Right of access vs premature deletion: Belgian DPA warns recruiter (37/2026)

Excerpt — On 24 February 2026, the Belgian DPA warned a company for deleting an interview video after the candidate had requested a copy. Key takeaway for Luxembourg: do not purge before handling an access request (Arts. 12 and 15 GDPR).

The case

On 24 February 2026, the Litigation Chamber of the Belgian Data Protection Authority (APD) issued Decision 37/2026. Facts: a candidate attended a video interview, partly recorded so an absent assessor could review it. After being rejected, the candidate requested access and a copy on 11 July 2025. The company nevertheless deleted the video on 18 July 2025, then replied on 4 August 2025 that no copy was possible… because it had been erased. The DPA held that retention should have covered, at minimum, the time needed to process the request and issued a warning for potential infringements of Articles 12(2), 12(4) and 15 GDPR (facilitating rights, informing of refusals, right of access and copy). Source: APD, Decision 37/2026 (24/02/2026). See the decision in PDF. Belgian DPA – Decision 37/2026.

Why does this matter for Luxembourg? HR practices (recorded interviews, video tools, ATS) are widely cross-border in the Greater Region. The CNPD considers that the right of access includes a “copy of the data” (Art. 15(3)) and recalls the one‑month deadline, extendable by two months “in case of complexity” — aligned with the GDPR and the EDPB. References: CNPD – Right of access (2026 update) and Chapter III on the CNPD website. CNPD – Right of access. CNPD – Chapter III (Arts. 12–22).

Legal reasoning

• Legal basis: Articles 12 and 15 GDPR. Article 12(2) requires controllers to “facilitate” the exercise of rights; Article 12(3) sets a one‑month response time (extendable by two months); Article 12(4) requires, in case of inaction/refusal, informing within the same period of reasons and redress. Article 15(1) enshrines access; Article 15(3) the right to obtain “a copy of the data”. Official text: EUR‑Lex, Regulation (EU) 2016/679. EUR‑Lex – GDPR, Arts. 12 and 15. For internal alignment, see GDPR Articles 12 and 15.
• DPA’s interpretation: aiming for very short retention (data minimisation and storage limitation, Art. 5(1)(e)) was legitimate, but the video had to be kept at least until the pending access request was processed. Deleting the only copy while the right is pending makes it materially impossible to provide the copy, breaching the duty to “facilitate” (Art. 12(2)) and the right to obtain a copy (Art. 15(3)). The DPA also stressed the obligation to inform within one month in case of refusal (Art. 12(4)) — which was not properly done. Source: APD, Decision 37/2026. APD – Decision 37/2026.
• European doctrine: EDPB Guidelines 01/2022 on the right of access (final 2023) confirm that a “copy” means a faithful reproduction of the personal data processed (including document excerpts, logs, recordings), not a mere summary, and controllers must organise systems to enable effective exercise. EDPB – Final Guidelines on the Right of Access.
• CNPD position: the CNPD’s “Right of access” factsheet explains scope (access + copy), timelines, extensions and what to do in case of refusal or silence, reinforcing operational expectations for Luxembourg employers (HR, security, IT). CNPD – Right of access.

What changes in practice

• Interview/call/meeting recordings: if you record for a narrow purpose (e.g., to compensate for an absence), you should limit retention. But once an access/copy request (Art. 15) is received, you must suspend purge until you comply or send a reasoned response within one month. In short: a DSAR‑specific legal hold must block automatic deletion. A certified DPO mandate can steer the hold and evidence the timeline.
• HR tools and procedures: your systems (videoconferencing, cloud storage, ATS) must allow targeted copy extraction, pseudonymisation/blurring as needed to protect third‑party rights (Art. 15 is “without prejudice” to others’ rights and freedoms), and deadline traceability (Arts. 12(3)–(4)). If extraction is objectively impossible without disproportionate impact, justify, document, and offer an alternative (supervised on‑site viewing, redacted excerpt).
• Document governance: “short” retention periods remain required but must not neutralise a pending right. Your policy should include a simple rule: “purge suspended upon access request.” This lock also applies to application logs where they contain identifiable personal data.
• Territoriality and cross‑border teams: whether processing occurs in Luxembourg, Belgium, France or Germany, GDPR obligations are common. APD 37/2026 sends a useful signal to groups operating from Luxembourg in the Greater Region: align purge rules and rights workflows. For local practices, explore GDPR in Luxembourg.

Frequent pitfalls

1. Blind batch/cron purges: automated deletion jobs do not check for pending requests. Without a DPO/IT‑triggered legal hold, deletion “breaks” the access right. Fix: add a “DSAR pending” state to the recording registry and an exclusion API in the tool.
2. Summary vs. copy confusion: providing an interview recap or an email summary is not enough. The EDPB requires a faithful reproduction of the personal data processed (audio/video excerpt, relevant metadata). Reference: EDPB, Guidelines 01/2022. EDPB – Right of Access.
3. Missing deadlines and refusal reasoning: silence beyond one month, or an unreasoned refusal without redress information (authority/court), violates Art. 12(4) and exposes you to corrective measures. Reference: EUR‑Lex, Arts. 12(3)–(4). EUR‑Lex – GDPR.
4. Overusing “trade secrets”: not a blanket excuse to refuse a copy. Seek proportionate modalities (redaction, blurring, supervised viewing) reconciling access rights and third‑party/legitimate interests.
5. No plan for blurring/anonymisation effort: when third parties appear in the video, anticipate the redaction workload (blur tools, processing time) or you may be tempted to delete “to go faster” — precisely the breach identified by the DPA.

Official sources

• Belgian DPA – Decision 37/2026 of 24 February 2026 (warning – access to an interview video and premature purge): https://autoriteprotectiondonnees.be/publications/avertissement-n0-37-2026.pdf.
• CNPD (Luxembourg) – Right of access (2026 update): timelines, scope, practical guidance: https://cnpd.public.lu/fr/particuliers/vos-droits/droit-acces.html.
• CNPD – Chapter III (Articles 12–22) – consolidated version, one‑month deadline and duty to inform in case of refusal: https://cnpd.public.lu/fr/legislation/droit-europ/union-europeenne/rgpd/chapitre-3.html.
• EUR‑Lex – Regulation (EU) 2016/679 (official text): Articles 12 and 15 (modalities and right of access/copy): https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679.
• EDPB – Guidelines 01/2022 on the right of access (final 2023): scope of “copy”, interplay with third‑party rights: https://www.edpb.europa.eu/news/news/2023/edpb-adopts-final-version-guidelines-data-subject-rights-right-access_sl.

In short: across Luxembourg and neighbouring countries, “strict” retention must never short‑circuit a triggered access right. Best practice is technical (automated legal hold), procedural (tracked DSAR workflows) and legal (reasoned responses within one month). APD 37/2026 is a textbook case for HR recordings and professional meetings. Need hands‑on support? Tell us about your constraints.

Luxgap regulatory expertise article. For personalised guidance on this topic, contact us or configure your online quote.