates risks.
General rule
- The GDPR applies whenever a recording can identify individuals (voice, displayed name, image, metadata). Core principles: lawfulness, data minimisation, and storage limitation (Art. 5(1)(a)-(c) and (e) GDPR) and a valid legal basis (Art. 6(1) GDPR). Official text: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679.
- Prior information to participants: Art. 13 (or 14 if indirect) sets the minimum content (purposes, legal basis, recipients, duration/criteria, rights, DPO contact, etc.). Text: https://www.legislation.gov.uk/eur/2016/679/pdfs/eur_20160679_adopted_en.pdf.
- Rights: right to object (Art. 21) when relying on legitimate interests, consent withdrawal (Art. 7), erasure (Art. 17) under conditions, and records of processing (Art. 30). Reference: https://eur-lex.europa.eu/legal-content/en/ALL/?uri=CELEX%3A32016R0679.
In sector-specific cases, special laws may mandate recording and retention. In Luxembourg’s financial sector (MiFID II), the Law of 5 April 1993 (LSF) requires recording conversations relating to client orders and retention for 5 years (up to 7 years upon CSSF request): https://www.cssf.lu/wp-content/uploads/L_050493_lsf_upd_150724.pdf (Art. 37-1(6bis)).
What the regulators say
- CNPD (Luxembourg) – “Audio recording of meetings” (01/04/2026):
  - Legal basis can be consent (Art. 6(1)(a)) or legitimate interests (Art. 6(1)(f)), but consent is often hard to make “freely given” and “unambiguous” in professional settings.
  - For legitimate interests, necessity and balancing must be assessed case by case; other means (note-taking, meeting secretary, transcription without recording) may suffice.
  - Retention: the recording must be deleted once the minutes are drafted, signed and approved.
  - Link: https://cnpd.public.lu/fr/dossiers-thematiques/enregistrement-sonore-reunions.html.
- EDPB (European Board):
  - Guidelines 05/2020 on consent: https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-052020-consent-under-regulation-2016679_en.
  - Guidelines 3/2019 on video devices: https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32019-processing-personal-data-through-video_en.
  - Draft Guidelines 1/2024 on legitimate interests: https://www.edpb.europa.eu/our-work-tools/documents/public-consultations/2024/guidelines-12024-processing-personal-data-based_de.
- EU case law: CJEU, C‑252/21, Meta v. Bundeskartellamt (04/07/2023): strict legal-basis requirement and concrete assessment of necessity and balancing. Text: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX%3A62021CJ0252_RES.
- CSSF (finance): reminders on MiFID II call taping and retention: https://www.cssf.lu/en/2020/03/esma-clarifies-position-on-call-taping-under-mifid-ii/ and LSF: https://www.cssf.lu/wp-content/uploads/L_050493_lsf_upd_150724.pdf.
- ENISA (security): videoconferencing best practices – avoid default recording, inform users, configure privacy, and record only when needed: https://www.enisa.europa.eu/news/enisa-news/tips-for-selecting-and-using-online-communication-tools.
How to apply it in practice
Before (design and preparation)
- Define the processing and choose the legal basis:
  - If recording is mandated by law (e.g., MiFID II), legal basis = legal obligation; document the text and statutory retention (5 years, up to 7 years upon CSSF request). LSF: https://www.cssf.lu/wp-content/uploads/L_050493_lsf_upd_150724.pdf.
  - Otherwise, prefer legitimate interests for specific objectives (accuracy of minutes, dispute management), after a LIA covering interest, necessity, balancing, and mitigating measures (pause recording, masking sensitive data, restricted access). See EDPB Draft 1/2024: https://www.edpb.europa.eu/our-work-tools/documents/public-consultations/2024/guidelines-12024-processing-personal-data-based_de.
  - Consent is valid only if truly freely given (non-recording option without detriment) and unambiguous (collected individually and traceable). See EDPB 05/2020: https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-052020-consent-under-regulation-2016679_en.
- Inform participants (Art. 13):
  - Before the meeting: include in the invite + a dedicated notice: purpose, legal basis, recipients, retention (or criteria), rights, DPO/contact point, and any non-EU transfers. Align with Art. 13 GDPR: https://www.legislation.gov.uk/eur/2016/679/pdfs/eur_20160679_adopted_en.pdf.
