An increasing number of organizations use video surveillance, access control systems, and tools monitoring online activity. While such measures may enhance security, their implementation must comply with GDPR and applicable labor law regulations.
The principle of proportionality is crucial – monitoring must not be excessive or infringe upon the dignity and privacy of employees. The data controller should clearly define the purpose of processing, the scope of collected data, and the retention period. It is also necessary to fulfill the information obligation toward individuals subject to monitoring.
The DPO should assess whether the planned measures are adequate and whether less intrusive alternatives exist. In practice, this involves conducting a risk analysis, consulting with HR and IT departments, and regularly reviewing implemented solutions in light of legal requirements and current case law.
