GDPR Requirements for Employee Monitoring

Employee monitoring in the European Union is strictly regulated by the General Data Protection Regulation (GDPR). Any organization that monitors employees must comply with the following principles, obligations, and legal safeguards.

Lawful Basis for Processing (GDPR Art. 6)

Monitoring employees requires a valid legal basis. Acceptable grounds include:

Legitimate Interest (most common)

Monitoring must be necessary for purposes such as:

  • cybersecurity and IT protection
  • preventing data leaks
  • verifying compliance
  • fraud detection
  • performance of business functions

A Legitimate Interest Assessment (LIA) is recommended.

Legal Obligation

Monitoring mandated by sectoral laws or regulations.

Performance of a Contract

When monitoring is necessary to fulfill contractual work duties.

Transparency & Employee Information (GDPR Art. 12–14)

Before monitoring begins, employees must be clearly informed about:

  • the type of monitoring
  • what data is collected
  • purposes of monitoring
  • legal basis
  • retention period
  • access rights
  • who receives or processes the data

Information must be clear, accessible, and provided in advance.

Covert or undisclosed monitoring is nearly always prohibited unless there is an exceptional, legally justified case (e.g., criminal investigation by authorities).

Purpose Limitation (GDPR Art. 5(1)(b))

Data collected through monitoring may be used only for the specific, legitimate purpose for which it was gathered. Reuse for unrelated purposes is prohibited.

Data Minimization (GDPR Art. 5(1)(c))

Only data that is strictly necessary for the defined purpose may be collected.

Monitoring must avoid excessive or intrusive collection, such as:

  • constant webcam or microphone access
  • capturing personal communications
  • keylogging without strict justification
  • monitoring outside working hours
  • surveillance in private spaces

Proportionality (GDPR Art. 5 & EU Case Law)

Monitoring must be proportionate to its aims.

This includes:

  • assessing whether less invasive alternatives exist
  • limiting monitoring to specific tasks or risk areas
  • restricting continuous or blanket surveillance
  • avoiding 24/7 tracking

Employers must justify why each type of monitoring is necessary.

Security of Processing (GDPR Art. 32)

Organizations must protect monitoring data using appropriate security measures:

  • encryption
  • access control
  • secure storage
  • regular audits
  • protection against unauthorized access
  • secure deletion procedures

Monitoring data is highly sensitive and must be secured accordingly.

Retention Limitation (GDPR Art. 5(1)(e))

Data must not be kept longer than necessary. Organizations must:

  • define retention periods
  • delete or anonymize data when no longer needed
  • ensure automated or scheduled deletion when possible

Data Subject Rights (GDPR Art. 15–22)

Employees have the right to:

  • access their personal data
  • request correction
  • request erasure (in applicable cases)
  • restrict processing
  • object to certain processing
  • obtain explanations of automated decision-making

Employers must be able to fulfill these requests within one month.

Data Protection Impact Assessment (DPIA) (GDPR Art. 35)

Monitoring employees is classified as high-risk processing, requiring a DPIA before monitoring begins.

A DPIA must include:

  • description of monitoring
  • necessity and proportionality assessment
  • evaluation of risks to employees
  • measures to reduce or eliminate risks

If high risk remains, the supervisory authority must be consulted.

Accountability & Documentation (GDPR Art. 5(2))

Organizations must be able to demonstrate compliance by maintaining:

  • internal policies
  • monitoring documentation
  • data processing logs
  • LIAs and DPIAs
  • information notices
  • access logs and audit trails

International Data Transfers (GDPR Chapter V)

When monitoring data is transferred outside the EU, organizations must ensure:

  • adequacy decisions
  • Standard Contractual Clauses (SCCs)
  • supplementary measures (encryption, pseudonymization)
  • restrictions on third-country access

Compliance with Schrems II is mandatory.

Prohibition of Unlawful or Intrusive Monitoring

GDPR prohibits:

  • continuous audio/video surveillance without necessity
  • tracking outside working hours
  • surveillance in bathrooms, break areas, or private rooms
  • monitoring private devices without separation
  • hidden monitoring that is not strictly justified

Monitoring must respect workers' dignity and private life.

Country-Level GDPR Extensions and Regulatory Requirements

While the GDPR provides a unified framework for data protection across the European Union, each country may introduce additional rules, interpretations, or enforcement practices, especially in areas such as employee monitoring, transparency obligations, data retention, and workplace privacy. CleverControl employee monitoring software is designed to operate within this legal environment and to be used lawfully in all jurisdictions where GDPR and national regulations apply.

The following section outlines country-level variations and regulatory obligations that exist in addition to the core GDPR principles, helping organizations understand the specific requirements for compliant use of employee monitoring tools across different EU member states.

France

Key Legal Documents

  • GDPR (EU Regulation 2016/679) – fully applicable
  • Loi Informatique et Libertés (French Data Protection Act) – national implementation of GDPR
  • CNIL Guidelines & Deliberations – primary authority on workplace monitoring practices
  • French Labour Code (Code du Travail) – obligations relating to workplace transparency and employee rights
  • CNIL List of Processing Requiring a DPIA – explicitly includes employee monitoring

Key France-Specific Requirements for the Use of Employee Monitoring Tools Such as CleverControl

Mandatory Employee Notification (No Covert Monitoring)

France enforces strict transparency standards. Employers must inform employees before any monitoring begins, specifying:

  • purpose of monitoring
  • categories of collected data
  • legal basis
  • duration of data retention
  • rights of employees
  • access and recipients of data

Undisclosed or silent monitoring is not permitted except in rare, legally justified cases involving serious misconduct.

Consultation With the Works Council (CSE)

Before deploying any monitoring solution, including services like CleverControl, employers must consult the Social and Economic Committee (CSE) as required by the French Labour Code (Art. L2312-38). This consultation is mandatory and must occur prior to implementation.

Proportionality and Necessity Requirements

French law requires monitoring to be:

  • necessary for a defined purpose
  • proportionate to that purpose
  • limited strictly to professional use
  • restricted to working hours
  • non-intrusive and not continuous unless absolutely required

Monitoring methods that are too invasive (e.g., round-the-clock surveillance, indiscriminate screen capture, or audio recording) are typically considered excessive by CNIL.

DPIA Requirement

Under GDPR Art. 35 and CNIL guidelines, employee monitoring always requires a Data Protection Impact Assessment (DPIA) before deployment. The DPIA must evaluate:

  • potential risks to employees
  • proportionality of monitoring
  • mitigation measures
  • retention rules
  • alternative solutions

Specific Monitoring Restrictions Under French Law

Certain monitoring activities are heavily restricted:

  • Audio recording is generally prohibited except for narrowly defined exceptions
  • Webcam monitoring must be strictly justified
  • Monitoring is forbidden in private spaces (break rooms, restrooms, personal areas)
  • Monitoring must not extend beyond working hours
  • Employers cannot collect personal passwords or private communications
  • Biometric data use is heavily regulated and permitted only under strict conditions

Data Retention Limits

CNIL requires retention periods to be:

  • minimal
  • proportionate
  • explicitly defined
  • aligned with the stated monitoring purpose

Long-term or indefinite retention is not allowed.

Cross-Border Data Transfers

If monitored data leaves the EU, employers must use:

  • an adequacy decision, or
  • Standard Contractual Clauses (SCCs), plus
  • additional safeguards required by Schrems II

Encryption and access limitations are recommended when exporting data outside the EEA.

Employee Rights Under GDPR

Employees monitored with lawful tools have the right to:

  • access their data
  • request correction or deletion (where applicable)
  • restrict or object to processing
  • receive information about automated processing
  • file a complaint with CNIL

Employers must respond to requests within one month.

CleverControl employee monitoring software is designed to align with GDPR and adheres to the strict regulatory standards set by French law and CNIL. The service can be used legally in France when deployed in accordance with the national requirements outlined above, ensuring transparency, proportionality, and full respect for employee rights.

Spain

Key Spain-Specific Requirements

Additional Transparency and Employee Information Obligations

Spain requires particularly detailed and explicit notice to employees when monitoring tools are used. Under the Spanish Workers' Statute (Estatuto de los Trabajadores, Art. 20.3) and Ley Orgánica 3/2018 (LOPDGDD):

  • The employer must clearly explain the scope, methods, and intensity of monitoring.
  • Employees must be informed not only of monitoring but also of how the monitoring system works (e.g., types of logs, frequency, automated decisions).

Spain places heavier emphasis on the specificity and granularity of notice compared to standard GDPR transparency.

