How to Legally Monitor Employees in the EU: A Complete GDPR Guide for 2026
Every employer in Europe faces the same tension. You want to protect your business assets, ensure productivity, and keep your workforce safe. But the moment you deploy a tool to track employee activity — whether it is a CCTV camera in the warehouse, software that monitors internet usage, or a GPS tracker on a company vehicle — you are processing personal data under the GDPR. And that means rules apply.
The EU’s data protection framework does not ban employee monitoring. It governs it. Understanding exactly where that line sits is not just a legal nicety — it is the difference between a security investment that protects you and one that creates liability, triggers regulatory fines, and damages your relationship with your workforce.
This guide covers what EU employee monitoring laws actually permit in 2026, how the GDPR applies, what differs by country, and what steps you need to take before switching on any monitoring tool.
Understanding the GDPR Framework for Employee Monitoring
The GDPR applies whenever you process personal data — that is, any information relating to an identified or identifiable natural person. Video footage of your employees is personal data. Internet browsing logs are personal data. GPS tracking data from a company van is personal data. As soon as any of these are captured, the GDPR applies in full.

The first question is always: what is your lawful basis for this processing?
Choosing the Right Lawful Basis
For employee monitoring, three bases are most relevant:
Legitimate interests (Article 6(1)(f)) is the most commonly applicable basis for workplace monitoring. It allows processing when it is necessary for the purposes of legitimate interests pursued by the controller — typically protecting property, preventing theft, ensuring safety, or investigating misconduct. But legitimate interests are not a blank cheque. You must conduct a balancing test: does your interest in monitoring outweigh your employees’ right to privacy?
The answer is not the same in every situation. Monitoring a warehouse for theft prevention is more likely to pass the test than blanket surveillance of every employee’s keyboard activity. The more intrusive the monitoring, the stronger your justification needs to be.
Legal obligation (Article 6(1)(c)) applies when monitoring is required by law — for example, financial services firms required to record communications under MiFID II, or transport companies subject to tachograph regulations.
Consent (Article 6(1)(a)) is the least recommended option in an employment context. The problem is structural: employees may feel they cannot refuse consent without risking their employment. The Article 29 Working Party (now the EDPB) has been clear that consent obtained under such conditions is unlikely to be freely given. Treat consent as unavailable for most employee monitoring purposes.
The Proportionality Principle
Beyond lawful basis, the GDPR requires that any monitoring be proportionate. This means:
– The monitoring must actually achieve its stated purpose
– You must use the least intrusive method that achieves that purpose
– You must not capture more data than is necessary
– The monitoring must not continue beyond what is genuinely required
A camera that captures your entire warehouse is proportionate for theft prevention. The same camera capturing the employee bathroom is never proportionate. Monitoring internet browsing to catch illegal downloads is proportionate. Logging every keystroke to check whether employees are productive is almost certainly not.
CCTV in the Workplace: What Is and Is Not Permissible
Workplace CCTV is the most common monitoring tool, and the one where employers most frequently misstep. The EDPB’s Guidelines on Video Surveillance provide the EU-wide framework, though national implementation creates important variations.

Where Cameras Are Generally Permitted
Cameras are generally acceptable in:
– Production floors and warehouses — protecting property, monitoring safety
– Entry and exit points — access control and security
– Customer-facing areas — retail floors, reception desks
– Parking areas and perimeters — vehicle and property security
– Storage and stock rooms — inventory protection
These locations have a low reasonable expectation of privacy. Employees working in these areas know they are in a business environment where security cameras are expected.
Where Cameras Are Categorically Prohibited
No EU jurisdiction permits cameras in:
– Toilets and washrooms
– Changing rooms
– Break rooms and canteens
– Smoking areas
– Staff rooms
– Union or works council meeting rooms
– Any space where employees have a legitimate expectation of privacy
Placing cameras in these spaces is not a technical breach — it is a fundamental violation of employee dignity and will typically result in regulatory action and significant reputational damage regardless of the employer’s intentions.
The Covert Monitoring Exception
Some employers wonder whether secret cameras are justified when they suspect misconduct. In most EU countries, covert monitoring — cameras placed without employees’ knowledge — requires specific justification:
– There must be a concrete, documented suspicion of serious wrongdoing
– Normal monitoring has been insufficient
– The monitoring must be time-limited
– A proportionality assessment must confirm it is the only viable option
Covert monitoring that becomes a general surveillance tool almost always fails the proportionality test. It also creates significant risk: if discovered, it destroys employee trust, may constitute a criminal offence in some jurisdictions, and generates evidence that courts may refuse to admit in disciplinary proceedings.
For most businesses, disclosed monitoring is not just legally safer — it works better. Employees who know cameras are present are more likely to comply with procedures, treat property carefully, and behave professionally.
Email, Internet, and Digital Monitoring: Where the Lines Are
Software-based employee monitoring has become increasingly sophisticated — and increasingly scrutinised by data protection authorities. Here is how the GDPR applies to the main categories.

Email Monitoring
Corporate email monitoring sits in a grey zone that requires careful navigation.
Permitted: Monitoring the metadata of corporate emails — who sent a message, to whom, when, and how large the attachment was — is generally proportionate for IT security and resource management purposes. This data does not reveal message content and carries limited privacy implications.
Prohibited or highly restricted: Reading the content of personal messages sent on a corporate email account. If employees use their work email for occasional personal correspondence (which most do, even if prohibited by policy), the employer’s ability to access that content is sharply limited. An email that is clearly personal — a birthday message, a medical appointment confirmation — cannot be read as part of routine monitoring.
Best practice: Clearly define in your IT and data protection policy what is and is not considered corporate communications data, and train managers not to access personal content even when it appears in monitoring systems.
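One way to build the metadata-only monitoring described above into the logging pipeline itself, so that message content is never stored even by accident. This is an added example, not code from the guide; the message and addresses are constructed for illustration.

```python
"""Metadata-only email monitoring record (added example, not from the guide).

Parses an RFC 822 message and keeps only the fields the section above treats
as proportionate: sender, recipients, timestamp and attachment sizes. The
subject line and body are never copied into the record, so a personal message
passing through the system leaves no readable content behind. The message
below is constructed for this example; the addresses are invented.
"""
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

SAMPLE_EMAIL = """\
From: alice@example.com
To: bob@example.com, carol@example.com
Date: Tue, 03 Mar 2026 09:15:00 +0000
Subject: Re: my appointment tomorrow
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi Bob, my appointment is at 10, so I will be in late.
--b1
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

SGVsbG8gd29ybGQ=
--b1--
"""

# Only these address headers are ever read; Subject is deliberately absent.
ADDRESS_HEADERS = ("To", "Cc")


def metadata_record(raw: str) -> dict:
    """Build a log record from headers and attachment sizes only."""
    msg = message_from_string(raw)
    sender = getaddresses(msg.get_all("From", []))
    recipients = []
    for header in ADDRESS_HEADERS:
        recipients += [addr for _, addr in getaddresses(msg.get_all(header, []))]
    attachments = []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            payload = part.get_payload(decode=True) or b""
            # Only the size is recorded; the decoded bytes are discarded.
            attachments.append({"name": part.get_filename(), "bytes": len(payload)})
    date = msg.get("Date")
    return {
        "sender": sender[0][1] if sender else None,
        "recipients": recipients,
        "sent_at": parsedate_to_datetime(date).isoformat() if date else None,
        "attachments": attachments,
    }


if __name__ == "__main__":
    print(metadata_record(SAMPLE_EMAIL))
```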
Internet and IT Activity Monitoring
Monitoring internet browsing on company devices is permissible for:
– IT security (blocking malicious sites, detecting malware)
– Bandwidth management
– Investigating suspected policy violations
It is not permissible as a general productivity surveillance tool — tracking how long employees spend on non-work websites, monitoring every application they open, or building profiles of individual behaviour for performance management purposes.
Key distinction: Monitoring for security is generally proportionate. Monitoring for performance management is not, unless there is a specific, documented concern about an individual employee and less intrusive assessment methods have been considered.
Remote and Home Worker Monitoring
The rise of home working has created new compliance questions. The answer from most data protection authorities — including France’s CNIL and the UK’s ICO — is consistent: the same rules apply to remote workers as to office workers.
Specifically:
– Not permitted: Continuous screenshots, keystroke logging, webcam monitoring, software that tracks idle time minute by minute
– Permitted: Monitoring work outcomes (deliverables completed, system access logs, time-tracking for payroll), security tools that run on company devices
The CNIL has published detailed guidance on remote work monitoring in France, emphasising that continuous surveillance is disproportionate regardless of whether the employee is at home or in the office. Employers who have deployed remote monitoring software that goes beyond security logging should review their tools against this standard.
How National Laws Differ Across the EU
The GDPR sets the minimum standard across all 27 member states, but national laws add specific requirements that can significantly change your compliance obligations.

| Country | Key National Requirement |
|---|---|
| Germany | BDSG Section 26 requires strict proportionality; works council co-determination rights on monitoring systems; secret monitoring only with documented concrete suspicion |
| France | Labour Code + CNIL guidance; works council consultation mandatory before introducing monitoring systems; remote work monitoring has specific restrictions |
| Poland | Labour Code Art. 22² establishes a closed list of permissible monitoring purposes (safety, property, production, confidentiality); works council agreement required; CCTV retention max 3 months |
| Netherlands | Stricter than most EU countries on remote monitoring; keystroke logging and screenshot tools treated as disproportionate without documented security justification |
| Belgium | Social Criminal Code distinguishes between permitted metadata monitoring and prohibited content monitoring |
| Spain | Employees must be explicitly informed of monitoring through company policy at point of hiring |
The practical implication for businesses operating across multiple EU countries is significant: GDPR compliance in Germany does not mean compliance in Poland. You need to assess each national framework separately.
For the UK post-Brexit, the Information Commissioner’s Office (ICO) Employment Practices Code sets the domestic standard. The ICO has published a CCTV self-assessment checklist that UK employers can use to verify compliance — it is freely available on the ICO website.
The Data Protection Impact Assessment: When You Must Do One
A Data Protection Impact Assessment (DPIA) is required when a monitoring system is likely to result in high risk to the rights and freedoms of individuals. For most employee monitoring scenarios, this threshold will be met.

A DPIA for employee monitoring should document:
– The specific purpose and lawful basis for the monitoring
– Why the monitoring is necessary (and why less intrusive alternatives were rejected)
– The necessity and proportionality of the data collected
– How long data is retained and who has access to it
– What safeguards are in place to protect the data
– How employees are informed
The GDPR requires DPIAs to be conducted before processing begins. Doing one after a monitoring system is already in place defeats its purpose — it should inform your decision to deploy, not justify it after the fact.
What You Must Tell Your Employees
Transparency is not optional. Before introducing any monitoring, employees must be informed about:

– The type of monitoring in use (CCTV, software monitoring, GPS, etc.)
– The purpose of the monitoring
– How long footage and data are retained
– Who can access the data
– What they can do if they have concerns
This information should be provided in writing — through an employment contract clause, an IT and data protection policy, or both. Verbal disclosure at a team meeting is not sufficient.
In some countries, this disclosure requirement has specific legal forms:
– Germany: Works council must be consulted before any monitoring system is introduced
– France: Internal data protection policy must be published and the works council consulted
– Poland: Monitoring must be specified in work regulations and the works council agreement obtained
Failing to inform employees is one of the most common GDPR violations in the employment context — and one of the easiest to avoid.
Retention: One of the Biggest Compliance Failures
Data retention is where many businesses fall short, and where regulators are increasingly focusing their attention.

The rule is simple: personal data must not be kept longer than necessary. For most CCTV and monitoring systems, this means:
– CCTV footage: 30 days or less is the practical standard. Retaining footage for 6–12 months “just in case” is not lawful unless there is a specific, documented reason.
– Email and internet logs: Retain only as long as the specific security or management purpose requires. Routine logs older than 90 days are difficult to justify.
– GPS tracking data: Delete when the journey is complete unless needed for a specific purpose (dispute, investigation).
Automatic deletion is the most reliable way to enforce retention compliance. Configuring your systems to overwrite or delete footage on a rolling 30-day cycle removes the risk of indefinite retention and demonstrates that you take the necessity principle seriously.
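To show how the rolling-deletion rule above can be enforced by a purge job rather than left to manual review, here is an added example (not code from the guide). It applies the practical limits stated in this section per purpose category, and honours a hold only when it carries a documented reason and an expiry date; the records, dates and reference numbers are constructed.

```python
"""Retention enforcement for monitoring data (added example, not from the guide).

Each record carries the purpose category it was collected for. The limits
below are the practical standards given in the section above: 30 days for
CCTV, 90 days for routine logs, and deletion of GPS data once the journey is
complete. A record survives its limit only under a hold that names a specific
reason and is time-limited; an open-ended "just in case" hold is ignored.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

RETENTION_DAYS = {"cctv": 30, "log": 90}   # "gps" is handled by journey state


@dataclass
class Hold:
    reason: str          # documented reason, e.g. an incident reference
    until: datetime      # holds must be time-limited


@dataclass
class Record:
    record_id: str
    category: str                    # "cctv", "log" or "gps"
    collected_at: datetime
    journey_complete: bool = True    # only meaningful for "gps"
    hold: Optional[Hold] = None


def retention_decision(rec: Record, now: datetime) -> str:
    """Return "hold", "keep" or "delete" for one record."""
    if rec.hold is not None and rec.hold.reason.strip() and now < rec.hold.until:
        return "hold"                # specific reason and still within its limit
    if rec.category == "gps":
        return "delete" if rec.journey_complete else "keep"
    if rec.category not in RETENTION_DAYS:
        # No documented purpose means no basis to retain: fail closed.
        raise ValueError(f"no retention rule for category {rec.category!r}")
    age = now - rec.collected_at
    return "delete" if age > timedelta(days=RETENTION_DAYS[rec.category]) else "keep"


def sweep(records, now: datetime) -> list:
    """Return the ids due for deletion; in production this drives the purge."""
    return sorted(r.record_id for r in records if retention_decision(r, now) == "delete")


# Constructed sample inventory relative to a fixed "now".
NOW = datetime(2026, 3, 3, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    Record("cam-1", "cctv", NOW - timedelta(days=10)),
    Record("cam-2", "cctv", NOW - timedelta(days=45)),
    Record("cam-3", "cctv", NOW - timedelta(days=45),
           hold=Hold("theft report THEFT-2026-007 under investigation", NOW + timedelta(days=60))),
    Record("cam-4", "cctv", NOW - timedelta(days=200), hold=Hold("", NOW + timedelta(days=365))),
    Record("cam-5", "cctv", NOW - timedelta(days=200),
           hold=Hold("grievance GRV-2026-002", NOW - timedelta(days=1))),  # hold expired
    Record("log-1", "log", NOW - timedelta(days=100)),
    Record("log-2", "log", NOW - timedelta(days=60)),
    Record("gps-1", "gps", NOW - timedelta(hours=3), journey_complete=True),
    Record("gps-2", "gps", NOW - timedelta(hours=1), journey_complete=False),
]

if __name__ == "__main__":
    print(sweep(SAMPLE_RECORDS, NOW))
```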
Employee Rights Under Monitoring
Even when monitoring is entirely lawful, employees retain rights that you must respect:

Right of access: Employees can submit a Data Subject Access Request (DSAR) to obtain copies of footage and data in which they appear. You must respond within one month. If the footage includes other individuals, you may need to blur or redact them before disclosure.
Right to erasure: When the purpose of monitoring has been fulfilled and there is no ongoing legal basis for retention, employees can request deletion.
Right to object: Employees can raise objections to monitoring they consider disproportionate. You must be able to demonstrate that the monitoring is necessary and proportionate — if you cannot, you may need to modify or remove the monitoring.
Right to be heard: In disciplinary proceedings that rely on monitoring evidence, employees have the right to see the evidence against them and to respond.
Consequences of Getting It Wrong
Enforcement action by data protection authorities across the EU has increased substantially since the GDPR came into force, and employee monitoring cases represent a significant share of enforcement activity.

The most common violations that lead to regulatory action:
– Cameras placed in prohibited areas (toilets, changing rooms)
– Footage retained beyond what is necessary
– Employees not informed about monitoring
– Covert monitoring used as a general tool rather than a targeted exception
– Monitoring systems deployed without prior assessment of proportionality
Fines under the GDPR can reach up to €20 million or 4% of global annual turnover, whichever is higher. More practically, data protection complaints from employees can trigger investigations that are expensive to resolve and damaging to employer reputation.
Perhaps most significantly, evidence obtained through unlawful monitoring may be inadmissible in employment tribunal proceedings. An employer who dismissed an employee based on secretly recorded footage that the tribunal finds was obtained disproportionately will face not just a wrongful dismissal claim, but reputational damage that extends well beyond the legal proceedings.
Building a Compliant Monitoring Programme
A lawful employee monitoring programme is not built after the cameras are installed — it is designed before. Here is the sequence:

1. Define the problem you are solving. Vague purposes (“productivity”, “security”) are not sufficient. Be specific: “preventing theft of inventory from the warehouse”, “ensuring compliance with health and safety protocols in the production area”.
2. Choose the least intrusive method that achieves the purpose. If a fence, better lighting, and better inventory controls can address theft, you cannot jump straight to cameras.
3. Conduct a balancing test. Document why your legitimate interest outweighs employee privacy. The more intrusive the monitoring, the stronger the justification must be.
4. Carry out a DPIA before deploying the monitoring system.
5. Inform employees in writing before monitoring begins.
6. Configure automatic deletion to enforce retention limits.
7. Restrict access to footage and monitoring data to those who genuinely need it.
8. Review periodically. Is the monitoring still necessary? Has the balance changed?
Country-Specific Checklist
Before deploying any monitoring tool in a new EU country, verify:
– [ ] Germany: Works council consultation required; BDSG Section 26 proportionality test; secret monitoring only with documented suspicion
– [ ] France: Works council consultation; CNIL notification; internal policy published; remote monitoring has specific restrictions
– [ ] Poland: Closed statutory list of permissible purposes; works council agreement; CCTV max 3-month retention; mandatory in work regulations
– [ ] Netherlands: Each monitoring use case individually assessed; remote monitoring especially restricted; high threshold for productivity monitoring
– [ ] Belgium: Metadata vs. content monitoring distinction; works council consultation for electronic monitoring
– [ ] UK (post-Brexit): ICO Employment Practices Code; DPIA before deployment; CCTV self-assessment checklist available on ICO website
For businesses operating across multiple EU jurisdictions, engaging a local employment lawyer or data protection consultant before introducing monitoring systems is strongly recommended. The cost of that advice is a fraction of the cost of a regulatory investigation.
Ready to review your current monitoring systems or implement new ones compliantly? Contact us today to explore our range of CE-certified workplace security cameras — designed for businesses that take both safety and data protection seriously.
Frequently Asked Questions
Does GDPR apply to employee monitoring in the EU?
Yes, fully. CCTV footage, GPS tracking data, email logs, internet browsing records, and any other information that can identify an individual employee is personal data under the GDPR. Every monitoring activity requires a lawful basis (typically legitimate interests), must be proportionate, and must be accompanied by transparent disclosure to employees.

Where can I legally place workplace CCTV cameras in the EU?
Cameras are generally permitted in production areas, warehouses, entry and exit points, customer-facing spaces, and parking areas. They are prohibited in toilets, changing rooms, break rooms, smoking areas, and any space where employees have a reasonable expectation of privacy. National laws in Germany, France, and Poland add further restrictions, and some countries require works council or employee representative consultation before cameras are installed.
How long can I retain CCTV footage under GDPR?
The GDPR requires that footage not be kept longer than necessary. For most businesses, 30 days is the practical and defensible standard. Retaining footage for 6–12 months without a specific documented reason is likely to be considered excessive and non-compliant. Automatic deletion on a rolling cycle is the most reliable way to demonstrate compliance.
Do I need employee consent to monitor them at work?
Consent is generally not recommended as the lawful basis for employee monitoring. In an employment context, consent may not be freely given because employees may feel they cannot refuse without consequences. Use legitimate interests instead, supported by a documented balancing test. Where consent is relevant — for example, monitoring personal devices with BYOD arrangements — it must be genuine and freely given.
What is a DPIA and when is it required for employee monitoring?
A Data Protection Impact Assessment is a documented evaluation of the risks that a monitoring system poses to employee privacy. It is required whenever the monitoring is likely to result in high risk to individual rights and freedoms. For most significant monitoring deployments — new CCTV systems, email monitoring software, GPS tracking programmes — a DPIA should be completed before the monitoring begins.
Can I use covert (secret) cameras to monitor employees?
In most EU countries, covert monitoring requires exceptional justification: a concrete suspicion of serious misconduct, a determination that less intrusive alternatives will not work, and a time-limited scope. General workplace surveillance conducted secretly almost always fails the proportionality test. Even when covert monitoring is justified, it should be reviewed regularly and discontinued as soon as the investigation is complete.
Can employees access CCTV footage of themselves?
Yes. Employees can submit a Data Subject Access Request (DSAR) to obtain footage in which they appear. You must respond within one month. If the footage includes other identifiable individuals, you should blur or redact their images before disclosure. Refusing or delaying a legitimate DSAR is itself a GDPR violation.