A Kraków-based technology company installs keylogging software on employee laptops to track productivity. Six months later, the Polish Personal Data Protection Authority (UODO) opens an investigation. The company has no written monitoring policy, no works council consultation record, and no privacy notice given to employees before monitoring began. The exposure is real – and largely avoidable.

Under Polish labour law and the General Data Protection Regulation (GDPR), employers may monitor employees only within defined legal limits. The Kodeks pracy (Labour Code) requires written internal regulations, advance employee notification at least two weeks before monitoring begins, and a documented lawful basis under GDPR. Violations expose employers to administrative fines of up to EUR 20 million or 4% of global annual turnover, whichever is higher, plus civil claims from affected employees.

This analysis covers the doctrinal framework, the interaction between Polish labour law and GDPR, cross-border complexity for multinational employers, strategic compliance steps, and the regulatory outlook. Each section opens with a direct answer so that in-house teams and HR directors can extract what they need immediately.

What legal framework governs employee monitoring in Poland?

Polish employers operate under a two-layer system. The Labour Code sets out specific monitoring permissions and procedural requirements. GDPR – directly applicable across Poland – adds a data protection layer that cannot be displaced by domestic law. Both frameworks apply simultaneously: satisfying one does not satisfy the other.

The Labour Code permits employers to use four named monitoring types: email monitoring, other electronic communication monitoring, visual monitoring (CCTV), and location tracking of company vehicles. Each type carries its own procedural trigger. For any form of monitoring to be lawful, the employer must first establish a legitimate purpose – typically protecting property, controlling production output, or ensuring workplace safety – and must document that purpose in writing.

The National Labour Inspectorate (Państwowa Inspekcja Pracy, PIP) enforces Labour Code obligations. The Personal Data Protection Authority (Urząd Ochrony Danych Osobowych, UODO) enforces GDPR. Both bodies may act independently on the same facts. A PIP inspection finding a procedural breach does not prevent UODO from opening a separate GDPR investigation. Employers dealing with both simultaneously face parallel timelines and different evidentiary standards.

The Supreme Court of Poland (Sąd Najwyższy) has confirmed that monitoring data collected in breach of the Labour Code cannot be used as evidence in employment disputes. That rule has direct commercial consequences. An employer who discovers misconduct through unlawfully installed monitoring software may be unable to rely on that evidence in dismissal proceedings – forfeiting the factual basis for termination.

The lawful basis question under GDPR deserves careful attention. Most employers invoke legitimate interests. That choice requires a balancing test: the employer's interest in monitoring must outweigh the employee's reasonable expectation of privacy. The less intrusive the monitoring method, the easier that balance is to justify. Keystroke logging is harder to justify than door-access logs. Courts and regulators apply proportionality strictly.

What are the procedural obligations before monitoring can start?

Procedure is where most Polish employers fall short. The Labour Code sets a clear sequence: establish monitoring in internal regulations or a collective agreement, notify the works council or trade union if one exists, then give individual employees written notice at least 14 days before monitoring begins. Missing any step makes the monitoring unlawful from day one.

Internal regulations must specify the type of monitoring, its purpose, the scope of data collected, and the retention period. Vague language – "monitoring for security purposes" – does not satisfy the requirement. The regulation must identify whether email subject lines are captured, whether full message content is logged, or whether only connection metadata is recorded. Scope precision matters both legally and practically: it constrains what the employer can actually do with the data.

We secured a favourable outcome for a manufacturing client in the Mazowieckie region (autumn 2025) by challenging a dismissal based on email monitoring evidence. The employer's internal regulations described only "electronic communication monitoring" without specifying content capture. The court accepted our argument that content-level email review exceeded the documented scope – making the evidence inadmissible and the dismissal procedurally defective.

Works council or trade union consultation is a precondition, not a formality. Where a works council exists, the employer must present the proposed monitoring policy and await a response within a reasonable period before implementation. The consultation record should be retained. In the absence of employee representation bodies, the employer must notify employees directly – still in advance, still in writing, still at least 14 days before monitoring starts.

Retention periods deserve specific attention. The Labour Code caps monitoring data retention at three months as a default, extendable where the data is needed for ongoing proceedings. Retaining monitoring footage or logs beyond the applicable period is itself a GDPR violation, independent of the original monitoring lawfulness. Data minimisation and storage limitation are non-negotiable GDPR principles that apply throughout the monitoring lifecycle.

To discuss how your company's monitoring procedures align with current requirements, contact info@kordeckipartners.com.

How does GDPR interact with workplace monitoring obligations?

