Employee Monitoring Software – Definition, Legal Framework & Practical Tips

Employee monitoring software enables companies to digitally record working hours, computer activity, or the location of employees. In Germany, its use is strictly regulated: §26 BDSG, the GDPR, and §87 BetrVG set tight legal boundaries — covert surveillance is generally prohibited, and the works council must be involved without exception.

What Is Employee Monitoring Software?

Employee monitoring software refers to digital tools that allow employers to systematically record and evaluate the behaviour, activity, or performance of their workforce. The term covers a wide range of functions — from simple time tracking to comprehensive screen monitoring or GPS tracking.

An important distinction: not every form of performance control automatically constitutes a monitoring measure in the legal sense. What matters is whether the tool in question is capable of systematically recording and evaluating the behaviour or performance of individual employees. It is precisely this criterion that triggers the works council's mandatory right of co-determination under §87 para. 1 no. 6 of the Works Constitution Act (BetrVG).

Types of Monitoring at a Glance

Not all forms of employee monitoring are treated equally under the law:

• Time tracking (clocking systems, software): Generally permissible, and since the 2019 ECJ ruling even legally required — provided it is used transparently and proportionately.
• Activity tracking (mouse movements, keystrokes, active screen time): Heavily restricted. The Federal Labour Court (BAG) ruled in 2017 that keyloggers are unlawful without concrete suspicion of wrongdoing.
• Screen monitoring / screenshots: Only permissible with a clear legal basis and a corresponding works agreement.
• Email monitoring: Almost never permissible when private use is allowed. When email is restricted to business use only, it may be permitted under strict conditions and with full transparency towards employees.
• Video surveillance: Subject to strict requirements, particularly in non-public areas. Open video surveillance may be permissible; covert surveillance generally is not.
• GPS tracking: Permissible in company vehicles during work-related journeys — continuous tracking during private time is not permitted.

The Legal Framework in Germany

Deploying employee monitoring software in Germany touches multiple areas of law simultaneously. Acting without sufficient legal knowledge risks significant fines, invalid dismissals, and conflicts with the works council.

§26 BDSG: The Central Data Protection Provision

The most important statutory basis is §26 of the Federal Data Protection Act (BDSG). It governs the conditions under which employers may process personal data relating to their employees.

Data may be processed only when this is necessary for establishing, carrying out, or terminating the employment relationship. The principle of proportionality must always be observed: any interference must be suitable, necessary, and reasonable. Excessive monitoring — such as continuous activity tracking — is generally disproportionate and therefore unlawful.

Where there is a concrete suspicion of criminal conduct within the employment relationship, §26 BDSG permits extended data collection under strict conditions. However, this exception must be interpreted narrowly.

GDPR: What Additional Requirements Apply?

Alongside §26 BDSG, the European General Data Protection Regulation (GDPR) applies, in particular:

• Art. 5 GDPR defines the principles governing data processing: purpose limitation, data minimisation, accuracy, and storage limitation.
• Art. 6 GDPR governs lawfulness: every act of data processing requires a legal basis.
• Art. 13 GDPR obliges employers to inform employees transparently about the nature, scope, and purpose of data collection.

When monitoring software is used extensively, a Data Protection Impact Assessment (DPIA) must also be carried out in accordance with Art. 35 GDPR. A DPIA is a mandatory review conducted before deploying technologies that process sensitive data — it documents the risks involved and the protective measures put in place.

§87 BetrVG: The Works Council's Right of Co-Determination

Where a works council exists, §87 para. 1 no. 6 BetrVG applies: this provision gives the works council a mandatory right of co-determination over the introduction and use of technical systems capable of monitoring the behaviour or performance of employees.

This means: no such software may be introduced without agreement with the works council. If no agreement can be reached, an arbitration board (Einigungsstelle) may be called upon.

What Is Permitted — What Is Prohibited?

The following overview provides initial guidance. It does not replace legal advice in individual cases.

Generally permissible (subject to conditions):

• Transparent time recording and attendance monitoring
• Access logs on IT systems (for security purposes)
• Monitoring where there is concrete, documented suspicion of criminal conduct
• GPS tracking during business journeys (not private journeys)
• Open video surveillance in certain areas (e.g. entrance areas, checkouts)

Generally not permissible:

• Covert surveillance of any kind (BAG 2 AZR 681/16)
• Keyloggers without concrete suspicion (BAG 2 AZR 133/18)
• Continuous screen monitoring without sufficient legal basis
• Email monitoring where private use is permitted
• Webcam surveillance in the home office
• GPS tracking outside of working hours

Special Considerations for Remote Work

The shift to remote work has brought the topic of employee monitoring back into sharp focus. Many organisations are asking: what am I permitted to monitor when employees are working from home?

What May Be Monitored?

In the home office, the same legal rules apply as in the office — with one crucial limitation: employees' homes enjoy special constitutional protection under Art. 13 of the Basic Law (GG), which guarantees the inviolability of the home.

Permissible in the home office:

• Time recording (start and end times of working hours)
• Checking availability during agreed core hours
• Usage logs on company IT systems

Not permissible — even in the home office:

• Continuous webcam surveillance during working hours
• Screen monitoring without an explicit legal basis and works agreement
• Activity tracking (mouse movements, keystrokes) for performance monitoring purposes

Works Agreements Must Address Remote Work Specifically

Existing works agreements on IT use or time recording often fail to cover the home office adequately. HR professionals should check whether their works agreement contains explicit provisions for remote work situations.

A culture of persistent surveillance also has a negative impact on employer branding: employees who feel permanently monitored show significantly lower job satisfaction and higher turnover rates.

Step by Step: Lawful Implementation

Introducing employee monitoring software is not simply an IT project — it requires legal diligence, internal communication, and the involvement of all relevant stakeholders.

