A Warsaw-based technology company rolls out email-scanning software to detect data leaks. Three weeks later, it receives a notice from the Personal Data Protection Office (Urząd Ochrony Danych Osobowych, UODO) following a staff complaint. The monitoring was real. The legal basis was missing. That gap – between deploying a tool and documenting the lawful ground for it – is where most employer liability begins.
Polish employers who monitor employees must satisfy obligations under two overlapping frameworks: the Kodeks pracy (Labour Code, KP) and the General Data Protection Regulation (GDPR). The Labour Code requires advance written notice to employees and, where employee representatives exist, their prior involvement in setting the monitoring rules. GDPR adds a lawful-basis requirement and data-minimisation limits, and retention must be capped: the Labour Code fixes three months for video-monitoring recordings, and for other monitoring data the employer must set and justify a period tied to the stated purpose.
This alert covers what the current rules require, which employers are immediately affected, and the concrete steps that must be taken before monitoring continues or is introduced. The stakes are direct: UODO can impose fines up to EUR 20m or 4% of global annual turnover, whichever is higher. Personal liability of managers is a separate risk under Polish labour law.
What do the current rules require from employers?
Polish labour law and GDPR together create a four-layer compliance structure. Each layer has its own deadline and documentation requirement. Missing any one of them does not merely create a procedural gap – it can render the entire monitoring programme unlawful and expose the employer to enforcement action by UODO or claims by individual employees before the Sąd Pracy (Labour Court).
The first layer is legal basis under GDPR. Most workplace monitoring relies on legitimate interest or legal obligation. Consent is rarely valid in an employment context – the power imbalance means consent is seldom freely given. Employers must document their chosen basis in a Record of Processing Activities (RoPA) before monitoring begins. A RoPA entry added after a complaint is filed carries little weight with UODO inspectors.
The second layer is Labour Code notice. Employers must inform employees of the purpose, scope, and method of monitoring at least two weeks before it starts. New hires must be informed on or before their first day. The notice must be in writing – an email to a generic inbox is insufficient. This two-week window is a hard statutory minimum, not a target.
- Define the specific purpose of each monitoring tool (email, GPS, screen capture, access logs).
- Agree the scope with the works council or trade union, if one exists.
- Issue individual written notices at least 14 days before activation.
- Set a retention period for each tool. Three months is the statutory cap for video-monitoring recordings; other categories need a period justified by the stated purpose.
- Update the RoPA and privacy notices before going live.
The third layer is data minimisation. Monitoring must be proportionate to the stated purpose. Continuous screen recording for an accounts-payable clerk is unlikely to survive a proportionality challenge. Targeted access-log review for a system administrator with elevated privileges is more defensible. The distinction matters: UODO has issued fines where monitoring was technically disclosed but disproportionate in scope.
The fourth layer is employee communication. Beyond the statutory notice, employers should update their internal privacy policy and, where applicable, their works regulations (regulamin pracy). Foreign employers operating Polish subsidiaries, including UK companies entering the market, often underestimate how specific Polish documentation requirements are compared with their home-country frameworks.
Who is affected, and what are the enforcement thresholds?
Every employer processing employee data in Poland falls within scope. There is no headcount exemption. A sole trader with two employees monitoring their company phones must comply with GDPR and the Labour Code equally. However, enforcement risk concentrates around three employer profiles: those introducing new monitoring tools, those expanding existing monitoring to new categories of data, and those who have never documented their monitoring at all.
UODO's enforcement record shows that the largest fines, reaching several million PLN, have targeted organisations that failed to respond to data-subject requests within the one-month period GDPR allows, or that retained monitoring data well beyond their documented retention period (three months for video recordings under the Labour Code). Retention breaches are particularly common because they are easy to detect: a simple system audit reveals data held for 18 months when the policy states three.
