ScreenJournal

Is employee monitoring legal under GDPR?

Employee monitoring is legal under GDPR only when it is necessary, proportionate and grounded in a valid lawful basis, which in practice means legitimate interest supported by a documented balancing test, not consent. Systematic monitoring of employees normally also requires a data protection impact assessment before it starts, and regulators have fined disproportionate monitoring heavily.

Updated on 6 July 2026. This page is general information, not legal advice.

What lawful basis can employers use for monitoring?

The GDPR requires every processing operation to rest on one of the six lawful bases in Article 6, and for workplace monitoring the field narrows quickly. Consent is largely unavailable, for reasons covered below. Contractual necessity only stretches to processing genuinely needed to perform the employment contract, which routine surveillance is not. Legal obligation covers narrow duties such as working-time records in some member states.

That leaves legitimate interests under Article 6(1)(f) as the workhorse basis, and the EDPB's Guidelines 1/2024 on legitimate interest set out the three-part test employers must pass: identify a real and lawful interest, show the monitoring is necessary for it with no less intrusive means available, and balance the interest against employees' rights and reasonable expectations. That balancing exercise should be written down as a legitimate interests assessment before monitoring begins. The older Article 29 Working Party Opinion 2/2017 on data processing at work remains the reference point for what proportionate workplace monitoring looks like: least intrusive method, limited scope, clear communication.

Because consent under GDPR must be freely given, and the EDPB has said plainly, in its Guidelines 05/2020 on consent, that the imbalance of power in an employment relationship means consent is rarely free. An employee asked to approve monitoring cannot refuse without fearing consequences, so the consent is invalid, and processing built on it is unlawful from the start. Consent can still work for genuinely optional extras where refusal carries no detriment, but for core monitoring an employer should not ask for consent it could not accept a "no" to.

When is a DPIA required for employee monitoring?

Before deployment, in almost every real case. Article 35 requires a data protection impact assessment where processing is likely to result in high risk to individuals, and the Article 29 Working Party's DPIA guidelines treat systematic monitoring of data subjects in a vulnerable position, which includes employees, as a classic trigger. National regulators in France, Italy, Ireland, the Netherlands and elsewhere list employee monitoring on their DPIA blacklists, making the assessment effectively mandatory by default.

A defensible DPIA documents the purpose and lawful basis, the data flows and categories collected, retention periods, the risks to employees, and the safeguards that reduce them, with the data protection officer's advice recorded. If high residual risk remains, Article 36 requires consulting the supervisory authority before starting. Regulators treat a missing or skeletal DPIA as a standalone violation, not a paperwork slip.

What do national laws add on top of GDPR?

Article 88 lets member states impose more specific rules for employment, and many have. Germany's BDSG Section 26 governs employee data processing, Italy's Statuto dei Lavoratori Article 4 requires a union agreement or labour inspectorate authorisation before tools that enable remote monitoring of workers are installed, France applies Labour Code information and consultation duties alongside CNIL guidance, and the Netherlands expects works council involvement. The UK GDPR mirrors the EU regime, with ICO employment guidance in a similar spirit. The practical rule: clear the national layer, including any works council or union step, before rollout in each country, not after.

What happens when monitoring goes too far?

GDPR fines reach €20 million or 4% of worldwide annual turnover, whichever is higher, and employee monitoring has produced some of the largest employment-related penalties on record. The table below summarises the two cases every employer should know.

CaseRegulator and yearFineWhat went wrong
H&M service centre, GermanyHamburg DPA, 2020€35.3 millionManagers kept extensive records of employees' private lives, including health and family details, visible to dozens of other managers
Amazon France LogistiqueCNIL, 2023€32 million, reduced to €15 million on appeal in December 2025Scanner-based tracking measured warehouse workers minute by minute, kept individual indicators for 31 days when weekly aggregates would have sufficed, and under-informed staff

The Amazon decision is the clearest statement yet of the data minimisation principle in Article 5(1)(c) applied to monitoring: even where a supervision purpose is legitimate, collecting and retaining more granular data than the purpose needs is itself unlawful, and continuous monitoring that puts workers under constant pressure fails the proportionality test. The reduction of the fine on appeal did not rescue the monitoring design.

How does privacy-first monitoring reduce GDPR exposure?

Most GDPR monitoring failures are storage failures. Screenshot and video archives accumulate excessive, unminimised personal data, stretch retention beyond any defensible purpose, and hand the balancing test to the regulator's side of the scale.

ScreenJournal is an AI work visibility tool that reads on-screen work as it happens, turns it into a detailed timeline of what each person actually did, and then deletes the raw screen data. Timelines accumulate into a searchable chronicle of everyone's work history, and from them ScreenJournal generates timesheets and reports automatically and drafts standup summaries on request, answering questions about any of it in plain English.

That derive-and-discard design speaks directly to the principles regulators actually fine against. The transient capture is video, and deleting it immediately during processing is data minimisation and storage limitation by architecture rather than by policy. It is scoped to work apps and work-related activity; personal activity is skipped in real time, which keeps private life out of the record, the exact failure in the H&M case. Employees see the same activity view managers do and can redact entries before a manager sees them, and scores are contestable, which strengthens the transparency and fairness side of a legitimate interests assessment. A redacted entry is erased entirely and never appears in anyone's search; redaction is unavailable only for roles a company flags as a data-leak risk. You can see the derived record on the work timelines page, contrast it with a continuous-recording suite in ScreenJournal vs Teramind, or read the design rationale in We record work, not people.

Two honest caveats. A privacy-first tool narrows the risks a DPIA must weigh, but the employer still owes the full GDPR homework: a lawful basis, a written balancing test, employee notices, national-law steps and the DPIA itself. And ScreenJournal is currently available in India and the Philippines, with California and New York City coming soon, so EU teams should treat this page as background for evaluating any monitoring tool rather than a product invitation today.

Frequently asked questions

Rarely. The EDPB's position is that consent is not freely given where there is an imbalance of power, which is the default in employment. Most employers rely on legitimate interests, supported by a documented balancing test.

Is a DPIA always required for employee monitoring?

Almost always for systematic monitoring. Employees count as vulnerable data subjects and several national regulators list employee monitoring as a processing type that requires a DPIA by default. Complete it before the tool is switched on.

Can an employer secretly monitor staff under GDPR?

Covert monitoring is lawful only in narrow, exceptional cases defined by national law, typically a specific, documented suspicion of serious wrongdoing, and for a limited time. Routine monitoring must be disclosed before it starts.

What fines have regulators issued for unlawful monitoring?

H&M was fined €35.3 million in Germany in 2020 for keeping excessive records of employees' private lives, and the CNIL fined Amazon France Logistique €32 million in 2023 for excessively intrusive performance monitoring, later reduced to €15 million on appeal.

Is ScreenJournal available in the EU?

Not yet. ScreenJournal is currently available in India and the Philippines, with California and New York City coming soon.

See the work itself, not screenshots of it

Timesheets, reports and answers from the work your team actually did. Available for Windows and macOS, with Linux and mobile support coming soon.