CCTV and Video Monitoring Restrictions

Spain's LOPDGDD Art. 89 adds strict rules for any system capable of capturing images or video:

  • Video surveillance must be proportionate and strictly limited to work areas.
  • Cameras cannot be installed in rest areas, break rooms, canteens, or locker rooms.
  • If audio is captured, the monitoring is considered even more intrusive and generally prohibited unless justified by serious security risks.

Although this relates primarily to CCTV, the principles also extend to any employee monitoring tool capable of capturing images or audio.

Automated Decision-Making Transparency Requirements

LOPDGDD reinforces GDPR Art. 22 by requiring employers to:

  • Inform employees about the use of automated evaluations, algorithms, or scoring.
  • Explain how automated decision logic affects employees' performance assessment or disciplinary process.

If monitoring software contributes to performance evaluation, Spain requires additional disclosure beyond the standard GDPR requirements.

Works Council Consultation

In workplaces with a Works Council ("representación legal de los trabajadores"), employers must:

  • Inform and consult the council before implementing monitoring systems.
  • Provide the council with details on technology, monitoring scope, and retention.

This obligation mirrors France's system but is slightly less prescriptive.

Special Protections for Audio Recording

Spain considers audio recording especially intrusive:

  • Audio monitoring is prohibited in almost all cases.
  • Only allowed for exceptional security needs or criminal investigations.

If software has optional audio features, employers in Spain must ensure these are disabled unless a lawful exception applies.

CleverControl employee monitoring software can be legally used in Spain when deployed in strict compliance with national rules, including enhanced transparency obligations, restrictions on video and audio capture, and consultation with workers' representatives where required.

Italy

Key Legal Documents

  • GDPR (EU Regulation 2016/679) – fully applicable
  • Italian Data Protection Code (Legislative Decree 196/2003, as amended by 101/2018)
  • Garante Privacy Guidelines – Italian Data Protection Authority interpretations
  • Workers' Statute – Statuto dei Lavoratori (Law 300/1970) – strict rules on workplace monitoring

Key Italy-Specific Requirements

Prior Authorization or Agreement Required (Most Important Italian Rule)

Italy has one of the strictest frameworks in Europe regarding employee monitoring.

Under Statuto dei Lavoratori, Article 4:

Monitoring tools may only be installed when one of the following conditions is met:

a) A formal agreement with the Works Council (RSU/RSA)

OR

b) Authorization from the Labour Inspectorate (Ispettorato Nazionale del Lavoro) if no Works Council exists.

This applies to any monitoring system capable of indirectly or directly surveilling workers, including software such as CleverControl.

Strict Prohibition of Covert or Undeclared Monitoring

Italy fully bans hidden, silent, or secret monitoring under Art. 4.

Even temporary or investigative monitoring requires:

  • prior authorization, or
  • judicial involvement (in cases of criminal investigation).

Italy is stricter than most EU countries on this point.

Data Collection Must Be Indirect (When Possible)

The Garante Privacy encourages employers to avoid identifying individual workers unless necessary.

Monitoring should ideally collect:

  • aggregated data, or
  • anonymized/pseudonymized information

when individual identification is not essential.

Additional Notice Requirements

Beyond GDPR transparency requirements, Italy requires:

  • a specific written notice to employees
  • posted in the workplace or digitally accessible
  • describing the monitoring tool, its scope, retention, and purpose
  • written clearly and precisely (generic statements are insufficient)

This notice is mandatory even after Works Council agreement or inspector authorization.

Purpose Limitation: Monitoring Cannot Be Used for Certain Disciplinary Actions

Italian case law restricts employers from using data collected for one purpose (e.g., security) for another (e.g., discipline) unless explicitly stated in:

  • the agreement/authorization,
  • the employee notice.

Purpose switching is not allowed.

Audio & Video Recording Are Heavily Restricted

Under Article 4:

  • Audio recording in workplaces is almost entirely prohibited.
  • Video monitoring must be explicitly covered in the Works Council agreement or inspector authorization.
  • Cameras cannot target workers individually unless justified and authorized.

Any tool with audiovisual capabilities falls under enhanced scrutiny.

Data Retention Must Be Explicit and Minimal

Authorization from the Labour Inspectorate typically includes:

  • maximum retention periods
  • mandatory deletion schedules
  • limitations on log or screenshot retention

Employee Rights Enforcement Is Very Strong

The Italian Garante aggressively enforces:

  • access to monitoring data
  • deletion and correction rights
  • strict separation between private and professional data
  • bans on excessive or intrusive tracking (e.g., keystrokes, continuous screenshots)

clevercontrol.com follows all these obligations and operates fully within Italy's regulatory framework.

Germany

Key Legal Documents

  • GDPR (EU Regulation 2016/679) – fully applicable
  • German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG)
  • Works Constitution Act (Betriebsverfassungsgesetz – BetrVG)
  • German case law (Bundesarbeitsgericht) – strong influence on monitoring rules
  • State-level DPA guidelines (Germany has 16 independent state authorities)

Key Germany-Specific Requirements

Works Council Co-Determination Is Mandatory

Germany has one of Europe's strictest co-determination systems.

Under BetrVG §87(1), implementing any employee monitoring tool (including CleverControl) is subject to the following:

  • co-determination and approval of the Works Council (Betriebsrat) are required
  • the Works Council has veto power
  • monitoring cannot legally start until an agreement ("Betriebsvereinbarung") is reached

High Threshold for "Proportionality" and "Necessity"

German courts and DPAs apply stricter proportionality tests than the GDPR baseline.

Key interpretations:

  • Continuous monitoring is usually deemed excessive
  • Keylogging is almost always illegal (2017 Federal Labour Court landmark ruling)
  • Screenshots, webcam capture, or mic access require very strong justification
  • Monitoring outside working hours is strictly prohibited

Germany treats workplace privacy as a constitutional right (Art. 2 & 10), so the bar is high.

Extremely Strict Rules for Covert Monitoring

Under German case law and BDSG:

  • Secret monitoring is almost always unlawful
  • Allowed only in very narrow cases of strong suspicion of criminal activity, and
  • Only if no milder means exist
  • Even then, measures must be immediately terminated once the suspicion is resolved

Specific BDSG Provisions for Employee Data

BDSG §26 adds requirements on top of GDPR, including:

  • Monitoring may only be used if "necessary for carrying out the employment relationship"
  • Employer interests must be balanced with employee rights
  • Employers must consider alternatives before monitoring
  • Sensitive data requires explicit heightened protections

This provision significantly narrows what employers can lawfully do.

Documentation Requirements Are Heavier

Germany expects detailed internal documentation, including:

  • a dedicated monitoring impact assessment (beyond DPIA)
  • detailed Works Council agreements
  • technical documentation of how monitoring functions
  • clear role-based access rules
  • strict data minimization practices

German DPAs often request these documents during audits.

Regional DPAs Can Impose Stricter Interpretations

Germany has 16 state-level data protection authorities. Each may interpret workplace monitoring differently.

Many DPAs require:

  • stronger justification for telemetry
  • short retention periods
  • additional risk assessments
  • prior consultation for high-risk systems

clevercontrol.com meets the requirements of mandatory Works Council co-determination and strict proportionality rules, and adheres to the enhanced employee protection standards of the BDSG.

Poland

Key Legal Documents

  • GDPR (EU Regulation 2016/679) – fully applicable
  • Polish Labour Code (Kodeks pracy) – special rules on monitoring at work
  • Polish Data Protection Act (Ustawa o ochronie danych osobowych) – national implementation of GDPR
  • Guidelines and positions of the Polish DPA (UODO)

Key Poland-Specific Requirements

Explicit Regulation of Monitoring in the Labour Code

Poland has direct, explicit provisions in the Labour Code on monitoring, which go beyond generic GDPR.

The Labour Code regulates in detail:

  • Video monitoring (CCTV)
  • Email/IT monitoring
  • Other forms of monitoring affecting employee privacy (e.g. access control, GPS in some cases)

Employers using monitoring tools must ensure their setup is compatible with these specific Labour Code provisions, not only GDPR.

Legitimate Purposes Strictly Defined

For monitoring to be legal, Polish law explicitly links it to specific purposes, such as:

  • ensuring work organization and safety
  • protection of property
  • controlling production
  • safeguarding confidential information

Monitoring may not be used for unlimited, general surveillance or for purposes unrelated to these legitimate aims.

Strong Obligations to Inform Employees in Internal Rules

Beyond GDPR's general transparency, Polish law requires that:

  • monitoring must be described in internal regulations (e.g. work regulations / workplace policies), and
  • employees must be informed in writing, before monitoring begins.

