Employee monitoring under GDPR is one of the areas most frequently scrutinised by supervisory authorities across the EU — and at the same time one of the most commonly applied by employers without full awareness of the legal boundaries. The GDPR does not regulate employee monitoring exhaustively at EU level: it sets the framework — lawfulness, proportionality, necessity, and prior information — while leaving member states significant room to impose additional national requirements. The result is that the rules vary considerably depending on where the employer operates.
In Poland, for example, the Labour Code has since 2018 set out permissible monitoring purposes, locations, and procedures in detail — and the Polish supervisory authority (UODO) actively enforces them. In one case involving a hospital that installed hidden cameras in a neonatal ward, the fine exceeded PLN 1.1 million (approximately €250,000). German courts apply a strict proportionality test, with secret monitoring permissible only in exceptional circumstances. French and Dutch supervisory authorities have issued detailed guidance specifically addressing remote work monitoring tools. The principles are shared across the EU — the intensity of enforcement varies.
This article covers the GDPR framework that applies in every member state, illustrates how key jurisdictions implement it in practice, and identifies the most common mistakes organisations make regardless of where they operate.
Legal Basis — GDPR Framework and National Law
The GDPR does not contain a specific provision on employee monitoring. The applicable framework derives from general principles:
Article 6(1)(f) GDPR — legitimate interests is the most commonly used basis for monitoring in employment. The controller must demonstrate that the monitoring serves a specific legitimate interest, that it is necessary to achieve that purpose, and that the employee’s interests or fundamental rights do not override the employer’s interest — the balancing test.
Article 6(1)(c) GDPR — legal obligation may apply where national law requires specific monitoring measures, e.g. in regulated industries.
Articles 5(1)(a) and (c) GDPR impose the principles of transparency (employees must be informed) and data minimisation (monitoring must not exceed what is necessary for the stated purpose).
Article 88 GDPR expressly permits member states to provide more specific rules for processing personal data in the employment context — and most have done so. This is why the detailed rules differ across the EU:
In Poland, Article 22² of the Labour Code sets out a closed list of permissible monitoring purposes (safety, property protection, production control, confidentiality protection) and requires prior information to employees, consultation with trade unions, documentation in work regulations, and visual marking of monitored areas.
In Germany, the Federal Data Protection Act (BDSG) Section 26 governs employee data processing, with courts applying a strict proportionality analysis. Secret monitoring is permissible only where there is documented concrete suspicion of a specific violation.
In France, the Labour Code and CNIL guidance require prior information through internal data protection policies and consultation with the works council before introducing any monitoring system.
In the Netherlands, the AP takes the position that monitoring tools must be assessed against the necessity and proportionality test for each specific use case — general productivity monitoring is treated with particular scepticism.
The common thread across all jurisdictions: monitoring must serve a specific, documented purpose; must be proportionate to that purpose; and employees must be informed before monitoring begins.
Types of Monitoring — What Is Permissible
Visual monitoring (CCTV)
CCTV cameras may cover work premises, the surrounding area of the establishment, and parking areas. They may not be installed in rooms where the dignity and privacy of employees should be respected: sanitary facilities, changing rooms, break rooms, canteens, smoking areas, and union rooms. An exception may apply where the employer can demonstrate an overriding legitimate interest — but supervisory authorities across the EU apply this exception strictly.
Email monitoring
An employer may monitor corporate email only where this is necessary for a documented purpose and must not violate the secrecy of personal correspondence. In practice: monitoring the flow and metadata of messages (who sent what and when) is generally permissible; reading the content of private messages on a corporate account is, as a rule, not. The employer must inform employees of the monitoring before it is introduced, specifying its scope and purpose.
Internet activity monitoring
Monitoring website visits from company devices is permissible for security and productivity purposes. It requires a documented basis, prior information, and proportionality — blanket monitoring of all activity without a specific purpose is disproportionate.
GPS and vehicle tracking
Tracking company vehicles is permissible for property protection and work organisation purposes. It becomes more complex where an employee uses a company vehicle for private purposes — monitoring during private use requires an additional legal basis and advance employee information.
Remote work monitoring
Supervisory authorities across the EU have consistently emphasised that monitoring of remote workers is subject to the same framework as in-office monitoring. Real-time screenshot monitoring, keystroke logging, and continuous webcam monitoring are generally considered disproportionate and difficult to justify under the legitimate interest test. The employer may monitor work outcomes and system access — but not replicate physical surveillance in the home environment.
Obligations Before Introducing Monitoring
Regardless of jurisdiction, the following steps are required before monitoring begins:
1. Document the purpose and legal basis
The purpose must be specific, legitimate, and documented. “Productivity” or “security” without further definition does not satisfy the requirement. A data protection impact assessment (DPIA) should be conducted for monitoring systems that may result in high risk to individuals.
2. Consult employee representatives
Most EU member states require consultation with works councils, trade unions, or employee representatives before introducing monitoring. In Poland this is a statutory requirement; in Germany, France, and Belgium works council approval or consultation is mandatory.
