Workplace Surveillance and Monitoring in Luxembourg
Since the GDPR came into force in 2018, employee surveillance in Luxembourg no longer requires prior authorisation from the CNPD. It is now analysed as personal data processing governed by the GDPR and Article L.261-1 of the Labour Code. The employer must therefore identify a lawful basis, comply with a mandatory prior information obligation, and — above all — ensure the proportionality of the monitoring arrangement: a legally valid but poorly calibrated surveillance system can render a disciplinary sanction or dismissal unenforceable.
1. Surveillance as data processing: the 2018 paradigm shift
Before 2018, any employee surveillance system required prior authorisation from the CNPD. When the GDPR entered into force, that regime was abolished and replaced by a system based on employer accountability.
In practice, an employer may deploy a surveillance system without prior administrative authorisation, provided they:
- Identify a valid lawful basis under Article 6 GDPR.
- Comply with the mandatory prior information obligation under Article L.261-1 of the Labour Code.
- Apply the proportionality principle and data minimisation.
- Maintain a record of processing activities documenting the surveillance system.
2. The lawful basis: what actually justifies surveillance
Article L.261-1, §1 of the Labour Code refers to the lawfulness conditions of Article 6 GDPR. In practice, in an employment relationship, the relevant grounds are:
The bases normally relied upon
- Legitimate interests of the employer (Art. 6-1-f GDPR): protection of company assets, security of facilities, prevention of internal fraud, enforcement of IT usage policies. This is the most commonly invoked basis — provided the employer's interest is not overridden by the employee's fundamental rights.
- Legal obligation (Art. 6-1-c GDPR): where sectoral regulation itself mandates traceability (financial sector, healthcare, transport).
- Performance of a contract (Art. 6-1-b GDPR): in limited cases where monitoring is inherent to the contract terms (e.g. call centre operators whose calls are recorded for training purposes, as contractually provided).
3. The mandatory prior information obligation (Art. L.261-1, §2)
Before implementing any surveillance system, the employer must inform:
- The joint committee or, failing that, the staff delegation or, failing that, the ITM (for private-law contracts).
- The competent staff representative bodies for statutory employment regimes.
This information must be detailed and include at minimum:
- The purpose of the processing (the specific objective for which monitoring is implemented).
- The implementation modalities (type of system, scope, data access).
- The data retention period or the criteria used to determine it.
- A formal commitment not to repurpose the data for any purpose other than that declared.
- The employees' GDPR rights: right of access, rectification, restriction of processing, and right to lodge a complaint with the CNPD.
4. The proportionality principle: a sine qua non condition
Even where the lawful basis is valid and the information has been provided, surveillance is only lawful if the system is strictly necessary and proportionate to the objective pursued. This principle derives from Article 5-1-c GDPR (data minimisation) and directly conditions the evidentiary value of the information gathered.
Four criteria are used to assess proportionality:
- The system must be necessary: the objective cannot be achieved by a less intrusive means.
- It must be adequate: the data collected must be useful to the declared purpose.
- It must be limited: no collection beyond what is strictly necessary (duration, scope, frequency).
- It must not establish permanent or systematic monitoring without specific justification.
Examples of systems generally regarded as proportionate:
- Video surveillance of entrances, access points, storage areas
- Badge-based access control (hours, zones)
- Geolocation of company vehicles (optimisation, safety)
- Computer access logging (connection logs)
- Call recording in call centres (training, quality), contractually provided
- URL filtering on the company network
Examples of systems generally regarded as disproportionate:
- Permanent video surveillance of an individual workstation
- Continuous audio capture unrelated to a specific task
- Access to the content of an employee's private emails
- Continuous geolocation of an employee outside working hours
- Systematic monitoring of communications without a prior usage policy
- Keyloggers or continuous screenshot capture
5. Employee rights and recourse
CNPD opinion on system compliance (Art. L.261-1, §4)
Within 15 days of the prior information, the staff delegation or employees concerned may request the CNPD's opinion on the compliance of the proposed system. This referral has a one-month suspensive effect: the employer may not deploy the system during that period.
This is not an administrative authorisation but a consultation mechanism allowing the CNPD to examine the system and, where appropriate, flag a non-compliance before implementation.
Individual right of complaint (Art. L.261-1, §5)
Any employee may at any time lodge an individual complaint with the CNPD if they consider that the processing of their personal data under a surveillance system violates the GDPR or Article L.261-1.
Individual GDPR rights
Independently of the specific L.261-1 procedure, each employee has the following GDPR rights against their employer:
- Right of access (Art. 15 GDPR): obtain confirmation that data concerning them is being processed and receive a copy.
- Right to rectification (Art. 16 GDPR): have inaccurate data corrected.
- Right to restriction (Art. 18 GDPR): have processing temporarily suspended where it is contested.
- Right to object (Art. 21 GDPR): object to processing based on legitimate interests, subject to the employer's compelling legitimate grounds.
6. Special cases
Surveillance for specific purposes (Art. L.261-1, §3)
Specific rules apply where monitoring is directly justified by one of the following objectives:
- Employee health and safety (Art. L.211-8): surveillance systems integrated into occupational risk prevention obligations.
- Control of production or services (Art. L.414-9): only where it is the sole means of determining the employee's exact wage.
- Organisation of work on flexible schedules (Art. L.423-1): badge readers and working-time recording systems.
Co-determination in companies with at least 150 employees (Art. L.414-9)
In companies employing at least 150 employees, the introduction of certain technical installations designed to monitor employee behaviour or performance falls under the co-determination regime with the staff delegation provided for by Article L.414-9. The decision must in that case be taken by mutual agreement between the employer and the delegation.
7. Evidentiary value of surveillance data
The legality of the surveillance system directly determines whether the data gathered can be used in disciplinary proceedings or employment litigation.
Luxembourg case law assesses the admissibility of such evidence on a case-by-case basis. The court examines in particular:
- Compliance with the prior information obligations under Art. L.261-1.
- The declared purpose: was the data used for the stated objective, or repurposed for other ends?
- The proportionate nature of the system in the specific circumstances of the case.
The information in this guide is provided for informational purposes only and does not constitute legal advice. It may contain inaccuracies or may not reflect the latest legislative or case-law developments. For any specific situation, please consult a qualified legal professional.