GDPR Compliance Employee Monitoring: A Practical 25-Point Checklist for 2026

Yes, you can monitor employees under GDPR — but only if your program rests on a lawful basis, gives clear prior notice, collects the minimum data, and keeps it secure. Here is a working 25-point checklist your team can run before you turn anything on.


The short answer

Is employee monitoring GDPR-compliant? It can be, when four conditions are met together. [needs-legal-review] The General Data Protection Regulation does not ban workplace monitoring, but it does require employers to satisfy four cumulative tests before deploying any system that observes, records, or scores worker behaviour.

  1. Lawful basis. The employer needs a valid Article 6 ground — usually legitimate interests (Article 6(1)(f)) or, less commonly, contractual necessity (Article 6(1)(b)). [needs-legal-review]
  2. Transparency. Workers must receive a clear, plain-language notice under Articles 12 to 14 before monitoring starts. [needs-legal-review]
  3. Data minimization. Article 5(1)(c) limits collection to what is necessary for the purpose. Continuous keystroke or screenshot capture rarely passes this test. [needs-legal-review]
  4. Security. Article 32 requires appropriate technical and organizational measures so the data does not leak or get repurposed. [needs-legal-review]

Article 88 specifically lets each EU member state adopt more protective rules in the employment context, and many — Germany, France, Italy, the Netherlands — have done exactly that. The European Data Protection Board (EDPB) and its predecessor, the Article 29 Working Party, have repeatedly stressed that consent is generally not a valid basis in the employment context because the worker cannot freely refuse without consequence. [needs-legal-review]

Educational reference, not legal advice. This checklist describes how the GDPR generally treats workplace monitoring. It is not a substitute for advice from a qualified data protection officer or employment lawyer in your jurisdiction. Before launching any program, get the policy reviewed locally. [needs-legal-review]

GDPR-compliant employee monitoring under EU law requires a lawful basis under GDPR Article 6, most commonly legitimate interest balanced against the employee's right to privacy under ECHR Article 8. The employer must complete a Data Protection Impact Assessment (DPIA) when monitoring is systematic, document the three-part proportionality test per EDPB Guidelines 4/2019, inform employees in writing, and respect rights to access, rectification, and erasure. The EU AI Act (Regulation 2024/1689), in force from August 2026, adds a transparency obligation for AI-driven monitoring. gStride's AI productivity intelligence platform is engineered for the proportionality limb — no keystrokes, no screen scraping — and pairs with the EU AI Act time-tracking compliance playbook for cross-regulation alignment. For broader jurisdictional context see the legality framework across jurisdictions. [needs-legal-review]

What is GDPR-compliant employee monitoring? The 6-requirement definition

GDPR-compliant employee monitoring is workplace surveillance configured so that every act of processing personal data — observing, recording, classifying, or scoring worker behaviour — satisfies six cumulative requirements drawn directly from the General Data Protection Regulation and the European Data Protection Board's working guidance. The compliance bar is not "we have a monitoring tool" or "we informed the staff." It is the conjunction of all six. Missing one is the difference between a defensible program and a fine. [needs-legal-review]

The six requirements are sequenced below in the order they appear in a typical DPA audit. Each binds to a specific GDPR article, has its own evidentiary artefact, and has been the subject of named regulator decisions through 2023 to 2026.

  1. A documented lawful basis under Article 6 — usually legitimate interests under 6(1)(f), almost never consent. The processing has to rest on one of the six grounds in Article 6(1). For workplace monitoring the only realistic candidates are legitimate interests (6(1)(f)) backed by a written balancing test, or contractual necessity (6(1)(b)) for narrow operational data. EDPB Opinion 2/2017 and Guidelines 05/2020 confirm consent is rarely "freely given" in an employment relationship because of the inherent power imbalance. The evidentiary artefact is the written balancing test that names purpose, necessity, and proportionality. [needs-legal-review]
  2. A Data Protection Impact Assessment under Article 35, completed before deployment. National DPAs — France's CNIL, Italy's Garante, Ireland's DPC, the Netherlands AP, Germany's federal and state DPAs — treat systematic workplace monitoring as DPIA-triggering by default. The DPIA must document the processing operation, purpose, lawful basis, data flows, retention period, risks to employee rights and freedoms, and the safeguards that mitigate those risks. Missing or skeletal DPIAs have been a standalone violation in multiple six-figure fines since 2022. The evidentiary artefact is the signed DPIA reviewed at least annually. [needs-legal-review]
  3. Transparent prior notice under Articles 12, 13, and 14 — before monitoring starts, not after. Article 12 requires that information be "concise, transparent, intelligible and easily accessible." Article 13 lists the specific elements the notice must include: identity of controller, purpose, legal basis, recipients, retention period, rights, complaint route. Retroactive notice does not cure a transparency failure, and burying monitoring in a 40-page handbook is not enough. The evidentiary artefact is the standalone written monitoring notice issued to each affected worker before deployment.
  4. Data minimization and purpose limitation under Article 5. Article 5(1)(b) requires that personal data be collected for "specified, explicit and legitimate purposes" and not further processed in incompatible ways. Article 5(1)(c) requires that collection be "adequate, relevant and limited to what is necessary." Continuous, default-on screenshot capture or keystroke logging rarely passes this test; sampled or event-triggered capture, work-hours-only, with sensitive applications excluded, generally does. The evidentiary artefact is the configuration record showing which capture features are enabled and the documented necessity for each. [needs-legal-review]
  5. Article 32 security plus an Article 28 processor agreement with the vendor. The personal data has to be held securely — encryption at rest and in transit, role-based access, audit logging — and where a vendor processes worker data on behalf of the employer (which is almost always the case for SaaS monitoring tools), the employer needs a signed Article 28 data processing agreement that names sub-processors, transfer mechanisms, residency region, and audit rights. The evidentiary artefacts are the signed DPA, the published sub-processor list, and the security-controls evidence (SOC 2, ISO 27001, or equivalent).
  6. Operational respect for Article 15 to 22 rights, plus the Article 88 employment-context layer. Workers must be able to exercise access (Article 15), rectification (16), erasure (17), portability (20), and objection (21) rights against monitoring data — including requesting the screenshots taken of their session. Article 88 then lets each EU member state add stricter rules in the employment context, and Germany's BDSG section 26, France's Labour Code, Italy's Statuto dei Lavoratori article 4, the Netherlands UAVG, and Austria's DSG all add layers — most importantly, the requirement to consult or co-decide with works councils before deploying monitoring technology. The evidentiary artefacts are the documented rights-fulfilment workflow and the works-council consultation record. [needs-legal-review]

The 25-point checklist later in this article operationalises these six requirements into concrete configuration and policy steps. The procurement-side filter for vendors that can carry the buyer through these six requirements is in our GDPR-compliant employee monitoring tools 7-point filter piece — that is the companion read when the question shifts from "what is the standard?" to "which vendor can clear it?"

The four GDPR principles that govern monitoring

Almost every monitoring fine the EU has issued recently traces back to one of four GDPR principles being missed or stretched. Naming them up front makes the checklist easier to read.

1. Lawful basis (Article 6)

Under Article 6, processing is lawful only if one of six grounds applies. In monitoring, the realistic candidates are legitimate interests (6(1)(f)), contractual necessity (6(1)(b)), and legal obligation (6(1)(c)). Consent (6(1)(a)) is theoretically available but weak in practice: Recital 43 and EDPB Guidelines 05/2020 flag that imbalanced relationships make freely given consent hard to demonstrate. [needs-legal-review]

2. Purpose limitation and data minimization (Article 5)

Article 5(1)(b) requires that personal data be collected for "specified, explicit and legitimate purposes" and not further processed in incompatible ways. Article 5(1)(c) requires that collection be "adequate, relevant and limited to what is necessary." If your monitoring tool captures more than the stated purpose needs, the surplus is unlawful. [needs-legal-review]

3. Transparency (Articles 12, 13, 14)

Workers must be told, before monitoring begins, exactly what is collected, why, on what legal basis, who sees it, how long it is kept, and what their rights are. The information has to be "concise, transparent, intelligible and easily accessible" (Article 12). Burying it in a 40-page handbook is not enough. [needs-legal-review]

4. Accountability and the role of Article 88

Article 88 lets member states write more specific rules for employee data, and Germany's BDSG section 26, France's Labour Code, Italy's Statuto dei Lavoratori article 4, and the Dutch UAVG all add layers on top of GDPR. Article 24 holds the controller responsible for demonstrating compliance — documentation matters as much as practice. [needs-legal-review]

Key GDPR enforcement figures for employee-monitoring deployers — verify with qualified counsel
  • EUR 20 million or 4% of total worldwide annual turnover — maximum administrative fine under Article 83(5) for the most serious GDPR violations, including failure of lawful basis or transparency obligations, whichever is higher (GDPR Regulation (EU) 2016/679, OJ L 119/1, 4 May 2016; verify applicable ceiling with counsel).
  • EUR 10 million or 2% of total worldwide annual turnover — maximum fine under Article 83(4) for infringements of processing obligations, DPIA requirements, and Article 28 processor agreements, whichever is higher (GDPR Regulation (EU) 2016/679; verify with counsel).
  • EU AI Act Article 26 transparency obligation from 2 August 2026 — deployers of high-risk AI in the workplace must additionally notify workers under the AI Act, on top of the GDPR Article 13/14 notice baseline; the two obligations overlap but are not identical (EU AI Act 2024/1689, OJ L 2024/1689, 12 July 2024; verify with counsel). See the EU AI Act time-tracking compliance guide for the cross-regulation checklist.

The 25-point GDPR compliance checklist

Run through these in order. The grouping mirrors how a Data Protection Impact Assessment tends to flow (see our security and compliance posture): scope and purpose first, then tool configuration, then communication, then operations, then review.

Group A — Before you deploy (1–6)

  1. Define the specific purpose in writing. "Productivity," "time tracking," and "security" are three different purposes with three different proportionality analyses. Pick one or two and name them.
  2. Select a single lawful basis per purpose. Document which Article 6 ground you are relying on. Do not list three "just in case." [needs-legal-review]
  3. Run a DPIA under Article 35 covering data flows, risks to workers, and mitigations. Most national DPAs (CNIL, Garante, ICO, AEPD) treat systematic employee monitoring as DPIA-triggering by default. [needs-legal-review]
  4. Identify the controller and any processors. If your monitoring vendor sees worker data, an Article 28 data processing agreement is mandatory.
  5. Map cross-border transfers. If logs leave the EEA, you need an Article 46 transfer mechanism — Standard Contractual Clauses, an adequacy decision, or Binding Corporate Rules.
  6. Consult the works council where local law requires it (Germany Section 87 BetrVG, Austria ArbVG, Netherlands WOR). Skipping this step has been a common source of injunctions and fines. [needs-legal-review]

Group B — Configuring the tool (7–12)

  7. Turn off everything you do not need. Default-on screenshots, keystroke logging, webcam capture, and audio recording almost always fail the data minimization test in the EU.
  8. Restrict capture to work hours and work devices. No collection during breaks, lunches, or off-shift; no collection on personal devices unless contractually agreed and necessary.
  9. Mask sensitive applications by default. Banking, health portals, union sites, and personal email should be excluded from screenshot, URL, and content capture.
  10. Sample, do not stream. Event-triggered or interval-based capture (for example, one screenshot every 10 minutes) is far easier to defend than continuous video.
  11. Use pseudonymization or aggregation where possible. Article 32 lists pseudonymization as a recommended safeguard. Team-level metrics often suffice in place of individual scoring.
  12. Disable covert capture. EDPB Guidelines 3/2019 on processing of personal data through video devices, and the broader Article 29 Working Party Opinion 2/2017 on data processing at work, treat covert workplace monitoring as a narrow exception requiring specific evidence of suspected wrongdoing. [needs-legal-review]
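Items 7 to 10 of this group describe a capture policy that the agent has to enforce before anything is recorded: feature off by default, work hours and managed devices only, sensitive application categories masked, and sampled rather than continuous capture. The following is an added example, not gStride's code or any real product's agent, of a declarative policy and the gate that evaluates each capture attempt against it, plus a check that every enabled feature has a documented necessity (the configuration record the Article 5 requirement asks for). Category names, working hours, the 10-minute interval and the sample timestamps are constructed assumptions.

```python
"""Capture-policy gate for a monitoring agent (added illustration, not a product's code).

Every capture attempt is checked against a declarative CapturePolicy before it is
recorded. A denial names the controlling rule, which is what a DPIA reviewer will
ask for when checking that the configuration matches the documented necessity.
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Optional, Tuple


@dataclass(frozen=True)
class CapturePolicy:
    # Item 7: high-volume capture features are off unless documented as necessary.
    screenshots_enabled: bool = False
    keystroke_logging: bool = False
    # Item 8: work hours and work devices only (Monday=0 .. Friday=4).
    work_days: frozenset = frozenset({0, 1, 2, 3, 4})
    work_start: time = time(9, 0)
    work_end: time = time(17, 0)
    allow_unmanaged_devices: bool = False
    # Item 9: application categories excluded from capture by default (assumed labels).
    masked_categories: frozenset = frozenset({"banking", "health", "union", "personal_email"})
    # Item 10: sample, do not stream; at most one capture per interval.
    sample_interval: timedelta = timedelta(minutes=10)


@dataclass(frozen=True)
class CaptureEvent:
    ts: datetime
    app_category: str        # category assigned by the agent's app classifier (assumed)
    device_managed: bool = True
    on_break: bool = False


def make_event(iso_ts: str, app_category: str, device_managed: bool = True,
               on_break: bool = False) -> CaptureEvent:
    """Build a constructed sample event from an ISO 8601 timestamp such as '2026-03-02T10:00'."""
    return CaptureEvent(datetime.fromisoformat(iso_ts), app_category, device_managed, on_break)


def capture_decision(policy: CapturePolicy, event: CaptureEvent,
                     last_capture: Optional[CaptureEvent] = None) -> Tuple[bool, str]:
    """Return (allowed, reason). Checks run broadest first; the first failing rule wins."""
    if not policy.screenshots_enabled:
        return False, "feature_disabled"
    if not event.device_managed and not policy.allow_unmanaged_devices:
        return False, "unmanaged_device"
    in_hours = (event.ts.weekday() in policy.work_days
                and policy.work_start <= event.ts.time() < policy.work_end)
    if not in_hours:
        return False, "outside_work_hours"
    if event.on_break:
        return False, "on_break"
    if event.app_category in policy.masked_categories:
        return False, "masked_app"
    if last_capture is not None and event.ts - last_capture.ts < policy.sample_interval:
        return False, "sample_interval"
    return True, "sampled_capture"


def policy_gaps(policy: CapturePolicy, necessity_record: dict) -> list:
    """Enabled capture features that have no documented necessity in the configuration record.

    An empty result is what the evidentiary artefact for item 7 should show; anything
    listed here is switched on without a written justification.
    """
    enabled = {
        "screenshots": policy.screenshots_enabled,
        "keystroke_logging": policy.keystroke_logging,
        "unmanaged_devices": policy.allow_unmanaged_devices,
    }
    return sorted(f for f, on in enabled.items() if on and not necessity_record.get(f))


if __name__ == "__main__":
    policy = CapturePolicy(screenshots_enabled=True)
    record = {"screenshots": "DPIA section 4.2 (assumed): sampled capture for billing disputes"}
    print("gaps:", policy_gaps(policy, record))
    for ev in (make_event("2026-03-02T10:00", "crm"),
               make_event("2026-03-02T10:04", "crm"),
               make_event("2026-03-02T10:30", "banking"),
               make_event("2026-03-07T10:00", "crm")):
        print(ev.ts.isoformat(), ev.app_category, capture_decision(policy, ev, None))
```

The ordering of checks matters for the audit trail: a denial for a banking app during a break reads as "on_break", never revealing that the app was classified at all, and the default policy denies everything until someone explicitly enables a feature and records why.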

Group C — Communicating to staff (13–17)

  13. Publish a written monitoring notice covering all the Article 13 elements: identity of controller, purpose, legal basis, recipients, retention, rights, complaint route. [needs-legal-review]
  14. Tell workers before monitoring starts, not after. Retroactive notice does not cure a transparency failure.
  15. Spell out AI features specifically. If the tool uses AI to score productivity, detect anomalies, or rank workers, the EU AI Act classifies this as high-risk and adds notification, oversight, and documentation duties on top of GDPR. Our piece on AI idle-time detection shows how context-based detection differs from naive keystroke logging. [needs-legal-review]
  16. Acknowledge the right to object under Article 21 when relying on legitimate interests, and explain how a worker can exercise it.
  17. Train managers and IT staff who can see monitoring data. Access without training is a recurring finding in DPA enforcement actions.

Group D — Handling the data (18–22)

  18. Apply role-based access control. Only those with a documented operational need should see raw monitoring data; aggregate views should be the default.
  19. Encrypt at rest and in transit. Article 32 lists encryption explicitly. Tie keys to your standard identity provider.
  20. Log all access to monitoring data. Auditability is part of the accountability principle (Article 5(2)).
  21. Honour data subject rights — access (Article 15), rectification (16), erasure (17), portability (20), and objection (21). Workers can request the screenshots taken of their session.
  22. Set a written retention schedule. Productivity and time-tracking data is rarely needed beyond a few weeks or months unless an independent legal obligation extends it. Document the period and the trigger for deletion. [needs-legal-review]

Group E — Reviewing and deleting (23–25)

  23. Schedule a DPIA review at least annually and after any material configuration change. Note the review date inside the DPIA itself.
  24. Run an automated deletion job that enforces the retention schedule. Manual housekeeping is the most common cause of "forgotten" monitoring archives.
  25. Repeat the worker notice cycle when policy or scope changes. New purpose, new tool, new lawful basis — new notice. [needs-legal-review]
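Items 18 (role-based access), 20 (log all access), 22 (written retention schedule) and 24 (automated deletion job) are the operational half of the checklist, and they interlock: the deletion job is only defensible if its schedule is written down and every deletion and every read is itself logged. The following is an added example, not gStride's code or a real product's retention engine, of a retention job and a role-gated read over an in-memory store. The retention periods, role names, record categories and sample records are constructed assumptions; a real deployment would run the same logic against its database on the cadence the schedule documents. The job fails closed on a category with no documented period: it neither deletes nor silently keeps the record, it escalates.

```python
"""Retention enforcement and access logging for monitoring data (added illustration).

The in-memory store, the schedule values and the role names are assumptions chosen
to show the control pattern, not a product's real configuration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Documented retention schedule (item 22): period per data category. Constructed values.
RETENTION_SCHEDULE = {
    "productivity": timedelta(days=30),
    "timesheet": timedelta(days=90),
}

# Roles with a documented operational need for raw records (item 18). Assumed names.
RAW_ACCESS_ROLES = frozenset({"dpo", "hr_investigator"})

# Fixed "now" for the constructed sample data so results are reproducible.
SAMPLE_NOW = datetime(2026, 3, 2, tzinfo=timezone.utc)


@dataclass
class MonitoringRecord:
    record_id: str
    worker_id: str
    category: str
    captured_at: datetime
    legal_hold: bool = False   # an independent legal obligation (payroll, dispute) extends retention


@dataclass
class AuditEntry:
    at: datetime
    actor: str
    action: str      # delete | retain | escalate | read | read-denied
    record_id: str
    detail: str


def classify_for_retention(records, now, schedule=RETENTION_SCHEDULE):
    """Split records into (expired, held, undocumented).

    expired: past the documented period and not on legal hold -> delete
    held: past the period but on legal hold -> keep, flag for review
    undocumented: category has no schedule entry -> fail closed, escalate
    """
    expired, held, undocumented = [], [], []
    for rec in list(records):
        period = schedule.get(rec.category)
        if period is None:
            undocumented.append(rec)
        elif now - rec.captured_at > period:
            (held if rec.legal_hold else expired).append(rec)
    return expired, held, undocumented


def run_deletion_job(store, now, audit_log, actor="retention-job"):
    """Delete expired records from `store` (dict id -> record), logging every outcome.

    Returns the number of records deleted (item 24). Every run leaves an audit trail
    even when nothing is deleted, which is the evidence a DPA audit asks for.
    """
    expired, held, undocumented = classify_for_retention(store.values(), now)
    for rec in expired:
        del store[rec.record_id]
        limit = RETENTION_SCHEDULE[rec.category].days
        audit_log.append(AuditEntry(now, actor, "delete", rec.record_id,
                                    f"{rec.category} older than {limit}d"))
    for rec in held:
        audit_log.append(AuditEntry(now, actor, "retain", rec.record_id, "legal hold"))
    for rec in undocumented:
        audit_log.append(AuditEntry(now, actor, "escalate", rec.record_id,
                                    f"no retention period documented for {rec.category}"))
    return len(expired)


def access_record(store, actor, role, record_id, purpose, now, audit_log):
    """Role-gated read of a raw record. Every attempt, allowed or denied, is logged (item 20)."""
    allowed = role in RAW_ACCESS_ROLES and record_id in store
    audit_log.append(AuditEntry(now, actor, "read" if allowed else "read-denied",
                                record_id, f"role={role} purpose={purpose}"))
    return store[record_id] if allowed else None


def build_sample_store(now=SAMPLE_NOW):
    """Constructed sample records, not real monitoring data."""
    records = [
        MonitoringRecord("r1", "w-001", "productivity", now - timedelta(days=45)),
        MonitoringRecord("r2", "w-001", "productivity", now - timedelta(days=10)),
        MonitoringRecord("r3", "w-002", "timesheet", now - timedelta(days=120), legal_hold=True),
        MonitoringRecord("r4", "w-003", "webcam", now - timedelta(days=400)),
    ]
    return {r.record_id: r for r in records}


if __name__ == "__main__":
    store, log = build_sample_store(), []
    print("deleted:", run_deletion_job(store, SAMPLE_NOW, log))
    access_record(store, "alice", "line_manager", "r2", "1:1 prep", SAMPLE_NOW, log)
    access_record(store, "bob", "dpo", "r2", "Article 15 access request", SAMPLE_NOW, log)
    for entry in log:
        print(entry.at.isoformat(), entry.actor, entry.action, entry.record_id, entry.detail)
```

The "webcam" record in the sample data is the case the checklist warns about: a capture feature that was switched on without a schedule entry. Escalating it to the audit log instead of guessing a period is what turns a "forgotten archive" into a visible finding.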

If you are just starting, our step-by-step guide to writing an employee monitoring policy turns this checklist into draft policy language with eight required sections. Pair it with the jurisdiction-by-jurisdiction legality guide if your team spans multiple countries.

The 5 most common GDPR monitoring mistakes

EU data protection authorities have spent the past five years publishing decisions and guidance that, taken together, point to a small number of recurring failures.

  • Relying on consent as the lawful basis. Why it fails: power imbalance makes consent rarely "freely given" (Recital 43; EDPB Guidelines 05/2020). [needs-legal-review] What good looks like: use legitimate interests with a documented balancing test, or contractual necessity for narrow operational data.
  • Default-on screenshots and keystroke logging. Why it fails: breaches data minimization (Article 5(1)(c)) and proportionality. The Italian Garante and French CNIL have fined this pattern. [needs-legal-review] What good looks like: configurable, sampled, work-hours-only capture with sensitive apps masked.
  • Skipping the DPIA. Why it fails: Article 35 makes a DPIA mandatory for systematic monitoring; absence is a standalone violation. [needs-legal-review] What good looks like: documented DPIA reviewed yearly, signed by the DPO, attached to the tool's deployment record.
  • Burying monitoring in the handbook. Why it fails: Article 12 requires "concise, transparent, intelligible" information. What good looks like: standalone monitoring notice, plain language, sent before deployment and at every renewal.
  • No retention or deletion job. Why it fails: Article 5(1)(e) limits storage to what is necessary; indefinite logs are unlawful. What good looks like: documented schedule plus an automated deletion job that runs on the documented cadence.

Cross-border considerations: EU + UK + Switzerland

EU-wide programs in 2026 also need to handle the UK and Switzerland, which sit outside the EU but maintain closely aligned regimes.

  • European Union. Single GDPR text plus member state derogations under Article 88. The lead supervisory authority is determined by the location of the main establishment.
  • United Kingdom. The UK GDPR and Data Protection Act 2018 mirror the EU framework. The ICO published its updated Monitoring workers guidance in October 2023 and treats DPIAs and proportionality essentially the same way the EDPB does. [needs-legal-review]
  • Switzerland. The revised Federal Act on Data Protection (revFADP) took effect in September 2023 and tracks GDPR closely. Swiss labour law adds a separate prohibition under Article 26 of Ordinance 3 to the Labour Act on monitoring systems primarily used to surveil worker behaviour. [needs-legal-review]

For data flows between these regions, the EU-UK and EU-Swiss adequacy decisions currently allow transfers without additional safeguards, but treat these as periodically reviewed rather than permanent. [needs-legal-review] When configuring tools that span borders — including screenshot capture, activity capture, and productivity monitoring — default to the strictest applicable rule and relax only where local law clearly allows.

GDPR-compliance employee monitoring requirements

If you are landing here from a search like "gdpr compliance employee monitoring", the requirement set is narrow but unforgiving. The General Data Protection Regulation does not have one "monitoring" clause; obligations are spread across four articles that have to be satisfied together before any productivity tool, screenshot capture, or activity log can lawfully run on an EU worker's machine. [needs-legal-review]

Article 6 — lawful basis. Every act of processing needs one of six grounds in Article 6(1). For workplace monitoring, the realistic options are legitimate interests under 6(1)(f) — backed by a written balancing test that compares your business need against the worker's reasonable expectation of privacy — or contractual necessity under 6(1)(b) for narrow operational data. Consent is theoretically an option under 6(1)(a) but the European Data Protection Board (EDPB) has made clear in Guidelines 05/2020 that consent in an employment relationship is rarely "freely given" because of the inherent power imbalance. [needs-legal-review]

Article 35 — Data Protection Impact Assessment. Article 35 mandates a DPIA whenever processing is "likely to result in a high risk to the rights and freedoms of natural persons." National DPAs — France's CNIL, Italy's Garante, Ireland's DPC, the Netherlands AP — treat systematic employee monitoring as DPIA-triggering by default. The DPIA must document purpose, lawful basis, data flows, categories of data, retention period, risk to workers, and the safeguards applied. Missing or skeletal DPIAs are a standalone violation that has driven multiple six-figure fines since 2022. [needs-legal-review]

Article 88 — employment context derogations. Article 88 lets each EU member state write more protective rules for employee data. Germany's BDSG section 26, France's Labour Code, Italy's Statuto dei Lavoratori article 4, the Netherlands UAVG, and Austria's DSG all add layers — most importantly, the requirement to consult or co-decide with works councils before deploying monitoring technology. A pan-EU rollout that ignores the local Article 88 layer fails compliance even when the GDPR baseline is met. See our security and compliance posture for how gStride aligns with these requirements out of the box. [needs-legal-review]

Employee monitoring tools compliant with GDPR (the 7-point filter)

If you are searching "employee monitoring tools compliant with GDPR requirements", you are doing procurement, not theory. Below is the 7-point filter our compliance reviewers run on any vendor DPA before greenlighting a deployment for an EU workforce. A tool that fails any one of these is not compliant for an EU rollout regardless of how the marketing site reads.

  1. Data residency clause in the DPA. The Article 28 data processing agreement must specify the physical region where personal data is stored and processed. EU/EEA hosting is the safest default; non-EU storage requires a documented Article 46 transfer mechanism (Standard Contractual Clauses, adequacy, or Binding Corporate Rules). "We use AWS" is not a residency clause. [needs-legal-review]
  2. Published sub-processor list. A compliant vendor publishes the full list of sub-processors (analytics, storage, support tooling) and notifies you before adding new ones. Hidden sub-processors break the controller's ability to keep transparency notices accurate.
  3. Lawful-basis documentation. The vendor should be able to map each capture feature (screenshots, URL logging, app classification, idle detection) to a defensible Article 6 ground and provide a balancing-test template you can adopt. If the vendor cannot articulate the lawful basis for its own capture, the buyer cannot defend it either. [needs-legal-review]
  4. Default retention under 30 days. Article 5(1)(e) requires storage no longer than necessary. A compliant default is short — typically 30 days for raw productivity data — with documented extension only where a separate legal obligation (payroll, dispute) applies. Tools that default to "indefinite" or "1 year+" force the buyer to fight the default in every deployment.
  5. Employee-inspectable classifications. Workers must be able to see how the tool has classified their activity (productive, neutral, distracting) and contest mistakes. This is both an Article 21 (right to object) requirement and, where AI scoring is involved, an EU AI Act human-oversight obligation.
  6. Opt-in screenshot defaults. Continuous, default-on screenshot capture has been ruled disproportionate by the Italian Garante and the French CNIL. A compliant tool ships with screenshots off by default, supports sampled or event-triggered capture only, and masks sensitive applications (banking, health, union sites, personal email) at the OS layer. [needs-legal-review]
  7. Transparent dispute path. A documented, named channel for workers to exercise Article 15-22 rights — access, rectification, erasure, objection — with a service-level commitment on response time. This is what separates productivity intelligence from surveillance: the data subject has a real, exercisable route to push back. The category-canonical architecture that makes this dispute path mechanically possible — capture, signal, recommendation, and action surfaces, each independently inspectable by the employee being measured — is laid out in our AI productivity intelligence platform pillar guide.

Apply the filter to any tool on your shortlist before a procurement signature. A vendor that scores 7/7 is defensible in a DPA audit; 5/7 means the buyer takes on the gap as residual risk; below that, do not deploy in the EU.


Frequently asked questions

What is GDPR-compliant employee monitoring (the 6-requirement definition)?

GDPR-compliant employee monitoring is workplace surveillance configured so that six cumulative requirements are satisfied together: (1) a documented lawful basis under Article 6 — usually legitimate interests under 6(1)(f) backed by a written balancing test, not consent; (2) a Data Protection Impact Assessment under Article 35 completed before deployment; (3) transparent prior notice under Articles 12, 13, and 14 issued before monitoring starts; (4) data minimization and purpose limitation under Article 5; (5) Article 32 security plus an Article 28 processor agreement with EU residency, named sub-processors, and audit rights; and (6) operational respect for Article 15 to 22 rights plus the Article 88 employment-context derogations including works-council consultation where local law requires it. Missing any single requirement is a standalone violation. [needs-legal-review]

Is employee monitoring GDPR-compliant?

It can be — when the employer has a lawful basis under Article 6 (usually legitimate interests), provides transparent prior notice under Articles 12 to 14, collects only the minimum data needed under Article 5, and applies appropriate security under Article 32. Continuous, covert, or disproportionate monitoring generally fails this test. [needs-legal-review]

Is gStride GDPR compliant for employee monitoring?

gStride is built to align with the 7-point GDPR procurement filter: an Article 28 DPA with an explicit data residency clause, a published sub-processor list with prior notification, lawful-basis documentation per capture feature, default retention under 30 days, employee-inspectable activity classifications, screenshot capture off by default (sampled/event-triggered only), and a documented Article 15 to 22 dispute path. Customers remain controllers and run their own DPIA, but the platform is configured so the buyer can satisfy the GDPR baseline without re-engineering. [needs-legal-review]

What are the GDPR requirements for monitoring employees?

Four articles must be satisfied together. Article 6 requires a documented lawful basis — usually legitimate interests under 6(1)(f) backed by a written balancing test (consent is rarely valid in employment per EDPB Guidelines 05/2020). Article 35 requires a DPIA because national DPAs treat systematic monitoring as high-risk; document purpose, lawful basis, data flows, retention, risks, safeguards. Article 88 lets member states add stricter rules — Germany BDSG s.26, France's Labour Code, Italy's Statuto dei Lavoratori art. 4, the Dutch UAVG impose works-council consultation. Articles 5, 12 to 14, and 32 add data minimization, transparency notice, and security on top. [needs-legal-review]

Do I need employee consent under GDPR to monitor work activity?

Generally no. Recital 43 and EDPB guidance flag that employees cannot freely refuse consent without consequences, so legitimate interests under Article 6(1)(f) or contractual necessity under 6(1)(b) tend to be the more defensible bases. Consent may still fit narrow optional features. [needs-legal-review]

Is a DPIA required for employee monitoring?

Most national DPAs treat systematic monitoring as triggering Article 35. The French CNIL, Italian Garante, and Irish DPC have issued fines tied to missing or inadequate DPIAs. The DPIA should document purpose, lawful basis, data flows, retention, risks, and safeguards. [needs-legal-review]

Can I take screenshots of employee screens under GDPR?

Screenshot capture is not banned, but several EU regulators have ruled continuous capture disproportionate. The safer pattern is event-triggered or sampled capture, limited to work hours and work devices, with sensitive apps excluded. Employees must be told in plain language. [needs-legal-review]

How long can I keep employee monitoring data under GDPR?

Article 5(1)(e) requires storage no longer than necessary. For productivity and time tracking, regulators typically expect weeks or a few months rather than years, unless a separate legal obligation extends it. Document the period in the notice. [needs-legal-review]

Does GDPR apply if my company is outside the EU but employs EU workers?

Yes. Article 3 makes GDPR apply extraterritorially when an organization processes personal data of individuals in the EU. A US or Asian employer with EU-based remote workers is subject to GDPR and usually needs an Article 27 representative. [needs-legal-review]

Do works councils have to approve monitoring tools?

In Germany, Austria, the Netherlands, and France, co-determination law gives works councils a meaningful say. In Germany, Section 87 BetrVG requires Betriebsrat agreement before introducing monitoring equipment. Skipping that step has been a common cause of fines and injunctions. [needs-legal-review]

How does the EU AI Act change employee monitoring obligations?

The EU AI Act classifies workplace AI systems used to evaluate, allocate tasks to, or monitor employees as high-risk, requiring conformity assessment, transparency, human oversight, and notification to workers. It layers on top of GDPR. [needs-legal-review]

Is employee monitoring legal under GDPR in 2026?

Yes, when the employer establishes a lawful basis under Article 6 — typically legitimate interest under 6(1)(f) — and documents a DPIA per Article 35 where monitoring is systematic or large-scale. Employees must receive written notice covering purpose, data categories, retention, and Article 15-22 rights. The 2026 EU AI Act (Regulation 2024/1689) adds a transparency obligation for AI-driven monitoring including productivity scoring and idle-time detection. [needs-legal-review]

What is the difference between legitimate interest and consent as a GDPR basis for employee monitoring?

Consent is rarely valid in employment because EDPB Opinion 2/2017 holds the power imbalance prevents free refusal. Legitimate interest under Article 6(1)(f) is the predominant lawful basis and requires a documented three-part balancing test: purpose specificity, necessity, and proportionality. A productivity-intelligence approach (calendar density, application focus, ticket flow, no keystroke logging) is designed for the proportionality limb. [needs-legal-review]

What must an employee monitoring DPIA document under GDPR?

Article 35 requires a systematic description of processing, purpose, necessity-and-proportionality assessment, risk-to-rights assessment, and mitigating measures. EDPB Guidelines 4/2019 confirm systematic profiling, automated decision-making with legal effect, or large-scale behavioural processing all trigger the DPIA obligation. AI-driven productivity scoring almost always meets the threshold. [needs-legal-review]

Configure monitoring that fits a GDPR program, not against it

gStride lets you turn capture features on or off per worker and per project, sample screenshots instead of streaming, and mask sensitive applications by default — so the tool follows the policy, not the other way around.


This article is a general educational reference, not legal advice. GDPR interpretations evolve through new EDPB guidance, national DPA decisions, and court rulings. Verify each point with qualified counsel and your DPO before acting. [needs-legal-review]