Under GDPR, employers can monitor employees — but consent is almost never the right legal basis, systematic monitoring requires a Data Protection Impact Assessment before deployment, and certain forms of monitoring (continuous keystroke logging, covert screen capture for productivity measurement) are effectively prohibited regardless of the basis claimed.
Key takeaways
- Consent fails in most employment monitoring scenarios. EDPB Opinion 2/2017 established that the power imbalance between employer and employee means employees cannot freely refuse consent without risk to their position. Legitimate interest under Article 6(1)(f) is the predominant basis — but it requires a documented three-part test.
- Systematic monitoring always triggers DPIA obligations. Any software-based monitoring programme qualifies as systematic: organised, methodical, part of a general plan rather than ad hoc observation. Deploying monitoring tools without a prior DPIA is itself an Article 35 violation, regardless of whether the monitoring itself is proportionate.
- Employees working from home have heightened privacy expectations. The ICO's 2023 monitoring guidance states explicitly that remote worker monitoring carries higher risk — including inadvertent capture of household members' data — and that home-based monitoring must be treated as higher risk from the outset.
- Monitoring email and message content requires a special category condition if collection of health, union, or other sensitive data is plausible. The ICO's guidance: even if you don't intend to collect it, if the nature of the monitoring makes collection of special category data likely, you need an Article 9 condition before you begin.
- The CNIL fined a real estate company €40,000 in December 2024 for inactivity-based keystroke monitoring that tracked employees who did not type for more than 3–15 minutes and reduced their pay accordingly. This is the most recent enforcement signal on what crosses the line.
- Works councils and employee representative bodies have co-determination rights over monitoring decisions in multiple EU member states (Netherlands, Germany, Austria, Sweden). Deploying monitoring without works council consultation or approval is a separate legal violation, not a GDPR issue alone.
Why consent fails in employment monitoring
Consent under GDPR must be freely given, specific, informed, and unambiguous. The "freely given" requirement means a genuine choice must exist — the individual must be able to refuse without detriment.
In the employment relationship, this condition is rarely met. An employee who declines to consent to monitoring software faces potential dismissal, disciplinary action, or disadvantage in performance assessment. The EDPB and the Article 29 Working Party (its predecessor) have repeatedly stated that consent in the employment context will generally not be freely given.
This means that even if an employer obtains a signed consent form, it does not create a valid legal basis. If the DPA investigates, the question is whether the consent was genuinely free — and in most employment arrangements it demonstrably is not.
The narrow exception: Consent can work when the monitored activity is entirely voluntary, genuinely separable from core employment, and refusal carries no realistic consequence. Examples are rare but include monitoring personal device use for optional company benefits schemes where the alternative (using a company device) is fully available.
For most monitoring — email access logs, time and attendance software, CCTV, productivity tracking, location data from company devices — legitimate interest or contractual necessity are the operative bases.
The legal bases that actually work
Legitimate interest (Article 6(1)(f))
The most commonly applicable basis for employee monitoring. It requires a three-part assessment, documented in writing before the monitoring begins:
Purpose test: What legitimate interest is the employer pursuing? Protecting company assets, network security, preventing data breaches, ensuring business continuity, verifying that client-facing commitments are met. These qualify. "Checking whether employees are working" stated without more specificity typically does not satisfy the purpose test — productivity monitoring requires a more specific purpose (e.g., verifying SLAs on customer service response times).
Necessity test: Is monitoring necessary to achieve this purpose, or can the purpose be met with a less intrusive approach? DPAs across Europe apply this rigorously. If the purpose is network security, can it be achieved with traffic monitoring at the network boundary rather than individual-level email content scanning? If yes, individual-level scanning is not necessary.
Balancing test: Do the employer's legitimate interests override the employee's privacy rights? Factors that tip the balance in the employer's favour: monitoring is disclosed in advance, is limited in scope and duration, targets a specific category of risk, is proportionate to that risk. Factors that tip against: monitoring is covert, continuous, covers private communications, or extends to personal devices or out-of-work hours.
