A Warsaw-based logistics company recently expanded its workforce to 120 employees and introduced email scanning and GPS vehicle tracking without updating its internal regulations. Within weeks, the Personal Data Protection Office (Urząd Ochrony Danych Osobowych, UODO) received a complaint. The investigation exposed missing legal bases, no employee notice period, and undocumented data retention limits. The company faced a formal corrective order and reputational damage – all avoidable with a structured compliance review.
Polish law permits employee monitoring, but only within a framework set by the Kodeks pracy (Labour Code) and the General Data Protection Regulation (GDPR). Employers must establish a documented legal basis, inform employees at least 14 days before monitoring begins, and limit data retention to the purpose of the monitoring. Failure to satisfy these conditions exposes the company to UODO enforcement, fines of up to EUR 20 million or 4% of global annual turnover, and personal liability claims from employees.
This alert explains what the current rules require, which employers are most exposed, and what immediate steps reduce risk. It covers email and internet monitoring, GPS tracking, CCTV, and biometric access systems – the four forms most commonly deployed in Polish workplaces today.
What does Polish law now require from employers who monitor staff?
The Labour Code and GDPR together create a layered obligation. The Labour Code sets the procedural floor: purpose limitation, proportionality, and mandatory pre-implementation notice. GDPR adds the data-protection architecture – legal basis documentation, data subject rights, and retention schedules. Neither framework alone is sufficient. Both must be satisfied simultaneously.
The 14-day notice rule is the most frequently missed requirement. Before any new monitoring system goes live, the employer must inform each affected employee in writing. The notice must identify the monitoring type, its purpose, and the retention period. Employees hired after implementation must receive the same notice before their first working day. The National Court Register (Krajowy Rejestr Sądowy, KRS) does not record monitoring policies, but the UODO can demand them during any inspection.
Employers must also update their internal work regulations (regulamin pracy) to reflect monitoring arrangements. Companies with fewer than 50 employees that are not required to maintain a formal work regulations document must instead issue a written notice to each employee and to the relevant trade union, if one exists. This distinction matters: a 45-person IT firm and a 200-person manufacturer face different procedural paths, but identical substantive obligations.
- Define the specific purpose of each monitoring tool before deployment
- Issue written notice to all affected employees at least 14 days in advance
- Update the regulamin pracy or issue individual notices where no regulations exist
- Set and document a data retention period proportionate to purpose
- Appoint or confirm the role of the Data Protection Officer (DPO) if thresholds are met
We assisted a manufacturing client in Mazowieckie (autumn 2025) in restructuring its CCTV and access-card monitoring framework after a UODO pre-audit letter arrived. The engagement covered legal basis mapping, retention schedule drafting, and updated employee notices – completed within three weeks, before the formal inspection date.
Who is affected and what are the immediate action items?
Every employer in Poland that uses any form of employee monitoring is affected. There is no size threshold below which GDPR or Labour Code obligations disappear. A five-person startup using keylogger software and a 5,000-person retailer running warehouse CCTV face the same legal framework. The difference lies in enforcement probability and the scale of potential fines – not in the existence of the obligation.
Three categories of employer carry elevated risk right now. First, companies that introduced remote-work monitoring tools during 2020–2022 and have not reviewed their documentation since. Second, businesses that have grown past 50 employees and crossed into mandatory regulamin pracy territory without updating their internal rules. Third, employers who have recently onboarded relocated employees – including those arriving under a Polish work permit or EU Blue Card pathway – without extending monitoring notices to those individuals before their start date.
The UODO has signalled increased scrutiny of email and internet monitoring in particular. Covert monitoring – where employees have received no notice – is treated as a serious violation and can trigger fines in the upper range. Employers who operate a whistleblower channel must also ensure that monitoring systems do not inadvertently capture or expose whistleblower identities, since that intersection creates a compounded compliance risk under both GDPR and the Whistleblower Protection Act.
B2B contractors present a separate exposure point. If a company monitors individuals engaged under civil-law contracts in the same way it monitors employees, it must hold a valid legal basis for that processing too. The risk of B2B reclassification is rising in 2026, and monitoring practices that treat contractors as employees can be cited as evidence of an employment relationship – with tax and social-insurance consequences that dwarf any GDPR fine.
In an employment-law engagement in Warsaw for a Silesian retail group (spring 2026), we helped identify 34 contractors whose monitoring profiles were indistinguishable from those of employed staff. Corrective documentation reduced reclassification exposure by separating monitoring scope, access levels, and data retention periods across the two workforce categories.
What to prepare – immediate checklist:
- Audit all active monitoring tools and confirm each has a documented legal basis
- Verify that employee notices were issued at least 14 days before each tool went live
- Check that the regulamin pracy reflects current monitoring arrangements
- Review retention periods – most employers hold monitoring data far longer than permitted
Specific situations carry specific deadlines. If your company has not issued monitoring notices and is currently operating any surveillance tool, the 14-day notice period must run before you can claim compliance. That clock does not start until the notice is issued. Every day of delay extends the period of non-compliant processing – a period the UODO can treat as a continuing violation when calculating fines.
The lost-opportunity dimension is real. Companies that resolve monitoring compliance proactively retain the right to use monitoring data in disciplinary proceedings and litigation. Employers who cannot demonstrate lawful processing forfeit that evidence. An employee dismissed partly on the basis of email monitoring data, where no valid notice existed, faces a tribunal claim the employer cannot defend with that evidence – and may face a separate GDPR damages claim on top.
To receive an expert assessment of your company's monitoring framework, contact info@kordeckipartners.com.
Frequently asked questions
Q: Can an employer monitor employees' personal devices used for work?
A: Monitoring personal devices is permissible only in very limited circumstances and requires a specific legal basis beyond the general employment relationship. The employer must demonstrate a legitimate purpose that is proportionate to the intrusion, and the employee must receive clear notice of what data is collected and how it is used. In practice, most Polish employment lawyers recommend a bring-your-own-device policy that separates work applications from personal data rather than applying monitoring tools to the whole device.
Q: How long can employers retain CCTV footage under Polish law?
A: The Labour Code sets a default maximum retention period of three months for CCTV footage recorded in the workplace. If the footage constitutes evidence in disciplinary or legal proceedings, retention may continue until those proceedings are finally concluded. Employers frequently exceed the three-month limit without realising it – automated deletion schedules are the most reliable way to stay compliant.
Q: Is a Data Protection Officer mandatory for all employers who monitor staff?
A: A DPO is mandatory where the employer's core activities involve large-scale, systematic monitoring of individuals. The GDPR does not define "large-scale" by headcount alone – the nature, scope, and purpose of monitoring all factor in. An employer with 80 employees running continuous CCTV across a warehouse complex may meet the threshold; a 500-person office with basic access-card logging may not. A formal assessment documented in writing is the only safe approach.
KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to employment compliance, GDPR implementation, and workforce monitoring frameworks. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.