A Warsaw-based retail company installs keyloggers on employee laptops during a remote-work expansion. Six months later, the Personal Data Protection Office (Urząd Ochrony Danych Osobowych, UODO) opens an ex-officio investigation. The company had no written monitoring policy, no prior notification to employees, and no data protection impact assessment. The financial exposure runs into hundreds of thousands of zlotys – and that figure excludes civil claims from affected staff.
Polish law permits employers to monitor employees, but the legal framework is demanding. The Kodeks pracy (Labour Code, KP) sets out specific grounds for workplace monitoring – email surveillance, GPS tracking, and camera systems each require separate legal justification. The General Data Protection Regulation (GDPR) adds an obligation to conduct a data protection impact assessment (DPIA) for high-risk processing. Failure to comply exposes the employer to administrative fines of up to EUR 20 million or 4% of global annual turnover, whichever is higher, plus individual claims under Polish civil law.
This guide walks through the step-by-step compliance process: legal grounds, documentation requirements, employee notification rules, and the three most common implementation mistakes. It covers three business scenarios – a manufacturing company, an IT firm, and a foreign investor entering the Polish market – and closes with a practical checklist and FAQ. Employers who have already deployed monitoring tools without full compliance should treat this guide as an audit framework.
What legal framework governs employee monitoring in Poland?
Polish workplace monitoring sits at the intersection of three bodies of law. The Labour Code provides employment-specific rules. The GDPR governs personal data processing. The Kodeks cywilny (Civil Code) protects personal interests, including privacy. All three apply simultaneously, and a gap in any one of them creates exposure across the others.
The Labour Code distinguishes four monitoring categories: visual monitoring (CCTV), email monitoring, internet usage monitoring, and location tracking via GPS or similar technology. Each category requires a separate documented purpose. CCTV may be used only to protect safety, secure property, or control production – not to supervise general work performance. Email monitoring is permissible only when necessary to ensure the proper use of work tools. This distinction matters. Employers who deploy broad surveillance justified by a single generic purpose will not satisfy the Labour Code standard.
The National Labour Inspectorate (Państwowa Inspekcja Pracy, PIP) enforces Labour Code provisions on monitoring. The UODO enforces GDPR obligations. Both authorities have independent powers to investigate and sanction. A single monitoring system can therefore attract parallel proceedings – a scenario that multiplies both cost and reputational risk.
One further layer: Poland's whistleblower protection statute (the Act on the Protection of Whistleblowers, in force since September 2024) prohibits retaliatory monitoring of employees who report irregularities. Employers who use monitoring data to identify or penalise whistleblowers face criminal liability on top of administrative sanctions. For a broader view of cross-border employment compliance obligations in Poland, including posted-worker rules, the firm's published guidance is a useful starting point.
How should employers document and implement a compliant monitoring system?
Documentation is the foundation of a defensible monitoring programme. Polish law requires three core documents before any monitoring system goes live: an internal monitoring policy (or equivalent provision in the workplace regulations or collective agreement), individual employee notification, and – where the processing is high-risk – a completed DPIA. Missing any one of these three elements is, by itself, a GDPR infringement.
The internal policy must specify the type of monitoring used, its purpose, the scope of data collected, the retention period, and the persons authorised to access monitoring data. Retention periods deserve particular attention. Email logs retained for longer than three months without specific justification will generally be considered disproportionate. CCTV footage typically must be deleted within 30 days unless it is being used in ongoing disciplinary or legal proceedings.
Individual notification must be given to each employee before monitoring begins – not on the day of deployment, but with enough lead time for the employee to understand the change. The Labour Code requires notification at least two weeks before the system goes live for existing employees. New hires must be informed before they start work. The notification must cover the same substantive elements as the internal policy: type, purpose, scope, retention, and access rights.
We assisted a logistics operator in the Mazowieckie region (autumn 2025) in restructuring its GPS-based fleet monitoring system after PIP flagged inadequate employee notifications. The documentation gap had existed for over two years. We rebuilt the policy framework, issued retrospective notifications where legally permissible, and negotiated a compliance timeline with the inspectorate – avoiding a formal sanction that could have reached PLN 300,000.
A DPIA is mandatory when the monitoring involves systematic, large-scale processing of personal data or monitoring of a publicly accessible area. For most employers with more than 50 monitored employees, or any employer using AI-assisted monitoring tools, a DPIA will be required. The DPIA must be completed before the system is activated, not after. Conducting a DPIA retrospectively does not cure the original infringement – it only limits ongoing exposure.
What are the most common mistakes employers make with workplace monitoring?
Three mistakes account for the majority of UODO and PIP enforcement actions involving employee monitoring. Understanding them is faster than learning from a formal investigation.
The first mistake is deploying monitoring without a lawful basis under the GDPR. Employers frequently assume that employment consent is a valid legal basis for monitoring. It is not – at least not in isolation. The power imbalance between employer and employee means that consent given in an employment context is rarely considered freely given under the GDPR. The correct basis for most workplace monitoring is legitimate interest (balanced against employee rights) or legal obligation. Employers who rely solely on consent risk having their entire monitoring programme invalidated.
The second mistake is excessive data collection. Keyloggers that capture all keystrokes, screenshots taken every 30 seconds, and audio recording of calls beyond what is necessary for quality assurance all exceed what Polish and EU law permit. Proportionality is not a soft principle – it is a hard legal requirement. The UODO has issued fines specifically for disproportionate monitoring scope, separate from any failure to notify employees.
The third mistake is failing to update documentation when the monitoring system changes. A company that installs CCTV, documents it correctly, and then adds AI-based facial recognition to the same cameras has created a new processing activity. That new activity requires a fresh DPIA, updated policy, and re-notification of employees. Many employers treat the original documentation as a one-time exercise. It is not.
