Recording meetings and calls: €250,000 fine — CNPD framework 2026
On 16/10/2025, the CNIL fined a call center €250,000 for poorly governed recordings. Since April 2026, the CNPD has provided a dedicated framework for meeting recordings: legal basis, transparency, retention, security, and DPIA.
Summary — On 16 October 2025, the CNIL fined a call center €250,000 for non‑compliant recordings (minimisation, retention, security). Since April 2026, the CNPD has made available a practical file on meeting recordings: in Luxembourg, you now need the right legal basis, clear information, very short retention, robust security and, where required, a DPIA.
The case
CNIL decision of 16/10/2025: “Call center company” — cumulative infringements of data minimisation, storage limitation and security — €250,000 fine, published in “Les sanctions prononcées par la CNIL” (simplified procedure, identity not disclosed). Official reference: cnil.fr. This highlights the sensitivity of call recordings and, by extension, workplace audio/video meeting recordings.
Legal reasoning
GDPR provisions relied upon
- Article 5(1)(c) data minimisation: no “full and systematic” recording without strict necessity. The 16/10/2025 decision explicitly cites minimisation (cnil.fr).
- Article 5(1)(e) storage limitation: justified, configured retention with tested deletions; “Duration of retention” cited as a breach (cnil.fr).
- Article 32 security: access control, encryption, logging, restore testing; “Lack of security” was also upheld as a breach (cnil.fr).
CNPD framework (Luxembourg)
- Audio meetings: April 2026 thematic file “Sound recording of meetings” — legal basis (consent often unsuitable in hierarchical settings; legitimate interest if necessity is demonstrated), information, minimisation, data subject rights (cnpd.public.lu and file).
- Workplace video surveillance: “in principle up to 8 days” (30 days exceptionally and duly justified), DPIA often required, bans on filming certain areas; a baseline transposable to internal audio/video when aimed at control/security (cnpd.public.lu).
EDPB position
- Guidelines 3/2019 (video): necessity, specified purposes, transparency, zoning/configuration, short retention, DPIA for high risk (edpb.europa.eu).
- Guidelines 1/2024 (legitimate interest): documented balancing (LIA) and effective safeguards; perceived “usefulness” alone is insufficient (edpb.europa.eu).
Finance-specific (Luxembourg/EU)
Where recording is mandated, the legal basis is legal obligation (GDPR art. 6(1)(c)). Under MiFID II, Directive 2014/65/EU art. 16(7) and Delegated Regulation (EU) 2017/565 art. 76 require recording communications related to orders/transactions, with ongoing oversight. References: EUR‑Lex and Delegated Regulation.
What this changes in practice
- Legal basis: document your choice.
  - Legitimate interest (art. 6(1)(f)) if necessity is demonstrated (e.g., accuracy of minutes for sensitive decisions) with an EDPB 1/2024‑aligned LIA; provide an alternative for unwilling participants (edpb.europa.eu).
  - Legal obligation if a sectoral rule requires it (e.g., MiFID II) (EUR‑Lex).
- Transparency (art. 13): before and at the start — purpose, basis, retention, recipients, rights.
- Short, controlled retention: “until drafting and approval of the minutes,” then deletion/redaction; by analogy, target very short periods (CNPD recalls “up to 8 days” for video) (cnpd.public.lu).
- Security: encrypted storage, restricted access, logging, no export outside controlled IT; deletion tests. To operationalise this, outsourced CISO support can accelerate technical compliance.
- Governance: update the records of processing (art. 30), assess DPIA where high risk (systematic employee monitoring, potential sensitive data), organise data subject rights (cnpd.public.lu). A certified DPO mandate helps structure analysis and documentation of GDPR Articles 30/35.
Likely to be sanctionable soon
- “Default” recording of all Teams/Meet sessions “for later”.
- Long “comfort” retention without justification and without tested automatic purges.
- Lack of clear, immediate participant information.
- Over‑broad access, no encryption, no access logs.
- Incoherent legal basis (e.g., illusory consent in hierarchical settings).
These mirror the 16/10/2025 CNIL fine (cnil.fr).
Common pitfalls
- Consent at work: rarely “freely given”. Provide a real alternative (no recording absent full consent, or pause when a person speaks) (cnpd.public.lu).
- Vague retention: prohibited. Set an objective period and test deletion. CNIL flagged poor retention control (16/10/2025) (cnil.fr).
- Over‑broad purposes: split “training / evidence / quality / history”; minimise. In finance, isolate MiFID II recordings (EUR‑Lex).
- Missing DPIA: EDPB criteria often met (systematic monitoring, vulnerable data subjects). Without a DPIA, exposure increases (cnpd.public.lu).
- Theoretical security: open shares, no encryption, no logs. Article 32 requires effective measures; CNIL reiterated this in the €250,000 fine (cnil.fr).
Official sources
- CNIL — “Les sanctions prononcées par la CNIL” (16/10/2025) — https://www.cnil.fr/fr/les-sanctions-prononcees-par-la-cnil
- CNPD — “Enregistrement sonore des réunions” (Apr 2026) — https://cnpd.public.lu/fr/dossiers-thematiques/enregistrement-sonore-reunions.html and announcement
- CNPD — Video surveillance: retention “up to 8 days” — https://cnpd.public.lu/fr/dossiers-thematiques/surveillance/videosurveillance/limitation-conservation.html
- CNPD — DPIA and video surveillance — https://cnpd.public.lu/fr/dossiers-thematiques/surveillance/videosurveillance/aipd.html and necessity / proportionality
- EDPB — Guidelines 3/2019 (video) — https://www.edpb.europa.eu/documents/guideline/guidelines-32019-on-processing-of-personal-data-through-video-devices_en
- EDPB — Guidelines 1/2024 (legitimate interest) — https://www.edpb.europa.eu/our-work-tools/documents/public-consultations/2024/guidelines-12024-processing-personal-data-based_en
- MiFID II — Directive 2014/65/EU, art. 16(7) — https://eur-lex.europa.eu/legal-content/en/ALL/?uri=CELEX:32014L0065 and Delegated Regulation (EU) 2017/565, art. 76 — https://www.legislation.gov.uk/eur/2017/565/pdfs/eur_20170565_2017-12-14_en.pdf
In a nutshell
The 16/10/2025 CNIL fine confirms that blanket recording of calls/meetings without necessity, clear information, controlled deletion, and solid security will be sanctioned. Since April 2026, the CNPD has provided an operational playbook to frame these practices in Luxembourg.
Luxgap regulatory expertise article.