Luxembourg Recording Laws: All-Party Consent, Penalties & AI Rules (2026)

Luxembourg requires all-party consent to record any phone call or private conversation; recording without every participant's knowledge is a criminal offense under both the Act of 11 August 1982 and the Act of 30 May 2005, carrying penalties of up to one year in prison and fines up to 125,000 euros.

Overview of Luxembourg Recording Laws

Luxembourg treats the unauthorized recording of private communications as a serious criminal matter. The Grand Duchy's legal system layers constitutional protections, dedicated privacy statutes, criminal code provisions, and EU-derived regulations into a framework that demands the consent of all parties before any recording takes place.

This is not a technicality that prosecutors ignore. Luxembourg courts have applied these laws in practice, and the country's data protection regulator, the Commission Nationale pour la Protection des Données (CNPD), has built an active enforcement record that includes on-site investigations of surveillance systems and fines for non-compliant recording practices.

For anyone living in Luxembourg, doing business there, or placing a phone call into the country, the rules are clear: get consent from everyone on the line, or do not press record.

Constitutional Foundation: Articles 11 and 28

Luxembourg's privacy protections begin at the constitutional level. Article 11(3) of the Constitution guarantees the right to protection of private life, subject only to exceptions established by law.

Article 28 goes further with a direct statement: the secrecy of correspondence is inviolable. The provision tasks the legislature with defining penalties for anyone who violates the secrecy of correspondence entrusted to postal services and with establishing safeguards for the secrecy of telegraphic communications.

While Article 28 was drafted in an era of physical mail and telegraph wires, Luxembourg courts and legislators have extended its principles to cover modern telecommunications and electronic communications. These constitutional provisions form the bedrock on which all subsequent recording and surveillance legislation rests.

The Act of 11 August 1982: Privacy Protection Law

The Loi du 11 août 1982 concernant la protection de la vie privée is the primary criminal statute governing the recording of conversations in Luxembourg. It predates the digital era but remains fully in force and applies to both analog and digital recording methods.

Article 1: The Right to Privacy

Article 1 establishes that every person has the right to respect for their private life. Courts may order preventive measures, including seizure, to halt ongoing privacy violations. This creates both a criminal and civil cause of action for unauthorized recording.

Article 2: Recording Private Conversations

Article 2 is the provision that directly criminalizes unauthorized recording. It punishes anyone who intentionally violates the intimacy of another person's private life through the following acts:

Listening to or recording private words. Using any device to listen to, record, or transmit words spoken privately without the consent of the speaker is a criminal offense. This covers phone calls, in-person conversations, and any other verbal exchange where the participants have a reasonable expectation of privacy.

Observing or recording people in private spaces. Capturing or transmitting the image of a person located in a non-public place without their consent falls under the same prohibition. This extends to video recordings that capture both image and sound.

Intercepting sealed messages. Opening, reading, or accessing the contents of a sealed message addressed to someone else without authorization is also covered.

Penalties Under the 1982 Act

Violations of Article 2 carry imprisonment of 8 days to 1 year and fines of 251 to 5,000 euros, or either penalty alone. These are not theoretical maximums. The law provides for actual prosecution and sentencing within these ranges.

Article 3 extends the same penalties to anyone who installs devices designed to facilitate the prohibited recording or surveillance activities.

Article 4 targets the downstream use of illegal recordings. Knowingly retaining, possessing, or disclosing recordings obtained in violation of the law carries identical penalties.

Article 7 imposes heavier penalties when someone who participated in authorized monitoring reveals the contents of those communications for personal gain or to harm another person. In those cases, the punishment increases to 2 months to 2 years of imprisonment and fines of 2,501 to 100,000 euros (amounts originally denominated in francs and converted to euros).

Limited Exception for Telephone Network Personnel

The 1982 Act includes one narrow exception. Personnel responsible for maintaining or supervising a public or private telephone network may listen to communications in the exercise of their technical duties to ensure proper functioning of the connection. Even under this exception, those personnel must maintain confidentiality about anything they overhear.

The Act of 30 May 2005: Electronic Communications Privacy

The Loi modifiée du 30 mai 2005 transposed the European ePrivacy Directive (2002/58/EC) into Luxembourg law. It specifically addresses privacy in the electronic communications sector and adds another layer of protection on top of the 1982 Act.

