Monitoring at work encompasses a broad range of activities employers engage in to oversee the performance and conduct of their employees during work hours, regardless of the work location. The use of diverse technologies for monitoring, including camera surveillance, email monitoring systems, keystroke logging, tracking of internet activity, GPS tracking, biometric systems, and productivity tracking software, reflects the evolving nature of workplace oversight. While technology advances, adherence to data protection laws to ensure lawful and fair monitoring remains paramount.

The GDPR allows the monitoring of employees, as long as it complies with specific data protection requirements. A recent ruling by the Italian Data Protection Authority (“Garante”) showcases an instance of employee monitoring that breached data protection and privacy rules.  

The Garante has sanctioned five companies with fines ranging from 2,000 to 70,000 euros for the unauthorized use of biometric data through facial recognition to monitor employee attendance. This practice was deemed a violation of employee privacy rights, as the GDPR does not allow the use of biometric data, which constitutes a special category of personal data, for such purposes without a legal exception under Article 9 of the GDPR. The sanctions were issued against companies operating at the same waste disposal site after the Garante received complaints from numerous employees.

The Garante’s investigation revealed the companies' failure to comply with both national and EU laws regarding employee rights and data protection. Notably, it was discovered that three of the companies had shared a biometric detection system for over a year without implementing necessary technical and security measures. This same system, found to be illegal, was also used across nine additional offices by one of the penalized companies. Moreover, the companies failed to provide employees with comprehensive information about the data collection, which violates the transparency principle, or to conduct the mandatory data protection impact assessment.

The Garante underlined that the companies should have considered less intrusive methods of tracking employee attendance, such as a badge. As part of the investigation, the DPA has also mandated the deletion of all illegally collected data, emphasizing the need for adherence to privacy laws and the protection of employee rights against invasive monitoring technologies. 

If your organization has questions about the privacy implications of employee monitoring, contact us at info@dpoconsultancy.nl for assistance.   

Source: https://www.gpdp.it/home/docweb/-/docweb-display/docweb/9997208#1