The information must cover at least:

  • type of monitoring (e.g. CCTV, email/logs)
  • areas/devices covered
  • purpose of monitoring
  • its scope and methods
  • retention time

Limitations on Areas That Can Be Monitored

The Labour Code gives special protection to certain spaces, similar to other strict EU countries:

  • monitoring is not allowed in areas such as changing rooms, sanitary areas, canteens, or smoking rooms
  • exceptions are possible only under very strict conditions and with additional safeguards (like masking, blurring, technical limits)

Any function in employee monitoring software that could be used for visual surveillance must respect these area-based prohibitions.

Email and IT Monitoring – Additional Safeguards

Poland explicitly regulates monitoring of employee email and electronic communications:

  • It must be necessary to ensure organization of work, proper use of work tools, or protection of information
  • It must not violate the secrecy of correspondence beyond what is necessary for the stated purpose
  • Private correspondence should not be systematically accessed or processed

Consultation / Information of Employee Representatives

Where employee representatives or trade unions exist, employers are generally expected to:

  • inform and consult them about the introduction of monitoring systems
  • present the internal rules and justification

This is less rigid than German-style co-determination but still an important practical requirement in Poland.

Czechia

Key Legal Documents

  • GDPR (EU Regulation 2016/679) – fully applicable
  • Act No. 110/2019 Coll. on the Processing of Personal Data – national adaptation of GDPR
  • Czech Labour Code (Zákoník práce) – workplace monitoring provisions
  • Guidelines from the Czech Data Protection Authority (ÚOOÚ)

Key Czechia-Specific Requirements

Strong Focus on Proportionality and Necessity in the Workplace

ÚOOÚ emphasizes that monitoring must be exceptional, not routine. Employers must justify why monitoring tools are needed, and why less invasive alternatives cannot achieve the same purpose.

Monitoring Allowed Only for Serious and Justified Reasons

Under the Czech Labour Code and ÚOOÚ guidance, acceptable reasons include:

  • protecting property
  • preventing security incidents
  • ensuring safety of employees
  • safeguarding sensitive or confidential information

Monitoring cannot be used to systematically track performance if less intrusive methods exist.

Additional Transparency Requirements

Beyond GDPR, Czech law requires:

  • explicit, clear, comprehensible information to employees
  • specification of which tools are used, what data is collected, and how long it is kept
  • posting or providing written rules on monitoring

Employers must also specify what types of behaviour or activities are being supervised.

Broad or vague monitoring statements are not acceptable.

Monitoring Private Communications Prohibited

ÚOOÚ explicitly prohibits employers from:

  • accessing private emails
  • monitoring personal messages
  • collecting data that clearly belongs to private use (even on company devices)

If tools like CleverControl log communication channels, employers in Czechia must ensure monitoring remains strictly work-related.

Restriction on Audio and Video Surveillance

The Czech Labour Code provides strict limitations:

  • Audio recording is almost always unlawful in the workplace
  • Video surveillance must be necessary and proportionate
  • Cameras are forbidden in spaces such as: changing rooms, rest areas, social facilities (bathrooms, showers), break rooms

Monitoring must avoid capturing private behavior.

No Covert Monitoring (Except for Criminal Investigations)

As in many EU states, Czechia bans secret monitoring.

It is allowed only if:

  • there is reasonable suspicion of a criminal offence
  • the monitoring is temporary
  • no less invasive method exists
  • it complies with criminal procedure laws

Consultation With Employee Representatives

If a company has employee representatives or a trade union, Czech law requires:

  • information
  • discussion
  • consultation

before introducing workplace monitoring systems.

United Kingdom

Key Legal Documents

  • UK GDPR – post-Brexit version of GDPR
  • Data Protection Act 2018 (DPA 2018)
  • Employment Practices Code and Monitoring at Work Guidance (ICO) – non-binding but authoritative
  • Relevant case law on privacy at the workplace (e.g., Barbulescu applied in UK context)

Key UK-Specific Requirements

Strong Emphasis on "Fairness" Under ICO Guidance

The UK's Information Commissioner's Office (ICO) adds an additional interpretive layer not present in EU GDPR:

Monitoring must be fair, which is evaluated through:

  • balance of interests
  • reasonableness
  • transparency
  • avoidance of unjustified intrusion into private life

The "fairness test" is uniquely emphasized in the UK.

Requirement for a Documented "Legitimate Interests Assessment" (LIA)

While GDPR encourages LIAs, the UK effectively treats them as mandatory for employee monitoring.

Employers implementing monitoring tools should have a written LIA covering:

  • purpose, necessity, alternatives, and proportionality
  • mitigation measures

ICO routinely asks for LIAs during audits.

Elevated Expectations for Consultation With Employees

Unlike Germany or Spain, the UK does not legally require works council approval, but ICO guidance expects:

  • open consultation with employees or their representatives
  • discussion of why monitoring is needed
  • explanation of risks and safeguards

Strong Restrictions on "Private Use" Monitoring

The UK places special protections on employees' private communications or personal device use.

Employers must ensure:

  • private emails or messages are not accessed or read
  • any monitoring of internet use excludes clearly private content
  • BYOD (personal device) monitoring is extremely limited

ICO prioritizes respecting employees' reasonable expectation of privacy.

Special Requirements for Covert Monitoring

Covert monitoring in the UK is allowed only in exceptional circumstances, following strict ICO rules:

  • where there is reasonable suspicion of criminal activity
  • monitoring must be targeted and time-limited
  • cannot be used for general performance review
  • must be approved at a senior management level
  • must stop once the investigation ends

Additional Requirements for Audio and Video Monitoring

Audio recording in the workplace is treated as highly intrusive under UK law:

  • generally discouraged
  • allowed only with very strong justification
  • covert audio recording is almost always unlawful

Video monitoring requires:

  • visible notices
  • defined retention periods
  • justification for capturing identifiable employees

Data Protection Impact Assessment (DPIA) Strongly Expected

Although UK GDPR mirrors EU GDPR, the ICO is particularly strict about DPIAs for:

  • screen monitoring
  • keystroke logging
  • webcams
  • location tracking

The UK treats these as high-risk by default, and DPIAs are expected even if not explicitly mandated by law.

Additional Attention to Automated/Algorithmic Monitoring

The ICO requires specific transparency when monitoring tools influence:

  • performance evaluation
  • behaviour scoring
  • automated management decisions

Romania

Key Legal Documents

  • GDPR (EU Regulation 2016/679) – fully applicable
  • Law No. 190/2018 – Romanian national law accompanying GDPR
  • Guidance and decisions of the Romanian Data Protection Authority (ANSPDCP)
  • Relevant labour legislation regarding employee rights and privacy

Key Romania-Specific Requirements

Explicit Requirements Under Law 190/2018 for Employee Monitoring

Romania is one of the few EU countries with a special law directly regulating employee monitoring.

Article 5 of Law 190/2018 adds conditions stricter than GDPR, including:

  • Monitoring must be strictly necessary for the employer's legitimate interest
  • No other less intrusive method is available
  • Monitoring must be limited in duration, scope, and access
  • Monitoring must not "exceed what is necessary" for the stated purpose

Mandatory DPIA for Employee Monitoring

Under Law 190/2018, Romania explicitly requires a Data Protection Impact Assessment (DPIA) before deploying any employee monitoring system.

The DPIA must include:

  • justification of necessity
  • assessment of proportionality
  • risks to employee rights
  • safeguards to reduce those risks
  • alternatives considered

This requirement is written directly into Romanian law.

Strict Transparency and Prior Information Requirements

Romanian law requires that employees be informed:

  • in advance
  • clearly and explicitly
  • about the nature, purpose, duration, methods, and scope of monitoring

The employer must justify:

  • why monitoring is needed
  • how long the monitoring will last
  • how collected data will be used
  • who will access it

Monitoring Must Be Limited to a Maximum Necessary Duration

Law 190/2018 requires that monitoring:

  • be limited in time
  • not be constant or indefinite
  • stop once the monitoring purpose has been achieved

Continuous, always-on monitoring (screenshots, keylogging, webcam) is considered excessive unless narrowly justified.

Restrictions on Monitoring Private Spaces and Private Communications

Similar to other EU states, but with stronger interpretations under ANSPDCP guidance:

  • No monitoring in private areas (break rooms, restrooms, social areas)
  • Monitoring must avoid collecting private communications
  • Employers must implement technical controls to prevent accidental capture of personal content

Strong Emphasis on Alternatives

Romanian law uniquely requires the employer to prove that "there are no other less intrusive means available" to achieve the same purpose.

Many EU countries imply this; Romania explicitly requires it. This is a high threshold.

