GDPR-Compliant Employee Monitoring: A Practical 25-Point Checklist for 2026

Yes, you can monitor employees under GDPR — but only if your program rests on a lawful basis, gives clear prior notice, collects the minimum data, and keeps it secure. Here is a working 25-point checklist your team can run before you turn anything on.

The short answer

Is employee monitoring GDPR-compliant? It can be, when four conditions are met together. The General Data Protection Regulation does not ban workplace monitoring, but it does require employers to satisfy four cumulative tests before deploying any system that observes, records, or scores worker behaviour.

  1. Lawful basis. The employer needs a valid Article 6 ground — usually legitimate interests (Article 6(1)(f)) or, less commonly, contractual necessity (Article 6(1)(b)).
  2. Transparency. Workers must receive a clear, plain-language notice under Articles 12 to 14 before monitoring starts.
  3. Data minimization. Article 5(1)(c) limits collection to what is necessary for the purpose. Continuous keystroke or screenshot capture rarely passes this test.
  4. Security. Article 32 requires appropriate technical and organizational measures so the data does not leak or get repurposed.

Article 88 specifically lets each EU member state adopt more protective rules in the employment context, and many — Germany, France, Italy, the Netherlands — have done exactly that. The European Data Protection Board (EDPB) and its predecessor, the Article 29 Working Party, have repeatedly stressed that consent is generally not a valid basis in the employment context because the worker cannot freely refuse without consequence.

Educational reference, not legal advice. This checklist describes how the GDPR generally treats workplace monitoring. It is not a substitute for advice from a qualified data protection officer or employment lawyer in your jurisdiction. Before launching any program, get the policy reviewed locally.

The four GDPR principles that govern monitoring

Almost every monitoring fine the EU has issued recently traces back to one of four GDPR principles being missed or stretched. Naming them up front makes the checklist easier to read.

1. Lawful basis (Article 6)

Under Article 6, processing is lawful only if one of six grounds applies. In monitoring, the realistic candidates are legitimate interests (6(1)(f)), contractual necessity (6(1)(b)), and legal obligation (6(1)(c)). Consent (6(1)(a)) is theoretically available but weak in practice: Recital 43 and EDPB Guidelines 05/2020 flag that imbalanced relationships make freely given consent hard to demonstrate.

2. Purpose limitation and data minimization (Article 5)

Article 5(1)(b) requires that personal data be collected for "specified, explicit and legitimate purposes" and not further processed in incompatible ways. Article 5(1)(c) requires that collection be "adequate, relevant and limited to what is necessary." If your monitoring tool captures more than the stated purpose needs, the surplus is unlawful.

3. Transparency (Articles 12, 13, 14)

Workers must be told, before monitoring begins, exactly what is collected, why, on what legal basis, who sees it, how long it is kept, and what their rights are. The information has to be "concise, transparent, intelligible and easily accessible" (Article 12). Burying it in a 40-page handbook is not enough.

4. Accountability and the role of Article 88

Article 88 lets member states write more specific rules for employee data, and Germany's BDSG section 26, France's Labour Code, Italy's Statuto dei Lavoratori article 4, and the Dutch UAVG all add layers on top of GDPR. Article 24 holds the controller responsible for demonstrating compliance — documentation matters as much as practice.

The 25-point GDPR compliance checklist

Run through these in order. The grouping mirrors how a Data Protection Impact Assessment tends to flow in our own security and compliance posture: scope and purpose first, then tool configuration, then communication, then operations, then review.

Group A — Before you deploy (1–6)

  1. Define the specific purpose in writing. "Productivity," "time tracking," and "security" are three different purposes with three different proportionality analyses. Pick one or two and name them.
  2. Select a single lawful basis per purpose. Document which Article 6 ground you are relying on. Do not list three "just in case."
  3. Run a DPIA under Article 35 covering data flows, risks to workers, and mitigations. Most national DPAs (CNIL, Garante, ICO, AEPD) treat systematic employee monitoring as DPIA-triggering by default.
  4. Identify the controller and any processors. If your monitoring vendor sees worker data, an Article 28 data processing agreement is mandatory.
  5. Map cross-border transfers. If logs leave the EEA, you need an Article 46 transfer mechanism — Standard Contractual Clauses, an adequacy decision, or Binding Corporate Rules.
  6. Consult the works council where local law requires it (Germany Section 87 BetrVG, Austria ArbVG, Netherlands WOR). Skipping this step has been a common source of injunctions and fines.

Group B — Configuring the tool (7–12)

  7. Turn off everything you do not need. Default-on screenshots, keystroke logging, webcam capture, and audio recording almost always fail the data minimization test in the EU.
  8. Restrict capture to work hours and work devices. No collection during breaks, lunches, or off-shift; no collection on personal devices unless contractually agreed and necessary.
  9. Mask sensitive applications by default. Banking, health portals, union sites, and personal email should be excluded from screenshot, URL, and content capture.
  10. Sample, do not stream. Event-triggered or interval-based capture (for example, one screenshot every 10 minutes) is far easier to defend than continuous video.
  11. Use pseudonymization or aggregation where possible. Article 32 lists pseudonymization as a recommended safeguard. Team-level metrics often suffice in place of individual scoring.
  12. Disable covert capture. EDPB Guidelines 3/2019 on processing of personal data through video devices, and the broader Article 29 Working Party Opinion 2/2017 on data processing at work, treat covert workplace monitoring as a narrow exception requiring specific evidence of suspected wrongdoing.

Group C — Communicating to staff (13–17)

  13. Publish a written monitoring notice covering all the Article 13 elements: identity of controller, purpose, legal basis, recipients, retention, rights, complaint route.
  14. Tell workers before monitoring starts, not after. Retroactive notice does not cure a transparency failure.
  15. Spell out AI features specifically. If the tool uses AI to score productivity, detect anomalies, or rank workers, the EU AI Act classifies this as high-risk and adds notification, oversight, and documentation duties on top of GDPR. Our piece on AI idle-time detection shows how context-based detection differs from naive keystroke logging.
  16. Acknowledge the right to object under Article 21 when relying on legitimate interests, and explain how a worker can exercise it.
  17. Train managers and IT staff who can see monitoring data. Access without training is a recurring finding in DPA enforcement actions.

Group D — Handling the data (18–22)

  18. Apply role-based access control. Only those with a documented operational need should see raw monitoring data; aggregate views should be the default.
  19. Encrypt at rest and in transit. Article 32 lists encryption explicitly. Tie keys to your standard identity provider.
  20. Log all access to monitoring data. Auditability is part of the accountability principle (Article 5(2)).
  21. Honour data subject rights — access (Article 15), rectification (16), erasure (17), portability (20), and objection (21). Workers can request the screenshots taken of their session.
  22. Set a written retention schedule. Productivity and time-tracking data is rarely needed beyond a few weeks or months unless an independent legal obligation extends it. Document the period and the trigger for deletion.

Group E — Reviewing and deleting (23–25)

  23. Schedule a DPIA review at least annually and after any material configuration change. Note the review date inside the DPIA itself.
  24. Run an automated deletion job that enforces the retention schedule. Manual housekeeping is the most common cause of "forgotten" monitoring archives.
  25. Repeat the worker notice cycle when policy or scope changes. New purpose, new tool, new lawful basis — new notice.
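The retention schedule in Group D and the automated deletion job in Group E are two halves of one control: a documented period per data category, and a job that applies it and leaves an audit trail. The sketch below is an added example written for this article, not gStride's own code. The categories, retention periods and records are constructed values; the legal-hold flag stands in for the "independent legal obligation" the checklist mentions, since a deletion job that ignores holds destroys data the controller may be obliged to keep.

```python
"""Retention enforcement for monitoring records (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Documented retention schedule in days per data category. These numbers are
# constructed for the example; the real schedule comes from your DPIA and notice.
RETENTION_DAYS = {
    "screenshot": 30,
    "activity_sample": 90,
    "time_entry": 365,
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    captured_on: date
    # True when an independent legal obligation (litigation, payroll audit)
    # requires the record to outlive the normal schedule.
    legal_hold: bool = False


def is_expired(record: Record, today: date) -> bool:
    """A record is expired once it is strictly older than its category's limit.

    An undocumented category is an error, not a silent keep: Article 5(1)(e)
    storage limitation needs a stated period for every kind of data collected.
    """
    if record.category not in RETENTION_DAYS:
        raise ValueError(f"no documented retention period for {record.category!r}")
    return today - record.captured_on > timedelta(days=RETENTION_DAYS[record.category])


def enforce_retention(records, today: date):
    """Return (retained_records, deleted_ids, audit_log).

    Expired records are deleted unless on legal hold; both outcomes are
    written to an audit log so the accountability principle (Article 5(2))
    can be demonstrated later.
    """
    retained, deleted, audit = [], [], []
    for r in records:
        if not is_expired(r, today):
            retained.append(r)
            continue
        age = (today - r.captured_on).days
        if r.legal_hold:
            retained.append(r)
            audit.append(f"{today.isoformat()} KEEP {r.record_id} "
                         f"category={r.category} age_days={age} reason=legal_hold")
            continue
        deleted.append(r.record_id)
        audit.append(f"{today.isoformat()} DELETE {r.record_id} "
                     f"category={r.category} age_days={age} "
                     f"limit_days={RETENTION_DAYS[r.category]}")
    return retained, deleted, audit


def run_example():
    """Constructed sample run as of 2026-03-01; returns ids for easy checking."""
    today = date(2026, 3, 1)
    sample = [
        Record("shot-001", "screenshot", date(2026, 1, 15)),          # 45 days: delete
        Record("shot-002", "screenshot", date(2026, 2, 20)),          # 9 days: keep
        Record("shot-003", "screenshot", date(2026, 1, 30)),          # exactly 30 days: keep
        Record("act-001", "activity_sample", date(2025, 11, 1)),      # 120 days: delete
        Record("act-002", "activity_sample", date(2025, 11, 1), legal_hold=True),  # expired but held
        Record("time-001", "time_entry", date(2025, 6, 1)),           # 273 days: keep
    ]
    retained, deleted, audit = enforce_retention(sample, today)
    return [r.record_id for r in retained], deleted, audit


if __name__ == "__main__":
    kept, gone, log = run_example()
    print("retained:", kept)
    print("deleted:", gone)
    print("\n".join(log))
```

In a real deployment the job runs on the cadence written into the retention schedule (a daily cron or scheduler task is typical), deletes from the actual store rather than a list, and ships the audit lines to the same access log the checklist asks for in item 20, so a DPO can show both what was collected and when it was removed.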

If you are just starting, our step-by-step guide to writing an employee monitoring policy turns this checklist into draft policy language with eight required sections. Pair it with the jurisdiction-by-jurisdiction legality guide if your team spans multiple countries.

The 5 most common GDPR monitoring mistakes

EU data protection authorities have spent the past five years publishing decisions and guidance that, taken together, point to a small number of recurring failures.

Mistake: Relying on consent as the lawful basis.
Why it fails: Power imbalance makes consent rarely "freely given" (Recital 43; EDPB Guidelines 05/2020).
What good looks like: Use legitimate interests with a documented balancing test, or contractual necessity for narrow operational data.

Mistake: Default-on screenshots and keystroke logging.
Why it fails: Breaches data minimization (Article 5(1)(c)) and proportionality. The Italian Garante and French CNIL have fined this pattern.
What good looks like: Configurable, sampled, work-hours-only capture with sensitive apps masked.

Mistake: Skipping the DPIA.
Why it fails: Article 35 makes a DPIA mandatory for systematic monitoring; its absence is a standalone violation.
What good looks like: Documented DPIA reviewed yearly, signed by the DPO, attached to the tool's deployment record.

Mistake: Burying monitoring in the handbook.
Why it fails: Article 12 requires "concise, transparent, intelligible" information.
What good looks like: Standalone monitoring notice, plain language, sent before deployment and at every renewal.

Mistake: No retention or deletion job.
Why it fails: Article 5(1)(e) limits storage to what is necessary; indefinite logs are unlawful.
What good looks like: Documented schedule plus an automated deletion job that runs on the documented cadence.

Cross-border considerations: EU + UK + Switzerland

EU-wide programs in 2026 also need to handle the UK and Switzerland, which sit outside the EU but maintain closely aligned regimes.

  • European Union. Single GDPR text plus member state derogations under Article 88. The lead supervisory authority is determined by the location of the main establishment.
  • United Kingdom. The UK GDPR and Data Protection Act 2018 mirror the EU framework. The ICO published its updated Monitoring workers guidance in October 2023 and treats DPIAs and proportionality essentially the same way the EDPB does.
  • Switzerland. The revised Federal Act on Data Protection (revFADP) took effect in September 2023 and tracks GDPR closely. Swiss labour law adds a separate prohibition under Article 26 of Ordinance 3 to the Labour Act on monitoring systems primarily used to surveil worker behaviour.

For data flows between these regions, the EU-UK and EU-Swiss adequacy decisions currently allow transfers without additional safeguards, but treat these as periodically reviewed rather than permanent. When configuring tools that span borders — including screenshot and activity capture and productivity monitoring — default to the strictest applicable rule and relax only where local law clearly allows.

Frequently asked questions

Is employee monitoring GDPR-compliant?

It can be — when the employer has a lawful basis under Article 6 (usually legitimate interests), provides transparent prior notice under Articles 12 to 14, collects only the minimum data needed under Article 5, and applies appropriate security under Article 32. Continuous, covert, or disproportionate monitoring generally fails this test.

Do I need employee consent under GDPR to monitor work activity?

Generally no. Recital 43 and EDPB guidance flag that employees cannot freely refuse consent without consequences, so legitimate interests under Article 6(1)(f) or contractual necessity under 6(1)(b) tend to be the more defensible bases. Consent may still fit narrow optional features.

Is a DPIA required for employee monitoring?

Most national DPAs treat systematic monitoring as triggering Article 35. The French CNIL, Italian Garante, and Irish DPC have issued fines tied to missing or inadequate DPIAs. The DPIA should document purpose, lawful basis, data flows, retention, risks, and safeguards.

Can I take screenshots of employee screens under GDPR?

Screenshot capture is not banned, but several EU regulators have ruled continuous capture disproportionate. The safer pattern is event-triggered or sampled capture, limited to work hours and work devices, with sensitive apps excluded. Employees must be told in plain language.

How long can I keep employee monitoring data under GDPR?

Article 5(1)(e) requires storage no longer than necessary. For productivity and time tracking, regulators typically expect weeks or a few months rather than years, unless a separate legal obligation extends it. Document the period in the notice.

Does GDPR apply if my company is outside the EU but employs EU workers?

Yes. Article 3 makes GDPR apply extraterritorially when an organization processes personal data of individuals in the EU. A US or Asian employer with EU-based remote workers is subject to GDPR and usually needs an Article 27 representative.

Do works councils have to approve monitoring tools?

In Germany, Austria, the Netherlands, and France, co-determination law gives works councils a meaningful say. In Germany, Section 87 BetrVG requires Betriebsrat agreement before introducing monitoring equipment. Skipping that step has been a common cause of fines and injunctions.

How does the EU AI Act change employee monitoring obligations?

The EU AI Act classifies workplace AI systems used to evaluate, allocate tasks to, or monitor employees as high-risk, requiring conformity assessment, transparency, human oversight, and notification to workers. It layers on top of GDPR.

Configure monitoring that works with a GDPR program, not against it

gStride lets you turn capture features on or off per worker and per project, sample screenshots instead of streaming, and mask sensitive applications by default — so the tool follows the policy, not the other way around.

This article is a general educational reference, not legal advice. GDPR interpretations evolve through new EDPB guidance, national DPA decisions, and court rulings. Verify each point with qualified counsel and your DPO before acting.