A documented LIA (Legitimate Interests Assessment) covering all three parts is the minimum compliance requirement. The three-part GDPR legitimate interests test applies identically here, with employment-specific weight on the balancing stage.
Contractual necessity (Article 6(1)(b))
Applies where monitoring is strictly necessary to perform the employment contract. Access logging for security roles, audit trail requirements for regulated activities (financial services, healthcare), and call recording where regulatory requirements mandate it can qualify here. The necessity bar is high: the monitoring must be genuinely required by the contract's terms or the role's legal obligations, not just convenient for the employer.
Legal obligation (Article 6(1)(c))
Covers monitoring required by law: financial sector surveillance obligations, health and safety monitoring in hazardous environments, recording requirements under sector-specific regulation. This basis is narrower than commonly assumed — the legal obligation must require the monitoring, not merely permit it.
When a DPIA is mandatory
Article 35(3)(c) identifies systematic monitoring of individuals at scale as a category triggering mandatory DPIA. EDPB Guidelines 4/2019 on video surveillance, and the supervisory authorities' national lists of processing types requiring DPIAs across EU member states, consistently include employee monitoring systems.
The ICO's guidance goes further: a DPIA is recommended for all employee monitoring, regardless of whether the monitoring appears likely to be high risk. The DPA investigation pattern supports this — the DPIA is the single most-cited missing control in enforcement cases about employee monitoring.
Systematic in this context means organised, methodical, part of a general plan. Any software-based monitoring system qualifies. The absence of monitoring software does not make monitoring non-systematic if the employer regularly reads email logs, reviews access records, or checks application usage manually on a scheduled basis.
What the DPIA must cover for monitoring specifically:
- Description of the monitoring (what data, what channels, what frequency, by whom)
- Necessity and proportionality analysis (the LIA, if legitimate interest is the basis)
- Risk to employees (privacy, chilling effect on communication, discrimination risk from productivity data)
- Mitigating measures (notice, access controls on monitoring data, retention limits, access to results for the monitored employee)
- Residual risk assessment — and if residual risk is high, prior consultation with the supervisory authority before deployment
Monitoring types and their GDPR status
Email and message content monitoring
The highest-risk category. Even automated scanning of email content for data loss prevention or legal compliance purposes can capture health information, family matters, trade union communications — all special category data under Article 9. The ICO guidance: where the nature of the monitoring makes collection of special category data plausible, an Article 9 condition must be identified before monitoring begins. Explicit consent (Article 9(2)(a)) or substantial public interest (Article 9(2)(g)) are the conditions most commonly available, but both have conditions of their own.
Automated scanning of email metadata (sender, recipient, timestamp, size) without reading content is lower risk but still requires a legal basis and transparency.
Limit principle: The CNIL and ICO both advise that email monitoring should target specific indicators of risk (unusual volumes, specific keywords) rather than blanket content surveillance. Blanket content monitoring of all employee emails typically fails the necessity test.
CCTV and video surveillance
Established monitoring type with reasonably clear rules. Must be disclosed to employees (including signage where required by national law), must be limited in scope (no cameras in bathrooms, changing rooms, break rooms unless extraordinary circumstances), and retention must be defined and limited (CNIL guidance: footage not needed for a specific incident should be deleted within a month).
Continuous audio recording alongside video is treated more stringently — it can capture protected communications and special category data with higher frequency.
Keystroke logging and screen capture
The most enforcement-active area in 2024–2025. The CNIL's December 2024 enforcement action against the real estate company found that continuous monitoring of keyboard inactivity and regular screenshot capture for productivity measurement:
- Violated Article 6 (no valid legal basis for continuous covert monitoring)
- Violated Article 35 (no prior DPIA conducted)
- Resulted in a €40,000 fine and mandatory deletion of collected data
The CNIL's earlier 2023 guidance on keyloggers: software that captures every keystroke without discrimination is effectively prohibited for general productivity monitoring purposes because it inherently captures private communications, personal data unrelated to work, and potentially special category data with no meaningful filtering possible.