  - In the room/at the start of the video meeting: oral and visual reminder (“Recording on” banner), and provide an “off the record” option if foreseen.
- Governance and security:
  - Update the RoPA (Art. 30) and, if mapping shows high risk (e.g., systematic employee recordings or sensitive data), assess DPIA obligation (CNPD list Art. 35(4) + WP29 criteria): https://cnpd.public.lu/fr/actualites/national/2019/03/liste-DPIA.html.
  - Configure the tool: recording off by default; encrypted storage; role-based access; ban unmanaged personal recordings; ENISA recommendations: https://www.enisa.europa.eu/news/enisa-news/tips-for-selecting-and-using-online-communication-tools.
During (running the meeting)
- Clearly announce start/end of recording; if relying on consent, log individual consent.
- Minimisation: avoid capturing irrelevant information; prefer audio if the goal is drafting minutes (less intrusive than video per proportionality in EDPB 3/2019): https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32019-processing-personal-data-through-video_en.
- Manage “off the record”: have a procedure to pause recording (button/instruction), documented in the notice.
After (use, retention, deletion)
- Draft the minutes; verify accuracy; restrict access strictly to need-to-know (integrity/confidentiality principle, Art. 5(1)(f)).
- Delete the recording once the minutes are approved (CNPD position). Implement controlled/automatic and logged deletion: https://cnpd.public.lu/fr/dossiers-thematiques/enregistrement-sonore-reunions.html.
- If legal obligation (MiFID II) is the basis, apply statutory retention (5 years, extendable to 7 years upon CSSF request) and handle client access requests: https://www.cssf.lu/wp-content/uploads/L_050493_lsf_upd_150724.pdf.
- Handle data subject rights (access, objection under legitimate interests, consent withdrawal), and log responses and reasons.
Use cases
- Executive committee meeting (non-regulated sector): purpose = accuracy of minutes. Recommended basis: legitimate interests, with measures: prior notice, limit to agenda items, access restricted to the secretariat, deletion upon approval of the minutes. CNPD ref.: https://cnpd.public.lu/fr/dossiers-thematiques/enregistrement-sonore-reunions.html.
- Trading floor (MiFID II investment firm): mandatory recording of calls related to client orders; prior client information and 5-year retention. Processes and controls documented (LSF, MiFID II): https://www.cssf.lu/wp-content/uploads/L_050493_lsf_upd_150724.pdf and https://www.cssf.lu/en/2020/03/esma-clarifies-position-on-call-taping-under-mifid-ii/.
Common pitfalls
- Relying on a group “vote” as a substitute for individual consent: rejected by the CNPD (not “freely given and unambiguous”). Ref.: https://cnpd.public.lu/fr/dossiers-thematiques/enregistrement-sonore-reunions.html.
- Recording “just in case” without demonstrating necessity and balancing (LIA) under legitimate interests; the CJEU and EDPB require a concrete, restrictive analysis: https://www.edpb.europa.eu/our-work-tools/documents/public-consultations/2024/guidelines-12024-processing-personal-data-based_de.
- Keeping recordings after minutes approval “for history”: contrary to storage limitation and CNPD guidance: https://cnpd.public.lu/fr/dossiers-thematiques/enregistrement-sonore-reunions.html.
- Omitting Art. 13/14 information (duration or criteria, rights, DPO): a frequent audit non-compliance: https://www.legislation.gov.uk/eur/2016/679/pdfs/eur_20160679_adopted_en.pdf.
- Turning on default recording in video tools without access control or encryption: ENISA advises against it and to record only when needed: https://www.enisa.europa.eu/news/enisa-news/tips-for-selecting-and-using-online-communication-tools.
Note (scope): the CNPD page targets the private sector (companies/associations). Specific public-sector rules (e.g., publicity of sessions) fall under other texts and are not addressed here by the CNPD: https://cnpd.public.lu/fr/dossiers-thematiques/enregistrement-sonore-reunions.html.
In practice: in Luxembourg, an organisation may record meetings if (i) the legal basis is justified and documented, (ii) information is complete, (iii) retention is strictly limited (often until minutes approval), and (iv) end-to-end security is controlled. Any deviation must be grounded in a special law (e.g., MiFID II) or a robust, traceable legitimate interest analysis.
Luxgap regulatory expertise article.