A Warsaw-based technology company rolls out email and screen-monitoring software for its 120 remote employees. Three weeks later, the Personal Data Protection Office (Urząd Ochrony Danych Osobowych, UODO) receives a complaint. The company had collected browsing data, keystrokes, and location pings – without a legal basis, without a privacy notice, and without informing the works council. The fine that followed exceeded PLN 800,000.
Under Polish employment law and the EU General Data Protection Regulation (GDPR), employers may monitor employees, but only within a defined legal framework. The Kodeks pracy (Labour Code) permits specific forms of workplace monitoring, including email surveillance and GPS tracking, provided the employer satisfies three cumulative conditions: a legitimate purpose tied to work organisation, prior notification of employees, and, where a works council or trade union exists, prior consultation. Failure to meet any one condition renders the monitoring unlawful and exposes the employer to administrative fines of up to EUR 20 million or four percent of global annual turnover, whichever is higher.
This guide walks through the step-by-step compliance procedure, flags the most common mistakes, and maps the obligations across three business scenarios – a manufacturing employer, a software house, and a foreign investor establishing Polish operations. Each section includes at least one concrete figure to help you benchmark your own situation.
What legal framework governs employee monitoring in Poland?
Polish workplace monitoring sits at the intersection of two legal regimes. The Labour Code sets out the permissible categories of monitoring and the procedural conditions for lawful use. GDPR then overlays data-protection obligations on top of those conditions. Neither regime operates in isolation. An employer who satisfies the Labour Code procedure but ignores GDPR's transparency requirements is still non-compliant – and vice versa.
The Labour Code recognises several monitoring categories. Email monitoring is permitted where necessary to ensure the proper use of work tools or to protect the employer's legitimate interests. Visual monitoring (CCTV) is allowed on the employer's premises and in the area surrounding them, with specific exclusions for welfare rooms, canteens, and trade-union offices. GPS tracking of company vehicles is permissible where the employer can demonstrate an operational justification. Internet-activity monitoring follows similar conditions. Each category requires a separate documented basis; one policy that says "monitoring" without distinguishing the categories does not satisfy this.
On the GDPR side, the lawful basis for most workplace monitoring is Article 6(1)(f), the legitimate interests ground. The employer must conduct a balancing test: its interests must outweigh the employee's reasonable expectation of privacy. That test must be documented. It is not filed with any registry (the National Court Register, Krajowy Rejestr Sądowy, KRS, has no role here), but the UODO can demand it at any time during an inspection. Employers who cannot produce it face an immediate compliance gap.
Three Polish institutions are central to this framework. The Personal Data Protection Office (UODO) supervises GDPR compliance and issues fines. The State Labour Inspectorate (Państwowa Inspekcja Pracy, PIP) enforces the Labour Code monitoring provisions. The Social Insurance Institution (Zakład Ubezpieczeń Społecznych, ZUS) becomes relevant where monitoring data is used in disciplinary proceedings that affect benefit entitlements. Employers dealing with a cross-border workforce should also note that the employment law compliance guide for UK companies in Poland covers how monitoring obligations interact with posted-worker rules.
What is the step-by-step procedure for lawful monitoring?
Lawful monitoring requires a sequence of actions before the first byte of data is collected. Skipping any step does not merely create a procedural irregularity – it renders the entire monitoring programme unlawful from day one, forfeiting any defence in an enforcement proceeding. The timeline from decision to go-live typically runs 14 to 30 days, depending on whether a works council or trade union must be consulted.
The procedure breaks down as follows:
- Step 1 – Purpose definition: Document the specific operational reason for each monitoring category. Vague purposes such as "security" are insufficient. The reason must link directly to the employer's legitimate interest.
- Step 2 – Balancing test: Prepare a written legitimate-interests assessment. Record why the employer's interest outweighs employee privacy expectations, and why less-intrusive alternatives were considered and rejected.
- Step 3 – Internal consultation: Where a works council or trade union exists, consult them at least 14 days before implementation. Their opinion must be documented, even if it is negative.
- Step 4 – Policy and notice: Issue a written monitoring policy and individual employee notices at least two weeks before monitoring begins. The notice must specify the categories of data collected, retention periods, and employee rights.
- Step 5 – Internal records: Update the Record of Processing Activities (RoPA) maintained under GDPR. The RoPA entry for monitoring must include the legal basis, purpose, data categories, and retention period.
Retention is a frequent compliance gap. The Labour Code caps the retention of CCTV recordings at three months from collection, unless the recording is evidence in disciplinary or legal proceedings, in which case it may be kept until those proceedings conclude. Other monitoring data (email, internet activity, GPS) has no statutory cap, but the GDPR storage-limitation principle still requires a documented retention period that the employer actually enforces. Many employers configure monitoring systems to retain data indefinitely, which creates a separate GDPR violation independent of whether the monitoring itself was lawfully introduced.
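The retention rule above is the one point in the procedure that a system has to enforce on an ongoing basis, so the following is an added example of a retention job that does it (example code written for this guide, not code from any monitoring product). It deletes each record once its retention period has run, keeps records that are on a documented legal hold for a proceeding, refuses to run if a hold has no recorded reason, and writes an audit line for every decision so the employer can show an inspector what was deleted and why. The record fields, the per-category periods in `RETENTION_MONTHS` and the sample records are assumptions constructed for illustration; the three-month figure for CCTV mirrors the statutory cap described in the text.

```python
"""Retention enforcement for workplace-monitoring records.

Added example, not from the original article or any named product. It encodes
the rule described above: each record is deleted once its retention period has
run, unless it is on a documented legal hold because it is evidence in a
disciplinary or legal proceeding. Field names, the per-category periods and
the sample records are assumptions constructed for illustration.
"""
import calendar
from dataclasses import dataclass, field
from datetime import date

# Assumed retention periods in calendar months. The 3-month figure for CCTV
# mirrors the statutory cap described in the text; the others stand in for the
# employer's own documented RoPA periods.
RETENTION_MONTHS = {"cctv": 3, "email": 3, "gps": 3}


@dataclass
class MonitoringRecord:
    record_id: str
    category: str              # key into RETENTION_MONTHS
    collected_on: date
    legal_hold: bool = False   # True while the record is evidence in a proceeding
    hold_reason: str = ""      # case reference; an empty reason is a documentation gap


@dataclass
class RetentionResult:
    deleted: list = field(default_factory=list)
    retained: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)  # one line per decision, for the inspector


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping to the last day of the target month
    (30 Nov + 3 months -> 28/29 Feb), so a '3 month' cap is never overshot."""
    y, m0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + y, m0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def expiry_date(rec: MonitoringRecord) -> date:
    """First day on which the record may no longer be kept without a hold."""
    return add_months(rec.collected_on, RETENTION_MONTHS[rec.category])


def apply_retention(records, today: date) -> RetentionResult:
    """Decide keep/delete for each record as of `today` and log every decision."""
    result = RetentionResult()
    for rec in records:
        expiry = expiry_date(rec)
        if rec.legal_hold:
            if not rec.hold_reason:
                # Refuse to run rather than silently keep unexplained data.
                raise ValueError(f"{rec.record_id}: legal hold without documented reason")
            result.retained.append(rec.record_id)
            result.audit_log.append(
                f"{today} KEEP {rec.record_id} ({rec.category}) on legal hold: {rec.hold_reason}")
        elif today >= expiry:
            # Once the hold is lifted, an expired record is deleted on the next run.
            result.deleted.append(rec.record_id)
            result.audit_log.append(
                f"{today} DELETE {rec.record_id} ({rec.category}) collected {rec.collected_on}, "
                f"expired {expiry}")
        else:
            result.retained.append(rec.record_id)
            result.audit_log.append(
                f"{today} KEEP {rec.record_id} ({rec.category}) until {expiry}")
    return result


# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    MonitoringRecord("cctv-0001", "cctv", date(2025, 2, 1)),
    MonitoringRecord("cctv-0002", "cctv", date(2025, 3, 15)),
    MonitoringRecord("cctv-0003", "cctv", date(2024, 12, 10),
                     legal_hold=True, hold_reason="disciplinary case DP/2025/07"),
    MonitoringRecord("gps-0001", "gps", date(2025, 5, 20)),
]


def run_sample(today: date = date(2025, 6, 1)) -> RetentionResult:
    """Run the job over the constructed records as of a fixed date."""
    return apply_retention(SAMPLE_RECORDS, today)


if __name__ == "__main__":
    print("\n".join(run_sample().audit_log))
```

Run as of 1 June 2025, the job deletes only `cctv-0001` (collected 1 February, expired 1 May), keeps `cctv-0002` and `gps-0001` because their periods have not run, and keeps `cctv-0003` on its documented hold. The calendar-month arithmetic matters: a fixed 90-day window would exceed three months for a recording made on 1 February, while `add_months` clamps to the last day of the month so the cap is never overshot.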
We secured withdrawal of a PIP enforcement notice for a logistics employer in the Mazowieckie region (spring 2025) after demonstrating that the company had completed all five procedural steps but had used a non-compliant notice template. The fix required reissuing notices and a 30-day remediation period – no fine was imposed.
What are the most common employer mistakes?
Most enforcement actions by the UODO and PIP do not stem from employers who knowingly circumvent the rules. They stem from employers who follow incomplete procedures, rely on outdated templates, or assume that a single policy document covers all monitoring categories. Understanding where the gaps typically arise is the most practical compliance tool available.
The first and most frequent mistake is monitoring personal email accounts or private messaging applications on company devices. The Labour Code permits email monitoring only of employer-provided email accounts. Accessing an employee's personal Gmail or WhatsApp – even on a company laptop – constitutes an interference with correspondence that goes beyond what the Labour Code authorises. Personal liability of the responsible manager can arise alongside the corporate fine.
The second common error involves CCTV coverage. Employers routinely install cameras in areas that the Labour Code expressly prohibits: changing rooms, toilets, prayer rooms, and, importantly, any space designated as a rest area. A camera covering a canteen corner where employees eat lunch is non-compliant, even if the primary purpose is to monitor an adjacent production line. The prohibition turns on the space the camera covers, not on the employer's intent.
Third, employers underestimate the whistleblower dimension. Poland's ustawa o ochronie sygnalistów (Whistleblower Protection Act), in force since September 2024, requires employers with 50 or more employees to maintain an internal reporting channel. If monitoring data reveals a potential violation and the employer fails to route that information through a compliant channel, the employer may face liability under both the Whistleblower Protection Act and GDPR simultaneously. For context on how sanctions-related reporting intersects with this obligation, see the EU sanctions framework guide for Polish businesses.
Fourth, remote-work monitoring introduces additional complexity. Screen-capture tools and keystroke loggers that operate on employees' private devices – even partially – require explicit consent under GDPR. Legitimate interests cannot override the privacy of a personal device. Employers who deploy such tools as a condition of remote work face a consent-validity challenge: consent given as a condition of employment is presumptively not freely given under GDPR.
How do obligations differ across three business scenarios?
Monitoring obligations are not uniform. The size of the employer, the nature of the work, and the presence of cross-border elements each shift the compliance picture. Three scenarios illustrate the range of obligations an employment lawyer in Warsaw regularly encounters.
Scenario 1 – Manufacturing employer (200 employees, Silesia): A production plant uses CCTV on the factory floor and GPS trackers on delivery vehicles. The plant has a works council. Obligations include formal consultation at least 14 days before any new monitoring is introduced, posting of camera notices in Polish at every monitored location, and a separate GPS-monitoring clause in the employment contract or a standalone written notice. The three-month retention cap applies to CCTV footage not linked to an incident. The employer must also appoint a Data Protection Officer (DPO), since regular and systematic monitoring of employees on a large scale triggers the mandatory DPO requirement under GDPR Article 37(1)(b).
Scenario 2 – Software house (35 employees, remote-first): The company uses a project-management platform that logs time spent on tasks. Because the workforce is below 50, the Whistleblower Protection Act's internal-channel obligation does not yet apply. However, GDPR obligations apply in full. The legitimate-interests balancing test must address the heightened privacy expectations of home-based workers. Productivity-monitoring software that captures screenshots every five minutes is likely disproportionate for knowledge workers, and the UODO has indicated this in non-binding guidance. A less-intrusive alternative – task-based output measurement – should be documented as considered and rejected before deploying screenshot tools.
Scenario 3 – Foreign investor establishing Polish operations (workforce including EU Blue Card and Polish work-permit holders): A German parent company expanding into Poland wants to apply its group-wide monitoring policy. Group policies, even those drafted in another EU member state, rarely satisfy Polish Labour Code requirements without adaptation. The Polish subsidiary must issue its own monitoring notices in Polish, conduct its own consultation where a works council is formed, and maintain a separate RoPA entry. Employees holding an EU Blue Card or a work permit in Poland have the same GDPR rights as Polish nationals. The employment law compliance guide for Spain companies in Poland provides a comparable analysis for Southern European investors entering the Polish market.
We obtained a favourable UODO advisory opinion for a Małopolska-based IT employer (autumn 2025) that had implemented a group monitoring policy without local adaptation. The remediation involved a targeted rewrite of the policy, reissued employee notices, and the appointment of a local DPO notified to the UODO, all completed within 21 days.
What to prepare – compliance checklist
Before activating any monitoring system, confirm that the following items are in place. This checklist applies to employers of all sizes, with the DPO item conditional on the mandatory-DPO threshold being met.
- Written purpose statement for each monitoring category, linked to a specific operational need
- Documented legitimate-interests balancing test, signed and dated before go-live
- Consultation record (works council or trade union), or a written note confirming no such body exists
- Individual employee notices issued at least 14 days before monitoring begins, in Polish
- RoPA updated with monitoring entries, including a retention period of no more than three months for non-incident CCTV footage and a documented, enforced period for every other monitoring category
Each item should be retained for at least five years. The UODO's standard inspection request covers the previous three years of processing records, and incomplete documentation from prior periods can reopen past compliance gaps.
Employers who have already deployed monitoring systems without completing this checklist face a specific risk. Retroactive compliance, that is issuing notices after monitoring has begun, does not cure the original unlawful processing. It limits future exposure but does not eliminate liability for the period before the notice was issued. Acting within 30 days of identifying a gap is materially better than acting at 90 days, because the UODO treats prompt remediation as a mitigating factor when setting a fine under GDPR Article 83(2).
Specific monitoring situations require tailored legal review. Your company's data-processing history, workforce composition, and existing agreements each affect the remediation path. To receive an expert assessment of your monitoring programme, contact info@kordeckipartners.com.
Frequently asked questions
Q: Can an employer monitor an employee's personal mobile phone if the employee uses it for work calls?
A: No. The Labour Code monitoring provisions apply only to employer-provided tools and communication systems. Accessing call logs or messages on a personal device – even one used for work – requires explicit, freely given consent under GDPR. Consent tied to employment conditions is presumptively coerced and therefore invalid. The employer should instead consider issuing a company device if call monitoring is operationally necessary.
Q: How long does it take to implement a compliant monitoring programme from scratch?
A: The minimum timeline is 14 days from the date employee notices are issued, provided the works-council consultation (where required) runs concurrently. In practice, drafting the purpose statements, balancing test, and notices typically adds five to ten working days before the notice period begins. A realistic total is three to five weeks. Employers with a DPO in place can often compress this to 18 to 21 days, because the DPO can review documentation in parallel with consultation.
Q: Is it true that GDPR consent from employees is always invalid?
A: This is a common misconception. Consent is not automatically invalid – it is presumptively invalid where it is a condition of employment or where refusal carries a credible employment consequence. For genuinely optional processing – for example, an employee voluntarily enrolling in a wellness app that the employer provides but does not require – freely given consent is possible. The key question is whether the employee can realistically say no without adverse consequence. Where doubt exists, legitimate interests or a contractual basis is more defensible than consent.
KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to employment law compliance, workplace monitoring, and data-protection matters. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.