Workplace video surveillance: CNPD (8 days) vs CNIL (1 month)
The CNPD sets an 8‑day retention period “in principle,” while the CNIL allows up to one month. A concrete divergence affecting retention, DPIAs and employee information.
In short — The CNPD sets a standard “in principle 8 days” retention for video images, while the CNIL allows “in principle” up to one month. This gap affects retention settings, DPIAs and employee information.
The case
On 5 April 2024, the CNPD updated its “Storage limitation” page: “images may in principle be kept for up to 8 days,” with an extension to 30 days only on an exceptional, duly justified basis recorded in the register; beyond that, retention is “generally disproportionate” (ref. decision 14FR/2021) (CNPD, Guidelines — 5. Storage limitation). CNPD source.
Conversely, the CNIL states that retention for video protection systems “in principle does not exceed one month,” subject to justification by purpose and risk (CNIL, “Video surveillance in the workplace”; CNIL, “Video protection”). CNIL (workplace) — CNIL (videoprotection).
This national framing sits under EDPB Guidelines 3/2019 (final 30 Jan 2020), which set GDPR benchmarks for video devices. EDPB 3/2019 (EN) — (FR).
The legal reasoning
- GDPR basis. Retention limits derive from Art. 5(1)(e) GDPR, tied to purpose limitation (Art. 5(1)(b)) and data minimisation/necessity (Art. 5(1)(c)). Lawfulness (Art. 6) is typically legitimate interest. Transparency (Arts. 12‑13) and records (Art. 30) fully apply. For robust records and DPIAs, see our overview of GDPR Article 30/35.
- CNPD approach. A strict operationalisation: 8 days “in principle”; 30 days “exceptionally” with documented justification; beyond that = “generally disproportionate.” Automatic deletion is recommended; longer retention allowed in case of incidents/offences for handover to authorities. Continuous monitoring of workstations is effectively prohibited and private areas excluded. CNPD — Storage — CNPD — Necessity.
- CNIL approach. “In principle one month,” adjusted by purpose and risks; similar prohibitions (no permanent employee monitoring; private areas excluded). Reminders of French regimes (prefectural authorisation for public spaces) and DPIA required for “systematic monitoring at large scale” of publicly accessible areas. CNIL — Videoprotection — CNIL — Workplace.
- EDPB framework. Necessity/proportionality tests, masking, limiting field of view, and when a DPIA is required (Art. 35(3)(c)). DPAs may set stricter national benchmarks, as the CNPD does for retention.
What this changes in practice
- Luxembourg retention policy. Configure NVR/VMS to 8 days by default with auto‑purge. Exceed 30 days only with formal justification recorded and reviewed yearly; beyond 30 days, avoid unless linked to an incident handed to authorities (CNPD 5). CNPD reference. For hands‑on support and a compliant DPO mandate, explore our certified DPO service.
- Cross‑border groups (LU–FR–BE–DE). If harmonising, the strictest setting (8 days) reduces LU risk while remaining acceptable in FR. Document the choice in your LIA and records.
- DPIA: when is it truly required? France: clearly for systematic large‑scale monitoring of public areas; otherwise case‑by‑case. Luxembourg: CNPD anticipates a DPIA “in many cases” at work (large footprint, headcount, 24/7, analytics, HR data coupling). CNPD — DPIA — (DE) — EDPB 3/2019. For a pragmatic “GDPR Luxembourg” view aligned with CNPD expectations, see our LU GDPR guide.
- Employee information and social dialogue. In Luxembourg, Art. L.261‑1 requires prior information/consultation of employee representatives for processing “for surveillance purposes” (on top of GDPR notices). In France, information/consultation is also required, with distinct administrative steps (e.g., prefectural authorisation). CNPD — L.261‑1 — CNIL — Formalities.
Examples
- Multi‑site retail LU/FR covering entrances, tills, stockrooms: set 8 days everywhere; DPIA in LU if 24/7, analytics or high footfall; in FR, DPIA for large‑scale monitoring of public areas; apply masking at tills to avoid continuous filming of staff. CNPD — Necessity — CNIL — Workplace.
- LU bank HQ (lobbies, parking, server room): 8 days by default; 30 days if duly justified by repeated incidents; DPIA recommended given sensitivity; L.261‑1 collective information and two‑level signage. CNPD — Storage — CNPD — L.261‑1.
Common pitfalls
- Keeping “by default” 30 days in Luxembourg: CNPD sets 8 days in principle; 30 days are exceptional and must be recorded with justification. CNPD reference.
- Continuous filming of workstations: deemed disproportionate by CNPD; same prohibition in CNIL guidance. CNPD — Necessity — CNIL — Q&A.
- Skipping prior collective information in Luxembourg: L.261‑1 requires informing/consulting staff representatives for “surveillance” purposes. CNPD text.
- Skipping the DPIA “because the site is not public”: CNPD often expects one in workplace contexts; in France, at least screen and document. CNPD — DPIA — EDPB 3/2019.
- Poor signage: clear level‑1 signs and full level‑2 notices are required. CNIL — Videoprotection.
Need DPO support to align retention, DPIAs and social dialogue? Reach out via our contact page.
Luxgap regulatory expertise article. For personalised guidance on this topic, contact us or configure your online quote.
A question on this topic?
Our team usually replies within one business day. Configure your quote or write to us.
Build my quote →