Foreign investors relocating staff to Poland face a compounded risk. An employee arriving under an EU Blue Card or a Polish work permit carries data rights from day one of employment. Employers who have already handled global-mobility onboarding, for example for staff relocating from the Netherlands, will recognise that onboarding documentation must include monitoring notices alongside work permit paperwork. Treating these as separate workstreams creates a gap: the employee starts work, monitoring begins, but the notice arrives two weeks late.
We secured the withdrawal of a UODO enforcement recommendation for a logistics employer in the Mazowieckie region (autumn 2025). The employer had introduced GPS tracking of company vehicles without completing the works-council consultation step. Remediation required retroactive documentation, updated works regulations, and individual re-notices to 47 drivers – all within a 21-day window set by UODO.
Whistleblower protection adds a further dimension. Under the Ustawa o ochronie sygnalistów (Whistleblower Protection Act), employees who report GDPR violations internally or to UODO are protected from retaliation. An employer who disciplines a worker for raising a monitoring complaint risks a separate whistleblower claim. Employment lawyers in Warsaw are already seeing these claims filed in combination with unfair dismissal proceedings.
Companies undergoing financial stress face an additional exposure. Insolvency proceedings do not suspend GDPR obligations. Monitoring data held by a company entering restructuring remains subject to data-subject rights. Administrators and receivers who are unfamiliar with this point can inadvertently breach retention obligations during asset transfers, particularly where insolvency timelines are compressed.
Our team obtained a suspension of a UODO audit for a retail chain in Silesia (spring 2026) by demonstrating that the employer had completed a full RoPA update and re-issued monitoring notices within 10 days of receiving the audit notification. Speed of remediation is a recognised mitigating factor in UODO penalty calculations.
What immediate actions must employers take?
The compliance window is short. UODO has signalled increased audit activity in 2026, with a focus on remote-work monitoring tools introduced post-pandemic that were never formally documented. Employers who act now can remediate before an audit begins. Once an inspection is opened, that option is gone.
Three actions carry the highest priority. First, audit every active monitoring tool against the RoPA. If a tool is not listed, it must either be listed immediately or switched off. Second, check retention periods in the system settings, not just the policy document. A policy that says three months means nothing if the system retains data for 24. Third, verify that individual written notices were issued and can be evidenced. A signed acknowledgement in the personnel file is the minimum standard.
The specific situation of your company determines which remediation path is fastest. Employers with a works council must allow time for consultation before re-issuing notices – that process alone takes a minimum of two weeks. Employers without employee representation can move faster, but must still issue individual notices at least 14 days before any new or amended monitoring becomes active. Neither timeline is negotiable under Polish labour legislation.
To receive an expert assessment of your monitoring compliance position, contact info@kordeckipartners.com. If your company is introducing new monitoring tools or has received a UODO inquiry, we will review your RoPA, works regulations, and notice documentation and identify gaps within five working days.
Frequently asked questions
Q: Can an employer monitor personal devices used for work?
A: Monitoring a personally owned device is subject to a significantly higher proportionality threshold than monitoring company equipment. The employer must demonstrate a specific, documented business need and must limit monitoring strictly to work-related applications or data. Personal communications on the same device fall outside the permissible scope entirely. Legal advice before deploying any bring-your-own-device monitoring tool is strongly recommended.
Q: Is it a common misconception that employee consent is sufficient as a legal basis for monitoring?
A: Yes. Many employers assume that a signed consent form resolves the GDPR question. In an employment relationship, consent is rarely considered freely given because of the inherent power imbalance. UODO and the European Data Protection Board have both confirmed this position. Legitimate interest or a specific legal obligation is the correct basis for most workplace monitoring scenarios.
Q: How long does it take to complete a full monitoring compliance review?
A: For a mid-sized employer with standard monitoring tools – email, access logs, and GPS – a structured review typically takes two to three weeks. This includes auditing the RoPA, updating works regulations, completing works-council consultation where required, and issuing individual notices. Employers with more complex monitoring infrastructure or multiple Polish entities should allow four to six weeks. Acting before a UODO audit is opened is always faster and less costly than responding to one.
KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to employment compliance, GDPR, and workforce management. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.