A Warsaw-based technology company with 340 employees introduced email scanning and screen-capture software across its workforce in early 2025. The rollout was swift. The legal groundwork was not. Within three months, a former employee filed a complaint with the Personal Data Protection Office (Urząd Ochrony Danych Osobowych, UODO) alleging unlawful processing of personal data. The company faced a potential administrative fine, an employment tribunal claim, and reputational exposure – all simultaneously.

Under Polish employment law and the Rozporządzenie o Ochronie Danych Osobowych (General Data Protection Regulation, GDPR), employers may monitor employees only where a legitimate legal basis exists, prior notice has been given, and the monitoring is proportionate to its stated purpose. Failure to meet these conditions exposes the employer to UODO fines of up to EUR 20 million or 4% of global annual turnover. The monitoring rules also intersect with the Labour Code and, for certain sectors, with whistleblower protection obligations.

This case study traces how the matter was resolved – from the initial UODO complaint through to a negotiated outcome – and identifies the lessons that apply to any Polish employer operating monitoring systems. The analysis covers background facts, the legal strategy adopted, the procedural steps taken, and the transferable principles that protect employers in similar situations.

What went wrong in the background?

The company had implemented three monitoring tools: email content scanning, periodic screen capture, and GPS tracking of company vehicles. Each tool served a plausible business purpose. Email scanning was framed as a cybersecurity measure. Screen capture was presented as a productivity tool. GPS tracking addressed fleet management. None of these purposes is unlawful on its face under Polish employment legislation.

The problem lay in execution. The National Labour Inspectorate (Państwowa Inspekcja Pracy, PIP) standard requires employers to introduce monitoring through a dedicated internal act – either a collective agreement or a workplace regulations document – at least 2 weeks before deployment. The company had circulated a one-page memo. That memo did not specify the scope of monitoring, the data retention period, or the employees' rights of access. It also arrived four days before the software went live.

A second gap concerned the legal basis. The employer had relied on legitimate interest under GDPR. That basis is permissible, but it requires a documented balancing test weighing the employer's interest against the employee's reasonable expectation of privacy. No such test had been recorded. The Data Protection Officer (DPO) appointed by the company had not been consulted before deployment – a procedural failure that UODO treats as an aggravating factor. The former employee's complaint identified all three deficiencies with precision, suggesting prior legal advice on their side.

How did the legal strategy address the UODO complaint?

Our team was engaged six weeks after the complaint was filed. The immediate priority was to stop the clock on further data accumulation. Monitoring continued during the investigation, which meant new personal data was being collected under the same defective legal basis every day. We advised the client to suspend screen-capture and email-content scanning within 48 hours, retaining only GPS tracking – which had the clearest legitimate-interest footing and the least intrusive profile.

For this technology-sector client in the Mazowieckie region (spring 2025), we secured a reversal of the initial regulatory exposure, reducing the matter from a potential maximum-band fine to a corrective instruction with a 90-day remediation window. The key instrument was a voluntary remediation plan submitted to UODO before the authority issued its formal findings. Polish data protection practice rewards early, documented self-correction. UODO's enforcement guidelines treat proactive remediation as a mitigating factor capable of reducing fines by a significant margin.

The strategy rested on three pillars. First, acknowledge the procedural failures openly and specifically – not in general terms. Second, demonstrate that the monitoring served genuine, proportionate purposes by producing the balancing test retrospectively (though this carried risk, discussed below). Third, show that systemic change had already begun: new workplace regulations, DPO sign-off, and a revised employee notice had all been drafted before the submission date. UODO examiners respond well to evidence that the employer has moved from reactive to structural compliance.

What did the process look like in practice?

The procedural timeline ran across four distinct phases. Phase one – triage and suspension – lasted 10 days. Phase two – remediation plan drafting and internal audit – took a further 3 weeks. Phase three – UODO submission and response – extended across 8 weeks, during which UODO requested two rounds of supplementary information. Phase four – outcome and implementation – concluded at the 90-day mark set by the corrective instruction.

The internal audit in phase two revealed a further complication. The company employed 14 workers on posted-worker arrangements and held Polish work permit documentation for several non-EU nationals. Monitoring data for these individuals was subject to additional sensitivity considerations. Cross-border data flows and the intersection of employment status with GDPR processing grounds required careful mapping. For context on posted-worker documentation obligations, see our analysis of posted workers from Czech Republic to Poland and A1 certificates.

One unexpected issue arose around Polish whistleblower obligations. The company had 340 employees – above the 50-person threshold that triggers mandatory internal reporting channels under the Whistleblower Protection Act (Ustawa o ochronie sygnalistów). The monitoring system had been capturing communications through the same channels designated for whistleblower reports. That overlap required immediate structural separation to avoid chilling protected disclosures. A review by our Warsaw employment lawyers confirmed that the monitoring scope needed a defined carve-out for protected-channel communications, documented in the workplace regulations.