GDPR does not create a standalone permission for employee monitoring. It requires a lawful basis, a documented purpose, proportionate data collection, and transparent processing – all of which must coexist with whatever the Labour Code requires. The interaction creates obligations that are more demanding than either framework would impose alone.

Legitimate interests (Article 6(1)(f) of GDPR) is the most commonly invoked basis for employee monitoring. It requires a three-part test: the interest must be legitimate, the processing must be necessary for that interest, and the employee's fundamental rights must not override it. Polish data protection practice – shaped by UODO decisions and European Data Protection Board (EDPB) guidance – treats employee monitoring as a high-risk category requiring careful necessity analysis.

Our team obtained interim measures protecting a German investor's subsidiary in Lower Silesia (spring 2026) during a UODO investigation triggered by GPS tracking of delivery drivers. The employer had not conducted a Data Protection Impact Assessment (DPIA) before deploying the tracking system. UODO treated the absence of a DPIA as an aggravating factor in its enforcement calculation. The interim measures gave the client time to remediate before final findings.

DPIAs are mandatory where monitoring is likely to result in a high risk to individuals' rights and freedoms. Continuous location tracking, systematic email content monitoring, and video surveillance of workspaces all typically cross that threshold. A DPIA must be completed before deployment – not retrospectively. Employers who skip this step and later face enforcement cannot cure the omission by conducting a post-hoc assessment.

Privacy notices must be provided before monitoring begins. The notice must identify the controller, describe the processing purpose, specify the legal basis, state the retention period, and inform employees of their rights – including the right to lodge a complaint with UODO. Providing a notice buried in an employment contract appendix, without drawing attention to it, is unlikely to satisfy the transparency requirement. Dedicated, clear, standalone notices are the safer approach.

For a tailored strategy on GDPR-compliant monitoring frameworks, reach out to info@kordeckipartners.com.

What cross-border complexity applies to multinational employers?

Multinational employers face layered complexity. A company with a Polish subsidiary and a German parent, or with employees working remotely across EU member states, cannot simply apply one country's monitoring policy across the group. GDPR applies uniformly across the EU, but national labour laws diverge significantly on monitoring permissions, and those divergences create real compliance gaps.

Polish law is more permissive than some EU counterparts on email monitoring – it explicitly permits it under defined conditions. French law, by contrast, imposes stricter limits on employer access to employee email content. A group-wide monitoring policy drafted to French standards may be more restrictive than Polish law requires. One drafted to Polish standards may be unlawful in France. This cross-border dimension of employment practice illustrates how national differences compound compliance obligations for multinational groups.

Remote work has intensified this complexity. Employees working from home in Poland while employed by a Polish entity present a cleaner scenario. Employees working remotely in Poland under a contract governed by another EU member state's law raise questions about which national labour law's monitoring rules apply. The Rome I Regulation generally protects employees by applying the law of the country where they habitually work – meaning Polish Labour Code monitoring rules likely apply to anyone physically working in Poland, regardless of the contract's choice-of-law clause.

Whistleblower protection adds another layer. The Polish Whistleblower Protection Act (implemented in 2024) prohibits retaliation against employees who report breaches through internal or external channels. Monitoring designed to identify whistleblowers – or monitoring data used to retaliate against them – carries specific criminal and civil exposure. Employers should review whether their monitoring programmes could inadvertently capture whistleblower communications. For cross-border worker arrangements more broadly, the compliance baseline extends beyond monitoring alone.

Work permit and EU Blue Card holders present an additional consideration. Foreign nationals, including those holding an EU Blue Card or a Polish work permit, are subject to the same monitoring rules as Polish nationals. However, employers in sectors relying heavily on non-EU workers – logistics, construction, hospitality – should ensure that monitoring policies are communicated in languages employees actually understand. A Warsaw-based employment lawyer can advise on language-specific notification requirements.

What strategic steps should employers take to achieve compliance?

Compliance is not a one-time exercise. Monitoring technology evolves, business needs change, and regulatory guidance develops. A monitoring framework built in 2022 may not reflect current UODO practice or the EDPB's updated guidance on employee data. Employers should treat monitoring compliance as a recurring governance item, not a project with a fixed end date.

The compliance sequence has five stages. First, audit existing monitoring: catalogue every system that captures employee data, from CCTV to access logs to productivity software. Second, map each system against the Labour Code's named monitoring types and identify gaps. Third, update internal regulations to reflect actual monitoring scope with the specificity the law requires. Fourth, conduct or refresh DPIAs for high-risk systems. Fifth, re-notify all employees before any new or modified monitoring begins – the 14-day minimum is a floor, not a target.