Collective Labour Rights Considerations

If trade unions or employee representatives exist, employers should:

  • inform them
  • discuss monitoring plans
  • ensure compliance with collective bargaining agreements

Hungary

Key Legal Documents

  • GDPR (EU Regulation 2016/679) – fully applicable
  • Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information
  • Hungarian Labour Code (Act I of 2012)
  • Guidance from the Hungarian National Authority for Data Protection and Freedom of Information (NAIH)

Key Hungary-Specific Requirements

"Behavioural Monitoring" Allowed Only With Strong Justification

Hungarian practice is quite strict on monitoring employees' behaviour and performance.

  • Monitoring tools (including software like CleverControl) may be used only if strictly necessary to protect a legitimate interest (property, security, trade secrets, etc.).
  • Pure productivity or "general control" without concrete risk is often seen as disproportionate.
  • Employers must be able to prove why each specific type of monitoring (e.g., website use, screenshots, app tracking) is needed.

The necessity/proportionality test is applied very tightly by NAIH.

Written Internal Policy + Individual Information Obligations

Beyond standard GDPR transparency, Hungarian practice expects:

  • a written internal policy (e.g., IT / monitoring policy) that clearly regulates:

      • what is monitored
      • on which devices
      • during which time period
      • with which technical means
      • for what exact purposes

  • individual information to each employee, not just a generic clause in the contract.

Monitoring of Private Use Is Heavily Restricted

Hungarian authorities take a strict stance on private use of company tools:

  • Employers may restrict or forbid private use of company devices, but
  • if private use is allowed at all, systematic access to private content (emails, messages, websites clearly marked as private) is not permitted.
  • Even if private use is forbidden, employees keep a residual expectation of privacy, so deep-content inspection is risky.

Hidden / Covert Monitoring Is Practically Excluded

Although GDPR generally disfavours covert monitoring, Hungarian interpretation is extremely narrow:

  • Secret monitoring of employees is considered almost always unlawful.
  • It may be acceptable only in very rare cases involving criminal offences, and even then it is usually conducted by law enforcement, not employers.

Location and GPS Tracking Viewed as Highly Intrusive

NAIH considers location monitoring (GPS) particularly sensitive:

  • Constant live tracking of employees is seen as excessive except for very specific jobs (e.g., certain transport, security, field services).
  • Even then, tracking must be limited to working time and minimized.

Belgium

Key Legal Documents

  • GDPR (EU Regulation 2016/679) – fully applicable
  • Belgian Data Protection Act of 2018 (Loi du 30 juillet 2018 / Wet van 30 juli 2018)
  • Guidance & decisions of the Belgian Data Protection Authority (APD/GBA)
  • Relevant Labour Code provisions (workplace privacy & employee rights)

Key Belgium-Specific Requirements

Very Strong Proportionality Standard (APD/GBA Practice)

Belgium applies a stricter-than-average proportionality test:

  • Monitoring must be demonstrably the least intrusive method available.
  • Employers must show a specific, concrete need, not general productivity justification.
  • Blanket or continuous monitoring (e.g., always-on screen capture, keystroke logging) is often deemed excessive.

The APD/GBA treats employee dignity and autonomy as core values, making Belgium stricter than most EU states.

Covert Monitoring Is Essentially Prohibited

While GDPR discourages hidden monitoring, Belgium is one of the strictest jurisdictions:

  • Secret monitoring is virtually never lawful, even for misconduct.
  • APD/GBA decisions consistently reject covert tools unless immediate, very serious criminal activity is involved, and even then on a temporary basis.

Works Council / Trade Union Consultation Required When Present

Belgian labour law requires that:

If a Works Council, Trade Union Delegation, or Committee for Prevention and Protection at Work exists, employers must consult them before implementing monitoring systems.

This includes:

  • monitoring rules
  • technical means
  • purposes
  • retention periods
  • usage policies

Belgium is not as rigid as Germany, but consultation is legally mandatory in organizations with representative bodies.

Restrictions on Email and Internet Monitoring

Belgium applies detailed rules similar to the strictest EU countries:

  • Employers must avoid reading contents of personal communications.
  • Even business communications may only be accessed for legitimate, necessary reasons.
  • If private use is allowed at all, monitoring tools must be configured to avoid collecting private content.

Audio and Video Monitoring Heavily Circumscribed

Belgian law requires:

  • A very high level of justification for audio or video capture
  • No monitoring in private or semi-private spaces (break rooms, restrooms, etc.)
  • Clear, visible signage for cameras
  • A strict retention schedule (often only days or weeks)

Audio monitoring in particular is strongly disfavored and nearly always unlawful in office environments.

Enhanced DPIA Expectations

Belgium treats many employee-monitoring scenarios as presumed high-risk, requiring:

  • a full DPIA
  • detailed documentation of monitoring scope
  • precise identification of alternatives
  • strong mitigation measures

The Belgian DPA frequently requests DPIA documentation in audits.

Netherlands

Key Legal Documents

  • GDPR (EU Regulation 2016/679) – fully applicable
  • Dutch Implementation Act (Uitvoeringswet AVG – UAVG)
  • Guidance from the Dutch Data Protection Authority (Autoriteit Persoonsgegevens – AP)
  • Relevant provisions from the Dutch Civil Code (Burgerlijk Wetboek) and Works Councils Act (Wet op de ondernemingsraden – WOR)

Key Netherlands-Specific Requirements

Mandatory Works Council Permission for Monitoring (WOR)

The Netherlands strictly requires Works Council consent before implementing any employee monitoring system.

Under WOR Article 27:

  • Monitoring systems affecting the privacy of employees cannot be introduced without Works Council approval
  • This is not just consultation; the Works Council has true co-decision rights
  • Without approval, monitoring is unlawful

Dutch DPA (AP) Applies a Very Strict Proportionality Test

The AP is one of the strictest data protection authorities in Europe.

Its standard requires:

  • Monitoring must be the last resort, after evaluating all less intrusive alternatives.
  • Even justified monitoring must be configured to be as minimal as possible.
  • Continuous or highly invasive monitoring (e.g., keylogging, webcam use, mic recording) is almost always considered excessive.

Employers must document in detail why monitoring is needed and how alternatives were considered.

No Covert Monitoring Except in Very Rare Criminal Circumstances

Dutch rules are extremely strict:

Secret monitoring is prohibited in nearly all situations.

It is allowed only when:

  • there is serious suspicion of a crime
  • monitoring is temporary
  • the employer cannot achieve the same result by other means
  • and only after notifying the AP if high risk is involved.

Strong Protection of Private Communications and Personal Use

The Netherlands strongly protects employee privacy even on work assets:

  • If private use of work devices is allowed (formally or informally), monitoring tools must be configured to exclude private content.
  • Reading personal emails, chats, or private messages is almost always unlawful.
  • Internet-use monitoring must focus on categories and patterns, not private content.

Strict separation of private and work data is expected.

Audio and Video Monitoring Highly Restricted

The AP considers audio and video monitoring very intrusive:

  • Audio recording is almost always inadmissible.
  • Video monitoring must be strictly justified and never continuous.
  • Cameras cannot film employees at their workspace unless needed for serious safety/security reasons.
  • Monitoring must never capture break areas, restrooms, or personal spaces.

High Expectation for DPIA Documentation

The AP expects a full DPIA for:

  • screen monitoring
  • keystroke logging
  • webcam/microphone use
  • location tracking
  • any continuous or behaviour-based monitoring

The DPIA must be detailed, including alternatives considered and mitigation measures.

Austria

Key Legal Documents

  • GDPR (EU Regulation 2016/679) – fully applicable
  • Austrian Data Protection Act (Datenschutzgesetz – DSG)
  • Austrian Labour Constitution Act (Arbeitsverfassungsgesetz – ArbVG) – works council rights
  • Guidance from the Austrian Data Protection Authority (Datenschutzbehörde – DSB)

Key Austria-Specific Requirements

Works Council Co-Determination for Monitoring Systems

In companies with a works council (Betriebsrat), Austria requires a shop agreement (Betriebsvereinbarung) for any system that monitors employees' behaviour or performance.

  • The works council has co-determination rights, not just consultation.
  • Without a valid shop agreement, introducing a monitoring system can be unlawful and also a labour-law violation.

"Permanent Control" of Behaviour Is Strongly Disfavoured

Austrian practice considers permanent, detailed monitoring of performance/behaviour highly problematic:

  • Continuous tracking (e.g. detailed activity logs, constant screen capture, keylogging) is usually seen as disproportionate.
  • Monitoring must be targeted, limited in scope and time, and clearly justified.

The DSB tends to apply a strict proportionality lens for workplace tools.

High Sensitivity Around Audio and Image Recording

Austria treats audio and image/video recording in the workplace as particularly intrusive:

  • Audio recording is almost never acceptable in normal office environments.
  • Video/screen capture must be strongly justified (e.g. safety-critical environments) and configured to the minimum necessary scope.
  • Any monitoring that allows observation of employees at their workstation over longer periods is subject to especially strict scrutiny.

