The Commission Nationale pour la Protection des Données (“CNPD”) has recently issued new guidance on the recording of meetings in the private sector, clarifying how such practices should be assessed under the GDPR.

In the absence of specific Luxembourg legislation, the legality of recording meetings must be evaluated based on GDPR requirements. While consent might seem like the obvious path, the CNPD warns that it is often difficult to obtain validly in a workplace, as it must be freely given, informed, and unambiguous.

Alternatively, organizations may consider legitimate interest as a legal basis. However, this is not a “blank check” to record every interaction. To rely on this basis, companies must proactively demonstrate that recording is necessary and proportionate, and that it does not disproportionately affect the rights and freedoms of participants. This requires a careful, case-by-case assessment, taking into account the context of the meeting and its potential impact on individuals.

The CNPD also emphasizes that recordings should only be retained for a limited period and must be deleted once the meeting minutes have been finalized and approved.

This guidance highlights the importance of a cautious and well-reasoned approach to recording meetings in compliance with the GDPR.

Key takeaways

Recording should not be a systematic practice but must rely on a solid legal basis, such as legitimate interest, to be assessed on a case-by-case basis. The file must be deleted as soon as the minutes are finalized. The legitimacy of the practice now depends as much on its initial justification as on its deletion once it is no longer needed.