GDPR Employee Monitoring: 6 Limits and the BAG Line
TL;DR
- Section 26 BDSG (German Federal Data Protection Act) sets the lawful basis for processing employee data — proportionality is mandatory
- Continuous screen recording is prohibited (BAG, Federal Labor Court ruling 1 ABR 16/22); only incident-based, documented monitoring is permissible
- Covert keyloggers are inadmissible (BAG 2 AZR 681/16) — evidence collected this way is unusable in court
- EU AI Act Art. 5(1)(f): Emotion detection at the workplace is banned outright
- Works council co-determination under Section 87(1) No. 6 BetrVG (Works Constitution Act) is mandatory for any technical monitoring system
1. Section 26 BDSG Requirements
Processing of employee data is permitted only for purposes connected to the employment relationship. Proportionality is mandatory: less intrusive measures must be considered first. For investigations triggered by suspicion, Section 26(1) sentence 2 BDSG provides a narrower lawful basis that depends on documented evidence.
2. Screen Recording
Continuous recording of employee screens is prohibited (BAG ruling 1 ABR 16/22). Incident-based recording is permissible when it is limited in time and documented, and is either announced in advance or, where covert, based on concrete suspicion. Always involve the works council and document the proportionality test.
3. Keystroke Loggers
Covert keyloggers are inadmissible (BAG 2 AZR 681/16). Evidence obtained this way cannot be used in court. Even non-covert keyloggers fail the proportionality test in nearly all SME contexts.
4. Email Content Scanning
If private email use is permitted, content scanning requires a clear privacy notice and is allowed only to a limited extent. Untargeted content scanning without specific suspicion is inadmissible. Best practice: ban private use explicitly and limit scanning to spam, malware, and DLP triggers.
5. AI Performance Tracking
Under EU AI Act Art. 5(1)(f), emotion detection at the workplace is prohibited. Performance tracking that profiles employees requires explicit consent plus works council agreement. Algorithmic management without transparency is inadmissible.
6. Works Council Co-Determination (Section 87(1) No. 6 BetrVG)
Any technical system capable of monitoring employee behavior or performance triggers mandatory works council co-determination. Without works council approval, the system cannot be deployed. This applies to time-tracking software, video, screen recording, geolocation, and AI tools.
Summary
Employee monitoring under GDPR is legally tight. The safe baseline: monitor only on concrete suspicion, time-limited, documented, proportionate, with works council agreement. The CJEU ruling C-396/22 (2024) confirmed that covert workplace recording is inadmissible and the resulting evidence unusable. Build a monitoring policy that documents lawful basis, retention, and access controls before deploying any tool.
Frequently Asked Questions
When may I conduct monitoring?
CJEU C-396/22 (2024)
Sources
- Regulation (EU) 2016/679 — GDPR (consolidated) (As of: 2026-05-02)
- German Federal Data Protection Act (BDSG) (As of: ongoing)
- Regulation (EU) 2024/1689 — EU AI Act (Art. 5(1)(f)) (As of: 2026-05-02)