Luxembourg Recording Laws: All-Party Consent Rules and Penalties (2026)

Overview of Luxembourg Recording Laws

Luxembourg treats the unauthorized recording of private communications as a serious criminal matter. The Grand Duchy's legal system layers constitutional protections, dedicated privacy statutes, criminal code provisions, and EU-derived regulations into a framework that demands the consent of all parties before any recording takes place.

This is not a technicality that prosecutors ignore. Luxembourg courts have applied these laws in practice, and the country's data protection regulator, the Commission Nationale pour la Protection des Donnees (CNPD), has built an active enforcement record that includes on-site investigations of surveillance systems and fines for non-compliant recording practices.

For anyone living in Luxembourg, doing business there, or placing a phone call into the country, the rules are clear: get consent from everyone on the line, or do not press record.

Constitutional Foundation: Articles 11 and 28

Luxembourg's privacy protections begin at the constitutional level. Article 11(3) of the Constitution guarantees the right to protection of private life, subject only to exceptions established by law.

Article 28 goes further with a direct statement: the secrecy of correspondence is inviolable. The provision tasks the legislature with defining penalties for anyone who violates the secrecy of correspondence entrusted to postal services and with establishing safeguards for the secrecy of telegraphic communications.

While Article 28 was drafted in an era of physical mail and telegraph wires, Luxembourg courts and legislators have extended its principles to cover modern telecommunications and electronic communications. These constitutional provisions form the bedrock on which all subsequent recording and surveillance legislation rests.

The Act of 11 August 1982: Privacy Protection Law

The Loi du 11 aout 1982 concernant la protection de la vie privee is the primary criminal statute governing the recording of conversations in Luxembourg. It predates the digital era but remains fully in force and applies to both analog and digital recording methods.

Article 1: The Right to Privacy

Article 1 establishes that every person has the right to respect for their private life. Courts may order preventive measures, including seizure, to halt ongoing privacy violations. This creates both a criminal and civil cause of action for unauthorized recording.

Article 2: Recording Private Conversations

Article 2 is the provision that directly criminalizes unauthorized recording. It punishes anyone who intentionally violates the intimacy of another person's private life through the following acts:

Listening to or recording private words. Using any device to listen to, record, or transmit words spoken privately without the consent of the speaker is a criminal offense. This covers phone calls, in-person conversations, and any other verbal exchange where the participants have a reasonable expectation of privacy.

Observing or recording people in private spaces. Capturing or transmitting the image of a person located in a non-public place without their consent falls under the same prohibition. This extends to video recordings that capture both image and sound.

Intercepting sealed messages. Opening, reading, or accessing the contents of a sealed message addressed to someone else without authorization is also covered.

Penalties Under the 1982 Act

Violations of Article 2 carry imprisonment of 8 days to 1 year and fines of 251 to 5,000 euros, or either penalty alone. These are not theoretical maximums. The law provides for actual prosecution and sentencing within these ranges.

Article 3 extends the same penalties to anyone who installs devices designed to facilitate the prohibited recording or surveillance activities.

Article 4 targets the downstream use of illegal recordings. Knowingly retaining, possessing, or disclosing recordings obtained in violation of the law carries identical penalties.

Article 7 imposes heavier penalties when someone who participated in authorized monitoring reveals the contents of those communications for personal gain or to harm another person. In those cases, the punishment increases to 2 months to 2 years of imprisonment and fines of 2,501 to 100,000 euros (amounts originally denominated in francs and converted to euros).

Limited Exception for Telephone Network Personnel

The 1982 Act includes one narrow exception. Personnel responsible for maintaining or supervising a public or private telephone network may listen to communications in the exercise of their technical duties to ensure proper functioning of the connection. Even under this exception, those personnel must maintain confidentiality about anything they overhear.

The Act of 30 May 2005: Electronic Communications Privacy

The Loi modifiee du 30 mai 2005 transposed the European ePrivacy Directive (2002/58/EC) into Luxembourg law. It specifically addresses privacy in the electronic communications sector and adds another layer of protection on top of the 1982 Act.

Article 4: Confidentiality of Communications

Article 4 is the central provision. It prohibits any person other than the user concerned from listening to, intercepting, storing, or engaging in any other form of surveillance of electronic communications or the traffic data relating to those communications, without the consent of the user concerned.