Protection of Private Sphere Even on Work Devices

Even when devices are company-owned, Austrian law and DSB practice emphasize:

  • Respect for the employee's private sphere, especially where private use is tolerated.
  • Monitoring tools must be configured to avoid reading clearly private content (personal emails, private chats, etc.).

Deep content inspection of communications is risky and usually excessive when less intrusive options (metadata, categories) exist.

Need for Clear Internal Policies and Transparency

Beyond generic GDPR transparency, Austrian practice expects:

clear internal policies / Betriebsvereinbarungen that precisely describe:

  • what is monitored
  • which tools are used
  • purposes and legal basis
  • retention periods
  • who has access

written information to employees, not only a general reference in a contract.

This written framework is essential when deploying monitoring tools.

Switzerland

Key Legal Documents

  • Federal Act on Data Protection (FADP / revDSG, in force since 2023)
  • Ordinance to the FADP (DPO / VDSG)
  • Guidance and decisions of the Swiss Federal Data Protection and Information Commissioner (FDPIC)
  • Swiss Code of Obligations and Labour Law (employee privacy considerations)

Key Switzerland-Specific Requirements

Monitoring Must Not "Overburden" or "Systematically Observe" Employees

Swiss labour law prohibits monitoring of:

  • employee behaviour
  • movement/activity
  • continuous observation
  • detailed performance tracking

if it leads to health risks, stress, pressure or violates employee dignity.

Explicit Duty to Avoid Monitoring Private Life

Under the FADP and Swiss labour principles:

  • Tools must not intrude into the private sphere, even on company devices.
  • If private use is allowed (even occasionally), employers must configure monitoring tools to avoid capturing private content.

This expectation is more explicit and protective compared to many EU states.

Strong Transparency Requirement (Clear, Advance Notice)

Swiss law requires employees to receive clear, advance information on:

  • what is monitored
  • how it is monitored
  • the purpose
  • the type of data collected
  • retention duration
  • access rules

Generic or vague notices are insufficient.

Monitoring for Performance Control Requires Extra Justification

According to the FDPIC:

  • Monitoring that evaluates productivity or behaviour is admissible only if strictly necessary.
  • Even then, data must be aggregated or anonymized whenever possible.
  • Direct employee identification should be avoided unless no alternative exists.

This goes beyond GDPR by imposing more limitations on performance evaluation.

Covert Monitoring Is Strictly Prohibited

Swiss law forbids hidden monitoring except in extremely rare cases involving:

  • strong suspicion of criminal activity
  • temporary, targeted measures
  • proportionality assessment
  • usually with criminal-law oversight

Cross-Border Data Transfers Are Regulated Differently From GDPR

Switzerland has its own list of "adequate countries."

Transfers outside Switzerland require:

  • adequacy decision, OR
  • Swiss SCCs (not the EU versions), OR
  • equivalent safeguards

Swiss SCCs differ slightly from EU SCCs, so employers must use the correct version.

Works Councils Are Rare, But Consultation Is Expected Where They Exist

Switzerland does not require works councils by default, but where employee representative bodies exist, consultation is expected before introducing monitoring.

Greece

Key Legal Documents

  • GDPR (EU Regulation 2016/679) – fully applicable
  • Greek Data Protection Law 4624/2019 – national implementation of GDPR
  • Guidance and decisions of the Hellenic Data Protection Authority (HDPA / DPA)
  • Greek Labour Law (employee rights & workplace privacy)

Key Greece-Specific Requirements

Strict Proportionality & "Last Resort" Approach

The Hellenic DPA interprets proportionality very strictly:

  • Employee monitoring tools must be used only if no less intrusive alternative exists.
  • Employers must justify why monitoring is necessary and why softer solutions are insufficient.
  • General productivity or routine performance tracking is often considered disproportionate.

Written Internal Policy Is Mandatory

Greek law expects:

  • a written internal company policy describing monitoring
  • details on purpose, scope, method, and access
  • clear distinction between permitted and prohibited uses
  • direct communication to employees before monitoring begins

A generic GDPR privacy notice is not enough.

Explicit Ban on Monitoring Private Communications

Greece strongly protects employees' private life:

  • Private emails, chats, and personal communications cannot be accessed, monitored, or reviewed.
  • Even on corporate devices, employers must ensure monitoring tools do not capture private content.
  • If personal use is permitted at all, deeper monitoring is effectively forbidden.

Covert Monitoring Is Not Allowed

The Greek DPA takes an extremely strict view:

Hidden or secret monitoring is almost always unlawful.

It is permitted only in rare cases of serious criminal suspicion, with:

  • strict necessity
  • short duration
  • strong documentation
  • limited scope

CCTV Rules Are Very Strict (Also Applied to Digital Monitoring)

Although these rules were designed for CCTV, the Greek DPA applies similar standards to any system capable of watching or recording employees:

  • Must not monitor workstations continuously.
  • Must not target employees individually unless absolutely necessary.
  • Must not cover break rooms, cafeterias, rest areas, or private zones.
  • Recordings must have short retention periods.

DPIA Expected for Most Employee Monitoring

Law 4624/2019 and HDPA guidance treat employee monitoring as high-risk:

  • DPIA is required for most implementations
  • Must document alternatives, risks, and mitigation
  • HDPA may request evidence in case of inspections

Consultation With Employee Representatives

Where trade unions, employee committees, or staff representatives exist:

  • employers must consult them before introducing monitoring
  • and discuss the written internal policy

Cyprus

Key Legal Documents

  • GDPR (EU Regulation 2016/679) – fully applicable
  • Cyprus Law 125(I)/2018 – national implementation of GDPR
  • Guidance & decisions of the Office of the Commissioner for Personal Data Protection (Cypriot DPA)
  • Relevant provisions of the Cyprus Labour Law

Key Cyprus-Specific Requirements

Strict Proportionality and Necessity Interpretation

The Cypriot DPA applies a strict proportionality test, similar to Greece:

  • Monitoring must be clearly necessary for a specific, legitimate purpose.
  • Less intrusive alternatives must be considered first.
  • Continuous or highly intrusive monitoring (constant tracking, screenshots, keylogging) is typically disfavored.

Employers must be able to justify why the monitoring method used is required.

Mandatory, Detailed Employee Information

Cyprus requires a more explicit and detailed notice than standard GDPR transparency:

Employees must be informed about:

  • purpose and necessity of monitoring
  • specific tools used
  • methods and frequency of data collection
  • who has access
  • retention periods
  • rights and complaint mechanisms

A generic privacy notice is not considered sufficient.

Ban on Monitoring Private Areas and Personal Data

The Cypriot DPA expressly prohibits monitoring:

  • break rooms
  • restrooms
  • dining areas
  • any "private" or semi-private space
  • private chats, personal messages, or personal email accounts
  • clearly private browsing content

If employers permit limited private use of devices, monitoring must exclude any private content capture.

Covert Monitoring Is Not Allowed Except for Criminal Suspicion

Cyprus strongly restricts hidden monitoring:

  • Covert monitoring is unlawful except in severe cases of criminal suspicion.
  • Even then, it must be targeted, time-limited, and proportionate.
  • Secret surveillance for productivity, performance, or routine supervision is completely prohibited.

DPIA Expected for Most Employee Monitoring Systems

While GDPR requires a DPIA for high-risk tools, the Cypriot DPA treats employee monitoring in general as a high-risk category, meaning employers should:

  • conduct a DPIA before deployment
  • document risks and mitigation measures
  • justify necessity
  • evaluate alternative solutions
  • provide evidence upon DPA request

Consultation With Employee Representatives

If employee committees or unions exist:

  • employers must consult with them before deploying monitoring systems
  • must present the monitoring policy and justification

This is a legal expectation under Cypriot labour practices.

Denmark

Key Legal Documents

  • GDPR (EU Regulation 2016/679) – fully applicable
  • Danish Data Protection Act (Databeskyttelsesloven)
  • Guidance from the Danish Data Protection Authority (Datatilsynet)
  • Relevant provisions of Danish Employment Law

Key Denmark-Specific Requirements

Very Strong Transparency Requirement (Beyond GDPR)

Denmark is one of the strictest EU countries regarding transparency:

Employees must be informed clearly, specifically, and individually about any monitoring.

The employer must explicitly describe:

  • which monitoring tools are used
  • what data is gathered
  • how often data is collected
  • who has access
  • retention periods

The Danish DPA has sanctioned companies for insufficient detail in employee monitoring notices.

