A Warsaw-based technology company installs keylogging software on employee laptops and begins recording all outbound emails. No policy exists. No notice is given. Within three months, a data protection complaint lands at the Urząd Ochrony Danych Osobowych (Personal Data Protection Office, UODO). The resulting investigation triggers fines, reputational damage, and a wave of employment claims – all entirely avoidable.
Polish employers may monitor employees, but only within boundaries set by the Kodeks pracy (Labour Code) and the General Data Protection Regulation (GDPR). Monitoring must pursue a legitimate purpose, be proportionate to that purpose, and be communicated to employees before it begins. Employers who skip any of these steps face administrative fines of up to EUR 20 million or 4% of global annual turnover, whichever is higher, as well as personal liability claims under Polish employment law.
This page sets out the regulatory framework, the instruments employers may use, the most common compliance failures, cross-border considerations for foreign investors, and a practical self-assessment checklist. Each section is designed to help HR directors, in-house counsel, and business owners make informed decisions before deploying any monitoring tool.
What does Polish law permit employers to monitor?
Polish labour law draws a clear line between monitoring that serves a legitimate operational need and surveillance that intrudes on employee dignity. The Labour Code identifies four recognised monitoring categories: email monitoring, other forms of electronic monitoring (including GPS and computer activity), visual monitoring (CCTV), and monitoring of company vehicles. Each category carries its own conditions. Employers who stray outside these categories – or mix them without separate legal bases – expose themselves to enforcement action by both UODO and the National Labour Inspectorate (Państwowa Inspekcja Pracy, PIP).
The legal basis for processing monitoring data is typically the employer's legitimate interest or legal obligation. However, legitimate interest is not self-executing. The employer must conduct a balancing test, weighing the operational purpose against the employee's right to privacy. That test must be documented. Without documentation, UODO inspectors treat the processing as unlawful from day one.
Email monitoring is the most contested area. It is permitted to ensure work quality and protect company assets, but it may not cover the content of private messages. The practical boundary is difficult to maintain when employees use corporate accounts for personal correspondence – a situation that requires a clear acceptable-use policy to resolve. The National Court Register (KRS) and court records show a rising number of disputes where employers relied on email evidence obtained without a valid monitoring policy, only to have that evidence excluded.
- CCTV in open workspaces: permitted with prior notice and a retention limit not exceeding three months
- GPS in company vehicles: permitted for fleet management purposes; tracking outside working hours requires a separate legal basis
- Computer activity logs: permitted to protect IT security; keystroke-level logging of personal accounts is not
- Biometric access control: permitted only where strictly necessary; consent is not a valid basis under GDPR for employment contexts
One concrete figure matters here: UODO's administrative fines for unlawful monitoring have reached PLN 1 million in individual cases. That figure does not include litigation costs or the cost of remediation programmes.
How must employers notify employees before monitoring begins?
Notification is not optional – it is a hard legal prerequisite under both the Labour Code and GDPR. The Labour Code requires employers to inform employees of the purpose, scope, and method of monitoring at least two weeks before it starts. New hires must receive the same information before commencing work. The Polish Financial Supervision Authority (KNF) imposes equivalent obligations on regulated financial entities, making the two-week window a minimum across all sectors.
The GDPR information notice must specify the legal basis, the retention period, the data subjects' rights, and whether data will be shared with third parties. Many employers combine the Labour Code notice with the GDPR transparency notice into a single document. This is efficient, but the combined document must satisfy both sets of requirements. A notice that mentions "email monitoring" without specifying retention periods fails the GDPR test, even if it passes the Labour Code threshold.
We secured a reversal of a UODO enforcement finding for a manufacturing client in the Mazowieckie region (autumn 2025). The employer had issued a monitoring policy but failed to specify the retention period for CCTV footage. UODO had classified this as a material omission. Our team demonstrated that the retention period was embedded in a linked IT policy, restoring the employer's compliance status without a fine.