  • Audit all monitoring systems and document their data capture scope
  • Review internal regulations for purpose and scope precision
  • Complete DPIAs before deploying or modifying monitoring technology
  • Issue updated privacy notices at least 14 days before changes take effect
  • Retain consultation records with works councils or trade unions

Proportionality review should be built into the process. For each monitoring system, the employer should ask: is a less intrusive method available that achieves the same purpose? If yes, the less intrusive option should be preferred. Keystroke logging is rarely proportionate where access logs or output metrics would suffice. The proportionality question is not merely ethical – it is the core of the legitimate interests balancing test and the DPIA necessity assessment.

Disputes involving monitoring evidence require early legal involvement. Once an employee challenges a dismissal or files a UODO complaint, the employer's ability to correct procedural defects is limited. Courts and regulators assess lawfulness at the time of collection, not at the time of proceedings. Dispute practice in Poland regularly produces cases where early compliance investment would have prevented costly litigation. Personal liability exposure for board members and HR directors who authorise unlawful monitoring is an increasingly live issue in Polish enforcement practice.

Specific monitoring situations require specific analysis. Bring-your-own-device (BYOD) policies create blurred boundaries between personal and work data. Remote desktop monitoring of home computers raises proportionality questions that office-based monitoring does not. AI-driven productivity analytics – increasingly marketed to Polish employers – may constitute automated decision-making under GDPR, triggering additional obligations. Each scenario needs its own legal assessment.

What does the regulatory outlook mean for Polish employers?

The regulatory direction is clear: enforcement is increasing, fines are rising, and employee data protection is a priority area for UODO. The Authority has published sector-specific guidance on employee monitoring and has indicated that systematic monitoring without proper legal foundations will be treated as a serious violation. Employers who have not reviewed their monitoring frameworks since GDPR's 2018 entry into force are operating on outdated assumptions.

EDPB guidelines on employee monitoring – developed through coordinated enforcement rounds across EU supervisory authorities – are expected to be finalised in 2026. Polish employers should anticipate that UODO will align its enforcement practice with those guidelines once published. Areas likely to receive specific attention include AI-based monitoring tools, biometric data processing (fingerprint and facial recognition access systems), and remote work monitoring in hybrid arrangements.

The Polish whistleblower framework creates a new enforcement dynamic. Employees who believe they have been subjected to unlawful monitoring now have a protected channel to report that concern to UODO or PIP without fear of retaliation. That channel is likely to increase the volume of complaints reaching regulators. Employers with weak monitoring frameworks are more exposed than they may realise – not because regulators are more aggressive, but because employees are more informed and better protected when they act.

Technology procurement decisions are increasingly governance decisions. When an employer purchases a new HR analytics platform or installs AI-driven workforce management software, the data protection analysis must happen before procurement, not after deployment. Data processor agreements with vendors must reflect current GDPR standards. Vendor contracts that do not address sub-processing, international transfers, or data deletion obligations create compliance gaps that employers – as data controllers – cannot delegate away.

The trajectory is toward greater accountability, not less. Employers who invest now in documented, proportionate, transparent monitoring frameworks will be better positioned when the next round of regulatory guidance arrives. Those who defer will face remediation under enforcement pressure – a more expensive and reputationally damaging path than proactive compliance.

Frequently asked questions

Q: Can a Polish employer monitor personal email accounts used on company devices?

A: No. The Labour Code permits monitoring of work-related electronic communications only. Personal email accounts, even accessed on company equipment, are outside the permitted scope of employer monitoring under Polish labour law. Accessing personal email content without employee consent would also constitute a criminal offence under Polish criminal law. Employers should configure monitoring systems to exclude personal account traffic and document that exclusion in their internal regulations.

Q: How long can an employer retain CCTV footage of the workplace?

A: The default retention period under the Labour Code is three months from the date of recording. That period may be extended where the footage is needed for ongoing legal, disciplinary, or administrative proceedings – but only for the duration of those proceedings. Retaining footage beyond the applicable period is a separate GDPR violation, regardless of whether the original recording was lawful. Employers should configure automatic deletion at the three-month mark and document any extensions with reference to specific active proceedings.

Q: Does a small employer with fewer than 10 employees need to follow the same monitoring rules?

A: Yes. The Labour Code monitoring obligations apply regardless of employer size. There is no small-employer exemption. The GDPR DPIA obligation applies where processing is likely to result in high risk, which is assessed on the nature of the processing, not the size of the organisation. A small employer conducting continuous location tracking of delivery drivers faces the same DPIA obligation as a large logistics company. The absence of a works council does not eliminate procedural requirements – it simply means the employer must notify employees directly rather than through employee representatives.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to employment compliance, employee monitoring frameworks, and GDPR implementation. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.