Employee Monitoring in 2026: Just Because Technology Allows It Doesn’t Mean GDPR Does

ECOVIS ProventusLaw employment lawyers break down when employee monitoring is lawful — and when it creates regulatory risk.

Video monitoring has become routine across workplaces and service environments. Cameras are installed to protect assets, improve security, reduce disputes, and monitor service quality. Yet one legal question is frequently overlooked:

Is the level of monitoring actually necessary and proportionate for the purpose being pursued?

Recent enforcement developments continue to demonstrate that under GDPR, installing cameras simply because technology makes it easy is not enough.

“For security purposes” is not automatically a lawful basis

Many organisations rely on security as a default justification for monitoring. However, a general reference to safety or prevention rarely satisfies GDPR requirements on its own.

Authorities increasingly expect organisations to demonstrate:

  • why monitoring is necessary;
  • why less intrusive alternatives would not achieve the same result;
  • why the scope of monitoring is proportionate;
  • how the organisation balances its interests against individuals’ privacy rights.

The analysis becomes significantly stricter when monitoring occurs in sensitive environments or when individuals are captured in situations where privacy expectations are naturally higher.

A camera positioned at an entrance for access-control purposes creates a very different legal risk profile from a camera capturing workstations, customer interactions, consultation areas, or locations involving sensitive information.

Audio recording creates a substantially higher level of risk

Video monitoring itself already constitutes an intrusion into privacy. Audio recording frequently elevates that intrusion to a different level.

Unlike visual information, audio can capture:

  • conversations;
  • personal opinions;
  • confidential business discussions;
  • health information;
  • other special-category personal data.

In practice, organisations often justify audio recording by referring to dispute prevention or evidentiary needs. Those arguments may not be sufficient.

Regulators increasingly view audio recording as requiring a particularly strong justification because its impact on privacy is significantly broader than that of ordinary video monitoring.

For higher-risk scenarios, organisations should carefully assess whether a Data Protection Impact Assessment (DPIA) is required.

Retention periods and access rights are not technical details

Many organisations focus on whether monitoring itself is lawful while paying insufficient attention to what happens afterwards.

GDPR obligations do not end once data has been collected.

Common issues include:

  • retention periods that are vaguely defined;
  • recordings stored significantly longer than necessary;
  • excessive internal access rights;
  • insufficient audit trails;
  • lack of technical controls over viewing or exporting recordings.

These are not administrative details; they align directly with the GDPR principles of storage limitation, integrity, confidentiality, and accountability.

Practical questions organisations should ask

Before implementing or reviewing monitoring systems, organisations should consider:

  • Is there a clear purpose for every monitored area?
  • Can the objective be achieved without audio recording?
  • Has a legitimate interest assessment been completed?
  • Is a DPIA required?
  • Are camera angles limited to what is strictly necessary?
  • Are retention periods technically enforced?
  • Is access restricted on a need-to-know basis?

Documentation increasingly determines compliance

In practice, the decisive question is often not whether monitoring exists, but whether the organisation can justify it.

Regulators increasingly expect documented evidence explaining why a specific monitoring measure was selected and why alternatives were considered insufficient.

Under GDPR, accountability is often the difference between a security measure and a regulatory risk.

About the Author:

Loreta Andziulytė is an Attorney at Law and Partner at ECOVIS ProventusLaw. With more than 20 years’ experience, she is ranked in FinTech Legal by Chambers and Partners FinTech (2020, 2023, 2024, 2025, 2026), ranked in Employment Law by Chambers and Partners (2023, 2024, 2025, 2026), and recognised in Employment, TMT, Dispute Resolution, Tax and FinTech by The Legal 500 (2019–2025).

Loreta is a Certified Information Privacy Professional (CIPP/E) and head of the firm’s technology team. She specializes in FinTech licensing, regulatory affairs, and data protection, guiding international financial institutions through complex compliance frameworks.