Works councils (rady pracowników) and trade unions also have consultation rights. Where a trade union is present, monitoring rules must be agreed in a collective agreement or workplace regulations. Where no union exists, the employer must adopt internal workplace regulations and register them. Skipping consultation does not merely create a procedural defect – it gives individual employees grounds to challenge the lawfulness of any data collected.
What are the most common GDPR pitfalls in employee monitoring?
Most enforcement cases share the same cluster of failures. Identifying them early saves employers significant cost. The first pitfall is purpose creep: monitoring deployed for IT security is then used in disciplinary proceedings for unrelated conduct. GDPR prohibits using personal data for purposes incompatible with the original purpose. Employers who discover misconduct through security logs face a dilemma – the evidence may be inadmissible if the monitoring purpose was not broadly enough defined from the start.
The second pitfall is retention beyond necessity. CCTV footage retained for six months when the stated purpose requires only three months is a GDPR violation regardless of intent. Automated deletion schedules are the practical solution, but they require IT configuration that many mid-size employers defer indefinitely.
Our team obtained interim protection for a German investor's subsidiary in Lower Silesia (spring 2026) after a departing employee alleged that email monitoring data had been retained for over 12 months and used in a post-termination reference dispute. The employer had no deletion log. We secured a suspension of the data subject access request deadline while the employer reconstructed its retention records – a process that took 30 days and cost less than the potential fine.
The third pitfall is monitoring remote workers differently from office staff. The principle of equal treatment under Polish employment law requires consistent application of monitoring policies. An employer who installs monitoring software on home-office laptops without updating its monitoring policy – and without re-notifying employees – creates a fresh legal exposure with each remote-working arrangement. For employers that manage hiring through employment law compliance frameworks, this consistency obligation extends across multi-jurisdictional workforces.
- Purpose creep: disciplinary use of data collected for security
- Excessive retention: footage or logs kept beyond the stated period
- Inconsistent remote monitoring: home-office devices treated differently
- Missing data protection impact assessment (DPIA) for high-risk monitoring
- No processor agreement with third-party monitoring software vendors
How do cross-border structures affect employer obligations?
Foreign investors operating in Poland through subsidiaries, branches, or posted-worker arrangements face a layered compliance challenge. The GDPR applies as directly effective EU law, but the Polish Labour Code adds national-level obligations that do not exist in every EU member state. A German or Dutch parent company may have a group-wide monitoring policy that is fully compliant at home but fails to meet the Labour Code's two-week notice requirement or the works council consultation obligation applicable in Poland.
Posted workers present a specific complication. Employers posting workers to Poland under the Posted Workers Directive must comply with Polish monitoring rules for the duration of the posting, even if the employment contract is governed by another law. This means the monitoring policy must be translated into Polish and served on the worker before the posting begins. For the mechanics of A1 certificates and cross-border employment documentation, see our guidance on posted workers from Cyprus to Poland.
Data transfers also require attention. If monitoring data – including CCTV footage or email logs – is stored on servers outside the European Economic Area, the employer needs a valid transfer mechanism: standard contractual clauses, binding corporate rules, or an adequacy decision. Many multinationals assume that intra-group cloud storage is automatically covered by their group-level privacy framework. It is not, unless that framework has been formally approved and linked to the Polish processing activity.
ESG reporting obligations are adding a new dimension. Employers subject to the Corporate Sustainability Reporting Directive (CSRD) must disclose information about employee data governance. A monitoring programme that lacks documented legal bases and retention schedules will appear as a gap in the ESG data audit. For the broader compliance context, see our ESG compliance practice. The EU Blue Card regime for highly skilled migrants also intersects here: employers sponsoring EU Blue Card holders are subject to enhanced scrutiny of their HR compliance systems, including data protection.
What should employers prepare before deploying a monitoring system?
Preparation is more than paperwork. A monitoring system deployed without the right foundation will generate legal exposure from the first day of operation. The practical sequence begins with a purpose audit: the employer must define, in writing, exactly what the monitoring is designed to achieve and why less intrusive alternatives were rejected. This document is the foundation for the DPIA, the GDPR transparency notice, and any works council consultation.
