CAN AN EMPLOYER LEGALLY MONITOR EMPLOYEES?



In Ireland, there is no specific legislation that deals with employee monitoring.

The extent to which employees can be legally monitored needs to be assessed by taking account of the existing legal and regulatory framework. That framework includes: –

  • General Data Protection Regulation and the Data Protection Acts
  • Article 8(1) of the European Convention on Human Rights – individuals’ right to private and family life and correspondence
  • Constitutional right to privacy
  • Duty of trust and confidence implied into an employee’s contract of employment.

Provided an employer complies with data protection legislation when engaging in any form of monitoring, they are unlikely to breach an employee’s right to privacy or erode trust and confidence.

WHAT ARE THE RISKS INVOLVED IF MONITORING IS DONE UNLAWFULLY?

Risks of unlawfully monitoring employees include potential regulatory fines of up to €20 million, or in the case of an undertaking, up to 4% of their total global turnover of the preceding financial year (whichever is higher); costs of litigation or regulatory proceedings, staff turnover, loss of management time, reputational damage and loss of customers or clients.

Monitoring employees inherently brings with it a degree of risk, but employers can mitigate those risks by taking 4 key steps.

HOW CAN EMPLOYERS MONITOR EMPLOYEES LAWFULLY?

 

Step 1 – Identify a legal basis for monitoring, tell employees about it and stick to it

Monitoring employees is processing their personal data.

To lawfully collect and process personal data, employers need to identify and document a specific legal basis for monitoring. Under GDPR there are six legal bases to choose from, which are set out in the table below. More than one may apply.

How an employer identifies a legal basis will depend on the reason for monitoring the employee.  If no legal basis can be identified, it most likely means that the monitoring is unlawful.

Legal Basis | Will it work as a legal basis for monitoring?
Consent | Not usually – there is an imbalance of power between an employer and its employees, so consent cannot be given freely, which is required. Also, employees can withdraw their consent at any time, meaning it is an unstable basis for processing data, including monitoring employees.
Contract | Not usually – this basis can be used only where the processing of personal data is necessary to perform the contract. It is difficult to see how monitoring employees is “necessary” to perform the contract. Where there are contractual KPIs, for example, monitoring employees’ performance against those KPIs may be necessary to fulfil a contract.
Legal Obligation | Sometimes – this basis can be used only where the processing of personal data is necessary to comply with a legal obligation. Employers of truck drivers, for example, have a legal obligation to monitor driving time, speed and distance to comply with EU law. Fitting a tachograph and monitoring employees in this way would be to comply with a legal obligation.
Vital Interests | Not usually – this basis would be relied upon to protect someone’s life in an emergency situation and would be available in very limited circumstances, e.g. in a high-risk operational environment where certain data may be monitored, such as oxygen and heart rate for deep sea divers.
Public Task | Sometimes – but rarely unless the organisation is a public authority. This basis would be relied upon where it is necessary for an organisation to perform a task in the public interest or for official functions. Organisations would need to demonstrate that monitoring employees is necessary to perform a task in the public interest, e.g. a garda wearing a body-worn camera.
Legitimate Interests | Sometimes – but with work! This basis is used where the processing is necessary for the legitimate interests of the employer, or those of a third party, unless the employee’s rights override them. It is the most flexible ground, but the employer will usually need to prepare a Data Protection Impact Assessment setting out the legitimate interests, the risks involved in the monitoring and how those risks are mitigated. This would be the most common basis used for monitoring employees.

Once you have identified a legal basis for monitoring employees, you are required to inform employees of the monitoring, the legal basis for the monitoring and why you are doing it.  This should be recorded in an Employee Privacy Policy.

Transparency is not only necessary to comply with data protection legislation, it will also foster trust and employee loyalty. You should only monitor employees in ways they would reasonably expect and not in ways that would cause unjustified adverse effects on them.

In a case before the WRC, ADJ-00012025, a Dental Technician succeeded in her case for constructive dismissal under the Unfair Dismissal legislation, following the discovery of a hidden camera in a lever arch folder pointed at her desk. Although the employer contended that it was for security purposes, the fact that the camera was pointed at her desk and not at the door and was covertly installed was considered. The Adjudication Officer found that “the concealed surveillance system [amounted] to a breach of the implied term of trust and confidence [… and] that there had been a repudiatory breach going to the root of the contract.”

Once an employer has identified the legal basis and purpose for monitoring employees, they should not stray into using it for other purposes.

In Doolin v the Data Protection Commissioner [2022] IECA 117, the use of personal data for a purpose different from that for which it was collected was considered.

In this case, the employer’s CCTV policy stated that CCTV footage was collected and processed for security reasons. However, the employer went on to use the CCTV footage in disciplinary proceedings against an employee, Mr Doolin, for taking long unauthorised breaks. The Court of Appeal held in favour of the employee, confirming that the use of CCTV footage in the disciplinary process was unlawful.

The Court of Appeal held that the use of the data for the purpose of discipline was incompatible with the specified purpose of security.  There was no evidence that the taking of breaks was a security issue.