Targeted logging (capturing only specific application activity, with prior notice, for a specific security or compliance purpose, with strict retention limits) is treated differently from blanket keystroke capture.
Location tracking
GPS tracking of vehicles in a company fleet: generally permissible with notice and a documented business purpose (fleet management, route optimisation, security). Tracking during off-hours without notice or necessity is not.
Location tracking on personal devices or company devices used for personal purposes: subject to strict proportionality. Tracking must switch off outside working hours or when the device is used personally, unless a specific legal obligation requires otherwise.
Time and attendance monitoring
Login/logout tracking, swipe card access, biometric attendance systems. Legitimate interest or contractual basis generally available. Biometric attendance systems specifically (fingerprint, facial recognition) process special category data under Article 9(1) and require an Article 9 condition plus, in most EU member states, explicit regulatory authorisation or a DPA consultation. Several national DPAs have issued enforcement actions against biometric attendance systems without prior authorisation — check member state law before deploying.
Productivity scoring and AI-generated performance metrics
The emerging category. Where an algorithm generates a score about an employee's productivity, reliability, or performance that affects their pay, conditions, or position, GDPR Article 22 may apply: it governs automated decision-making that produces legal or similarly significant effects, permits such decisions only under one of three exceptions, and mandates safeguards including a genuine right to human review.
Foodinho/Glovo's €5 million fine (Italian DPA, 2024) is the most significant enforcement action in this area: the company used algorithms to assign delivery shifts and orders and to deactivate workers based on performance scores, with no human intervention mechanism.
Transparency: what the notice must contain
Even the most proportionate monitoring programme is unlawful if employees are not informed. Articles 13 and 14 require:
- Confirmation that monitoring takes place and what form it takes (type of monitoring, channels or systems monitored)
- The purpose and legal basis for the monitoring
- The data retention period for monitoring data
- Who has access to monitoring results (line managers, HR, IT, external providers)
- Data subject rights in respect of monitoring data
- For legitimate interest processing: the right to object
The notice must be given before monitoring begins, not after. Retroactive disclosure of monitoring already underway does not create a lawful basis for the monitoring period that preceded it.
Format: Employment contracts or handbooks referencing monitoring policies are the standard approach, provided the disclosure is specific enough to meet the Article 13/14 requirements. Generic statements ("we may monitor company systems for security purposes") without specifying what is monitored, how, and for how long are insufficient.
National law considerations
GDPR is a minimum standard — member states have significant room to add requirements in the employment context under Article 88. Several impose materially higher standards:
Germany: Federal works council law (Betriebsverfassungsgesetz) requires works council consent before introducing or substantially modifying monitoring systems. This applies even where the monitoring has a valid GDPR basis — the works council right is separate and prior.
Netherlands: Works Councils Act Article 27(1)(l) gives the works council a consent right over any system that monitors employee behaviour or performance. Dutch DPA guidance: the AP actively investigates whether this prior consent was obtained as part of any employee monitoring enforcement investigation.
France: Employees must be informed of monitoring and have the right to access all data collected about them. The works council (CSE) must be consulted before introducing monitoring systems. The CNIL has developed sector-specific guidance on proportionate monitoring.
Sweden: The Datainspektionen (Swedish DPA) has issued employment data processing guidelines that emphasise the consent-freely-given problem and require necessity documentation for any monitoring of employee communications.
UK (post-Brexit): UK GDPR applies, administered by the ICO. The ICO's October 2023 monitoring guidance is the primary reference. It emphasises that home-based workers have higher privacy expectations and that monitoring in home settings must be treated as higher risk. UK law does not have the same works council structures as EU member states, but implied terms in employment contracts and Equality Act obligations constrain certain forms of monitoring independently of data protection.