A data protection impact assessment is mandatory where monitoring is likely to result in high risk to employee rights – which UODO guidance treats as the default for systematic monitoring of computer activity, biometrics, or continuous CCTV coverage. The DPIA must be completed before processing begins. Completing it after an incident is too late; it cannot retrospectively legitimise data already collected.
The whistleblower protection framework, introduced by the Polish Whistleblower Protection Act in 2024, intersects with monitoring in one specific way. Employers with 50 or more employees must maintain internal reporting channels. Those channels must be designed so that the identity of the reporting person is protected. Any monitoring system that could inadvertently reveal a whistleblower's identity must be assessed against this obligation. Failure to protect a whistleblower's identity carries a criminal penalty of up to PLN 1,080,000.
Work permit holders and EU Blue Card employees have the same data protection rights as Polish nationals. Employers who use monitoring to track attendance for work permit compliance purposes – a common practice in industries relying on third-country nationals – must include this purpose explicitly in their transparency notice. An employment lawyer on whom Warsaw-based teams rely will typically flag this as a first-day compliance requirement for any new workforce integration programme.
Self-assessment checklist for employer compliance
Before activating any monitoring tool, employers should verify the following minimum requirements. Missing any single item may constitute a standalone GDPR violation, independent of whether the monitoring itself causes harm. Polish data protection enforcement focuses on procedural compliance: UODO has issued fines for missing documentation even where no data breach occurred.
- Written monitoring policy specifying purpose, scope, method, and retention period
- Employee notification issued at least 14 days before monitoring begins
- Works council or trade union consultation completed and documented
- DPIA completed for high-risk monitoring activities
- Data processing agreement signed with all third-party monitoring vendors
The checklist above covers the baseline. Employers in regulated sectors – banking, insurance, healthcare – face additional sector-specific requirements imposed by the Polish Financial Supervision Authority (KNF) or the Chief Pharmaceutical Inspector. Regulated employers should treat the baseline checklist as a starting point, not an endpoint. A compliance gap in a regulated sector can trigger both UODO enforcement and sectoral supervisory action simultaneously, doubling the remediation burden.
A practical self-assessment question: does your organisation have a written record of the balancing test conducted before each monitoring category was deployed? If the answer is no, the legal basis for that monitoring is vulnerable. The balancing test is not a formality – it is the document that would be reviewed first in any UODO inspection or employment tribunal proceeding.
Specific situations call for specific analysis. If your company is implementing remote monitoring for a workforce that includes work permit holders, EU Blue Card employees, or posted workers, the compliance requirements multiply quickly. To receive an expert assessment of your monitoring framework, contact info@kordeckipartners.com.
Frequently asked questions
Q: Can an employer monitor a personal mobile phone used for work?
A: Monitoring a personally owned device is subject to the highest scrutiny under both the Labour Code and GDPR. The employer must have a documented legal basis, and that basis cannot be the employment relationship alone. In practice, employers are advised to issue company devices rather than monitor personal ones. Where a bring-your-own-device policy exists, monitoring must be limited strictly to the corporate application layer and must be disclosed in writing before the device is enrolled.
Q: How long may CCTV footage from a workplace be retained?
A: The Labour Code sets a maximum retention period of three months for CCTV footage, unless the footage is evidence in ongoing proceedings – in which case it may be retained until those proceedings conclude. Employers must implement automated deletion at the three-month mark or document each decision to extend retention. Retention beyond three months without a documented reason is a standalone violation, regardless of whether the footage was ever accessed.
Q: Does the two-week notice requirement apply to monitoring software updates?
A: This is a common misconception. The two-week notice requirement applies to the introduction of a new monitoring category or a material change to an existing one. A software update that does not change the scope or method of monitoring does not trigger a fresh notice obligation. However, if an update extends monitoring to new data types – for example, adding screen capture to a tool previously limited to application usage logs – that change is material and requires fresh notification and, where applicable, a new DPIA.
KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to employment compliance, employee monitoring, and data protection. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.