Article 4: Confidentiality of Communications

Article 4 is the central provision. It prohibits any person other than the user concerned from listening to, intercepting, storing, or engaging in any other form of surveillance of electronic communications or the traffic data relating to those communications, without the consent of the user concerned.

This is a broad prohibition. It covers the content of calls and messages, the metadata about those communications (who called whom, when, for how long), and any form of monitoring or interception. Service providers, employers, third parties, and private individuals are all bound by this rule.

Penalties Under the 2005 Act

Violations of Article 4 are punished by imprisonment of 8 days to 1 year and fines of 251 to 125,000 euros. The maximum fine here is significantly higher than under the 1982 Act, reflecting the legislature's view that electronic communications interception poses a greater systemic risk.

The Business Recording Exception

Article 4 of the 2005 Act contains a limited exception that permits the recording of telephone calls in a business context. This exception applies only when all of the following conditions are met:

The recording documents a commercial transaction. The recording must be carried out in the context of lawful professional practices for the purpose of providing evidence of a commercial transaction. This covers orders, contracts, reservations, and similar business dealings.

All parties receive advance notice. Before any recording begins, the parties to the transaction must be informed that the call may be recorded. A beep tone alone does not satisfy this requirement. The notice must be clear and explicit.

The purpose is stated. The parties must be told why the recording is being made and what it will be used for.

Retention limits are disclosed. The maximum period for which the recording will be stored must be communicated to the parties.

This exception is narrower than what many businesses assume. It does not authorize blanket recording of all business calls. It applies specifically to calls that relate to commercial transactions, and the notification and purpose requirements are mandatory. Recording a general business discussion, a complaint call, or an internal meeting does not fall within this exception unless those calls relate directly to a provable commercial transaction.

Code Pénal: Additional Criminal Provisions

Beyond the dedicated privacy statutes, the Luxembourg Code pénal contains provisions that apply to recording and interception offenses.

Article 460: Violation of Correspondence

Article 460 punishes anyone convicted of suppressing or opening a letter entrusted to the postal service in order to violate its secret. Penalties are 8 days to 1 month of imprisonment and fines of 251 to 2,000 euros, or either penalty alone. While this provision targets physical mail, courts have considered its principles in the context of digital communications.

Article 509-3: Unauthorized Data Interception

Article 509-3 addresses the intentional interception of data during non-public transmissions to, from, or within a computer system. This provision catches digital wiretapping and the interception of electronic messages that might not fall neatly under the 1982 or 2005 Acts. Penalties are notably steeper: 3 months to 3 years of imprisonment and fines of 1,250 to 12,500 euros.

This is the provision most likely to apply when someone intercepts emails, instant messages, or data transmissions rather than voice calls. The three-year maximum prison sentence makes it the harshest criminal penalty available for recording-related offenses in Luxembourg.

Judicial Wiretapping: Articles 88-1 and 88-2

Luxembourg law permits law enforcement to intercept communications, but only under strict judicial oversight. Articles 88-1 through 88-4 of the Code d'instruction criminelle govern lawful interception.

A judge may authorize wiretapping only when investigating serious crimes punishable by two or more years of imprisonment, and only when ordinary investigation methods have proven ineffective due to the nature of the facts and the special circumstances of the case.

Wiretap orders are granted for one-month periods. They may be renewed repeatedly, but the cumulative duration cannot exceed one year. The 2018 amendments to these provisions, enacted through the law of 27 June 2018, expanded the scope to include audio recording, image capture, and digital data collection, while limiting these enhanced measures to offenses against state security and acts of terrorism.

These provisions were further modified by the Act of 30 May 2005, which updated Articles 88-2 and 88-4 to reflect the realities of modern electronic communications infrastructure. Service providers are required to provide technical data and equipment to assist competent authorities in carrying out lawfully authorized surveillance.

GDPR and CNPD Enforcement

Since May 25, 2018, the General Data Protection Regulation (GDPR) applies directly in Luxembourg. Any recording of a person's voice or image constitutes processing of personal data under the GDPR, which means recording activities must comply with both the criminal statutes described above and the GDPR's requirements for lawful data processing.

The CNPD's Role

The Commission Nationale pour la Protection des Données (CNPD) is Luxembourg's national data protection authority. It oversees GDPR compliance, investigates complaints, conducts on-site inspections, and imposes administrative fines.

