Workplace monitoring and GDPR – definition
Workplace monitoring and GDPR refers to the set of legal and organisational rules that define when an employer may record employees and other individuals present on company premises, how long recordings may be stored, and how the scope of personal data processing should be limited. In practice, this mainly concerns workplace CCTV monitoring and, in the context of photos and video recordings, the lawful capture, review, protection and, in some cases, anonymisation of a person’s image.
In Poland, the national legal basis is Article 22² of the Labour Code, introduced by the Personal Data Protection Act of 10 May 2018. This provision allows video surveillance where it is necessary to ensure employee safety, protect property, monitor production, or keep confidential information secret where its disclosure could expose the employer to damage. At the same time, the GDPR applies, in particular Articles 5, 6, 13, 24, 25, 32 and 35 of Regulation (EU) 2016/679. The EDPB Guidelines 3/2019 on processing personal data through video devices, adopted on 29 January 2020, are also relevant.
An image captured by a camera is personal data if it allows a person to be identified directly or indirectly. For that reason, workplace CCTV monitoring cannot be introduced solely on the basis of a general employer decision. A specific legal basis is required, along with an assessment of necessity and proportionality, compliance with the transparency obligation, and limits on video retention. For photo and video materials that are published, shared further, or used in incident analysis, blurring faces and, in some cases, licence plates is often justified.
Legal basis for employee CCTV monitoring
In the employment context, employee consent is generally not the preferred legal basis for workplace monitoring. This is due to the imbalance of power in the employment relationship and the difficulty of treating consent as freely given. In practice, the legal basis is most often a legal obligation or the controller’s legitimate interests, although in Poland the Labour Code is of central importance for employee monitoring.
The key conditions for using workplace CCTV include:
- defining the purpose of the monitoring before the system goes live,
- demonstrating that the monitoring is necessary rather than merely convenient,
- describing the monitoring rules in a collective labour agreement, workplace regulations or an official notice, in accordance with Article 22², section 6 of the Labour Code,
- informing employees no later than 2 weeks before the monitoring starts,
- marking monitored rooms and areas in a visible and clear manner no later than 1 day before the monitoring starts,
- not using cameras in rooms where monitoring would infringe the employee’s dignity or other personal rights, unless an exception is expressly permitted by law and additional conditions have been met.
Under Article 22², section 2 of the Labour Code, monitoring does not generally cover sanitary facilities, changing rooms, canteens or smoking rooms. An exception is possible only if it is necessary to achieve the purpose and does not infringe the employee’s dignity or other personal rights, and if techniques preventing identification are used, such as appropriate camera framing or image anonymisation.
Informing employees and transparency of processing
The GDPR requires transparency. A person subject to workplace monitoring must know who is processing their data, for what purpose, on what legal basis, and for how long. A camera icon alone is not enough. Layered information is required: a short notice at the entrance to the monitored area and full details in the privacy notice.
In practice, the privacy notice should include at least:
- the controller’s details and the contact details of the data protection officer, if one has been appointed,
- the purposes of the monitoring,
- the legal basis,
- the video retention period,
- the categories of data recipients,
- information about the rights of data subjects,
- information on whether recordings may be disclosed to public authorities or courts.
Video retention period and GDPR compliance
The storage period for recordings cannot be arbitrary. The Labour Code establishes the principle that image recordings may be processed by the employer only for the purposes for which they were collected and stored for no longer than 3 months from the date of recording. If a recording constitutes evidence in proceedings conducted under the law, or if the employer becomes aware that it may constitute such evidence, that period is extended until the final conclusion of the proceedings.
This means the retention period should be configured as a technical system parameter. The following are important for GDPR compliance:
| Parameter | Compliance significance | Typical practice |
|---|---|---|
| Retention period | Implements the storage limitation principle under Article 5(1)(e) GDPR | Automatic deletion after 3 months or earlier |
| Access control | Restricts access to recordings to authorised persons only | Roles, named user accounts, multi-factor authentication |
| Auditability | Makes it possible to demonstrate accountability | Register of disclosures and administrative operations |
| Export policy | Limits uncontrolled copying of footage | Export only in incident-related cases and with justification |
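The retention and auditability rows can be enforced by one scheduled purge job. The sketch below is an added example, not code from any particular video management system: the `Recording` fields, the `legal_hold` flag, the function names and the sample data are assumptions, and the deadline is counted in calendar months with the day clamped to the end of a shorter month.

```python
from calendar import monthrange
from dataclasses import dataclass
from datetime import date

RETENTION_MONTHS = 3  # upper limit stated above; a shorter period is allowed

@dataclass
class Recording:  # hypothetical record shape, not a real VMS schema
    rec_id: str
    recorded_on: date
    legal_hold: bool = False  # set when footage is, or may become, evidence

def add_months(d: date, months: int) -> date:
    """Calendar-month addition, clamped to month end (30 Nov + 3 -> 29 Feb)."""
    year, month0 = divmod(d.year * 12 + (d.month - 1) + months, 12)
    month = month0 + 1
    return date(year, month, min(d.day, monthrange(year, month)[1]))

def plan_purge(recordings, today: date, months: int = RETENTION_MONTHS):
    """Return (ids_to_delete, audit_entries) for one purge run."""
    if not 0 < months <= RETENTION_MONTHS:
        raise ValueError("retention must be between 1 and 3 months")
    to_delete, audit = [], []
    for rec in recordings:
        deadline = add_months(rec.recorded_on, months)
        if today < deadline:
            continue  # still inside the retention window
        if rec.legal_hold:
            action = "retained_legal_hold"  # kept until proceedings conclude
        else:
            action = "deleted"
            to_delete.append(rec.rec_id)
        # Every decision past the deadline is logged, including retentions,
        # so the register shows why an old recording still exists.
        audit.append({"rec_id": rec.rec_id, "action": action,
                      "deadline": deadline.isoformat(),
                      "run_date": today.isoformat()})
    return to_delete, audit

# Constructed sample data for illustration only.
SAMPLE = [
    Recording("cam1-001", date(2024, 1, 15)),
    Recording("cam1-002", date(2023, 11, 30)),
    Recording("cam2-003", date(2024, 1, 10), legal_hold=True),
    Recording("cam2-004", date(2024, 3, 1)),
]

if __name__ == "__main__":
    ids, log = plan_purge(SAMPLE, date(2024, 4, 15))
    print("delete:", ids)
    for entry in log:
        print(entry)
```

A held recording reappears in every run's log until the hold is lifted, which gives the reviewer of the register a prompt to check whether the proceedings have ended.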
Anonymisation of photos and CCTV footage
In the context of workplace monitoring, anonymisation of video footage and photos does not replace the legal basis for the recording itself. However, it is an important data minimisation measure when the material is used further, for example when sharing footage with legal counsel, an insurer, an auditor, or when using it for training materials. In such cases, the identifiability of individuals who are not necessary for the purpose should be limited.
Technically, face blurring is usually based on object detection and tracking across frames. Modern systems use deep learning models trained on large image datasets to achieve high face detection sensitivity under different lighting conditions, scales and head angles. The AI model is not an end in itself. It is a component needed to automatically detect faces or licence plates, which are then blurred. The effectiveness of such a process is usually assessed using detection precision, recall and the number of missed objects in the material.
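The three metrics named above can be computed by matching detector output against hand-labelled face boxes on a validation clip. This is an added example, not the method of any specific anonymisation product: the box format `(x1, y1, x2, y2)`, the 0.5 IoU threshold, the greedy matching and the sample boxes are assumptions.

```python
def iou(a, b):
    """Intersection over union of two (x1, y1, x2, y2) boxes."""
    iw = max(0, min(a[2], b[2]) - max(a[0], b[0]))
    ih = max(0, min(a[3], b[3]) - max(a[1], b[1]))
    inter = iw * ih
    union = ((a[2] - a[0]) * (a[3] - a[1])
             + (b[2] - b[0]) * (b[3] - b[1]) - inter)
    return inter / union if union else 0.0

def score_detections(truth, detections, threshold=0.5):
    """Compare per-frame detections with labelled boxes (greedy matching)."""
    tp = fp = fn = 0
    frames_with_misses = []
    for frame in sorted(set(truth) | set(detections)):
        unmatched = list(truth.get(frame, []))
        for det in detections.get(frame, []):
            best = max(unmatched, key=lambda g: iou(det, g), default=None)
            if best is not None and iou(det, best) >= threshold:
                unmatched.remove(best)  # each labelled face matches once
                tp += 1
            else:
                fp += 1  # blur applied where no labelled face exists
        fn += len(unmatched)  # faces that would stay unblurred
        if unmatched:
            frames_with_misses.append(frame)
    return {
        "precision": tp / (tp + fp) if tp + fp else 0.0,
        "recall": tp / (tp + fn) if tp + fn else 0.0,
        "missed": fn,
        "frames_with_misses": frames_with_misses,
    }

# Constructed sample: three frames, labelled faces vs. detector output.
TRUTH = {
    1: [(10, 10, 50, 50), (100, 20, 140, 60)],
    2: [(12, 10, 52, 50), (102, 20, 142, 60)],
    3: [(14, 10, 54, 50)],
}
DETECTIONS = {
    1: [(11, 11, 51, 51), (100, 20, 140, 60)],
    2: [(12, 10, 52, 50)],                        # second face missed
    3: [(14, 10, 54, 50), (200, 200, 230, 230)],  # one false alarm
}

if __name__ == "__main__":
    print(score_detections(TRUTH, DETECTIONS))
```

For anonymisation the missed count and the list of affected frames matter more than precision: a false alarm only blurs too much, while a miss leaves a person identifiable and marks a frame for manual redaction.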
In practice, anonymisation tools may automatically blur faces and licence plates, but they do not always detect logos, tattoos, ID badges, documents or content visible on screens. Such elements may require manual redaction in an editor. This matters from the perspective of a DPIA and risk analysis, because the controller should know which categories of data are covered by automation and which are not.
Risk assessment and DPIA for workplace monitoring
Employee CCTV monitoring may require a data protection impact assessment if it is likely to result in a high risk to the rights or freedoms of natural persons. This follows from Article 35 GDPR. It is particularly relevant for systematic large-scale monitoring covering workplaces, entrance areas and passageways.
In a DPIA, it is worth assessing:
- the scope of the cameras’ field of view and the risk of excessive surveillance,
- whether the area can be limited by framing or privacy masks,
- the retention period and the procedure for deleting recordings,
- the procedures for exporting and anonymising footage,
- the risk of errors in face or licence plate detection if automatic blurring is used,
- technical safeguards compliant with Article 32 GDPR.
Legal references and practical differences in interpretation
The main sources for this topic are Regulation (EU) 2016/679, the Labour Code – Articles 22² and 22³, the EDPB Guidelines 3/2019 on video devices, and national guidance issued by the Polish data protection authority. Where CCTV images are published or disclosed further, image rights under the Civil Code and the Copyright and Related Rights Act may also be relevant.
There are interpretative differences regarding licence plates. In Poland, case law has indicated that a licence plate does not always constitute personal data in itself. By contrast, the approach taken by data protection authorities and practice in many Western European countries is more cautious and treats a registration number as information enabling indirect identification. Therefore, when disclosing recordings outside the strict circle of authorised recipients, it is advisable to consider blurring licence plates.