Conditions for covert monitoring of employees

Normally, covert monitoring is not allowed. Covert monitoring means that you as an employer monitor your employees without their knowledge. Sometimes covert monitoring is permitted, but strict conditions apply. This is because covert monitoring can be very intrusive for employees. The conditions for covert monitoring apply in addition to the conditions for ‘normal’ (non-covert) monitoring.

Step 1: conditions for ‘normal’ monitoring of employees

If you want to covertly monitor your employee(s), you must first comply with the conditions for ‘normal’ monitoring of employees. The second step is to meet the additional conditions for covert monitoring. You must therefore meet all conditions.

Step 2: additional conditions for covert monitoring

These additional conditions apply to the covert monitoring of employees.

Reasonable suspicion

You have a reasonable suspicion that one or more employees are doing something that is punishable or prohibited, such as theft or fraud.

No other option

Despite your best efforts, you are unable to put an end to the theft or fraud. So you really have no other option but to covertly monitor your employee(s).

Temporary

Covert monitoring is temporary in nature. This means you may only use covert monitoring during a predetermined period. You are not allowed to covertly monitor your employee(s) continuously.

Informing

You must always inform the employee(s) involved about the covert monitoring afterwards, even if the monitoring did not reveal that the suspicion was justified.

Carrying out a DPIA

If you want to covertly monitor for the first time, you must first carry out a data protection impact assessment (DPIA).

Does your organisation have a Data Protection Officer (DPO)? Then you must ask the DPO for advice on carrying out the DPIA.

You do not need to perform a DPIA every time you want to covertly monitor employees, provided the method is the same as the first time.

If you carry out a DPIA, it is advisable to review it periodically (for example, every 3 years), even if the data processing itself has not changed.

If, rather than doing it yourself, you leave the covert monitoring to a private detective agency, the private detective agency must carry out a DPIA.

Prior consultation

If the DPIA shows that the proposed covert monitoring entails a high risk, and you are unable to find measures to mitigate this risk, you have to consult with the Dutch Data Protection Authority (DPA) before you start covert monitoring.

This is called prior consultation. If you have a DPO, they can advise on whether prior consultation is necessary.