The CNPD has made surveillance and recording compliance a priority enforcement area. In 2022, the authority concentrated its investigation resources on two topics: the appointment of data protection officers and the compliance of video surveillance systems with the GDPR. These investigations targeted municipal authorities, schools, and private sector companies. More recent enforcement cycles have added vehicle geolocation tracking to the priority list.

Enforcement Track Record

The CNPD has issued fines for surveillance and recording violations. In July 2022, a bank received a 10,000 euro fine for operating a video surveillance system that failed to adequately inform the people being filmed. The investigation revealed that simply posting a sign with a camera icon was not sufficient notice under the GDPR. Controllers must provide information about the purpose of the processing, who is responsible, and where individuals can exercise their data rights.

The CNPD has also fined companies for failing to inform people about camera surveillance, with penalties as low as 1,000 euros for smaller infractions and up to 7,200 euros for video surveillance that violated proportionality requirements.

On the extreme end of the enforcement spectrum, the CNPD imposed a 746 million euro fine on Amazon Europe Core for GDPR violations related to data processing and transparency in its advertising system. The Luxembourg Administrative Tribunal upheld the fine on March 13, 2025. While that case involved targeted advertising rather than recording, it demonstrated the CNPD's willingness to use its full enforcement authority.

CNPD as AI Act National Authority

Luxembourg's Draft Bill of Law 8476, submitted to Parliament on December 23, 2024, designates the CNPD as the primary national supervisory authority for EU AI Act compliance. Because most AI practices covered by the AI Act involve personal data, the CNPD is the natural default supervisor. Sectoral authorities retain their roles: the Commission de Surveillance du Secteur Financier (CSSF) supervises AI in financial services, and the Luxembourg Regulatory Institute (ILR) oversees high-risk AI deployed in critical infrastructure. The bill proposes administrative penalties of up to 35 million euros or 7% of global annual turnover for violations involving prohibited AI practices. As of May 2026, the bill remains pending parliamentary approval.

GDPR Penalty Ranges

For recording and surveillance violations that breach the GDPR, the CNPD can impose administrative fines of up to 20 million euros or 4% of total global annual turnover, whichever is higher. These administrative penalties apply on top of any criminal sanctions under Luxembourg's domestic statutes.

Phone Calls vs. In-Person Conversations

Luxembourg law does not draw a meaningful distinction between recording phone calls and recording face-to-face conversations. Both are covered, and both require all-party consent.

Phone Calls

The Act of 30 May 2005 governs the recording of phone calls and other electronic communications. No telephone call can be recorded without the knowledge and consent of the person being called. The only exception is the narrow business transaction provision described above, and even that requires advance notification rather than mere consent.

In-Person Conversations

The Act of 11 August 1982 covers the recording of private spoken words in any setting. Using any device to listen to, record, or transmit words spoken privately, without the consent of the speaker, is criminal. This applies whether the conversation takes place in a home, an office, a restaurant, or any other location where the participants would reasonably expect privacy.

Public Spaces

The distinction that matters in Luxembourg is between public and private settings. The 1982 Act specifically protects "paroles prononcées en privé," meaning words spoken in private. Conversations held in a genuinely public setting, where the speakers cannot reasonably expect privacy, may fall outside the statute's protection. However, this is a narrow exception. A conversation between two people at a quiet table in a public café could still be considered private depending on the circumstances.

Video recording in public spaces is regulated separately through GDPR and CNPD guidelines. Cameras in public or semi-public areas must be visible, marked with appropriate signage, and limited to images without sound recording. Video surveillance data must generally be deleted within eight days, though this period can be extended to thirty days when justified.

Recording Police and Public Officials

Recording police officers or other public officials in Luxembourg does not benefit from a dedicated statutory exception. The general all-party consent rules apply: recording an officer during a private interaction or telephone conversation still requires consent from all parties under the 1982 and 2005 Acts.

The Journalism Exception

Luxembourg's implementation of the GDPR (Loi du 1er août 2018) provides a journalism exception for the processing of personal data, including recordings, when the processing serves exclusively journalistic, academic, artistic, or literary purposes. Under this exception, a journalist or news organization may record a public official exercising public functions without violating the data protection rules, provided the recording relates to the official's public role rather than their private life.

The exception is interpreted restrictively. It does not apply when the primary purpose of the recording is to harm the individual rather than to inform the public on a matter of genuine public interest. Using the journalism exception as a cover for personal surveillance or harassment falls outside its scope.