This is a broad prohibition. It covers the content of calls and messages, the metadata about those communications (who called whom, when, for how long), and any form of monitoring or interception. Service providers, employers, third parties, and private individuals are all bound by this rule.

Penalties Under the 2005 Act

Violations of Article 4 are punished by imprisonment of 8 days to 1 year and fines of 251 to 125,000 euros. The maximum fine here is significantly higher than under the 1982 Act, reflecting the legislature's view that electronic communications interception poses a greater systemic risk.

The Business Recording Exception

Article 4 of the 2005 Act contains a limited exception that permits the recording of telephone calls in a business context. This exception applies only when all of the following conditions are met:

The recording documents a commercial transaction. The recording must be carried out in the context of lawful professional practices for the purpose of providing evidence of a commercial transaction. This covers orders, contracts, reservations, and similar business dealings.

All parties receive advance notice. Before any recording begins, the parties to the transaction must be informed that the call may be recorded. A beep tone alone does not satisfy this requirement. The notice must be clear and explicit.

The purpose is stated. The parties must be told why the recording is being made and what it will be used for.

Retention limits are disclosed. The maximum period for which the recording will be stored must be communicated to the parties.

This exception is narrower than what many businesses assume. It does not authorize blanket recording of all business calls. It applies specifically to calls that relate to commercial transactions, and the notification and purpose requirements are mandatory. Recording a general business discussion, a complaint call, or an internal meeting does not fall within this exception unless those calls relate directly to a provable commercial transaction.

Code Penal: Additional Criminal Provisions

Beyond the dedicated privacy statutes, the Luxembourg Code Penal contains provisions that can apply to recording and interception offenses.

Article 460: Violation of Correspondence

Article 460 punishes anyone convicted of suppressing or opening a letter entrusted to the postal service in order to violate its secret. Penalties are 8 days to 1 month of imprisonment and fines of 251 to 2,000 euros, or either penalty alone. While this provision targets physical mail, courts have considered its principles in the context of digital communications.

Article 509-3: Unauthorized Data Interception

Article 509-3 addresses the intentional interception of data during non-public transmissions to, from, or within a computer system. This provision catches digital wiretapping and the interception of electronic messages that might not fall neatly under the 1982 or 2005 Acts. Penalties are notably steeper: 3 months to 3 years of imprisonment and fines of 1,250 to 12,500 euros.

This is the provision most likely to apply when someone intercepts emails, instant messages, or data transmissions rather than voice calls. The three-year maximum prison sentence makes it the harshest criminal penalty available for recording-related offenses in Luxembourg.

Judicial Wiretapping: Articles 88-1 and 88-2

Luxembourg law permits law enforcement to intercept communications, but only under strict judicial oversight. Articles 88-1 through 88-4 of the Code d'instruction criminelle govern lawful interception.

A judge may authorize wiretapping only when investigating serious crimes punishable by two or more years of imprisonment, and only when ordinary investigation methods have proven ineffective due to the nature of the facts and the special circumstances of the case.

Wiretap orders are granted for one-month periods. They may be renewed repeatedly, but the cumulative duration cannot exceed one year. The 2018 amendments to these provisions, enacted through the law of 27 June 2018, expanded the scope to include audio recording, image capture, and digital data collection, while limiting these enhanced measures to offenses against state security and acts of terrorism.

These provisions were further modified by the Act of 30 May 2005, which updated Articles 88-2 and 88-4 to reflect the realities of modern electronic communications infrastructure. Service providers are required to provide technical data and equipment to assist competent authorities in carrying out lawfully authorized surveillance.

GDPR and CNPD Enforcement

Since May 25, 2018, the General Data Protection Regulation (GDPR) applies directly in Luxembourg. Any recording of a person's voice or image constitutes processing of personal data under the GDPR, which means recording activities must comply with both the criminal statutes described above and the GDPR's requirements for lawful data processing.

The CNPD's Role

The Commission Nationale pour la Protection des Donnees (CNPD) is Luxembourg's national data protection authority. It oversees GDPR compliance, investigates complaints, conducts on-site inspections, and imposes administrative fines.

