CNPD — Workplace video surveillance: proportionality, DPIA and employee rights

Workplace cameras are allowed in Luxembourg, but under strict rules: a legal basis, proportionality, a frequently required DPIA, L.261‑1 information duties and employee rights. Document everything, camera by camera.

Summary — Workplace video surveillance in Luxembourg is governed by the GDPR, the CNPD, and Labour Code article L.261‑1. Strict proportionality, collective and individual information, and often a DPIA before rollout.

The general rule

  • GDPR legal basis. Video surveillance processes identifiable personal data: it must rely on an Article 6 GDPR legal basis, most often legitimate interests (Art. 6(1)(f)) — not consent, which is rarely “freely given” in an employment context. See GDPR Arts. 6 and 13 on EUR‑Lex. (eur-lex.europa.eu)
  • Records and security. The processing must appear in the records of processing activities (Art. 30) and be protected by appropriate measures (Art. 32). (cnpd.public.lu)
  • DPIA. An impact assessment (Art. 35) is required when processing is “likely to result in a high risk,” which is frequent for video surveillance (systematic monitoring, “vulnerable” data subjects such as employees, public areas). (cnpd.public.lu)

Under Luxembourg law, Labour Code article L.261‑1 complements the GDPR: prior collective information to employee representatives (in addition to individual GDPR information), scope of admissible purposes, and an optional prior CNPD opinion at the request of the staff delegation/employees, with suspensive effect for one month. (cnpd.public.lu)

For practical governance, consider a certified DPO mandate and local resources on GDPR Luxembourg compliance.

What the regulator says

  • CNPD (guidance, April 2024). No prior authorization since the GDPR, but records (Art. 30) and core principles (purpose, transparency, necessity, storage limitation) are mandatory; CNPD provides a signage template. (cnpd.public.lu)
  • Proportionality: ban on continuous filming of workstations; ban on private areas (toilets, changing rooms, smoking areas, break rooms, staff delegation room, kitchenette, etc.). Admissible vs. problematic zones illustrated. (cnpd.public.lu)
  • DPIA: “reasonable to presume” that a DPIA will be needed in many cases; apply the WP29 nine criteria and EDPB Guidelines 3/2019. (cnpd.public.lu)
  • Labour Code (L.261‑1). Notify employee representatives with detailed purposes, modalities, retention criteria and commitment not to repurpose. 15 days for the delegation to seek a prior CNPD opinion (suspensive effect); CNPD replies within one month. (cnpd.public.lu)
  • EDPB (Guidelines 3/2019): legal basis, layered information (signs + detailed notice), proportionality, short retention, minimization (masking, privacy zones, rolling overwrites). (edpb.europa.eu)
  • CNPD decisions. Decision 27FR/2021 (15.07.2021): disproportionate field of view and insufficient information → corrective measures and fine. (cnpd.public.lu)

How to apply it in practice

Example: a company plans cameras at reception, the warehouse entrance and a checkout.

Before processing

  1. Define the purpose and test necessity
    Typical purposes: safety of people and assets, crime prevention, evidence collection. Exclude performance/behavior monitoring. Document less intrusive alternatives (access control, guards, lighting, sensors). (cnpd.public.lu)
  2. Choose the legal basis and draft the LIA
    Perform a Legitimate Interests Assessment: purpose, necessity, balancing, safeguards (masking, narrow angles, exclusion zones, restricted access, access logs). Base: Art. 6(1)(f) GDPR. (eur-lex.europa.eu)
  3. Conduct a DPIA
    Apply Art. 35 GDPR + WP29 criteria (systematic monitoring, “vulnerable” employees). Many deployments require a DPIA, especially if public areas are monitored at scale. (cnpd.public.lu)
  4. Prior information and internal consultation
    Provide collective information to staff representatives: purposes, modalities, retention criteria, no-repurposing commitment. 15 days to request a prior CNPD opinion (suspensive effect); decision within one month. Prepare individual Art. 13 information in parallel. (cnpd.public.lu)
  5. Update the records (Art. 30)
    Create the “Video surveillance” ROPA entry: purpose, legal basis, data categories, recipients, transfers, retention, security, processors. (cnpd.public.lu)

During processing (deployment and operation)

  1. Privacy by design
    Limit angles to the objective (e.g., cover the checkout and client area, not the employee continuously), apply masking, install no microphones unless necessary and backed by a specific legal basis, and exclude private areas (changing rooms, restrooms, break rooms, delegation room…). (cnpd.public.lu)
  2. Layered information
    Visible, compliant signage (camera icon, purpose, controller/DPO, link to full notice), then detailed Art. 13 notice. CNPD templates available. (cnpd.public.lu)
  3. Security and access
    Art. 32 measures: strict access control, encryption, logging, role separation, controlled export, regular tests. Limit and log each viewing. (gdpr.eu)

After processing (ongoing management)

  1. Retention periods
    Keep footage for a short, justified time (a few days to weeks), with automatic deletion/overwrite; retain longer only if an incident occurred and evidence is needed, duly documented. Mention these criteria in L.261‑1 and Art. 13 information. (cnpd.public.lu)
  2. Controls and review
    Annually reassess necessity, proportionality, the LIA and DPIA; verify camera fields haven’t drifted. Rely on CNPD case law (e.g., 27FR/2021). (cnpd.public.lu)
  3. Data subject rights
    Set up channels and deadlines (access, erasure, objection, restriction), verify identity, blur third parties where needed. Record justified refusals (e.g., rights of others or ongoing investigation). Basis: GDPR Arts. 12‑15. (eur-lex.europa.eu)

Common pitfalls

  1. Continuous filming of workstations “for security” when narrower angles suffice. (cnpd.public.lu)
  2. Omitting L.261‑1 collective information or not waiting for the outcome of a prior CNPD opinion request (suspensive effect). (cnpd.public.lu)
  3. No DPIA despite multiple WP29/EDPB criteria being met. (cnpd.public.lu)
  4. Incomplete signs and no accessible Art. 13 notice. (cnpd.public.lu)
  5. Repurposing footage to evaluate performance or sanction lateness: prohibited purpose creep. (cnpd.public.lu)

Official sources

As of May 2026, Luxembourg authorities are clear: document legitimate interests, test proportionality for each camera, run a DPIA when criteria are met, follow the L.261‑1 procedure and provide unambiguous information.

Luxgap regulatory expertise article. For personalised guidance on this topic, contact us or configure your online quote.