Compliance checklist by monitoring type
| Monitoring type | Legal basis | DPIA required | Special notice required |
|---|---|---|---|
| Network traffic monitoring (metadata level) | Legitimate interest | Recommended | Yes — disclose in policy |
| Email content scanning (automated, targeted) | Legitimate interest + Article 9 condition | Yes | Yes — specifics of what is scanned |
| Email content scanning (blanket) | Almost certainly not permissible | N/A | N/A |
| CCTV on business premises | Legitimate interest | Yes | Yes — signage + policy |
| Keystroke logging (blanket) | Not permissible under current DPA guidance | N/A | N/A |
| Keystroke logging (targeted, security-scoped) | Legitimate interest (narrow) | Yes | Yes — detailed |
| Screen capture (periodic, disclosed) | Legitimate interest | Yes | Yes — frequency + access |
| Screen capture (continuous, covert) | Not permissible | N/A | N/A |
| Time and attendance (swipe/card) | Contract or legitimate interest | Recommended | Yes |
| Time and attendance (biometric) | Contract + Article 9 condition + national law check | Yes + prior consultation likely | Yes + biometric-specific |
| GPS tracking (company vehicles, work hours only) | Legitimate interest | Recommended | Yes |
| GPS tracking (personal devices or off-hours) | Legitimate interest (narrow) or consent | Yes | Yes — with opt-out mechanism |
| Productivity scoring (AI-generated) | Legitimate interest + Article 22 exception | Yes | Yes + Article 22 rights |
Frequently asked questions
Can we monitor employees without telling them?
No. Covert monitoring is the highest-risk category in GDPR enforcement. The ICO's guidance permits covert monitoring only in exceptional circumstances — specific, time-limited investigation of suspected criminal activity or serious misconduct — where notifying the employee would prejudice the investigation, and where a prior DPIA has been conducted. Routine productivity monitoring cannot be conducted covertly under any valid GDPR basis.
Does GDPR allow monitoring remote workers differently from office workers?
GDPR applies identically. What differs is the risk assessment: the ICO states home-based workers have higher privacy expectations, and that home-environment monitoring carries higher risks (capturing household members' data, monitoring private spaces). This means the DPIA must treat remote monitoring as inherently higher risk, the necessity analysis must be stronger, and measures must minimise the scope of monitoring to work-related activity.
Can we use monitoring data in disciplinary proceedings?
Yes, provided the monitoring was lawful and the data was collected for a purpose compatible with its use in disciplinary proceedings. Article 5(1)(b) purpose limitation: if the monitoring policy disclosed disciplinary use as a purpose, using the data in a disciplinary hearing is compatible. Using data collected for "security monitoring" to discipline an employee for productivity without disclosing that use in advance is more likely to fail the purpose limitation test.
Our employees signed a monitoring consent clause in their contracts. Is that sufficient?
Probably not, if it functions as a condition of employment. A consent clause in an employment contract is contractual consent, not genuine data protection consent — the EDPB position is that in the employment relationship, consent to monitoring is typically not freely given. The clause may demonstrate transparency (employees were informed) but does not provide a valid Article 6 legal basis. The contract's monitoring provisions may, however, support a contractual necessity basis (Article 6(1)(b)) where monitoring is genuinely necessary to perform the contract.
We use a third-party HR or productivity platform that collects employee data. Who is responsible?
The employer is the controller. The platform provider is the processor. A GDPR-compliant Data Processing Agreement (DPA) under Article 28 must be in place before data flows to the platform. The DPA must specify what data is processed, for what purposes, with what security measures, and how the employer's instructions are honoured. If the platform uses employee data for its own purposes (product improvement, benchmarking, model training), this is not processor activity — it is joint or independent controller activity, which requires separate analysis and additional transparency to employees.
Is employee monitoring covered by the EU AI Act?
Where the monitoring system uses AI to generate risk scores, performance evaluations, or decisions about workers, the EU AI Act (applying from August 2026) may classify it as a high-risk AI system under Annex III, which covers AI systems used in employment and workers management contexts. High-risk classification adds transparency obligations toward the employee, a conformity assessment requirement before deployment, and registration in the EU AI database. This is separate from GDPR and runs in parallel.