The CNPD has made surveillance and recording compliance a priority enforcement area. In 2022, the authority concentrated its investigation resources on two topics: the appointment of data protection officers and the compliance of video surveillance systems with the GDPR. These investigations targeted municipal authorities, schools, and private sector companies.

Enforcement Track Record

The CNPD has issued fines for surveillance and recording violations. In July 2022, a bank received a 10,000 euro fine for operating a video surveillance system that failed to adequately inform the people being filmed. The investigation revealed that simply posting a sign with a camera icon was not sufficient notice under the GDPR. Controllers must provide information about the purpose of the processing, who is responsible, and where individuals can exercise their data rights.

The CNPD has also fined companies for failing to inform people about camera surveillance, with penalties as low as 1,000 euros for smaller infractions and up to 7,200 euros for video surveillance that violated proportionality requirements.

On the extreme end of the enforcement spectrum, the CNPD imposed a 746 million euro fine on Amazon Europe Core for GDPR violations related to data processing and transparency. While that case involved targeted advertising rather than recording, it demonstrated the CNPD's willingness to use its full enforcement authority. The Administrative Court of Luxembourg upheld the fine in March 2025.

GDPR Penalty Ranges

For recording and surveillance violations that breach the GDPR, the CNPD can impose administrative fines of up to 20 million euros or 4% of total global annual turnover, whichever is higher. These administrative penalties apply on top of any criminal sanctions under Luxembourg's domestic statutes.

Phone Calls vs. In-Person Conversations

Luxembourg law does not draw a meaningful distinction between recording phone calls and recording face-to-face conversations. Both are covered, and both require all-party consent.

Phone Calls

The Act of 30 May 2005 governs the recording of phone calls and other electronic communications. No telephone call can be recorded without the knowledge and consent of the person being called. The only exception is the narrow business transaction provision described above, and even that requires advance notification rather than mere consent.

In-Person Conversations

The Act of 11 August 1982 covers the recording of private spoken words in any setting. Using any device to listen to, record, or transmit words spoken privately, without the consent of the speaker, is criminal. This applies whether the conversation takes place in a home, an office, a restaurant, or any other location where the participants would reasonably expect privacy.

Public Spaces

The distinction that matters in Luxembourg is between public and private settings. The 1982 Act specifically protects "paroles prononcees en prive," meaning words spoken in private. Conversations held in a genuinely public setting, where the speakers cannot reasonably expect privacy, may fall outside the statute's protection. However, this is a narrow exception. A conversation between two people at a quiet table in a public cafe could still be considered private depending on the circumstances.

Video recording in public spaces is regulated separately through GDPR and CNPD guidelines. Cameras in public or semi-public areas must be visible, marked with appropriate signage, and limited to images without sound recording. Video surveillance data must generally be deleted within eight days, though this period can be extended to thirty days when justified.

Workplace Recording and Monitoring

Luxembourg has specific rules governing workplace surveillance that overlay the general recording laws.

Labour Code Article L.261-1

Article L.261-1 of the Luxembourg Labour Code regulates the processing of personal data for the purpose of monitoring employees. Employers may only implement monitoring systems based on one of the lawful grounds listed in GDPR Article 6.1(a) through (f).

The Labour Code permits employee monitoring for three specific purposes:

1. Health and safety of employees. Surveillance cameras in hazardous work areas, for example.
2. Production or performance control. But only when monitoring is the sole means of determining exact salary or compensation.
3. Flexible work arrangements. Monitoring related to the organization of flexitime schedules.

Mandatory Notification Process

Before implementing any employee monitoring system, an employer must provide collective notice to the staff delegation (employee representatives) and individual notice to each affected employee. The notice must include a detailed description of the monitoring purpose, the implementation process, data retention duration and criteria, and a formal commitment that the collected data will not be used for any purpose other than the one stated.

CNPD Review and Suspensive Effect

Within 15 days of receiving the employer's notice, the staff delegation or the affected employees may request a compliance opinion from the CNPD. This request has a suspensive effect: the employer cannot activate the monitoring system until the CNPD issues its opinion, which must come within one month.

