Is employee monitoring legal under the GDPR?

Do we have a right to privacy, and can we enjoy it as a right, especially with regard to our personal data, while we are at the workplace? This is the fundamental question we will be discussing here, from the perspective of the General Data Protection Regulation, also known as #gdpr.

The next important question is what falls under the ambit of personal data.

Personal data includes all the sensitive categories of data that relate to an identifiable natural person. Some examples of personal data are:

  • Physical or mental health condition; 
  • Sex life and sexual orientation; 
  • Racial or ethnic origin; 
  • Political opinions, religious beliefs; 
  • Trade union membership; 
  • Biometric data. 

Businesses and organizations are not new to monitoring employees; the practice of surveillance is decades old. In order to understand and analyze this question, it is important to first understand the employee-employer relationship. It is an undisputed fact that there will always be an imbalance of power between the two, which is why consent cannot be a relevant ground for claiming that such monitoring is genuine or not arbitrary.

How are employees monitored?

Employees can easily be monitored through CCTV or through software such as spyware. But what exactly constitutes ‘monitoring’? It can include monitoring an employee’s internet history, emails, financial transactions, call logs, and private chats with colleagues and/or with other people.

Monitoring of employees: Post-GDPR 

After May 25th, 2018, all organizations and businesses had no choice but to comply with the GDPR requirements. Monitoring employees on the basis of their consent will not be considered valid because, as discussed earlier, there is always an imbalance of power between an employee and an employer: an employee working under the control and supervision of their employer is under constant fear of losing their job.

Surprisingly, the GDPR does not expressly state that the monitoring of employees by an organization is ‘illegal’. Instead, the GDPR mandates that the collection, processing, and transfer of personal data be done in consonance and harmony with the 7 principles of the GDPR.

The principles of the GDPR are as follows:

  1. Transparency, fairness and lawfulness 
  2. Purpose limitation 
  3. Data minimization 
  4. Accuracy 
  5. Storage limitation 
  6. Security, integrity & confidentiality 
  7. Accountability 

Article 35 of the GDPR further mandates that, for any type of data processing activity which involves a ‘high risk’ to the data subjects (employees, in this case), the controller (the employer, in this case) must conduct a Data Protection Impact Assessment (DPIA) prior to such processing.

After the implementation of the GDPR, organizations and businesses can no longer rely on implied consent to justify arbitrary and excessive monitoring. The GDPR invalidates such consent where there is an imbalance of power in the relationship.

Organizations and businesses will instead have to rely on:

  1. Legal requirement: where the processing of data is mandated in order to comply with some regulation.
  2. Legitimate interests: private-sector businesses and organizations have a legitimate or genuine interest with respect to their employees’ data, provided that such processing does not cause harm to the employees and respects their privacy rights. That is why the GDPR mandates that organizations conduct a DPIA in order to assess potential risks.


Hence, it is clear that monitoring employees is not in itself illegal, provided that the business complies with the GDPR requirements. Organizations and businesses in the private sector need to keep this in mind and must ensure that, if they monitor employees and process their personal data, they do so in accordance with the core principles of the GDPR discussed above. Failing to do so can lead to fines of up to €20 million or 4% of annual global turnover, whichever is higher, for severe violations. For less severe violations, fines can go up to €10 million or 2% of annual global turnover, whichever is higher.

Major Privacy Updates of the Week

Former UK PM Liz Truss' mobile phone compromised by suspected Russian agents

Liz Truss’s personal phone was hacked by alleged operatives of Russian President Vladimir Putin when she was foreign minister of the United Kingdom. The hackers had access to sensitive data, including private communications between Truss and her political ally, former Treasury Chief Kwasi Kwarteng, and conversations with foreign officials about the Ukraine conflict. The messages intercepted by the spies raised the possibility of blackmail.

Thomson Reuters database exposed 3TB of sensitive data

The international media corporation Thomson Reuters left a database exposed, containing sensitive company and consumer information, including passwords for third-party servers in plaintext. At least three of Thomson Reuters’ databases are freely searchable by anyone. The 3TB public-facing ElasticSearch database, one of the open instances, holds a mixed bag of sensitive, updated data from across the company’s platforms. Security professionals warned that threat actors could use the data to carry out operations ranging from ransomware to social engineering.

Employees in China can access European users' data, confirms new TikTok privacy policy

The short-form video sharing platform TikTok amended its privacy policy for users in the European Economic Area (“EEA”), the United Kingdom, and Switzerland and confirmed that its staff, including Chinese employees, can access user data. TikTok employees in Brazil, Canada, Israel, the US, and Singapore, where user data is currently housed, could also have access to European user data. According to the policy, “certain” company personnel may remotely access user data in order to carry out what the policy describes as “important” functions.

Dropbox suffers breach as hacker steals source code and personal information

Dropbox announced that it had experienced a data breach in which threat actors stole code from 130 repositories after compromising a GitHub account using employee login credentials obtained through phishing. Convincing emails directed employees to a fake CircleCI login page, where they entered their credentials on the malicious site. The data alongside the stolen code also contained “a few thousand” names and email addresses of Dropbox employees, former and current customers, sales prospects, and vendors.

Polish and Slovakian parliamentary IT systems disrupted by cyberattacks

A distributed denial-of-service attack linked to Russia briefly took down the website of the Polish Senate, while the speaker of the Slovak parliament delayed voting after stating that internal IT systems were down. A hacker group calling itself Cyber Army of Russia called for an attack on the Polish website via its Telegram channel; news reports about the attack were posted later. The Polish Senate website was attacked a day after the Senate unanimously decided to label Russia a “terrorist regime” in response to Moscow’s invasion of Ukraine.

Curated by: Prajwala D Dinesh, Ritwik Tiwari, Ayush Sahay
