Conditions for monitoring employees

As an employer, you are only allowed to monitor your employees if you meet the requirements of privacy legislation. For example, you must be able to clearly substantiate why monitoring your employees is necessary and that this organisational interest outweighs the invasion of your employees’ privacy. The do’s and don’ts may differ, depending on the case and sector.

Monitoring employees

There are many technological options for monitoring employees. For example:

  • tracking software that records what employees do on their computer (such as logging in and out, keystrokes, use of email and the Internet);
  • a track & trace system in commercial vehicles (such as a GPS tracker or black box);
  • apps or wearables (such as a smartwatch) that measure health.

In addition, there are traditional methods such as recording telephone conversations or a camera in the workplace. All forms of employee monitoring are subject to the same general rules under privacy legislation.

General rules for monitoring employees

The most important conditions for monitoring personnel are set out in the General Data Protection Regulation (GDPR) and the GDPR Implementation Act (UAVG). These conditions are:

Legitimate interest

You must have a legitimate interest in monitoring your staff. This interest must outweigh the rights and interests of your employees, such as their right to privacy. You must be able to substantiate this.

Necessity

Monitoring your staff must be necessary. This means that you cannot achieve your goal in any other way that is less intrusive on your employees’ privacy.

Informing personnel

You must inform your employees about:

  • what is allowed and what is not;
  • that monitoring may be used;
  • why and when you monitor;
  • how you monitor;
  • what data are involved.

You can inform your employees with internal guidelines, such as rules of conduct or a protocol.

Right to confidential communications

You must take into account your employees’ right to confidential communications, for example when monitoring emails or telephone calls. You are not allowed to read emails that are evidently private, for instance.

Consent works council

If your organisation has a works council, you must first ask the works council for its consent to regulations about monitoring personnel, such as a staff tracking system. If the works council does not agree, you are not allowed to monitor.

DPIA

If you want to use large-scale processing and/or systematic monitoring of personal data to monitor the activities of your employees, such as checking email and Internet use, GPS trackers in employees’ cars or trucks or camera surveillance to combat theft and fraud, you must first carry out a data protection impact assessment (DPIA).

During a DPIA, you look at the privacy risks of the monitoring system, which enables you to take measures to mitigate the risks. Does your organisation have a Data Protection Officer (DPO)? Then you must ask the DPO for advice on carrying out the DPIA.

Prior consultation

If the DPIA shows that the envisaged monitoring entails a high risk, and you are unable to find measures to mitigate this risk, then you have to consult with the Dutch Data Protection Authority (DPA) before you start monitoring personnel. This is called prior consultation. If you have a DPO, they can advise on whether prior consultation is necessary.

Covert monitoring of employees

If you want to covertly monitor your employees, you must also meet the additional conditions for covert monitoring.