Employees who file complaints with the CNPD about workplace monitoring are protected from retaliation. The Labour Code explicitly states that filing such a complaint cannot constitute grounds for dismissal.

Telephone Monitoring at Work

Employers who wish to record employee phone calls face the combined requirements of the 2005 Act and the Labour Code. The call recording must meet the business transaction exception under the 2005 Act, the monitoring must satisfy one of the Labour Code's permitted purposes, and the full notification procedure must be followed. In practice, this means most employers can only record calls that directly relate to commercial transactions, and only after completing the notice and consultation process.

Financial Sector: MiFID II Recording Obligations

One significant exception to the general consent framework applies in the financial sector. The Law of 30 May 2018 on markets in financial instruments transposed MiFID II into Luxembourg law, creating mandatory recording obligations for investment firms supervised by the Commission de Surveillance du Secteur Financier (CSSF).

Under Article 16(7) of MiFID II, investment firms must record all telephone conversations and electronic communications that relate to client orders or that could lead to a transaction. This includes investment consultations by phone, video conference, or chat, as well as communications via email, instant messaging, or any other electronic channel.

These recordings must be stored for at least five years. The CSSF may require extended retention of up to seven years. Archives must be tamper-proof, with every modification traceable and the data accessible at all times.

Clients must be informed at the start of each conversation that the call is being recorded. The MiFID II framework effectively overrides the general consent requirement for these specific transaction-related communications, replacing it with a notification-plus-mandatory-recording model. This is one of the few contexts in Luxembourg law where recording is not just permitted but required.

Penalties Summary

Luxembourg imposes a graduated system of penalties depending on which statute is violated:

Offense	Statute	Prison	Fine
Recording private conversations without consent	Act of 1982, Art. 2	8 days to 1 year	251 to 5,000 EUR
Installing recording devices to facilitate violations	Act of 1982, Art. 3	8 days to 1 year	251 to 5,000 EUR
Possessing or disclosing illegal recordings	Act of 1982, Art. 4	8 days to 1 year	251 to 5,000 EUR
Revealing monitored communications for gain	Act of 1982, Art. 7	2 months to 2 years	2,501 to 100,000 EUR
Intercepting electronic communications	Act of 2005, Art. 4	8 days to 1 year	251 to 125,000 EUR
Violating secrecy of correspondence	Code Penal, Art. 460	8 days to 1 month	251 to 2,000 EUR
Unauthorized data interception	Code Penal, Art. 509-3	3 months to 3 years	1,250 to 12,500 EUR
GDPR violations (administrative)	GDPR Art. 83	N/A	Up to 20M EUR or 4% turnover

Courts may also order the destruction of recordings made in violation of the law. Illegally obtained recordings are generally inadmissible as evidence in Luxembourg proceedings.

Business Compliance Checklist

Companies operating in Luxembourg should take the following steps to comply with recording laws:

Audit existing recording practices. Identify every system that records calls, meetings, or workplace activity. This includes phone systems, call center platforms, video conferencing tools, CCTV cameras, and GPS tracking in vehicles.

Verify the legal basis for each recording. The business transaction exception under the 2005 Act is narrow. General call recording requires consent. CCTV requires a GDPR-compliant legal basis and proportionality assessment.

Implement advance notification procedures. For any recording covered by the business transaction exception, build the required notice into your call flow. Callers must hear a clear statement about the recording, its purpose, and the retention period before the conversation begins.

Complete workplace consultation requirements. If any monitoring affects employees, follow the Labour Code notification procedure: inform the staff delegation, provide individual notices, and allow the 15-day window for a CNPD opinion request.

Maintain GDPR processing records. Document every recording activity in your processing records under Article 30 of the GDPR. Include the purpose, legal basis, data categories, retention periods, and security measures.

Set retention limits and enforce them. Do not store recordings longer than necessary. For business transaction recordings, define and disclose the maximum retention period. For video surveillance, the default is eight days with a justified maximum of thirty days.

Conduct a Data Protection Impact Assessment (DPIA). For systematic monitoring of employees or large-scale surveillance of public areas, a DPIA is likely required under GDPR Article 35.

Post visible notices for surveillance cameras. A camera icon alone is not enough. Signs must identify the controller, the purpose, and where individuals can exercise their rights.