Public Life Carve-Out

Article 11(3) of the Constitution and case law applying it recognize that individuals who voluntarily enter public life accept a reduced expectation of privacy regarding their public activities. A politician giving a public speech, a police officer directing traffic, or a public official attending a press conference can be recorded and reported on without violating the privacy statutes, because those activities take place in genuinely public settings where no reasonable expectation of private conversation exists.

Practical Note

Recording a police officer during an arrest or a public enforcement action on a public street falls in a different category from covertly recording a private conversation with an officer. The former typically involves no reasonable expectation of privacy on the officer's part. The latter involves a private verbal exchange and triggers the all-party consent requirement. Consulting a Luxembourg attorney before relying on the journalism or public-life exception in a specific situation is advisable, because the line between public conduct and private conversation is fact-specific.

Workplace Recording and Monitoring

Luxembourg has specific rules governing workplace surveillance that overlay the general recording laws.

Labour Code Article L.261-1

Article L.261-1 of the Luxembourg Labour Code regulates the processing of personal data for the purpose of monitoring employees. Employers may only implement monitoring systems based on one of the lawful grounds listed in GDPR Article 6.1(a) through (f).

The Labour Code permits employee monitoring for three specific purposes:

1. Health and safety of employees. Surveillance cameras in hazardous work areas, for example.
2. Production or performance control. But only when monitoring is the sole means of determining exact salary or compensation.
3. Flexible work arrangements. Monitoring related to the organization of flexitime schedules.

Mandatory Notification Process

Before implementing any employee monitoring system, an employer must provide collective notice to the staff delegation (employee representatives) and individual notice to each affected employee. The notice must include a detailed description of the monitoring purpose, the implementation process, data retention duration and criteria, and a formal commitment that the collected data will not be used for any purpose other than the one stated.

CNPD Review and Suspensive Effect

Within 15 days of receiving the employer's notice, the staff delegation or the affected employees may request a compliance opinion from the CNPD. This request has a suspensive effect: the employer cannot activate the monitoring system until the CNPD issues its opinion, which must come within one month.

Employees who file complaints with the CNPD about workplace monitoring are protected from retaliation. The Labour Code explicitly states that filing such a complaint cannot constitute grounds for dismissal.

Telephone Monitoring at Work

Employers who wish to record employee phone calls face the combined requirements of the 2005 Act and the Labour Code. The call recording must meet the business transaction exception under the 2005 Act, the monitoring must satisfy one of the Labour Code's permitted purposes, and the full notification procedure must be followed. In practice, this means most employers can only record calls that directly relate to commercial transactions, and only after completing the notice and consultation process. For more on employer recording obligations, see our employer recording guide.

Financial Sector: MiFID II Recording Obligations

One significant exception to the general consent framework applies in the financial sector. The Law of 30 May 2018 on markets in financial instruments transposed MiFID II into Luxembourg law, creating mandatory recording obligations for investment firms supervised by the Commission de Surveillance du Secteur Financier (CSSF).

Under Article 16(7) of MiFID II, investment firms must record all telephone conversations and electronic communications that relate to client orders or that could lead to a transaction. This includes investment consultations by phone, video conference, or chat, as well as communications via email, instant messaging, or any other electronic channel.

These recordings must be stored for at least five years. The CSSF may require extended retention of up to seven years. Archives must be tamper-proof, with every modification traceable and the data accessible at all times.

Clients must be informed at the start of each conversation that the call is being recorded. The MiFID II framework effectively overrides the general consent requirement for these specific transaction-related communications, replacing it with a notification-plus-mandatory-recording model. This is one of the few contexts in Luxembourg law where recording is not just permitted but required.

Draft Law 8498, submitted to Parliament on February 12, 2025, updates Luxembourg's MiFID II and MiFIR framework following the adoption of EU Regulation 2024/791 and Directive 2024/790. The proposed changes modernize trading venue rules and market transparency requirements but do not materially alter the recording obligations under Article 16(7) of MiFID II.

Voyeurism and Intimate Recording

Luxembourg's Penal Code addresses a category of recording offenses that overlaps with but extends beyond the general consent rules: the recording of intimate images without consent.

Code Pénal Article 385ter

Article 385ter of the Code pénal, enacted March 9, 2021, defines voyeurism as using any means to observe the intimate parts or underwear of a person. The provision covers recording, photographing, and any form of capture of intimate imagery without the subject's consent.

