Workplace video surveillance: CNIL fine of 2 April 2026
On 02/04/2026, the CNIL imposed a €7,500 fine for CCTV non-compliance. In Luxembourg, the CNPD likewise requires proportionality, frequent DPIAs and two-layer information.
On 2 April 2026, the CNIL fined a retail operator €7,500 for multiple CCTV infringements. Key takeaway for Luxembourg organisations: the CNPD applies the same fundamentals (proportionality, DPIA, information). To structure your programme, see our approach to GDPR compliance in Luxembourg.
The case
On 02/04/2026, the CNIL, in a simplified procedure, imposed a €7,500 administrative fine on a “company operating toilet boutiques.” Failures included lack of a lawful basis, breach of data minimisation (disproportionate framing), inadequate processor governance (Art. 28 GDPR) and absence of a DPIA (Art. 35). Official source: CNIL — Sanctions (entry “02/04/2026 — SOCIÉTÉ EXPLOITANT DES BOUTIQUES TOILETTES”).
Why does this matter in Luxembourg? Because the CNPD’s guidelines, revised in 2024 and current in 2025, set very similar expectations and, on key points (workstation proportionality, information and DPIA), local practice is stringent. See the CNPD CCTV Guidelines.
Legal reasoning
- Legal basis and principles. Workplace video processing must rely on an Art. 6(1) GDPR basis, typically legitimate interests (6(1)(f)), supported by a documented balancing test (LIA). Art. 5 principles apply: purpose limitation (5(1)(b)), minimisation/proportionality (5(1)(c)), storage limitation (5(1)(e)), transparency (Arts. 12–13). The 02/04/2026 case penalised precisely lawfulness/minimisation defects. CNIL — Sanctions.
- Luxembourg specifics. Labour Code Art. L.261‑1 governs processing “for monitoring purposes in the employment context”: individual employee information (Arts. 12–13 GDPR) and prior collective information of staff representation are mandatory. The CNPD stresses that employees should not, in principle, be subject to continuous permanent monitoring and that certain areas (toilets, changing rooms, break areas, kitchenettes, staff delegation rooms, etc.) must not be filmed. CNPD — L.261‑1 and proportionality.
- DPIA (Art. 35 GDPR). CCTV frequently triggers a DPIA, especially for “systematic monitoring of a publicly accessible area on a large scale” (Art. 35(3)(c)). The CNPD states this explicitly; the CNIL also sanctioned the absence of a DPIA on 02/04/2026. CNPD — DPIA for CCTV and CNIL — Sanctions.
- EU framework (EDPB). EDPB Guidelines 3/2019 on video devices cover: legal basis choice, necessity/proportionality test, zones/angles, two-layer information (sign + full notice), storage limitation and DPIA. EDPB Guidelines 3/2019.
- Processors (Art. 28 GDPR). Any CCTV vendor (installation/O&M, remote monitoring, cloud VMS) must be governed by a compliant DPA (purposes, documented instructions, confidentiality, security, sub‑processors, DPIA assistance, audit). The 02/04/2026 decision flagged missing controller–processor governance. CNIL — Sanctions.
What this changes in practice
- Where to place cameras. In Luxembourg, continuous filming of workstations where staff are permanently present (open spaces, offices, workshops) is generally disproportionate. Risk areas (entrances, stockrooms, docks, car parks, server rooms) are typically admissible if tightly scoped. Expect masking/zoning, privacy shields, and a precise purpose per camera. CNPD — Proportionality.
- When to do a DPIA. A DPIA is required for medium/large‑scale monitoring of publicly accessible areas (customer seating, lobbies, checkouts), cumulative high‑risk factors (systematic surveillance, vulnerable data subjects, scale) or interconnection with biometrics/access control. CNPD — CCTV DPIA; EDPB 3/2019.
- Informing staff and the public. Two-layer information is expected: a front‑of‑area sign (pictogram, controller, key purposes, legal basis, rights, contact) pointing to a full notice (site/secondary panel) with retention, recipients, transfers, DPO, redress. Absent/insufficient information is a recurring ground for sanctions. CNPD — 2024 update; EDPB 3/2019.
- Record of processing and processors. Log each system in the Art. 30 record and formalise DPAs with the installer/maintainer and the storage host (Art. 28). During audits, authorities often request the record and signed DPAs. Missing contractual governance was explicitly sanctioned on 02/04/2026. CNIL — Sanctions; CNPD — Guidelines.
- Mandatory social dialogue. Before go‑live, inform the staff delegation (prior collective information per Art. L.261‑1), in addition to individual notices. Keep evidence and minutes. CNPD — L.261‑1.
Common pitfalls
- Filming prohibited/sensitive areas. For example, cameras that partly frame toilets, changing rooms, break areas or staff delegation rooms. This must be avoided; document masks and limited angles. CNPD — Proportionality.
- Equating “asset security” with “permanent employee monitoring.” “Security” does not justify continuous workstation surveillance. Prefer deterrent coverage of entrances/high‑risk zones with prior social consultation. CNPD — Guidelines.
- Skipping the DPIA when required. The CNIL sanctioned the absence of a DPIA on 02/04/2026; repeating this in Luxembourg risks corrective orders and fines. CNIL — Sanctions; CNPD — DPIA.
- Letting the vendor “handle it” without a DPA. No VMS or remote monitoring without an Art. 28‑compliant DPA, security clauses, role allocation and audit rights. This was flagged in the 02/04/2026 decision. CNIL — Sanctions.
- Overlong retention. Set short, risk‑based periods (e.g., 7–30 days), with automatic, logged purge. Document exceptions (law enforcement hold, internal investigation). CNPD — Guidelines.
Official sources
- CNIL — Sanctions (entry 02/04/2026: “SOCIÉTÉ EXPLOITANT DES BOUTIQUES TOILETTES”)
- CNPD — CCTV Guidelines (updated 05/06/2025)
- CNPD — Labour Code Art. L.261‑1
- CNPD — Proportionality/minimisation
- CNPD — CCTV DPIA
- CNPD — 2024 update (information)
- EDPB — Guidelines 3/2019
To steer DPIAs, information, records and processor contracts, a certified DPO mandate can support you from design to audit. Start the conversation via our contact form.
Luxgap regulatory expertise article. For personalised guidance on this topic, contact us or configure your online quote.