Monitoring Must Be Strictly Necessary (Enhanced Proportionality Test)

Danish law and Datatilsynet guidance require monitoring to be:

  • necessary
  • proportionate
  • relevant to the job task

The DPA routinely finds violations when employers use:

  • continuous screen monitoring
  • excessive internet tracking
  • keylogging or metadata collection beyond what is required.

Explicit Ban on Hidden or Covert Monitoring

Denmark prohibits all forms of covert monitoring except in extremely specific criminal-investigation contexts, and even then:

  • the employer must have very strong reasons
  • monitoring must be temporary
  • only for a clearly defined suspicion

Employee Representatives Must Be Informed

When a workplace has employee representatives or a cooperation committee:

  • they must be informed and involved in discussions about monitoring
  • although not as strict as Germany or the Netherlands, Denmark expects documented internal dialogue
  • employee representation must receive all relevant information before deployment

Datatilsynet strongly encourages such consultation.

Strict Rules on Email and Internet Monitoring

Danish practice imposes higher standards for digital communication monitoring:

  • Reading the contents of employee emails is allowed only in exceptional situations.
  • Employers must avoid capturing or reading personal communications even if sent from work devices.
  • Internet tracking must focus on categories or patterns, not specific page content.

Screen Recording and Keylogging Heavily Restricted

Datatilsynet treats:

  • keylogging
  • continuous screen capture
  • webcam recording

as highly intrusive and rarely lawful unless strictly required for security or compliance purposes.

A DPIA is strongly recommended (and effectively expected) for such features.

Short and Clear Retention Periods

The Danish DPA requires:

  • short, well-defined retention periods for monitoring data
  • regular deletion
  • retention policies easily accessible to employees

Sweden

Key Legal Documents

  • GDPR (EU Regulation 2016/679) – fully applicable
  • Swedish Data Protection Act (Dataskyddslagen 2018:218)
  • Guidance from the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten – IMY)
  • Relevant provisions of the Swedish Employment Protection and Co-Determination Acts

Key Sweden-Specific Requirements

Extremely High Standard for Transparency and Predictability

Sweden has one of the strictest transparency expectations in the EU.

IMY requires employers to clearly inform employees about:

  • reasons for monitoring
  • exact tools used
  • data collected and "how often"
  • retention periods
  • who accesses the information
  • whether monitoring affects work evaluation

Generic information is not enough; the notice must be concrete, specific, and predictable.

Monitoring Must Not Affect "Employee Dignity"

Under Swedish labour principles and IMY practice:

  • Monitoring must not undermine employee dignity, autonomy, or trust.
  • Systems that create pressure, stress, or a sense of constant oversight may be deemed unlawful.

Hidden Monitoring Is Explicitly Prohibited

Sweden does not permit covert monitoring except in extremely rare, criminal-investigation situations handled by law enforcement:

  • Routine or workplace covert monitoring is illegal.
  • Employers must never use monitoring tools in a hidden mode.

Strong Restrictions on Email, Internet, and Communication Monitoring

Swedish guidance treats monitoring of digital communications as highly intrusive:

  • Accessing email content is only allowed in specific, exceptional cases (e.g., absence handling, security incidents).
  • Monitoring private communication is strictly prohibited.
  • Even metadata collection must be limited to what is needed.

Monitoring tools must be configured to avoid capturing personal messages or clearly private material.

Screen Monitoring and Keylogging Are Strongly Discouraged

IMY considers:

  • keylogging
  • frequent screenshots
  • live-screen monitoring
  • webcam capture

to be very intrusive forms of surveillance.

Short Retention Periods and Strict Data Minimization

Sweden requires employers to:

  • define short retention periods
  • delete monitoring data regularly
  • apply strict access control
  • store only minimum necessary information.

Consultation Obligations Through Worker Representation

If a workplace has union representation or a local worker committee:

  • employers must inform or consult them before introducing monitoring systems
  • provide documentation and justification
  • allow dialogue about proportionality and necessity.

Ireland

Key Legal Documents

  • GDPR (EU Regulation 2016/679) – fully applicable
  • Data Protection Act 2018 (Ireland) – national implementation and additional conditions
  • Guidance from the Irish Data Protection Commission (DPC)
  • Relevant provisions of Irish employment and labour law

Key Ireland-Specific Requirements

Strong Emphasis on "Fairness" and Employee Expectation of Privacy

Ireland follows GDPR but places special emphasis on fairness:

  • Monitoring must be clearly predictable for employees.
  • Employers must assess employees' reasonable expectation of privacy in any given situation.
  • Surprise monitoring or monitoring beyond what employees reasonably foresee can be unlawful even if transparent on paper.

Detailed and Specific Transparency Requirements

The DPC expects very explicit and detailed employee notices, including:

  • technical description of what the monitoring tool actually records
  • frequency of monitoring
  • whether automated analytics are used
  • who in the organization reviews the data
  • whether the monitoring can influence disciplinary or performance decisions

Prohibition of Disproportionate or Continuous Monitoring

DPC guidance is strict on excessive monitoring:

  • continuous or real-time tracking (screens, keystrokes, surveillance-style methods) is normally excessive
  • monitoring must be minimal, necessary, and justified
  • activity that appears to "watch everything an employee does" is considered a violation of Irish employment rights

Covert Monitoring Only Allowed for Criminal Suspicion

The DPC prohibits hidden monitoring except where:

  • there is serious suspicion of criminal activity
  • monitoring is targeted and short-term
  • no reasonable alternative exists
  • senior management authorizes it
  • the purpose is strictly investigative

Monitoring Private Communications Is Strictly Forbidden

Even on company devices, employers must not:

  • access private emails
  • read personal messages
  • collect clearly private browsing content

DPIA Is Required for Most Employee Monitoring

The DPC considers employee monitoring high-risk by default, meaning:

  • DPIAs must be completed before implementation
  • risks and alternatives must be fully assessed
  • DPIA documentation may be requested during inspections

Consultation With Employee Representatives Where Present

While not as strict as Germany's co-determination system, Irish workplace practice expects:

  • consultation with unions or employee committees
  • disclosure of monitoring plans and DPIA results
  • internal dialogue on necessity, proportionality, and safeguards

This expectation flows from employment relations principles rather than strict statutory mandate.

Portugal

Key Legal Documents

  • GDPR – fully applicable
  • Portuguese Data Protection Law 58/2019
  • Portuguese Labour Code (Law 7/2009) – Articles 20–21 on workplace and remote surveillance
  • Guidance from the Portuguese Data Protection Authority (CNPD)

Portugal-Specific Requirements

Absolute Ban on Hidden Cameras and Covert Video Surveillance

Portugal strictly prohibits:

  • hidden cameras
  • covert video monitoring
  • secret observation of employees

All visual monitoring must be visible, declared, and justified. Covert monitoring (even for disciplinary purposes) is never allowed.

Strong Restrictions on Email and IT Monitoring

Portugal applies stricter standards than GDPR for digital communication monitoring:

  • Permanent or systematic monitoring of employee email is not permitted.
  • Monitoring must be occasional, targeted, and tied to legitimate, specific risks.
  • Employers must have clear internal rules describing private use, boundaries, and monitoring practices.
  • Monitoring must always follow a least-intrusive approach.

Mandatory Monitoring & Usage Policy

Portuguese practice requires a detailed internal policy explaining:

  • what monitoring occurs
  • which tools are used
  • the scope and purpose
  • how data is collected and stored
  • whether private use of devices is allowed
  • safeguards protecting employees' privacy

Remote Work Restrictions (Very Important in Portugal)

Portugal introduced some of the strictest remote-work monitoring rules in the EU:

  • Employers cannot monitor employees working from home using surveillance, behavioural-tracking, or intrusive monitoring tools.
  • Employers cannot contact workers outside working hours ("right to disconnect").
  • Monitoring of remote work must be minimal, justified, and must not intrude into the private home environment.

Strict Interpretation of Necessity and Proportionality

Portuguese authorities apply:

  • strict necessity (monitoring only when absolutely required)
  • strict proportionality (minimal data, minimal duration)
  • strict relevance (no general-purpose surveillance).

Monitoring must be clearly tied to security, compliance, or asset protection — not general productivity control.

Slovakia

Key Legal Documents

  • GDPR (EU Regulation 2016/679) – fully applicable
  • Act No. 18/2018 Coll. on Personal Data Protection – Slovak GDPR adaptation
  • Guidance from the Slovak Data Protection Authority (Úrad na ochranu osobných údajov SR)
  • Relevant provisions of the Slovak Labour Code

Slovakia-Specific Requirements

Very Strict Transparency Requirements

Slovakia goes beyond GDPR in requiring:

clear, written, detailed information before any monitoring begins

information must explicitly state:

  • the tool used
  • the exact purpose
  • data collected
  • retention duration
  • frequency of monitoring
  • methods and technologies used

The Slovak DPA frequently penalizes employers for vague or incomplete monitoring notices.