What are the transferable lessons for Polish employers?

Four lessons emerge from this matter that apply regardless of company size or sector. First, the 2-week notice requirement is a hard threshold, not a guideline. Introducing monitoring before that window closes – even by a single day – removes the employer's procedural defence entirely. The workplace regulations document must be specific: it must name each monitoring tool, state its purpose, define the retention period (typically no more than 3 months for screen captures), and identify who has access to the data.

Second, the legitimate-interest balancing test must be documented before deployment, not reconstructed after a complaint. Retrospective documentation carries credibility risk. UODO examiners are experienced at identifying documents whose metadata does not match their claimed creation date. An employer producing a balancing test dated after the complaint filing will face heightened scrutiny. The DPO must sign off on the test and record that sign-off in the processing register.

  • Prepare workplace monitoring regulations at least 2 weeks before deployment
  • Document the legitimate-interest balancing test before any system goes live
  • Consult the DPO and record their sign-off in writing
  • Map monitoring scope against whistleblower-channel carve-outs where required
  • Review posted-worker and EU Blue Card holder data separately for cross-border transfer obligations

Third, the intersection with whistleblower obligations is underappreciated. Any employer above the 50-employee threshold must audit whether monitoring systems touch protected reporting channels. The remedy is structural separation, not a policy statement. For employers with internationally mobile workforces – including those holding EU Blue Card status or posted-worker arrangements – the data-processing map must account for the country of origin's data protection requirements as well. Our earlier note on posted workers from the United Kingdom to Poland and A1 certificates addresses the documentation baseline for that category.

Fourth, proactive engagement with UODO pays dividends. An employer that suspends non-compliant processing, submits a credible remediation plan, and demonstrates structural change before the authority's formal findings are issued is treated materially differently from one that waits. The difference in outcome can be the distinction between a corrective instruction and a fine in the EUR 50,000 to EUR 500,000 range. For employers operating across multiple jurisdictions, the interaction between Polish GDPR enforcement and foreign tax or employment frameworks – including those covered in our note on the key provisions of Poland's double tax treaties – adds further complexity to the compliance picture.

The Warsaw technology company completed its remediation within the 90-day window. UODO issued a corrective instruction with no financial penalty. The employment tribunal claim was settled on confidential terms. The DPO is now embedded in the procurement process for any new HR technology – a structural change that forecloses this category of risk going forward.

Every employer operating monitoring systems in Poland faces the same exposure. The legal basis, the notice, the balancing test, and the whistleblower carve-out are not optional layers. They are the minimum. Getting them wrong triggers personal liability for data controllers and, in serious cases, precludes the employer from using the monitored data as evidence in any subsequent disciplinary or litigation context – an irreversible consequence that undermines the entire purpose of the monitoring programme.

Your company's specific monitoring arrangements may carry risks that are not visible without a structured audit. Delay in identifying those risks forfeits the proactive-remediation advantage that proved decisive in this matter.

To discuss how GDPR monitoring obligations apply to your workforce arrangements, contact info@kordeckipartners.com. Our team will review your current monitoring documentation, identify gaps against the UODO compliance standard, and produce a prioritised remediation plan.

Frequently asked questions

Q: How long can an employer retain monitoring data under Polish law?

A: Polish employment legislation does not set a single universal retention limit, but data protection practice and UODO guidance treat 3 months as the standard maximum for most forms of employee monitoring data. Longer retention is permissible only where the employer can demonstrate a specific, documented purpose – for example, ongoing disciplinary proceedings. The retention period must be stated in the workplace monitoring regulations before deployment. Storing data beyond the stated period without fresh justification constitutes a separate GDPR breach.

Q: Is it a misconception that consent can serve as the legal basis for employee monitoring?

A: Yes. Relying on employee consent is a common and serious error. Under GDPR, consent must be freely given. The employment relationship creates an inherent power imbalance that makes genuinely free consent from an employee almost impossible to establish. UODO and the European Data Protection Board both treat employer-employee consent as presumptively invalid. Employers should rely instead on legitimate interest (with a documented balancing test) or, where applicable, on a legal obligation basis.

Q: What does a compliant workplace monitoring regulations document need to contain?

A: The document must identify each monitoring tool by name and function, state the specific purpose of each tool, define the data retention period, identify the categories of employees covered, and set out the employees' rights – including the right to access their own monitoring data. It must be introduced through a collective agreement or workplace regulations update, communicated to all affected employees, and made available at least 2 weeks before monitoring begins. For companies with non-EU nationals holding Polish work permits or EU Blue Card status, a separate section addressing cross-border data transfer obligations is advisable.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to employment compliance, GDPR implementation, and workforce mobility. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.