On paper, the rules look manageable. In practice, Polish employers who monitor staff – tracking emails, recording calls, or logging computer activity – face a layered compliance framework that sits at the intersection of labour law and data protection. Miss one element and you expose the business to enforcement action by the Personal Data Protection Office (Urząd Ochrony Danych Osobowych, UODO) and, separately, to claims by employees under the Kodeks pracy (Labour Code, KP).

Polish law permits workplace monitoring but imposes strict preconditions. Employers must establish a lawful basis under the General Data Protection Regulation (GDPR), embed monitoring rules in internal regulations, and notify employees individually before monitoring begins – with a minimum 14-day advance notice period for new hires. Failure to meet these requirements exposes the employer to UODO administrative fines of up to EUR 20 million or 4 percent of global annual turnover, whichever is higher, as well as civil claims by affected employees.

This alert covers three areas: what the current framework requires, which employers are most exposed, and the immediate steps your legal and HR teams should take before the next audit cycle.

What does the current monitoring framework require?

Polish monitoring law rests on two pillars. The Labour Code sets out the permitted types and procedural steps. The GDPR governs the data protection obligations that attach to every monitoring activity. Both apply simultaneously – satisfying one without the other is not enough.

Under the Labour Code, employers may introduce monitoring of email correspondence, computer activity, location, and premises access. Each type must be introduced separately. The employer must state the purpose, scope, and method of monitoring in the company's internal work regulations or, where no such regulations exist, in a separate written notice. That notice must be delivered to each employee at least 14 days before monitoring starts.

The GDPR layer adds three further requirements. First, the employer must identify a lawful basis – typically legitimate interest, but only where a balancing test confirms that the employer's interest outweighs the employee's privacy rights. Second, a data protection impact assessment (DPIA) is mandatory where monitoring is likely to result in high risk to individuals. Third, employees must receive a GDPR transparency notice that explains retention periods, data recipients, and their rights. The National Court Register (KRS) filing does not substitute for this notice.

  • Permitted monitoring types: email, computer activity, location, CCTV, access control
  • Mandatory 14-day advance notice before monitoring commences
  • Internal work regulations must reflect each monitoring type individually
  • DPIA required for high-risk processing activities
  • Retention periods must be defined and documented

One detail catches employers off guard. The Labour Code restricts email monitoring to the employer's business email system. Monitoring an employee's private email – even on a company device – falls outside the permitted scope and triggers a separate legal analysis under criminal law.

Who is affected and what are the key thresholds?

Every Polish employer who processes employee data through any monitoring system is within scope. Size is not a threshold for the core obligations. However, three factors determine the intensity of your exposure.

First, headcount affects the GDPR's Data Protection Officer (DPO) requirement. Employers whose core activity involves large-scale, systematic monitoring of employees must appoint a DPO and register that appointment with UODO. "Large-scale" has no fixed numeric definition under the GDPR, but Polish supervisory guidance treats monitoring of 250 or more employees as a strong indicator. Below that figure, the assessment is fact-specific.

We secured a reversal of a UODO enforcement notice for a logistics client in the Mazowieckie region (autumn 2025). The employer had introduced GPS vehicle tracking without updating its work regulations. The fix required a documented balancing test, revised internal policies, and re-notification of 180 drivers – completed within six weeks.

Second, sector matters. Employers in financial services supervised by the Polish Financial Supervision Authority (Komisja Nadzoru Finansowego, KNF) face additional record-keeping obligations for communications monitoring. These obligations overlap with – but do not replace – the GDPR framework.

Third, cross-border operations raise complexity. A German parent company whose Polish subsidiary monitors employees must ensure that any data transferred to the parent satisfies the GDPR's Chapter V transfer rules. For employers relocating staff from the Netherlands or other EU states, the interaction between host-country monitoring rules and home-country expectations requires careful mapping. Our guide on global mobility and relocating employees to Poland from the Netherlands addresses the broader compliance picture for incoming assignees.

Foreign employers sponsoring workers under a Polish work permit or an EU Blue Card should note that monitoring obligations attach from day one of employment – not from the date the permit is granted. An employment lawyer, whether based in Warsaw or elsewhere, advising on inbound mobility must flag this at the permit stage, not after onboarding.

What immediate actions should employers take?

The compliance gap most commonly identified in UODO audits is not the absence of monitoring policy – it is the mismatch between what the policy says and what the employer actually does. Three immediate actions address the highest-risk exposures.

First, audit your monitoring footprint within 30 days. List every active monitoring system: email scanning tools, endpoint detection software, CCTV, GPS trackers, badge access logs. For each, confirm whether the Labour Code basis is documented, whether the GDPR lawful basis is recorded, and whether employees received compliant notice. Any gap is a live enforcement risk.

Our team obtained a favourable UODO outcome for a technology company in Lower Silesia (spring 2026). The employer had deployed screen-capture software without a DPIA. We prepared the impact assessment, updated the data processing register, and issued corrected transparency notices to 340 employees within four weeks – ahead of the supervisory deadline.

Second, review your whistleblower infrastructure. The Ustawa o ochronie sygnalistów (Whistleblower Protection Act) requires employers with 50 or more employees to maintain a confidential reporting channel. Monitoring data must not be used to identify or retaliate against a whistleblower, whether based in Poland or elsewhere. Cross-contamination between monitoring systems and whistleblower reports is a specific UODO audit focus in 2026.

Third, update employment contracts and onboarding documentation for any employee arriving under a work permit or EU Blue Card. The monitoring notice must be provided before work begins. For posted workers, the obligations under the posting framework do not displace Polish monitoring rules – see our analysis of posted workers from Spain to Poland and A1 certificates for the broader posting compliance context.

  • Audit all active monitoring systems within 30 days
  • Verify DPIA status for high-risk processing activities
  • Re-issue employee notices where content is outdated or incomplete
  • Segregate monitoring data from whistleblower reporting channels

Employers planning structural changes – mergers, outsourcing, or tax-driven restructuring – should note that monitoring obligations transfer with the employment relationship. Our guide on tax structuring for investors entering Poland touches on the employment consequences of common entry structures.

The specific facts of your monitoring programme determine which obligations apply and in what sequence. Delay forfeits the ability to correct deficiencies before an audit opens – and UODO has signalled increased scrutiny of workplace monitoring in its 2026 enforcement priorities.

To receive an expert assessment of your monitoring compliance posture, contact info@kordeckipartners.com.

Frequently asked questions

Q: Can an employer monitor remote workers in the same way as on-site staff?

A: The same Labour Code and GDPR framework applies regardless of where the employee works. However, remote monitoring – particularly screen capture or keystroke logging – carries a higher likelihood of triggering the DPIA requirement, because the processing is more intrusive and the data collected is broader. Employers should conduct a fresh balancing test for each remote monitoring tool before deployment.

Q: How long can employers retain monitoring data?

A: The Labour Code sets a maximum retention period of three months for most monitoring data, unless the data constitutes evidence in disciplinary or legal proceedings – in which case retention may continue until those proceedings are finally resolved. Employers must document the retention period in their internal regulations and delete data automatically once the period expires. Indefinite retention is a common audit finding and attracts fines.

Q: Is it a misconception that GDPR consent from employees is a valid basis for monitoring?

A: Yes. UODO and European Data Protection Board guidance consistently holds that employee consent is not a freely given basis for monitoring, because of the power imbalance between employer and employee. Employers who rely on consent risk having their entire monitoring programme invalidated. Legitimate interest – supported by a documented balancing test – is the appropriate basis in most cases.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to employment compliance, workplace monitoring, and data protection. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.