Basic penalties. A person convicted of voyeurism under Article 385ter faces imprisonment of 2 months to 1 year and a fine of 251 to 15,000 euros.

Aggravated penalties. The penalty increases to 2 months to 2 years of imprisonment and a fine of up to 30,000 euros where any of the following aggravating circumstances apply:

• The victim is a minor or a particularly vulnerable person (due to illness, disability, physical or psychological deficiency, or pregnancy).
• The offense was committed in public transport or on board an aircraft.
• The images were recorded, distributed, or transmitted, including via social networks or messaging platforms.

The recording or transmission aggravating factor is particularly significant. A person who films under another person's clothing in a public space and then shares the images faces the upper penalty tier, not just the basic range. Courts have treated distribution through digital channels as a serious aggravating circumstance.

Upskirting and Related Conduct

The voyeurism law explicitly covers "upskirting" (filming under clothing in public spaces) as well as hidden-camera recording in changing rooms, toilets, and other locations where a person expects privacy. Prosecution has occurred in Luxembourg for both types of conduct.

A person who secretly films someone in a hotel room, a gym changing room, or a shared accommodation space faces potential prosecution under both the 1982 Act (recording private activities without consent) and Article 385ter of the Code pénal (if the recording captures intimate parts). The statutes can apply concurrently.

Deepfakes and AI-Generated Content

Luxembourg applies both existing criminal law and emerging EU-level rules to AI-generated recording and synthetic media.

Existing Criminal Law Framework

The Act of 11 August 1982 and the Code pénal do not use the word "deepfake," but their technology-neutral language captures the use of AI systems to fabricate recordings. Using AI to synthesize a realistic-sounding voice recording of a person saying things they never said, or to generate intimate imagery of an identifiable person, can constitute a violation of the right to private life under Article 1 of the 1982 Act. If the synthetic content is then disseminated, Article 4 of the 1982 Act (disclosure of unlawfully obtained recordings) may apply, as courts interpret "recordings" functionally rather than technologically.

EU AI Act Transparency Obligations

The EU AI Act (Regulation EU 2024/1689), which entered into force on August 1, 2024, introduces transparency obligations that directly affect AI-generated content in Luxembourg. Article 50 of the AI Act requires providers and deployers of AI systems to disclose that audio or video content has been artificially generated or manipulated, using machine-readable watermarking or marking. These transparency obligations for deepfakes take effect from August 2, 2026.

The EU AI Act also prohibits certain AI practices outright, effective from February 2, 2025. Among the prohibited practices: AI systems that generate or manipulate voice or video in ways that impair a natural person's rights without authorization, and AI systems used for real-time biometric identification of natural persons in publicly accessible spaces (with narrow exceptions for law enforcement under judicial authorization).

Luxembourg's AI Act Implementation (Bill 8476)

Luxembourg designated the CNPD as the national market surveillance authority for AI Act compliance through Draft Bill 8476, submitted to Parliament on December 23, 2024. Once enacted, the CNPD will have enforcement powers for AI Act violations involving personal data processing, with fines up to 35 million euros or 7% of global annual turnover for operators of prohibited AI practices. As of May 2026, the bill remains pending parliamentary approval.

Proposed Cyberviolences Legislation (April 2026)

On April 15, 2026, the Luxembourg government approved a draft law transposing EU Directive 2024/1385 on combating violence against women and domestic violence. The bill proposes to add new offenses to the Code pénal targeting:

• Non-consensual distribution of sexual content, including content created or manipulated by artificial intelligence (deepfake intimate imagery).
• Unsolicited sending of intimate images (cyberflashing).
• Online stalking and collective harassment.

As of May 2026, this bill has been approved by the government and submitted for parliamentary review but has not yet been enacted. The proposed legislation would create explicit criminal penalties for AI-generated intimate content distributed without consent, supplementing the existing Code pénal framework.

Watch out: Until the April 2026 cyberviolences bill is enacted, there is no Luxembourg statute that explicitly names deepfakes. Practitioners and victims rely on the technology-neutral privacy provisions of the 1982 Act and the Code pénal's existing articles. EU AI Act transparency obligations apply separately as a regulatory obligation for providers and deployers of AI systems, not as a criminal prohibition on individual deepfake creation.

Cross-Border Recording: Luxembourg as EU Hub

Luxembourg's position as a major EU financial and technology center creates distinctive cross-border recording issues that do not arise in most other jurisdictions.

