
GDPR and Employee Monitoring: What's Permitted

5 min read. Updated 27 May 2026

Employee monitoring is one of the most contested areas of GDPR compliance. The pressure to monitor remote workers has increased since 2020 — but the legal constraints have not relaxed. Employers who implemented email surveillance, screen recording, productivity tracking, or location monitoring without proper assessment now face real regulatory exposure.

This article sets out what GDPR permits for employee monitoring and what crosses the line.


The Fundamental Principle: Necessity and Proportionality

Employee monitoring is not prohibited under GDPR. But it must be:

  • Necessary for a legitimate business purpose
  • Proportionate — the least intrusive means of achieving that purpose
  • Transparent — employees must know what is monitored and why

These three requirements operate together. Monitoring that is necessary but not disclosed is unlawful. Monitoring that is disclosed but more intrusive than necessary is also unlawful.


What Basis Can Employers Use for Monitoring?

Consent is almost never an appropriate basis for employee monitoring. The EDPB and most supervisory authorities take the position that the power imbalance inherent in employment prevents consent from being freely given: an employee who refuses monitoring may reasonably fear employment consequences, so the consent does not meet the GDPR standard of being freely given.

The appropriate bases are:

  • Legitimate interests (Article 6(1)(f)): For most monitoring with a genuine business justification — fraud prevention, data security, performance management. Requires a balancing test showing the business interest outweighs the employee's privacy expectation.
  • Legal obligation (Article 6(1)(c)): For monitoring required by law — regulated industries with mandatory surveillance requirements, financial services firms required to record communications.
  • Contract performance (Article 6(1)(b)): For limited monitoring necessary to manage the employment relationship — timekeeping, work output tracking.

Types of Monitoring and Their GDPR Status

Email and Communications Monitoring

Low-level monitoring (metadata only — who emailed whom, volume, patterns): Permitted with legitimate interest basis and disclosure, subject to necessity.

Content-level monitoring (reading emails, reviewing message content): High privacy impact. Justified only for specific, documented purposes (regulatory compliance in financial services, active investigation of a specific concern, not blanket surveillance). Must be disclosed and proportionate.

Automated keyword surveillance (scanning all emails for specific terms): High-risk processing. Requires a DPIA. The surveillance must be necessary and targeted — not continuous scanning of all employee communications for general monitoring purposes.

Computer and Activity Monitoring

Activity logging (login times, file access, application usage): Permitted with legitimate interest and transparency, subject to necessity.

Screen recording or continuous screenshot capture: Very high privacy impact. Difficult to justify under GDPR for routine monitoring. May be justified in limited contexts (handling highly sensitive financial information, investigative situations with prior suspicion). Continuous screenshot capture of all employees at all times is very unlikely to survive necessity and proportionality assessment.

Keystroke logging: Extremely intrusive. Only justified in very specific, documented circumstances, not as general monitoring.

Location and Remote Work Monitoring

Recording work hours (clock-in/clock-out): Proportionate and generally lawful.

Location tracking for field workers (delivery drivers, mobile teams): Permitted where necessary for legitimate operational reasons (route planning, safety, proof of service delivery). Must be disclosed.

Continuous location tracking of remote office workers: Not necessary for office-based roles, so proportionality is very difficult to justify.

Productivity Scoring Tools

Tools like Prodoscore, Microsoft Productivity Score, or similar that aggregate activity data into individual productivity scores are high-risk processing. Requirements:

  • DPIA required
  • Employees must know about the tool and how scores are calculated
  • Scores must not be used for significant employment decisions without human review (Article 22)
  • Individual scores must not be compared in ways that lead to discriminatory treatment

Covert Monitoring

Covert monitoring — monitoring without the employee's knowledge — is not categorically prohibited, but the threshold is very high. Most supervisory authorities take the view that covert monitoring can only be justified when:

  • There is reasonable suspicion of specific wrongdoing by a specific individual
  • Overt monitoring would undermine the investigation
  • Covert monitoring is limited in scope and duration
  • Legal advice has been obtained

General, ongoing covert monitoring of all employees is not lawful under GDPR.


What You Must Do Before Implementing Monitoring

  1. Document the business purpose: Why is this monitoring necessary? What specific risk or objective does it address?
  2. Conduct a necessity assessment: Is this the minimum necessary monitoring to achieve the purpose?
  3. Balancing test / DPIA: For high-impact monitoring, conduct a DPIA before implementation.
  4. Update the employee privacy notice: Employees must be told about monitoring before it starts, not afterwards.
  5. Establish access controls: Only people who need to review monitoring data should be able to do so.
  6. Define retention limits: How long is monitoring data kept? It should not be retained indefinitely.

Works Councils and Collective Agreements

In Germany, France, and other member states with strong works council regimes, employee monitoring must be agreed with the works council or employee representatives before implementation. A monitoring programme that is technically GDPR-compliant but introduced without the required co-determination process may be unlawful under national employment law.
