How to Legally Monitor Employees in the EU: A Complete GDPR Guide for 2026
Every employer in Europe faces the same tension. You want to protect your business assets, ensure productivity, and keep your workforce safe. But the moment you deploy a tool to track employee activity — whether it is a CCTV camera in the warehouse, software that monitors internet usage, or a GPS tracker on a company vehicle — you are processing personal data under the GDPR. And that means rules apply.
The EU’s data protection framework does not ban employee monitoring. It governs it. Understanding exactly where that line sits is not just a legal nicety — it is the difference between a security investment that protects you and one that creates liability, triggers regulatory fines, and damages your relationship with your workforce.
This guide covers what EU employee monitoring laws actually permit in 2026, how the GDPR applies, what differs by country, and what steps you need to take before switching on any monitoring tool.
Understanding the GDPR Framework for Employee Monitoring
The GDPR applies whenever you process personal data — that is, any information relating to an identified or identifiable natural person. Video footage of your employees is personal data. Internet browsing logs are personal data. GPS tracking data from a company van is personal data. As soon as any of these are captured, the GDPR applies in full.

The first question is always: what is your lawful basis for this processing?
Choosing the Right Lawful Basis
For employee monitoring, three bases are most relevant:
Legitimate interests (Article 6(1)(f)) is the most commonly applicable basis for workplace monitoring. It allows processing when it is necessary for the purposes of legitimate interests pursued by the controller — typically protecting property, preventing theft, ensuring safety, or investigating misconduct. But legitimate interests are not a blank cheque. You must conduct a balancing test: does your interest in monitoring outweigh your employees’ right to privacy?
The answer is not the same in every situation. Monitoring a warehouse for theft prevention is more likely to pass the test than blanket surveillance of every employee’s keyboard activity. The more intrusive the monitoring, the stronger your justification needs to be.
Legal obligation (Article 6(1)(c)) applies when monitoring is required by law — for example, financial services firms required to record communications under MiFID II, or transport companies subject to tachograph regulations.
Consent (Article 6(1)(a)) is the least recommended option in an employment context. The problem is structural: employees may feel they cannot refuse consent without risking their employment. The Article 29 Working Party (now the EDPB) has been clear that consent obtained under such conditions is unlikely to be freely given. Treat consent as unavailable for most employee monitoring purposes.
The Proportionality Principle
Beyond lawful basis, the GDPR requires that any monitoring be proportionate. This means:
– The monitoring must actually achieve its stated purpose
– You must use the least intrusive method that achieves that purpose
– You must not capture more data than is necessary
– The monitoring must not continue beyond what is genuinely required
A camera that captures your entire warehouse is proportionate for theft prevention. The same camera capturing the employee bathroom is never proportionate. Monitoring internet browsing to catch illegal downloads is proportionate. Logging every keystroke to check whether employees are productive is almost certainly not.
CCTV in the Workplace: What Is and Is Not Permissible
Workplace CCTV is the most common monitoring tool, and the one where employers most frequently misstep. The EDPB’s Guidelines on Video Surveillance provide the EU-wide framework, though national implementation creates important variations.

Where Cameras Are Generally Permitted
Cameras are generally acceptable in:
– Production floors and warehouses — protecting property, monitoring safety
– Entry and exit points — access control and security
– Customer-facing areas — retail floors, reception desks
– Parking areas and perimeters — vehicle and property security
– Storage and stock rooms — inventory protection
These locations have a low reasonable expectation of privacy. Employees working in these areas know they are in a business environment where security cameras are expected.
Where Cameras Are Categorically Prohibited
No EU jurisdiction permits cameras in:
– Toilets and washrooms
– Changing rooms
– Break rooms and canteens
– Smoking areas
– Staff rooms
– Union or works council meeting rooms
– Any space where employees have a legitimate expectation of privacy
Placing cameras in these spaces is not a technical breach — it is a fundamental violation of employee dignity and will typically result in regulatory action and significant reputational damage regardless of the employer’s intentions.
The Covert Monitoring Exception
Some employers wonder whether secret cameras are justified when they suspect misconduct. In most EU countries, covert monitoring — cameras placed without employees’ knowledge — requires specific justification:
– There must be a concrete, documented suspicion of serious wrongdoing
– Normal monitoring has been insufficient
– The monitoring must be time-limited
– A proportionality assessment must confirm it is the only viable option
Covert monitoring that becomes a general surveillance tool almost always fails the proportionality test. It also creates significant risk: if discovered, it destroys employee trust, may constitute a criminal offence in some jurisdictions, and generates evidence that courts may refuse to admit in disciplinary proceedings.
For most businesses, disclosed monitoring is not just legally safer — it works better. Employees who know cameras are present are more likely to comply with procedures, treat property carefully, and behave professionally.
Email, Internet, and Digital Monitoring: Where the Lines Are
Software-based employee monitoring has become increasingly sophisticated — and increasingly scrutinised by data protection authorities. Here is how the GDPR applies to the main categories.

Email Monitoring
Corporate email monitoring sits in a grey zone that requires careful navigation.
Permitted: Monitoring the metadata of corporate emails — who sent a message, to whom, when, and how large the attachment was — is generally proportionate for IT security and resource management purposes. This data does not reveal message content and carries limited privacy implications.
Prohibited or highly restricted: Reading the content of personal messages sent on a corporate email account. If employees use their work email for occasional personal correspondence (which most do, even if prohibited by policy), the employer’s ability to access that content is sharply limited. An email that is clearly personal — a birthday message, a medical appointment confirmation — cannot be read as part of routine monitoring.
Best practice: Clearly define in your IT and data protection policy what is and is not considered corporate communications data, and train managers not to access personal content even when it appears in monitoring systems.
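The metadata/content split above is easiest to enforce if the monitoring pipeline never stores content in the first place. The following is an added example, not code from the article or from any monitoring product: it reduces a raw RFC 5322 message to sender, recipients, date, message ID, size and attachment sizes, and deliberately drops the subject and body. The assumption (not from the article) is that the pipeline receives raw message bytes; the sample message is constructed for the example.

```python
"""Metadata-only mail log record (added example, not the article's code).

Assumption (not from the article): the monitoring pipeline sees raw RFC 5322
messages and must log only envelope-level fields for IT security and
resource management. Subject and body are content and never reach the log.
"""
from __future__ import annotations

from email import message_from_bytes
from email.message import Message
from email.utils import getaddresses, parsedate_to_datetime


def _addresses(msg: Message, header: str) -> list[str]:
    """Bare addresses from an address header, display names dropped."""
    return [addr for _, addr in getaddresses(msg.get_all(header, [])) if addr]


def metadata_record(raw: bytes) -> dict:
    """Reduce a raw message to who / to whom / when / how big.

    The parsed message object is local to this function, so the body and
    subject cannot leak into whatever stores the returned record.
    """
    msg = message_from_bytes(raw)
    attachments = []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            payload = part.get_payload(decode=True) or b""
            attachments.append({"name": part.get_filename(), "size": len(payload)})
    date = msg.get("Date")
    return {
        "from": _addresses(msg, "From"),
        "to": _addresses(msg, "To") + _addresses(msg, "Cc"),
        "date": parsedate_to_datetime(date).isoformat() if date else None,
        "message_id": msg.get("Message-ID"),
        "size_bytes": len(raw),
        "attachments": attachments,
    }


# Constructed sample message (not a real capture). The subject and body are
# exactly the kind of personal content the article says must not be read.
SAMPLE = b"""From: Alice Example <alice@example.com>
To: Bob Example <bob@example.com>
Cc: carol@example.com
Date: Mon, 03 Mar 2025 09:15:00 +0000
Message-ID: <constructed-1@example.com>
Subject: Doctor's appointment
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/plain

Confirming my appointment on Thursday, please keep it between us.
--B
Content-Type: application/pdf; name="confirmation.pdf"
Content-Disposition: attachment; filename="confirmation.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--B--
"""

if __name__ == "__main__":
    print(metadata_record(SAMPLE))
```

Whatever is appended to the log is the dictionary returned by `metadata_record`, so the check "does the log contain any text from the subject or body?" can be made part of the pipeline's own tests rather than relying on manager training alone.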
Internet and IT Activity Monitoring
Monitoring internet browsing on company devices is permissible for:
– IT security (blocking malicious sites, detecting malware)
– Bandwidth management
– Investigating suspected policy violations
It is not permissible as a general productivity surveillance tool — tracking how long employees spend on non-work websites, monitoring every application they open, or building profiles of individual behaviour for performance management purposes.
Key distinction: Monitoring for security is generally proportionate. Monitoring for performance management is not, unless there is a specific, documented concern about an individual employee and less intrusive assessment methods have been considered.
Remote and Home Worker Monitoring
The rise of home working has created new compliance questions. The answer from most data protection authorities — including France’s CNIL and the UK’s ICO — is consistent: the same rules apply to remote workers as to office workers.
Specifically:
– Not permitted: Continuous screenshots, keystroke logging, webcam monitoring, software that tracks idle time minute by minute
– Permitted: Monitoring work outcomes (deliverables completed, system access logs, time-tracking for payroll), security tools that run on company devices
The CNIL has published detailed guidance on remote work monitoring in France, emphasising that continuous surveillance is disproportionate regardless of whether the employee is at home or in the office. Employers who have deployed remote monitoring software that goes beyond security logging should review their tools against this standard.
How National Laws Differ Across the EU
The GDPR sets the minimum standard across all 27 member states, but national laws add specific requirements that can significantly change your compliance obligations.

| Country | Key National Requirement |
|---|---|
| Germany | BDSG Section 26 requires strict proportionality; works council co-determination rights on monitoring systems; secret monitoring only with documented concrete suspicion |
| France | Labour Code + CNIL guidance; works council consultation mandatory before introducing monitoring systems; remote work monitoring has specific restrictions |
| Poland | Labour Code Art. 22² establishes a closed list of permissible monitoring purposes (safety, property, production, confidentiality); works council agreement required; CCTV retention max 3 months |
| Netherlands | Stricter than most EU countries on remote monitoring; keystroke logging and screenshot tools treated as disproportionate without documented security justification |
| Belgium | Social Criminal Code distinguishes between permitted metadata monitoring and prohibited content monitoring |
| Spain | Employees must be explicitly informed of monitoring through company policy at point of hiring |
The practical implication for businesses operating across multiple EU countries is significant: GDPR compliance in Germany does not mean compliance in Poland. You need to assess each national framework separately.
For the UK post-Brexit, the Information Commissioner’s Office (ICO) Employment Practices Code sets the domestic standard. The ICO has published a CCTV self-assessment checklist that UK employers can use to verify compliance — it is freely available on the ICO website.
The Data Protection Impact Assessment: When You Must Do One
A Data Protection Impact Assessment (DPIA) is required when a monitoring system is likely to result in high risk to the rights and freedoms of individuals. For most employee monitoring scenarios, this threshold will be met.

A DPIA for employee monitoring should document:
– The specific purpose and lawful basis for the monitoring
– Why the monitoring is necessary (and why less intrusive alternatives were rejected)
– The necessity and proportionality of the data collected
– How long data is retained and who has access to it
– What safeguards are in place to protect the data
– How employees are informed
The GDPR requires that a DPIA be carried out before the processing begins. Running one retrospectively, once a monitoring system is already in place, defeats its purpose: the assessment should inform your decision to deploy, not justify it after the fact.
What You Must Tell Your Employees
Transparency is not optional. Before introducing any monitoring, employees must be told:

– The type of monitoring used (CCTV, software monitoring, GPS, etc.)
– The purpose of the monitoring
– How long recordings and data are retained
– Who can access the data
– What they can do if they have concerns
This information should be provided in writing, through a clause in the employment contract, an IT and data protection policy, or both. A verbal disclosure in a team meeting is not sufficient.
In some countries this disclosure obligation takes specific legal forms:
– Germany: the works council must be consulted before a monitoring system is introduced
– France: the internal data protection policy must be published and the works council consulted
– Poland: the monitoring must be set out in the work regulations and the agreement of the works council obtained
Failing to inform employees is one of the most common GDPR breaches in the employment context, and one of the easiest to avoid.
Retention: One of the Biggest Compliance Failures
Many businesses fall behind on data retention, and it is where supervisory authorities are increasingly focusing their attention.

The rule is simple: personal data must not be kept longer than necessary. For most CCTV and monitoring systems this means:
– CCTV footage: 30 days or less is the practical standard. Keeping footage for 6–12 months “just in case” is not lawful unless there is a specific, documented reason.
– Email and internet logs: keep them only as long as the specific security or administrative purpose requires. Routine logs older than 90 days are hard to justify.
– GPS tracking data: delete it once the journey is complete, unless it is needed for a specific purpose (a dispute, an investigation).
Automatic deletion is the most reliable way to enforce retention limits. If you configure your systems to overwrite or delete footage on a rolling 30-day cycle, you remove the risk of indefinite retention and show that you take the necessity principle seriously. Pair it with a documented exception for footage that an open investigation still needs, so that the first dispute does not become a reason to switch the deletion off.
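Where the recorder itself cannot be configured for rolling deletion, the same policy can be enforced by a scheduled job. The following is an added example and not the article's or any vendor's code. It assumes (the article does not say this) that footage is stored as files in one directory, that a file's modification time is its recording time, and that a legal hold is recorded as a small JSON file listing the filenames an investigation still needs; the footage files and the hold entry are constructed for the example.

```python
"""Rolling retention sweeper for CCTV footage (added example, not the article's code).

Assumptions (not from the article): footage lives as files under one directory,
a file's mtime is its recording time, and footage an investigation still needs
is listed in legal_hold.json next to the footage. Every run returns what it
deleted, held and kept, so the run can be logged as evidence of enforcement.
"""
from __future__ import annotations

import json
import os
import tempfile
import time
from pathlib import Path

RETENTION_DAYS = 30          # the practical standard the article describes
SECONDS_PER_DAY = 86_400


def load_legal_hold(hold_file: Path) -> set[str]:
    """Filenames exempt from deletion because of a documented reason."""
    if not hold_file.exists():
        return set()
    with hold_file.open() as fh:
        return set(json.load(fh).get("hold", []))


def sweep(footage_dir: Path, retention_days: int = RETENTION_DAYS,
          now: float | None = None, dry_run: bool = False) -> dict[str, list[str]]:
    """Delete footage older than retention_days unless it is under legal hold."""
    now = time.time() if now is None else now
    cutoff = now - retention_days * SECONDS_PER_DAY
    hold = load_legal_hold(footage_dir / "legal_hold.json")
    result: dict[str, list[str]] = {"deleted": [], "held": [], "kept": []}
    for path in sorted(footage_dir.glob("*.mp4")):
        if path.stat().st_mtime >= cutoff:
            result["kept"].append(path.name)       # still inside the window
        elif path.name in hold:
            result["held"].append(path.name)       # documented exception
        else:
            if not dry_run:
                path.unlink()
            result["deleted"].append(path.name)
    return result


def demo() -> dict[str, list[str]]:
    """Constructed footage directory (ages in days) and one held file."""
    tmp = Path(tempfile.mkdtemp())
    now = time.time()
    ages = {"cam1_day03.mp4": 3, "cam1_day29.mp4": 29,
            "cam1_day31.mp4": 31, "cam2_day45.mp4": 45}
    for name, age in ages.items():
        p = tmp / name
        p.write_bytes(b"\x00" * 16)                # placeholder, not real video
        ts = now - age * SECONDS_PER_DAY
        os.utime(p, (ts, ts))
    hold = {"hold": ["cam2_day45.mp4"],
            "reason": "constructed example: open theft investigation"}
    (tmp / "legal_hold.json").write_text(json.dumps(hold))
    return sweep(tmp, now=now)


if __name__ == "__main__":
    print(demo())
```

Run with `dry_run=True` first when rolling this out on an existing archive: the returned lists show what a live run would remove, which is also the evidence a supervisory authority will ask for when checking that the 30-day rule is actually applied.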
Employee Rights Under Monitoring
Even when monitoring is entirely lawful, employees retain rights that you must respect:

Right of access: Employees can make a subject access request (DSAR) to obtain copies of footage and data in which they appear. You must respond within one month. If the footage includes other people, you may need to blur or redact them before disclosure.
Right to erasure: Once the purpose of the monitoring has been fulfilled and there is no ongoing legal basis for retention, employees can request deletion.
Right to object: Employees can object to monitoring they consider disproportionate. You must be able to demonstrate that the monitoring is necessary and proportionate; if you cannot, you may have to adapt or remove it.
Right to be heard: In disciplinary proceedings based on monitoring evidence, employees have the right to see the evidence against them and to respond to it.
Consequences of Getting It Wrong
Enforcement action by data protection authorities across the EU has increased substantially since the GDPR took effect, and employee monitoring cases make up a significant share of that activity.

The most common breaches that lead to regulatory action:
– Cameras in prohibited areas (toilets, changing rooms)
– Footage kept longer than necessary
– Employees not informed about the monitoring
– Covert monitoring used as a general tool rather than a targeted exception
– Monitoring systems deployed without a prior proportionality assessment
Fines under the GDPR can reach 20 million euros or 4% of worldwide annual turnover, whichever is higher. In practice, data protection complaints from employees can trigger investigations that are costly to remediate and damage the employer’s reputation.
Perhaps most significantly, evidence obtained through unlawful monitoring may be inadmissible before employment tribunals. An employer who dismisses an employee on the basis of secretly recorded footage that the court finds was obtained disproportionately faces not only an unfair dismissal claim but reputational damage that extends well beyond the proceedings.
Building a Compliant Monitoring Programme
A lawful employee monitoring programme is not built after the cameras are installed; it is designed in advance. Here is the sequence:

1. Define the problem you are solving. Vague purposes (“productivity”, “security”) are not sufficient. Be specific: “preventing theft of inventory from the warehouse”, “ensuring compliance with health and safety protocols in the production area”.
2. Choose the least intrusive method that achieves the purpose. If a fence, better lighting, and better inventory controls can address theft, you cannot jump straight to cameras.
3. Conduct a balancing test. Document why your legitimate interest outweighs employee privacy. The more intrusive the monitoring, the stronger the justification must be.
4. Carry out a DPIA before deploying the monitoring system.
5. Inform employees in writing before monitoring begins.
6. Configure automatic deletion to enforce retention limits.
7. Restrict access to footage and monitoring data to those who genuinely need it.
8. Review periodically. Is the monitoring still necessary? Has the balance changed?
Country-Specific Checklist
Before deploying any monitoring tool in a new EU country, verify:
– [ ] Germany: Works council consultation required; BDSG Section 26 proportionality test; secret monitoring only with documented suspicion
– [ ] France: Works council consultation; CNIL notification; internal policy published; remote monitoring has specific restrictions
– [ ] Poland: Closed statutory list of permissible purposes; works council agreement; CCTV max 3-month retention; mandatory in work regulations
– [ ] Netherlands: Each monitoring use case individually assessed; remote monitoring especially restricted; high threshold for productivity monitoring
– [ ] Belgium: Metadata vs. content monitoring distinction; works council consultation for electronic monitoring
– [ ] UK (post-Brexit): ICO Employment Practices Code; DPIA before deployment; CCTV self-assessment checklist available on ICO website
For businesses operating across multiple EU jurisdictions, engaging a local employment lawyer or data protection consultant before introducing monitoring systems is strongly recommended. The cost of that advice is a fraction of the cost of a regulatory investigation.
Ready to review your current monitoring systems or implement new ones compliantly? See How to Choose the Best Hidden Camera in 2026 to explore our range of CE-certified workplace security cameras, designed for businesses that take both safety and data protection seriously.
Häufig gestellte Fragen
Does GDPR apply to employee monitoring in the EU?
Yes, fully. CCTV footage, GPS tracking data, email logs, internet browsing records, and any other information that can identify an individual employee is personal data under the GDPR. Every monitoring activity requires a lawful basis (typically legitimate interests), must be proportionate, and must be accompanied by transparent disclosure to employees.

Where can I legally place workplace CCTV cameras in the EU?
Cameras are generally permitted in production areas, warehouses, entry and exit points, customer-facing spaces, and parking areas. They are prohibited in toilets, changing rooms, break rooms, smoking areas, and any space where employees have a reasonable expectation of privacy. National laws in Germany, France, and Poland add further restrictions, and some countries require works council or employee representative consultation before cameras are installed.
How long can I retain CCTV footage under GDPR?
The GDPR requires that footage not be kept longer than necessary. For most businesses, 30 days is the practical and defensible standard. Retaining footage for 6–12 months without a specific documented reason is likely to be considered excessive and non-compliant. Automatic deletion on a rolling cycle is the most reliable way to demonstrate compliance.
Do I need employee consent to monitor them at work?
Consent is generally not recommended as the lawful basis for employee monitoring. In an employment context, consent may not be freely given because employees may feel they cannot refuse without consequences. Use legitimate interests instead, supported by a documented balancing test. Where consent is relevant — for example, monitoring personal devices with BYOD arrangements — it must be genuine and freely given.
What is a DPIA and when is it required for employee monitoring?
A Data Protection Impact Assessment is a documented evaluation of the risks that a monitoring system poses to employee privacy. It is required whenever the monitoring is likely to result in high risk to individual rights and freedoms. For most significant monitoring deployments — new CCTV systems, email monitoring software, GPS tracking programmes — a DPIA should be completed before the monitoring begins.
Can I use covert (secret) cameras to monitor employees?
In most EU countries, covert monitoring requires exceptional justification: a concrete suspicion of serious misconduct, a determination that less intrusive alternatives will not work, and a time-limited scope. General workplace surveillance conducted secretly almost always fails the proportionality test. Even when covert monitoring is justified, it should be reviewed regularly and discontinued as soon as the investigation is complete.
Can employees access CCTV footage of themselves?
Yes. Employees can make a data subject access request (DSAR) to obtain footage in which they appear. You must respond within one month. If the footage includes other identifiable people, you should blur or redact them before disclosure. Refusing or delaying a valid DSAR is itself a GDPR breach.