
How to monitor employees lawfully?


by Katarzyna Małaniuk

31 January 2018 

We are monitored and tracked every day – on the streets, in shops, in car parks, within housing estates, at entrances to buildings and at work. We use GPS navigation – in mobile phones, cars. It is very easy to locate us. This article focuses on the monitoring of employees at work and the related requirements.

Legal status as of today

First of all, it should be emphasised that currently there are no labour laws in Poland which set the requirements for the monitoring of employees at work. Of course, this does not mean that employees are not monitored in Poland. So far, the question of requirements concerning the monitoring of employees at work has remained contentious both in the case law and in the literature. In practice, employee monitoring was often justified with Article 23(1)(5) of the Personal Data Protection Act (Journal of Laws No. 2016, item 922) which says that personal data processing is permitted only if it is indispensable for the fulfilment of legitimate purposes of the data controllers or data recipients and if the processing infringes neither rights nor freedoms of the data subject. Therefore, court judgements say that data subjects should be informed about the fact that they are monitored. Furthermore, the proportionality of the applied measures to the purpose should be assessed, just like the degree of such person's privacy infringement. Information about monitoring should also be included in the company's internal regulations (e.g. work rules).

It is worth mentioning that in the draft act of 12 September 2017 (regulations implementing the Personal Data Protection Act) the Polish lawmakers intend to amend Article 22¹ Labour Code by giving employees an option to consent to the processing of data other than those indicated in Article 22¹(1) and (2) Labour Code, and by adding an express provision allowing the supervision of the workplace or the employee's work premises by technical means that record images (CCTV) if the employer deems it necessary.

Information obligation in the context of the GDPR

The General Data Protection Regulation (GDPR) regulates the information obligation in more detail than the Personal Data Protection Act which is currently in force. The GDPR applies also to monitoring of employees. Pursuant to Article 13 GDPR, the controller (i.e. the employer) will be obliged to provide the data subject (i.e. the employee) with the following information on collected data:


  1. address and full name of the personal data controller,
  2. the contact details of the controller (such as telephone number, e-mail),
  3. the legal basis for personal data processing (together with a description of legitimate interests pursued by the controller, if any),
  4. the purpose of personal data processing,
  5. information on:
     • the recipients of the personal data,
     • the intention to transfer personal data to a third country,
     • the period for which the personal data will be stored,
     • the right to access the data and to their rectification,
     • the right to erasure of personal data or restriction of processing, the right to object to processing as well as the right to data portability,
     • the right to withdraw consent to processing,
     • the right to lodge a complaint with a supervisory authority,
  6. whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data.

The foregoing suggests that employers should thoroughly describe the employee monitoring in their internal regulations.

Employee monitoring vs human rights

We would also like to draw your attention to the rulings of the European Court of Human Rights concerning employee monitoring, as well as to aspects of the violation of Article 8 of the European Convention on Human Rights (ECHR), i.e. the right to respect for private and family life.

On 5 September 2017 the European Court of Human Rights issued a judgement in the case of Bărbulescu v. Romania (Application no. 61496/08). The Grand Chamber specified the criteria which must be taken into consideration when deciding whether or not it is justified to monitor the employee's communications, so that they can be effectively used in court.

The Court indicated six significant criteria:


  1. Initial information about monitoring: the interested party must be informed in advance about the type of monitoring and its implementation.
  2. The extent of the monitoring by the employer and the degree of intrusion into the employee's privacy:
     • whether the flow of communications or their content is monitored,
     • whether all communications or only part of them have been monitored,
     • whether the monitoring was limited in time and the number of people who had access to the results.
  3. Justification of the monitoring: whether there are legitimate reasons to justify the individual monitoring. Monitoring of the content of communications is by nature a distinctly more invasive method than mere detection of communications, thus it requires weightier justification.
  4. Necessity of the actions taken: whether the aim pursued by the employer could have been achieved without directly accessing the full contents of the employee's communications.
  5. The consequences of the monitoring for the employee subjected to it and the use made by the employer of the results of the monitoring operation (in particular whether the results were used to achieve the declared aim of the measure).
  6. Existence of justified safeguards: whether the employee had been provided with adequate safeguards to ensure that the employer cannot access the actual content of the communications concerned unless the employee has been notified in advance of that eventuality.

The judgement means that although the GDPR is not going to be applied until 25 May 2018, courts may already control the monitoring of employees in accordance with the corresponding criteria indicated in Article 13 GDPR. We recommend that employers do not delay introducing the relevant changes in the work rules or employment contracts but implement them as soon as possible.



Katarzyna Małaniuk

Attorney at law (Poland)

Associate Partner