Luxembourg as Lead GDPR Supervisory Authority

Under GDPR Article 56, when a company has its main EU establishment in Luxembourg, the CNPD serves as the lead supervisory authority for that company's GDPR compliance across the entire European Union. Many of the world's largest technology companies, investment funds, and financial institutions have established their European headquarters or principal operations in Luxembourg for this and other regulatory reasons.

This means that CNPD decisions about recording practices, data retention periods, and consent requirements can affect how those companies operate in France, Germany, the Netherlands, and every other EU member state. A CNPD ruling on call recording standards at a Luxembourg-headquartered financial institution has potential EU-wide effect.

Extraterritorial Scope: GDPR Article 3

GDPR Article 3(2) applies to non-EU controllers and processors that offer goods or services to individuals in the EU or that monitor the behavior of individuals in the EU. A business based outside the EU that records calls with Luxembourg-resident customers must still apply GDPR-compliant consent and notice procedures for the processing of those recordings. The all-party consent requirement under the 1982 and 2005 Acts applies to the recording itself under Luxembourg criminal law; the GDPR layered on top governs the processing of the recorded data.

Practical Implications for International Calls

When a call is made between a party in Luxembourg and a party in a country with one-party consent rules (such as the United States or the United Kingdom), two legal regimes can apply simultaneously:

• Luxembourg's all-party consent rules govern the recording of the communication within Luxembourg's territorial jurisdiction.
• The GDPR governs the processing of any personal data derived from the recording, regardless of where the recording server is located, if the data subjects are EU residents or if the controller has EU establishment.

A US company calling its Luxembourg-based subsidiary or business partner cannot unilaterally record the call under a US one-party consent law without violating Luxembourg's Act of 30 May 2005. The safest approach is to treat the call as subject to Luxembourg's all-party consent requirement and obtain explicit notice and consent before recording begins.

Luxembourg Financial Hub and MiFID II

Luxembourg hosts the largest investment fund domicile in Europe after the United States, as well as significant branches of global banks and insurance groups. Many of these entities are subject to the MiFID II mandatory recording requirements described above. The interaction of mandatory MiFID II recording with Luxembourg's general all-party consent rules is resolved by the notification model: investment firms must inform clients at the start of each call that the call will be recorded, which satisfies the notice requirement and effectively creates a consent-by-continuation framework.

Penalties Summary

Luxembourg imposes a graduated system of penalties depending on which statute is violated:

Courts may also order the destruction of recordings made in violation of the law. Illegally obtained recordings are generally inadmissible as evidence in Luxembourg proceedings.

Business Compliance Checklist

Companies operating in Luxembourg should take the following steps to comply with recording laws:

Audit existing recording practices. Identify every system that records calls, meetings, or workplace activity. This includes phone systems, call center platforms, video conferencing tools, CCTV cameras, and GPS tracking in vehicles.

Verify the legal basis for each recording. The business transaction exception under the 2005 Act is narrow. General call recording requires consent. CCTV requires a GDPR-compliant legal basis and proportionality assessment.

Implement advance notification procedures. For any recording covered by the business transaction exception, build the required notice into your call flow. Callers must hear a clear statement about the recording, its purpose, and the retention period before the conversation begins.

Complete workplace consultation requirements. If any monitoring affects employees, follow the Labour Code notification procedure: inform the staff delegation, provide individual notices, and allow the 15-day window for a CNPD opinion request.

Maintain GDPR processing records. Document every recording activity in your processing records under Article 30 of the GDPR. Include the purpose, legal basis, data categories, retention periods, and security measures.

Set retention limits and enforce them. Do not store recordings longer than necessary. For business transaction recordings, define and disclose the maximum retention period. For video surveillance, the default is eight days with a justified maximum of thirty days.

Conduct a Data Protection Impact Assessment (DPIA). For systematic monitoring of employees or large-scale surveillance of public areas, a DPIA is likely required under GDPR Article 35.

Post visible notices for surveillance cameras. A camera icon alone is not enough. Signs must identify the controller, the purpose, and where individuals can exercise their rights.

Review AI systems for EU AI Act compliance. If your organization deploys AI systems that process biometric data, generate synthetic audio or video, or use real-time identification, the prohibitions and transparency obligations under the EU AI Act apply from February 2025 and August 2026 respectively.