A Warsaw-based technology company rolls out software that logs every keystroke and captures screenshots every five minutes. The rollout happens quietly – no policy update, no employee notice, no consultation with the works council. Six weeks later, the Personal Data Protection Office (Urząd Ochrony Danych Osobowych, UODO) opens an inquiry. The company faces fines, reputational damage, and the prospect of evidence gathered through unlawful monitoring being inadmissible in any subsequent disciplinary proceedings.
Under Polish employment law and the General Data Protection Regulation (GDPR), employers may monitor employees – but only within a defined legal framework. The Kodeks pracy (Labour Code) permits email monitoring, location tracking, and computer-activity surveillance, subject to prior written notification and a legitimate business purpose. Failure to follow the correct procedure exposes the employer to UODO enforcement, employee claims, and the loss of any disciplinary or litigation advantage the monitoring was meant to secure.
This alert sets out what the current rules require, which employers are most exposed, and the specific steps that must be taken before any monitoring system goes live.
What do the current rules actually require?
Polish employment law and the GDPR together create a two-layer compliance obligation. The Labour Code defines the permitted categories of monitoring and the procedural prerequisites. The GDPR then governs how the data collected must be processed, stored, and deleted. Both layers apply simultaneously – satisfying one without the other is not enough.
Permitted categories include email monitoring, location tracking of company vehicles, and monitoring of computer activity (including internet use and application logs). Each category requires a separate legal basis documented in internal policy. The employer must identify a legitimate purpose – typically protecting company property or ensuring the proper use of working time – and that purpose must be proportionate to the intrusion involved.
The procedural prerequisites are specific. Employers must:
- Introduce a written monitoring policy or amend the existing work regulations (regulamin pracy)
- Notify each employee individually in writing at least two weeks before monitoring begins
- Inform job applicants of monitoring before they commence employment
- Define and document a data-retention period – the Labour Code sets a maximum of three months for most monitoring data
Where a works council (rada pracowników) or trade union operates, consultation is required before the policy takes effect. Skipping this step is one of the most common procedural failures seen in UODO enforcement cases. The National Court Register (Krajowy Rejestr Sądowy, KRS) records whether a company has registered employee representative bodies – a detail auditors check early.
Who is affected – and what is the exposure?
Every employer in Poland that uses any form of digital monitoring is affected. The rules apply regardless of company size, sector, or whether employees work on-site or remotely. Remote and hybrid arrangements have significantly increased the practical scope of monitoring – and, with it, the compliance risk. An employer monitoring a home-office employee's screen activity faces exactly the same obligations as one monitoring activity in a Warsaw office.
We secured a withdrawal of a UODO preliminary finding against a manufacturing client in the Mazowieckie region (autumn 2025). The employer had introduced GPS tracking of delivery vehicles without updating its work regulations. The matter was resolved after a corrective policy was implemented within 30 days – but the process consumed significant management time and external legal costs.
The financial exposure is real. UODO may impose administrative fines of up to EUR 20 million or 4% of global annual turnover, whichever is higher. For smaller businesses, even a lower-band fine of EUR 10,000 to EUR 50,000 is material. Beyond fines, unlawfully obtained monitoring data cannot be used in disciplinary proceedings or employment litigation. An employer who dismisses an employee for misconduct discovered through illegal monitoring may find the dismissal challenged successfully – and the monitoring evidence excluded entirely. That outcome is irreversible once proceedings are underway.
Foreign-owned subsidiaries operating in Poland face an additional layer of complexity. Group-level IT policies drafted in Germany, France, or the Netherlands do not automatically satisfy Polish legal requirements. Our cross-border employment practice regularly assists multinationals in aligning group monitoring policies with Polish Labour Code obligations before UODO scrutiny arises.
Employers with whistleblower channels should also note the intersection with the Ustawa o ochronie sygnalistów (Whistleblower Protection Act). Monitoring data that inadvertently captures a protected disclosure creates a separate liability risk. For guidance on internal investigation procedures that account for this overlap, see our analysis of internal investigations methodology for Polish companies.
What must employers do now?
The compliance window matters. UODO has signalled increased scrutiny of remote-work monitoring arrangements throughout 2025 and into 2026. Employers who have not reviewed their monitoring frameworks since introducing hybrid work should treat this as an urgent gap – not a routine update.
We assisted a logistics company in Lower Silesia (spring 2025) in completing a full monitoring compliance review within three weeks. The project covered GPS tracking, email monitoring, and a new screen-capture tool introduced for remote staff. The corrected policy package was filed with the works council and distributed to all employees before the tool went live.
The immediate action checklist:
- Audit every active monitoring tool – including software installed by IT without HR sign-off
- Confirm that work regulations address each monitoring category in use
- Verify that individual written notices were issued at least two weeks before monitoring began
- Check data-retention settings against the three-month statutory maximum
- Review works council or trade union consultation records for completeness
Employers who engage workers from abroad – including those holding an EU Blue Card or a standard Polish work permit – must ensure monitoring notices are provided in a language the employee understands. This is a practical requirement that Warsaw employment-law teams frequently overlook in onboarding documentation. For context on cross-border worker obligations more broadly, our note on posted workers from the Czech Republic to Poland addresses related notification duties.
The Polish Financial Supervision Authority (Komisja Nadzoru Finansowego, KNF) imposes sector-specific monitoring requirements on financial institutions that go beyond the Labour Code baseline. If your organisation operates in a regulated sector, a standard employment-law review may not be sufficient.
Your company's specific situation requires an individual assessment before any monitoring tool is deployed or expanded. Acting after UODO opens an inquiry forfeits the ability to correct the record voluntarily – and voluntary correction is a significant mitigating factor in fine calculations.
If your organisation uses digital monitoring tools and has not reviewed its compliance framework in the past 12 months, contact info@kordeckipartners.com. We will audit your current monitoring setup, identify procedural gaps, and deliver a corrected policy package ready for works council consultation and employee distribution.
Frequently asked questions
Q: Can an employer monitor personal email accounts used on company devices?
A: No. Polish employment law permits monitoring of company email accounts only. Accessing personal email – even on a company device – constitutes an unlawful interference with private correspondence and may trigger criminal liability under the Polish Penal Code, separate from GDPR exposure. Employers should configure monitoring tools to exclude personal email domains and document that exclusion in the monitoring policy.
Q: How long can an employer retain monitoring data?
A: The Labour Code sets a maximum retention period of three months for most categories of monitoring data. This period runs from the date of collection. Data retained beyond three months without a specific legal basis – for example, active disciplinary or court proceedings – constitutes unlawful processing under the GDPR. Retention schedules should be built into the monitoring system configuration, not left to manual deletion.
Q: Does the two-week notice requirement apply to existing employees when a new monitoring tool is introduced?
A: Yes. The two-week advance notice obligation applies each time a new monitoring category or tool is introduced, regardless of whether the employee is new or long-standing. A general clause in the employment contract stating that monitoring "may" be used is not sufficient. The notice must be specific to the tool and the category of data being collected.
KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to employment compliance, GDPR implementation, and cross-border workforce management. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.