Step 1: Define and document the purposeSet out in writing the specific purpose the software is intended to serve (e.g. time tracking, IT security). Assess whether this purpose is proportionate. Carry out a Data Protection Impact Assessment (DPIA) in accordance with Art. 35 GDPR if required.

Step 2: Involve the works councilInform the works council early and fully (§87 BetrVG). The software may not be used without their agreement. Allow sufficient time for negotiations.

Step 3: Conclude a works agreementThe works agreement must cover at a minimum:

• The purpose and scope of monitoring
• Access rights (who may view the data?)
• Data retention and deletion periods
• Procedures in cases of suspected misuse
• Specific provisions for remote work

Step 4: Inform employees transparentlyUnder Art. 13 GDPR, employees must be comprehensively informed before data collection begins — about the nature, scope, purpose, and their rights. A simple email is generally insufficient; documented proof of notification is advisable.

Step 5: Implement technical and organisational measures (TOMs)Ensure that only authorised personnel have access to the data collected. Typical TOMs include encryption, access restrictions, and logging of data access.

Step 6: Involve the data protection officerCoordinate your plans with the company's data protection officer — particularly where data processing is extensive.

Frequently Asked Questions About Employee Monitoring Software

Is employee monitoring legal in Germany?

In principle, yes — but only under strict conditions. §26 BDSG, Arts. 5 and 6 GDPR, and §87 para. 1 no. 6 BetrVG form the legal framework. The principle of proportionality must be respected. Covert surveillance is generally unlawful, as confirmed by the Federal Labour Court in its ruling of 27 July 2017 (ref. 2 AZR 681/16). Where a works council exists, its agreement is mandatory.

What may an employer monitor in the home office?

Time recording and checking availability during agreed working hours are permissible. Continuous screen monitoring, webcam surveillance without consent, and activity tracking for performance monitoring purposes are not. Employees' private homes enjoy special protection under Art. 13 GG. An up-to-date works agreement should explicitly address home office specifics.

Do I need a works agreement to use employee monitoring software?

If a works council exists: yes — §87 para. 1 no. 6 BetrVG makes this mandatory. Without a works council, you will need either the informed consent of employees or a collective arrangement (e.g. individual agreements). The works agreement must regulate the purpose, scope, access rights, and deletion periods. If no agreement can be reached, the arbitration board may be engaged.

May an employer use keyloggers?

Generally no. The Federal Labour Court ruled on 27 July 2017 (ref. 2 AZR 681/16) that deploying a keylogger without concrete suspicion of a criminal offence is disproportionate and violates employees' right to informational self-determination. Even with a works agreement, using keyloggers is rarely legally defensible — the requirements are extremely narrow.

What are the consequences of unlawful monitoring?

The consequences are significant: under the GDPR, fines of up to 4% of global annual turnover may be imposed. Data obtained unlawfully is subject to an exclusionary rule — dismissals based on such data may be void. In addition, affected employees may claim damages under Art. 82 GDPR, and the works council may seek an injunction.

Do I have to tell employees they are being monitored?

Yes, always. Art. 13 GDPR obliges employers to transparently inform employees about the nature, scope, purpose, and legal basis for data collection — before monitoring begins. Covert surveillance is fundamentally unlawful in Germany.

How do I implement employee monitoring software in a legally compliant way?

Implementation follows six steps: define the purpose and conduct a DPIA, involve the works council (§87 BetrVG), conclude a works agreement, inform employees transparently (Art. 13 GDPR), implement technical and organisational measures (TOMs), and involve the data protection officer.

Conclusion

Employee monitoring software operates within a narrow legal corridor in Germany. §26 BDSG, the GDPR, and §87 BetrVG protect employees' right to informational self-determination — and rightly so. HR professionals wishing to deploy monitoring tools cannot avoid transparency, proportionality, and works council involvement.

The key insight is this: monitoring is no substitute for trust. Organisations that invest in lasting employee retention and a strong employer brand should not underestimate the cultural impact of surveillance measures. Transparent, respectful collaboration — beginning with fair and objective personnel selection — is far more effective in the long run than comprehensive tracking.

Those looking to embed fair selection from the very start of the hiring process will find that the digital platform Aivy offers scientifically validated assessment tools that reduce unconscious bias and base decisions on objective data rather than subjective impressions: Learn more about fair personnel selection with Aivy.

Sources

• §26 BDSG — Processing of personal data for employment purposes. Federal Ministry of Justice, 2018 (last amended 2022). https://www.gesetze-im-internet.de/bdsg_2018/__26.html
• GDPR Art. 5 — Principles relating to processing of personal data. European Union, 2018. https://gdpr-info.eu/art-5-gdpr/
• GDPR Art. 6 — Lawfulness of processing. European Union, 2018. https://gdpr-info.eu/art-6-gdpr/
• §87 para. 1 no. 6 BetrVG — Works council co-determination regarding technical monitoring systems. Federal Ministry of Justice. https://www.gesetze-im-internet.de/betrvg/__87.html
• BAG ruling 2 AZR 681/16 — Covert video surveillance. Federal Labour Court, 27 July 2017. https://www.bundesarbeitsgericht.de/entscheidung/2-azr-681-16/
• BAG ruling 2 AZR 133/18 — Use of keyloggers. Federal Labour Court, 23 August 2018. https://www.bundesarbeitsgericht.de/entscheidung/2-azr-133-18/
• Data protection in the employment context. Federal Commissioner for Data Protection and Freedom of Information (BfDI), 2023. https://www.bfdi.bund.de/DE/Buerger/Inhalte/Arbeit/Arbeit_node.html
• Digital work — Remote work and monitoring. Bitkom e.V., 2023. https://www.bitkom.org