Monitoring Must Be Strictly Necessary and Proportionate

Slovakia interprets necessity and proportionality strictly:

  • monitoring must be tied to a specific, justified purpose (e.g., safety, security, protection of assets)
  • general productivity monitoring is viewed as excessive
  • continuous or all-encompassing monitoring (screenshots, keylogging, constant recording) is likely disproportionate

Slovak regulatory practice generally favours the employee's privacy interest in borderline cases.

Covert Monitoring Prohibited Except in Criminal Cases

Slovak law does not permit hidden or covert workplace monitoring, except if:

  • there is serious suspicion of a criminal offence
  • monitoring is time-limited and targeted
  • no alternative exists
  • and it complies with criminal-law procedures.

Strict Limitations on Visual and Audio Monitoring

Slovakia imposes strict controls on any form of visual or audio monitoring:

  • No monitoring in private or semi-private spaces
  • Audio recording is almost always unlawful
  • Screen or video capture must be extremely limited in scope and duration
  • Recording workflows or desktops for continuous oversight is usually considered excessive

Monitoring of Communications Strongly Restricted

Under Slovak practice:

  • employers must not access private emails or personal messages
  • even business email content monitoring must meet strict necessity
  • if private use is permitted on company devices, more intrusive forms of monitoring cannot be used

Monitoring must focus on metadata and patterns, not the content of private communications.

Consultation With Employee Representatives

If trade union bodies or employee councils exist:

  • employers must consult them prior to introducing monitoring
  • must explain necessity, scope, and processes
  • must provide documentation and internal rules

DPIA Expected for Employee Monitoring

Although not always expressly mandated, the Slovak DPA expects a Data Protection Impact Assessment (DPIA) for:

  • screen monitoring
  • keystroke or behaviour tracking
  • camera or audio monitoring
  • any continuous or automated supervision

Malta

Key Legal Documents

  • GDPR (EU Regulation 2016/679) – fully applicable
  • Data Protection Act, Chapter 586 (Malta) – national implementation of GDPR
  • Guidance and decisions of the Information and Data Protection Commissioner (IDPC)
  • Relevant provisions of Maltese employment law

Malta-Specific Requirements

Strong Emphasis on Transparency and Written Notification

Malta follows GDPR but places a strong emphasis on written, explicit communication to employees.

Before any monitoring, employers must provide:

  • a clear written explanation of what is monitored
  • why monitoring is necessary
  • which tools are used
  • how data is collected and stored
  • who will access it
  • defined retention periods

Necessity and Proportionality Strictly Enforced

According to IDPC practice:

  • monitoring must be strictly necessary for a legitimate, specific purpose
  • employers must justify why less intrusive alternatives cannot achieve the same goal
  • continuous or overly broad monitoring (screens, keystrokes, camera, mic) is often considered excessive

Monitoring of Private Communications Prohibited

Malta strongly protects employee privacy even on company-owned devices:

  • accessing private emails or messages is unlawful
  • monitoring must be configured so that clearly private content is not captured
  • employers must ensure separation between work and personal data on devices where private use is allowed

Covert Monitoring Not Allowed Except for Serious Criminal Cases

Hidden or secret monitoring is prohibited unless:

  • there is strong suspicion of criminal activity
  • the monitoring is temporary and targeted
  • no alternative exists
  • legal advice or law-enforcement involvement supports the measure

Restrictions on Video, Screen, and Audio Monitoring

Malta applies enhanced protection to monitoring that can capture employee behavior visually or audibly:

  • audio recording is almost always unlawful
  • video or screen capture must be very limited, necessary, and justified
  • monitoring cannot occur in rest areas, dining areas, bathrooms, or any other space considered private

DPIA Expected for Most Employee Monitoring

While not always mandatory under GDPR, in Malta the IDPC strongly expects DPIAs for:

  • screen monitoring
  • logging of employee actions
  • location tracking
  • webcam or audio use
  • systematic or automated monitoring

A DPIA helps demonstrate compliance and is often requested by the IDPC in audits or complaint cases.

Consultation With Employee Representatives

Where employee committees or unions exist:

  • employers must inform and consult them
  • explain the purpose, necessity, and safeguards
  • discuss internal monitoring policies

Bulgaria

Key Legal Documents

  • GDPR – fully applicable
  • Personal Data Protection Act (PDPA) – Bulgarian GDPR implementation
  • Guidance and decisions of the Commission for Personal Data Protection (CPDP)
  • Bulgarian Labour Code – employee rights, dignity, and workplace obligations

Bulgaria-Specific Requirements

Constitutional protection of image, audio and video

Under the Bulgarian Constitution, no one may be filmed, recorded or subjected to similar actions without their knowledge or against their express objection, except in cases provided by law.

This means:

  • any visual or audio monitoring of employees (CCTV, screen recording, audio) is treated as highly intrusive
  • monitoring must be clearly communicated and justified
  • forced or "silent" image/audio capture is particularly problematic.

Video surveillance cannot be reused to rate performance or bonuses

The Bulgarian CPDP has explicitly held that:

  • further processing CCTV or video recordings (with or without sound) to assess individual performance or determine bonuses is inadmissible
  • such use is considered incompatible with the original purpose of security/safety and violates GDPR purpose limitation.

Strong protection of employee dignity under the Labour Code

The Labour Code obliges employers to protect the dignity and fundamental rights of employees throughout the employment relationship.

In practice this means:

  • monitoring may not be oppressive, constant, or humiliating
  • "over-monitoring" that creates psychological pressure is likely unlawful
  • intrusive tools (e.g., keylogging, continuous screenshots, webcams) face a very high proportionality bar.

High bar for proportionality and necessity

CPDP and Bulgarian practice require that:

  • monitoring is necessary for a concrete, legitimate purpose (security, protection of property, compliance)
  • less intrusive alternatives must be considered first
  • continuous or wide-ranging behavioural monitoring is generally disfavoured.

Audio and video monitoring with sound is especially risky

The authority has specifically criticised the use of video with audio to evaluate staff performance, holding it incompatible with GDPR.

Any employee monitoring software deployment in Bulgaria should therefore avoid:

  • audio recording altogether
  • screen or video recording used as a continuous evaluation tool.

Employee information and internal documentation

Beyond general GDPR transparency, Bulgarian practice expects:

  • clear internal policies describing monitoring
  • specific notice to employees (tools, purposes, scope, retention)
  • documented storage periods and deletion rules for monitoring data.

Norway

Key Legal Documents

  • GDPR (as incorporated into Norwegian law) – fully applicable
  • Personal Data Act (Norway) – implements GDPR domestically
  • Guidance from the Norwegian Data Protection Authority (Datatilsynet)
  • Relevant provisions of the Working Environment Act (Arbeidsmiljøloven) – strong workplace privacy rules

Norway-Specific Requirements

Extremely Strict Workplace Privacy Rules

Norway has some of Europe's strongest employee-privacy protections.

The Working Environment Act requires that all forms of monitoring:

  • must have a clear, necessary purpose
  • must be proportionate
  • must be limited in scope
  • must not place undue pressure or stress on the employee
  • must consider the worker's dignity and autonomy

Continuous or behaviour-tracking monitoring (screenshots, keylogging, webcam) is typically seen as disproportionate unless justified by very strong reasons.

Mandatory Consultation With Employee Representatives

If the workplace has union representation or a working-environment committee, the employer must:

  • consult them before introducing any monitoring
  • provide documentation on purpose, scope, tools, retention
  • discuss alternative solutions and proportionality

Strict Prohibition on Covert Monitoring

Norwegian law does not allow hidden or secret monitoring of employees except in very rare, serious criminal situations.

Covert monitoring can only occur when:

  • there is clear suspicion of criminal activity
  • it is narrowly targeted and time-limited
  • all less intrusive options are exhausted

Special Rules for Email, Internet, and IT Monitoring

Norway has detailed requirements for monitoring electronic communications:

  • employers may access work email accounts only under specific, documented conditions
  • private communications must never be accessed
  • even business emails can only be opened for limited, necessary reasons
  • monitoring must avoid capturing private content
  • internet monitoring must focus on categories, not contents or personal details

Audio and Video Monitoring Highly Restricted

Datatilsynet treats audiovisual monitoring as highly intrusive:

  • audio recording in workplaces is almost never allowed
  • webcam monitoring or constant screen capture is strongly discouraged
  • cameras cannot be used to observe employees continuously
  • video monitoring must be limited, targeted, and fully transparent

DPIA Required for Most Employee Monitoring Systems

Norway considers employee monitoring a high-risk activity.

