
April Data Protection Newsletter

By:
Pasquale Esposito
Grant Thornton Luxembourg welcomes you to the April Data Protection Newsletter!

We continue to share clear and practical insights on the latest developments in data protection, AI, and tech regulation, helping you stay informed and compliant in this ever-changing digital landscape.

Whether you manage compliance or simply want to stay safer and better informed online, this newsletter is for you.

As always, our Data Protection Team is here to help. If you would like tailored advice or to discuss a specific issue, please contact us using the details at the end of this page.


CNPD Releases Guidance on Audio Recording of Meetings

The Luxembourg data protection authority, the CNPD, has published new guidance on the audio recording of meetings, a practice that has become increasingly common, particularly in the workplace, with the rise of video conferencing and AI-powered note-taking tools.

🧩Key takeaways

In the absence of specific rules in Luxembourg law, the CNPD clarifies that the legality of such recordings must be assessed under the GDPR.

The CNPD focuses on two possible legal bases: 

  • Consent must be freely given, specific, informed and unambiguous; these requirements are difficult to meet in an employment context, where the power imbalance between employer and employee may compromise genuine freedom of choice. 
  • Legitimate interest requires a rigorous balancing test between the controller's interests and the participants' rights and freedoms, and that test must be properly documented. 

In all cases, recordings must serve a defined and documented purpose and must be deleted as soon as that purpose is achieved. Transparency toward all participants is also mandatory: they must be informed that a recording is taking place before it begins. 

The CNPD underlines that recording should remain exceptional, not a routine practice, especially for sensitive meetings such as HR discussions, disciplinary hearings, or governance sessions.

Why is it important?

For Luxembourg-based organisations and multinationals with operations in the Grand Duchy, this guidance creates concrete obligations for any entity using recording features in tools like Microsoft Teams, Zoom, or AI transcription software.


CNIL Publishes a Guideline on Retention Periods of Personal Data in the HR Context

On 2 April, the CNIL (the French data protection authority) published a guide to help organisations identify and determine appropriate retention periods for the processing of employee-related data (the Guideline). 

🧩Key takeaways

This Guideline covers the full employee lifecycle, from recruitment to contract termination, and provides both legally mandatory retention durations and CNIL-recommended durations, colour-coded for easy identification.

Although the Guideline is not legally binding, it serves as a practical reference tool for organisations in the context of human resources management. 

For example, for recruitment the CNIL recommends keeping CV data only until the conclusion of the recruitment process, unless further consent has been obtained from the candidate, and for up to 5 years where the data is needed to defend against discrimination claims.

For payroll, where payslips are issued electronically, the employer must keep them available for 50 years, or until the employee reaches retirement age plus 6 years.

The Guideline also covers working time tracking, biometric access controls, vehicle geolocation, and collective labour relations.

The Guideline is not exhaustive either: other sector-specific legal requirements (such as tax, road traffic, or internal security rules) may also apply and may impose longer retention periods.

Why is it important?

Organisations now have a consolidated, up-to-date reference to align their Records of Processing Activities (RoPAs) with actual legal obligations.

In practice, it helps employers reduce legal uncertainty by offering concrete, sector-specific retention periods for common HR activities such as recruitment, payroll, monitoring, and employee management. Keeping data longer than required exposes organisations to GDPR enforcement risk. 


CNIL Publishes Recommendations on Tracking Pixels in Emails

On 14 April, the CNIL published the final version of its Recommendations on the use of tracking pixels in emails (the Recommendation), following a public consultation held in June 2025.

🧩Key takeaways

A tracking pixel is a discreet way of monitoring whether an email has been opened or interacted with. It usually takes the form of a tiny, invisible image embedded in the email and hosted on the sender's server: when the recipient's mail client loads the image, the server logs the request, typically together with a per-recipient identifier carried in the image URL. Organisations commonly use this technique to measure the effectiveness of their communications, improve email deliverability, and tailor future messages based on user engagement.
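To make the mechanism concrete, the following is an added example (it is not part of the CNIL Recommendation or of this newsletter): it shows how a sender derives a per-recipient pixel URL, and how an auditor or mail administrator can scan an HTML email body for images that look like tracking pixels. The domain track.example.net, the query parameter names, the secret and the sample email are all constructed for illustration; only the Python standard library is used, so it runs offline.

```python
"""Added example: how an email tracking pixel works and how to detect one.

Everything named here (track.example.net, parameter names c/t, the sample
email) is a constructed assumption, not taken from the CNIL Recommendation.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs
import hashlib
import hmac


# --- Sender side: why a pixel identifies the individual recipient -------------
def build_pixel_url(recipient: str, campaign: str, secret: bytes) -> str:
    """Return a pixel URL carrying a per-recipient token.

    The token is an HMAC of the recipient address, so the sender's server can
    map the image request back to one person without exposing the address
    itself in the URL. This is what turns a 'was it opened' signal into a
    'who opened it' signal, i.e. personal data under the GDPR.
    """
    token = hmac.new(secret, recipient.encode(), hashlib.sha256).hexdigest()[:16]
    return f"https://track.example.net/open.gif?c={campaign}&t={token}"


# --- Auditor side: find likely tracking pixels in an HTML body ----------------
class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the document."""

    def __init__(self) -> None:
        super().__init__()
        self.images: list[dict[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny_or_hidden(attrs: dict[str, str]) -> bool:
    """Heuristic: 0x0 / 1x1 dimensions or an inline style that hides the image."""
    w, h = attrs.get("width", ""), attrs.get("height", "")
    style = attrs.get("style", "").replace(" ", "").lower()
    return ((w in ("0", "1") and h in ("0", "1"))
            or "display:none" in style
            or "width:1px" in style
            or "height:1px" in style)


def find_tracking_pixels(html: str) -> list[dict]:
    """Return a description of each <img> that looks like a tracking pixel.

    A candidate is (a) fetched from a remote http(s) host, so loading it
    reaches the sender's server, and (b) tiny or hidden. The query-string
    parameter names are reported so a reviewer can see whether the URL
    carries a per-recipient identifier.
    """
    parser = _ImgCollector()
    parser.feed(html)
    found = []
    for attrs in parser.images:
        url = urlparse(attrs.get("src", ""))
        if url.scheme not in ("http", "https"):
            continue  # inline (cid:, data:) images cannot phone home
        if not _is_tiny_or_hidden(attrs):
            continue
        params = parse_qs(url.query)
        found.append({
            "host": url.hostname,
            "path": url.path,
            "params": sorted(params),
            "has_identifier": bool(params),
        })
    return found


# Constructed sample email: a visible logo, a real tracking pixel, and an
# inline (cid:) 1x1 image that cannot report back to any server.
SECRET = b"demo-secret-not-for-real-use"
SAMPLE_HTML = f"""
<html><body>
<p>Hello,</p>
<img src="https://cdn.example.net/logo.png" width="120" height="40" alt="logo">
<img src="{build_pixel_url('alice@example.com', 'spring2026', SECRET)}" width="1" height="1" alt="">
<img src="cid:inline-banner" style="width:1px;height:1px">
</body></html>
"""

if __name__ == "__main__":
    for pixel in find_tracking_pixels(SAMPLE_HTML):
        print(f"tracking pixel -> {pixel['host']}{pixel['path']} params={pixel['params']}")
```

Running the block reports exactly one candidate, the image on track.example.net whose URL carries the campaign and recipient-token parameters; the logo is too large and the cid: image never leaves the message. The dimension heuristic is deliberately simple: real mail clients that block remote images by default defeat pixels regardless of size, and a list-cleaning pixel permitted under the Recommendation looks identical on the wire to a profiling one, so the scan tells you where tracking is possible, not which purpose it serves.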

The CNIL distinguishes between use cases that require prior consent and those that are exempt. 

Consent is required for: measuring open rates to optimise campaigns, building recipient profiles for cross-channel targeting, fraud detection analytics, and individual deliverability measurement outside strictly necessary use. 

Exempt from consent: pixels used solely for authentication security (verifying a known device) and deliverability management (identifying inactive recipients to clean mailing lists), provided only the date of last known opening is kept.

The recommendation also specifies that consent must be collected at the time the email address is gathered, must be specific for each purpose, and must be as easy to withdraw as to give.

The Recommendation applies to both public and private organisations that use tracking pixels in emails, as well as to their service providers. 

Individuals may lodge a complaint with the CNIL in respect of any non-compliance with the Recommendation, which the CNIL may then verify through its own checks.

Why is it important?

The Recommendation complements the existing GDPR framework on tracking technologies, with a specific focus on the use of tracking pixels in emails. The adoption of this Recommendation responds to a growing number of complaints received by the CNIL from individuals regarding email tracking practices.

For organisations, this is a clear signal to review current email tracking practices and ensure that appropriate consent, transparency, and withdrawal mechanisms are in place. 

For individuals, this is a meaningful step toward greater transparency in a space, the email inbox, where tracking has historically been invisible and unconsented.


EDPB Publishes Draft DPIA Template for Consultation

On 14 April, the European Data Protection Board (EDPB) released a draft Template for Data Protection Impact Assessments (DPIAs), designed to guide organisations step by step through the DPIA reporting process.

The template is currently open for public consultation until 9 June 2026, after which it will be finalised and adopted by all EU national supervisory authorities as a reference.

🧩Key takeaways

Under Article 35 of the GDPR, organisations are required to carry out a DPIA where a processing activity is likely to result in a high risk to individuals' rights and freedoms. 

A DPIA serves to document how personal data is processed, assess whether the processing is necessary and proportionate, and identify appropriate measures to mitigate identified risks.

The template is structured into six main sections: (1) an overview of the processing including controller and processor identification; (2) a description covering data categories, purposes, nature, scope, and context; (3) a compliance analysis covering legal basis, data minimisation, retention, and rights facilitation; (4) a necessity and proportionality assessment; (5) a risk assessment and management plan with both inherent and residual risk evaluation; and (6) a section on DPO consultation and data subject involvement. 

The template is designed to record a minimum set of mandatory information in a format accepted by all supervisory authorities, while leaving organisations flexibility on their preferred DPIA methodology for the underlying analysis.

The EDPB’s template is accompanied by an explanatory document to facilitate completion of the template by clarifying key concepts and addressing practical questions that may arise in the course of a DPIA.

Why is it important?

While the use of the EDPB DPIA template is not mandatory, it provides a structured, harmonised framework that promotes completeness and consistency in DPIA documentation. Its use may help reduce the risk of omissions, enhance the quality of assessments, and improve efficiency in compliance processes.

For organisations seeking to strengthen their data protection governance, the template represents a useful reference tool and potential benchmark for best practices.


Contact

Need advice on Data Protection, AI, or Whistleblowing compliance?

Our Data Protection team is here to support you. Contact us today to discuss your needs and explore how we can assist you: Dara Kelly, Head of Advisory, or Pasquale Esposito, Data Protection Officer.