3. Inform employees individually
Employees must receive clear prior information — before monitoring begins — about the purpose, scope, manner of application, and data retention period. New employees must be informed before commencing work.
4. Mark monitored areas
Where physical monitoring is used (CCTV), areas must be visually marked with information notices before monitoring begins.
Data Retention for Monitoring
Recordings and monitoring data must be deleted once the purpose for which they were collected has been achieved. In Poland the statutory maximum for CCTV is 3 months; the European Data Protection Board’s guidance recommends short retention periods as the general principle.
The retention period may be extended only where recordings constitute or may constitute evidence in ongoing proceedings — and only for the duration of those proceedings.
Storing recordings longer than necessary without a documented legal basis for the extension is one of the most frequently cited deficiencies during supervisory inspections across the EU.
How Enforcement Differs Across Europe
Germany — German courts and the Federal Labour Court (BAG) apply a strict proportionality test. Secret monitoring without prior employee knowledge is permissible only where there is concrete suspicion of a specific violation and less intrusive means have been exhausted. Blanket monitoring is effectively impermissible. German courts regularly award damages to employees whose monitoring rights were violated.
France — The CNIL requires that employees be informed of all forms of monitoring through the internal data protection policy and the company’s works council. GPS tracking of vehicles is permissible but may not be used outside working hours. The CNIL has published detailed guidance on remote work monitoring tools, emphasising proportionality and the prohibition on continuous surveillance.
Netherlands — The AP takes the position that keystroke logging, screenshot monitoring, and activity trackers on employees’ computers are disproportionate as a rule, unless there is a documented concrete security risk. The Netherlands has one of the most restrictive approaches to remote work monitoring in Europe.
Belgium — The Social Criminal Code supplements GDPR requirements, imposing specific obligations for monitoring electronic communications. The Belgian DPA has issued detailed guidance distinguishing permissible monitoring of communications metadata from impermissible monitoring of content.
Spain — The AEPD allows monitoring of corporate devices but requires that employees be explicitly informed of the possibility and scope of monitoring at the time of hiring, through the company’s data protection policy.
United Kingdom (post-Brexit) — UK GDPR and the Employment Practices Code of the ICO impose similar requirements to EU GDPR. The ICO recommends conducting a DPIA before introducing any monitoring system and emphasises proportionality.
Most Common Mistakes
No prior information to employees. Introducing CCTV or email monitoring without informing employees — even where the monitoring itself would be permissible — is a GDPR violation in every EU jurisdiction.
Cameras in prohibited areas. CCTV in toilets, changing rooms, or break rooms is a serious violation. In Poland it was the primary reason for the PLN 1.1 million fine against the hospital.
Excessive retention of recordings. Storing CCTV recordings for 6 or 12 months as a default — without a documented legal basis — is one of the most frequently cited deficiencies during supervisory inspections.
No documentation of the legal basis. The employer must be able to demonstrate that monitoring serves a specific, documented purpose and that the means chosen are proportionate. Absence of documentation makes it impossible to meet the accountability obligation.
Monitoring private devices used for work (BYOD). Monitoring employees’ private devices — even where used to access company systems — requires particular caution. The employee’s privacy interest in their own device is significantly stronger than in a company device.
Treating remote work monitoring differently from office monitoring. The same rules apply. Deploying productivity tracking tools for remote workers without prior information, a DPIA, and a documented legitimate interest basis is a violation.
Summary
Employee monitoring is permissible across the EU — but only within the boundaries set by the GDPR and national implementing law. The GDPR requires a lawful basis (typically legitimate interest), proportionality, data minimisation, and prior information to employees. National law adds further requirements — works council consultation, specific purpose lists, marking of monitored areas — that vary by jurisdiction. Recordings must be deleted once the purpose is fulfilled. The consistent requirement across all EU member states: document the purpose, inform employees before monitoring begins, and do not monitor beyond what is necessary.
FAQ
Corporate email may be monitored only for a specific, documented purpose and only to the extent necessary. Reading the content of personal messages on a corporate account is generally impermissible across EU jurisdictions. The employer should have a clear corporate email policy specifying the scope of permissible monitoring and inform employees of it before any monitoring takes place.
Yes — but under the same conditions as for in-office work. Real-time screenshot monitoring and keystroke logging are generally considered disproportionate. Monitoring work outcomes and system access is permissible where proportionate and documented.
Yes — before monitoring begins, individually and in writing. Monitored areas must also be visually marked with information signs. This requirement applies across the EU.
In Poland — a maximum of 3 months unless recordings constitute evidence in proceedings. The EDPB recommends short retention periods as the general EU principle. Check national law for the applicable maximum in your jurisdiction.
As a rule — no. Monitoring of private devices requires a specific legal basis and is subject to a very high proportionality threshold across all EU jurisdictions.
Document monitoring purposes and authorisations in one place
iGDPR lets you record monitoring as a processing activity — with legal basis, purpose, retention periods, and authorisations — so you can demonstrate compliance at any point during an inspection.