A Data Protection Impact Assessment must be performed when monitoring involves:

  • screens
  • behavioural logging
  • audio/video
  • location tracking
  • automated evaluation

Very Strict Rules for Data Retention and Access

Norwegian regulators require:

  • minimal retention periods
  • documented deletion routines
  • strict access control (very few people may view data)
  • clear justification for each category of stored data

Serbia

Key Legal Documents

  • GDPR (EU Regulation 2016/679) – fully applicable in Serbia as part of the EU accession process
  • Law on Personal Data Protection (LPDP, 2018) – Serbian adaptation of GDPR
  • Labour Law (Zakon o radu) – provisions on employee rights and privacy in the workplace
  • Guidance from the Commissioner for Information of Public Importance and Personal Data Protection (PDP)

Key Serbia-Specific Requirements

Co-Determination and Employee Consultation

In Serbia, where employee representatives or trade unions exist:

  • Employers must consult them before introducing any monitoring system, including systems like CleverControl.
  • The consultation process must include providing detailed information about the purpose, scope, and methods of monitoring.
  • Monitoring must not be imposed unilaterally without prior dialogue.

Stronger Restrictions on Audio and Video Monitoring

Serbia treats audio and video surveillance as highly sensitive:

  • Audio monitoring is almost always prohibited unless it is necessary for a highly specific, legitimate purpose (e.g., criminal investigation).
  • Video monitoring is allowed but must be proportionate and must not be used for performance evaluation.

Monitoring Must Be Justified by a Specific, Legitimate Purpose

Serbia's PDP places a strong emphasis on necessity and proportionality:

  • Monitoring is allowed only if it is necessary for a legitimate purpose (e.g., protecting property, ensuring security).
  • The monitoring must be proportional to the legitimate goal.
  • Employers must demonstrate that no less intrusive means exist to achieve the same purpose.

This means that general monitoring (e.g., tracking employee productivity) without a clear and compelling purpose would be considered unlawful in Serbia.

Data Retention Restrictions

Serbian law closely follows GDPR's retention principle, but with more explicit limitations on retention periods:

  • Data collected through monitoring must not be kept longer than necessary for the purpose for which it was collected.
  • Employers must establish clear data retention policies and implement automatic deletion or anonymization after a specified period.

DPIA (Data Protection Impact Assessment) Required for Most Monitoring

In Serbia, employee monitoring is considered high-risk processing:

  • A DPIA is mandatory for tools that involve monitoring employees' behaviour, performance, location, or communications.
  • Employers must assess the impact of the monitoring, identify potential risks to employee privacy, and mitigate those risks.

Stronger Emphasis on Employee Privacy in the Workplace

The Serbian Labour Law places significant emphasis on employee privacy and dignity:

  • Monitoring systems must be used in a way that does not degrade the employee's dignity or interfere with their privacy.
  • Employers must ensure that employees' reasonable expectations of privacy are respected, especially in non-work-related areas.

Latvia

Key Legal Documents

  • GDPR (EU Regulation 2016/679) – fully applicable
  • Personal Data Protection Law (Latvia) – national adaptation of GDPR
  • Labour Law (Latvijas Darba likums) – governs employee rights and privacy in the workplace
  • Guidance from the Data State Inspectorate (Datu valsts inspekcija, DVI)

Key Latvia-Specific Requirements

Strong Emphasis on Employee Consent for Monitoring

Latvia interprets GDPR's consent provisions more strictly than other EU countries:

  • Consent must be explicit and freely given if it is the basis for monitoring employees (e.g., for access to private data or performance tracking).
  • Employers cannot rely solely on consent in employment relationships because of the power imbalance. In Latvia, explicit consent is usually not seen as a valid legal basis for routine monitoring unless it's for personal choices, like monitoring of company assets (e.g., vehicles, equipment).

Prohibition on Covert Monitoring

Latvia follows the strict GDPR principle against covert monitoring:

  • Monitoring should be open and transparent, with employees fully informed before it starts.
  • Covert monitoring is prohibited except in very narrow cases involving criminal investigations or serious violations, and even then, it requires proper legal justification.

Strict Necessity and Proportionality Test

Latvia applies a strict necessity and proportionality test for monitoring:

  • Employers must justify why the monitoring is necessary for a specific, legitimate business purpose (e.g., security, fraud prevention).
  • The monitoring must be proportionate to the purpose and must not go beyond what is strictly necessary.
  • Continuous monitoring or excessive surveillance of employees (e.g., tracking productivity or individual behaviours) may be considered disproportionate.

Restrictions on Monitoring Private Communications

Latvia has strict restrictions on monitoring private communications:

  • Employers are not allowed to monitor private emails or personal communications unless there is a clear and justified business need (e.g., preventing fraud or ensuring work-related security).
  • Monitoring of personal devices is strictly regulated, and employers must ensure that private communications are not captured.

Strong Employee Rights Protection

The Latvian Labour Law includes specific provisions protecting employees' rights related to monitoring:

  • Employees have the right to access data collected about them through monitoring.
  • Employees may request correction or deletion of any personal data that is incorrect or irrelevant.
  • Employees must be informed about how long their data will be retained and who has access to it.

How to implement CleverControl in compliance with GDPR?

Understand GDPR requirements

Study GDPR to understand its key principles, requirements, and obligations, especially how they apply to the monitoring and processing of employee data. When in doubt, seek legal counsel from experts well-versed in GDPR and data privacy laws to ensure your monitoring practices align with legal requirements.

Be transparent

Honesty is always the best policy, and it matters most when you gather personal data. Under GDPR, individuals have the right to know that you collect their personal data, so you must implement employee monitoring openly. Before installing CleverControl, inform your employees that you want to monitor their activity on work computers and, consequently, gather their data.

Explain what data exactly you are going to collect and how you are going to process and use it.

Explain the purpose

GDPR requires that you collect personal data only for specified, explicit, and legitimate purposes and do not process it in a manner that is incompatible with these purposes. Define reasons and clear goals for using CleverControl and explain them to employees. Should these goals change, be sure to inform the staff about these changes.

Get permission to collect data

Ensure that your employees have provided informed consent to monitoring. We recommend obtaining it in written form. The document should be very clear about what employees are agreeing to. Employees have the right to withdraw their consent at any time.

Minimize data

GDPR encourages you to collect only the data strictly necessary for legitimate business purposes and your goals for monitoring. Avoid gathering excessive or irrelevant information about your employees.

Depending on your goals, you may want to collect diverse information, and this information may vary from team to team or even from employee to employee. CleverControl comes with flexible monitoring settings, allowing you to easily configure what information the program collects about each employee.

Respect data access rights

Under GDPR, individuals have the right to access their data, object to its processing, rectify inaccuracies, and request data deletion. Have a process in place to respond to these requests promptly.

Here is how CleverControl can help you stay in line with employees' rights:

  • You can provide employees with access to collected data with the Reports feature. Reports contain all collected data for any period and user in a convenient format. You can download and send them to employees at any time.
  • Employees can install CleverControl on their computers by following a special link or using the installer file you provide. This is one of the ways they can explicitly express their consent to monitoring.
  • CleverControl stores all collected data on the monitored computer before delivering it to the monitoring dashboard. You can erase all or a specific type of data immediately from that computer using the dashboard.
  • CleverControl Cloud stores collected data on the online dashboard for 1 to 12 months, depending on the data type. After that, it is automatically deleted permanently without the possibility of recovery. At the moment, there is no option to erase the data manually. However, you can remove the computer from your dashboard, and all data associated with it will be removed as well.
  • CleverControl On-Premise and CleverControl Local for Small Business give you full control over the collected data as data remains within your company premises. Define and adhere to specific data retention periods for employee monitoring data. Once the data is no longer needed for its intended purpose, it should be securely deleted.

Maintain confidentiality

GDPR requires that only the personnel who process the data have access to it.

At CleverControl, we do not have any access to collected monitoring logs: all data is processed automatically and stored in encrypted form. Only the CleverControl account owner has access to the gathered information. To stay compliant with GDPR, share this access only with managers who conduct employee assessments based on the collected data. Be sure that only authorized personnel can view the monitoring logs.

CleverControl On-Premise and CleverControl Local for Small Business were specifically designed to give the company full control over how the data is stored and processed - and who can access it.

Train your employees on GDPR compliance and your company's data protection policies, especially those involved in data monitoring and processing.

Disclaimer

Please note that this article is a recommendation and is not intended to replace legal counsel. GDPR compliance is a complex area of law, and the information provided here is for general guidance purposes only. It is essential to consult with a qualified lawyer in your area who specializes in data protection and privacy laws to ensure your organization's full compliance with GDPR. This article should be considered a starting point for your research, not a substitute for professional legal advice.