The Court indicated that in some cases, the taking of unauthorised breaks could constitute a security issue if, for example, the Employee was a security guard.  An assessment would need to be conducted on a case-by-case basis.  The Court also noted that in conducting the compatibility assessment, the reasonable expectations of the employee should be considered.

In this case, the Employee could not have reasonably expected that the footage would be used to monitor his performance and as such, the use of the CCTV footage in the disciplinary process was unlawful.

Step 2 – If relying on the employer’s legitimate interests to process the data, consider preparing a Data Protection Impact Assessment

Monitoring employees for the legitimate interests of the employer is one of the most flexible grounds to process data.  However, with that flexibility comes responsibility.

Employers must balance their legitimate interests and the need to monitor their employees against the interests, rights and freedoms of the employees, considering the particular circumstances.

An example of a legitimate interest to monitor employee activity is provided in Recital 49 of GDPR.  It says that processing personal data to the extent strictly necessary and proportionate for the purpose of ensuring network and information security would constitute an overriding legitimate interest.

While it may be reasonable to monitor emails and messages sent or received over the network to protect confidential information or data security, for example, it would be difficult to justify: –

  • looking at browser history if blocking certain sites would achieve the aim;
  • monitoring the content of emails and messages if monitoring network activity would achieve the purpose.

While documenting the employer’s overriding legitimate interest can easily be achieved by a short document, in some cases an employer will need to prepare a more detailed Data Protection Impact Assessment (DPIA). Employers only need to do a DPIA where there is a high risk to the rights of the individuals or where there is systematic monitoring, tracking or observing of an individual’s location or behaviour. The UK Information Commissioner’s Office has a DPIA template available at: –

https://gdpr.eu/wp-content/uploads/2019/03/dpia-template-v1.pdf.

Step 3 – Think about whether the employee has a reasonable expectation of privacy

If you are monitoring employees working remotely, their expectation of privacy is likely to be higher at home than in the workplace.  There is also a higher risk of collecting family and private life information, so this needs to be factored into risk planning.

As well as data protection rights, employees have a right to privacy as a fundamental human right under Article 8(1) of the European Convention on Human Rights – individuals’ right to private and family life and correspondence. The steps to mitigate the risk of breaching this right are similar to the steps you would take to protect against the risk of breaching data protection rights.

Step 4 – Act fairly and reasonably.

Continuous monitoring of an employee “to keep an eye on them” is highly intrusive and is unlikely to be justified except in rare circumstances. 

For example, continuous monitoring by audio or video is highly intrusive and would need to be targeted at a particular risk and confined to areas where the expectations of privacy are low. 

WHAT ABOUT COVERT MONITORING – IS IT EVER ALLOWED?

 

Generally, it is unlawful to collect personal data or monitor employees without them knowing.  To do so breaches the principle of transparency.

It is only allowed in very exceptional circumstances where the data will be used to detect, prevent or investigate crime or to catch and prosecute offenders. Covert monitoring should be focussed and last only for a short amount of time. If no evidence is found within a reasonable amount of time, the employer will find it difficult to justify continuing covert surveillance. Employer written policies should outline the circumstances in which covert monitoring might take place.

In the case of Ribalda and Others v Spain, the Grand Chamber of the European Court of Human Rights gave guidance on circumstances in which covert surveillance may be allowed.

In this case, the applicants were employees of a Spanish supermarket chain. Three of the applicants were cashiers and two of the applicants were sales assistants working behind the counter. The supermarket started to notice inconsistencies in the stock level versus the sales figures, resulting in a loss to the supermarket. An internal investigation was initiated whereby CCTV cameras were installed, some visible and others hidden. The hidden cameras were directed towards the checkout counters. The employees had been informed of the installation of the visible CCTV cameras and told that they were installed because of the suspicions about thefts. There was also a sign indicating that CCTV was being used in the supermarket.

The hidden cameras revealed theft of goods by a number of employees at the tills and those employees were dismissed. The applicants in the case argued that the decision to dismiss them was based on recordings obtained in breach of their right to privacy under Article 8 of the Convention on Human Rights. The Court held that the installation of covert CCTV had been justified by reason of the suspicions of theft. The monitoring was done over a 10-day period and was limited to the checkout counters in a public supermarket where the employees’ expectations of privacy were low. The employees had been informed of the monitoring and there was no less intrusive way to identify the thieves.

Prior to implementing covert monitoring: –

  • Consider if there are reasonable grounds to suspect that criminal activity or extremely serious malpractice is taking place;
  • Consider if there is a less intrusive way to tackle the issue;
  • Conduct a DPIA;
  • Only conduct it with the express authorisation of senior management;
  • Limit the covert monitoring to specific areas for a limited time;
  • Do not use covert monitoring in areas (e.g. changing rooms) where employees have a reasonable expectation of privacy;
  • Only involve a limited number of people in the covert monitoring and use it only for its intended purpose.

 If you have any queries on this please do not hesitate to contact Laura Graham at lgraham@reddycharlton.ie



Author: Laura Graham