- No written monitoring policy before deployment
- Relying on employment consent as the sole GDPR legal basis
- Retention periods that are not specified or are disproportionately long
- Failure to re-document when monitoring tools are upgraded or expanded
- No DPIA for high-risk processing (AI tools, large-scale email surveillance)
For employers already facing a PIP or UODO inquiry, early legal engagement is essential. The window to present a remediation plan and influence the outcome is narrow. Our disputes and regulatory practice in Poland handles both UODO administrative proceedings and employment tribunal claims arising from monitoring disputes.
How does monitoring compliance differ across three business scenarios?
The legal obligations are the same for all employers, but the practical implementation varies significantly by sector, workforce size, and the nature of the monitoring deployed. Three scenarios illustrate where the differences arise.
Manufacturing company. A factory in Silesia with 400 production workers uses CCTV across the shop floor, GPS trackers on delivery vehicles, and access-control systems at entry points. The CCTV is justified on safety and property-protection grounds – a strong basis under the Labour Code. GPS tracking of company vehicles is generally permissible, but tracking extends to drivers' rest periods if the device is not switched off. The employer must either disable tracking during breaks or document a specific legal justification for continuous tracking. Access-control data (entry/exit logs) constitutes personal data and requires a retention policy. A DPIA is advisable given the scale.
IT company. A software firm in Warsaw with 80 remote employees uses endpoint monitoring software that logs application usage, active/idle time, and periodic screenshots. This is the highest-risk scenario from a GDPR perspective. Screenshot capture and keystroke logging are almost certainly high-risk processing, requiring a mandatory DPIA. The legitimate interest basis must be carefully documented, with a balancing test showing that the employer's interest in protecting intellectual property outweighs the employees' privacy rights. Remote employees – including those holding a Polish work permit or EU Blue Card status – have the same monitoring rights as Polish nationals. A Warsaw employment lawyer advising on monitoring compliance will typically recommend a layered approach: aggregate productivity metrics rather than individual surveillance.
Foreign investor. A German company setting up a Polish subsidiary wants to replicate its German monitoring framework. German works council agreements do not carry over to Poland. The Polish framework requires fresh documentation, Polish-language employee notifications, and registration of the monitoring system with the Data Protection Officer (DPO) if one has been appointed. The parent company's GDPR compliance documentation from Germany does not substitute for Polish-law obligations. We assisted a Wielkopolska-based subsidiary of a German manufacturer (spring 2026) in adapting its group-level monitoring policy to Polish legal requirements – a process that took six weeks and required renegotiating three employment contracts.
Frequently asked questions
Q: Can an employer monitor a whistleblower's communications to identify the source of a report?
A: No. The Act on the Protection of Whistleblowers (in force since September 2024) explicitly prohibits retaliatory actions, and using monitoring data to identify a whistleblower among Poland-based employees falls squarely within that prohibition. Employers who do so face criminal sanctions under the whistleblower statute, as well as potential GDPR infringement for processing personal data without a lawful basis. The prohibition applies even if the employer's general monitoring programme is otherwise lawful.
Q: How long does it take to implement a compliant monitoring framework from scratch?
A: For a company with 50 to 200 employees and a single monitoring system (for example, CCTV only), a compliant framework can typically be implemented within four to six weeks. This covers drafting the policy, completing a DPIA if required, issuing employee notifications, and updating employment contracts or workplace regulations. Larger organisations, or those using multiple monitoring tools, should budget eight to twelve weeks. The two-week pre-deployment notification requirement for existing employees is the binding minimum – the documentation must be finalised before that clock starts.
Q: Does GDPR require a Data Protection Officer for companies that monitor employees?
A: Not automatically. A DPO is mandatory under the GDPR for public authorities, organisations engaged in large-scale systematic monitoring of individuals, and organisations processing special-category data on a large scale. For a private employer monitoring its own workforce, the DPO obligation depends on whether the monitoring qualifies as "large-scale systematic monitoring." An employer with 500 monitored employees using AI-assisted tools will almost certainly meet that threshold. A small employer with basic CCTV coverage will not. Appointing a DPO voluntarily is permissible and can strengthen the employer's compliance posture – but voluntary appointment creates binding obligations once made.
What should employers prepare before launching or auditing a monitoring system?
Compliance with Polish monitoring law is not a one-time project. It requires a structured process before deployment and periodic review thereafter. The checklist below applies both to new implementations and to retrospective audits of existing systems.
- Identify every monitoring tool in use and classify it by type (CCTV, GPS, email, endpoint software, access control)
- Confirm the legal basis for each monitoring type under both the Labour Code and the GDPR
- Complete a DPIA for any high-risk processing before the system goes live or continues to operate
- Draft or update the internal monitoring policy, including purpose, scope, retention periods, and access controls
- Issue written notifications to all employees at least two weeks before deployment (existing employees) or before the start date (new hires)
Beyond the checklist, employers should schedule an annual review of monitoring documentation. Technology changes quickly. An AI-powered attendance system introduced mid-year may create new GDPR obligations that the original documentation does not cover. The review should also capture any changes in workforce composition – including employees on work permits or EU Blue Card status – to confirm that notification obligations have been met for all individuals.
Specific situations require tailored analysis. A company that monitors employees across multiple jurisdictions, or that transfers monitoring data outside the European Economic Area, faces additional obligations under Chapter V of the GDPR. The consequences of non-compliance are not merely administrative. Affected employees may bring civil claims for breach of personal interests under the Civil Code, and those claims are not capped.
To receive an expert assessment of your company's monitoring compliance posture, contact info@kordeckipartners.com. We will identify documentation gaps, advise on the correct legal basis for each monitoring tool, and prepare the required documentation within a defined timeline.
KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to employment law and data protection compliance. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.