Netherlands: Employee monitoring and surveillance

Netherlands flag
Phase
Work Council Act/ General Data protection regulation/ GDPR implementation act
Native name
Wet op de ondernemingsraden (WOR)/ Algemeen verordening gegevensbescherming (AVG)/ Uitvoeringswet AVG (UAVG)
Type
Employee monitoring and surveillance
Added to database
18 October 2023

Article

Wet op de Ondernemingsraden (WOR) , Article 27(1)(k)(l)

Description

LAST UPDATE 2023 - THIS CONTENT WILL NOT BE UPDATED

An employer is only allowed to monitor employees if it meets the requirements of the GDPR, as well as the law implementing the GDPR. Whenever an employer monitors their employees, the employees’ privacy must be protected at all times. If there are alternatives to employee monitoring, or less invasive methods for the employees’ privacy, those must take precedence. In general, the employee must give their explicit informed consent for the employer to be allowed to monitor their data, however, there are exceptions to this rule. There are also instances where employee monitoring is never admissible, for example in sensitive spaces, such as toilets and religious spaces.

The GDPR requirements for employee monitoring are as follows:

  • Legitimate interest: the company must have a legitimate interest in monitoring its staff. This interest must outweigh the rights and interests of its employees. Such as their right to privacy. The company must be able to substantiate this. It must comply with the principles of proportionality and subsidiarity.
  • Need: monitoring staff must be a necessity. This means that the company cannot achieve its goal in another way that is less drastic for its employees’ privacy.
  • Inform staff: the company must inform its employees about:
  • what is allowed and what is not;
  • that control is possible;
  • why and when to check;
  • how to check;
  • which data is involved.

Employees can be informed with internal guidelines, such as rules of conduct or a protocol.

  • Right to confidential communications: employees' right to confidential communication must be considered. For example, when checking e-mail or telephone.
  • Works council approval: if the organisation has a works council, then the company must request the prior approval of the Works Council for a scheme for the inspection of personnel. If the Works Council does not agree, you are not allowed to inspect.
  • Data protection impact assessment: if a company wants to use large-scale processing and/or systematic monitoring of personal data to monitor the activities of employees, such as checking email and internet usage, GPS tracking in employees’ cars or trucks, or camera surveillance in order to combat theft and fraud, it needs to carry out a data protection impact assessment (“DPIA”) first. A DPIA looks at the privacy risks of the monitoring system, so that measures can be taken to reduce risks. If the company has a data protection officer, then they can be asked for advice on carrying out the DPIA.
  • Prior consultation: if the DPIA shows that the intended inspection poses a high risk, and the company is unable to find measures to limit this risk, then the Dutch Data Protection Authority (AP) must be consulted before the company starts checking personnel. This is called a prior consultation. If the company has a data protection officer, they can advise on whether prior consultation is necessary.
  • Covert control: if the company intends to secretly monitor employees, it must also meet the additional conditions for covert monitoring. Secret monitoring of employees is only allowed in special circumstances, such as in case of a suspected crime. In case of covert surveillance, the employer is only allowed to use the data for the initial purpose of the surveillance.

Commentary

Generally, monitoring is allowed provided companies take privacy into account. They must also comply with the General Data Protection Regulation and the law implementing the GDPR. Specifically, the employer must have a legitimate interest in monitoring their staff and they must be able to argue why it is legitimate. Furthermore, monitoring must be absolutely necessary. Employers must also inform personnel, specifically on what is and what is not allowed, that control is possible, the reason and when the employer will check, how the monitoring takes place and what data will be monitored. The right to confidential communication must also be taken into account. When companies have a works council, according to article 27 (1) (k) (l) the company must ask the works council for permission in relation to the processing and protection of personnel and arrangements aimed at or suitable for observing or checking the presence, behaviour or performance of the staff. When the work council does not approve, the employer is not allowed to check. A data protection impact assessment must also be carried out and when this shows a high-risk, prior consultancy should be done with the Dutch Data protection authority. This applies to all forms of employee monitoring.

Employee monitoring in the Netherlands and Europe is subject to strict legal standards regarding informed consent and privacy. According to a ruling by the subdistrict court judge of the Central Netherlands District Court, Utrecht (ECLI:NL:RBMNE:2021:6071), an employee's consent to monitoring must be well-informed. A mere warning message that an employee must accept before logging in is insufficient to constitute informed consent. In this specific case, the court held that the employee did not provide informed consent because the extent and manner of monitoring were unclear, despite the warning message displayed upon login.

The European Court of Human Rights (ECHR) further clarified the principles surrounding workplace monitoring in the Bărbulescu v Romania case (ECLI:CE:ECHR:2017:0905JUD006149608). In this case, an employer sought to terminate an employee, Mr. Bărbulescu, who had his work-related account monitored. The ECHR ruled that the monitoring in this case was not legally valid.

The ECHR provided six crucial factors that an employer must consider when monitoring an employee:

  • (i) The employee must be informed in advance about the nature of potential monitoring by the employer.
  • (ii) The extent of monitoring and its impact on the employee's privacy.
  • (iii) The employer should have legitimate grounds justifying the need for monitoring.
  • (iv) Employers should explore less intrusive methods and measures when implementing monitoring.
  • (v) The consequences of monitoring on the employee.
  • (vi) Providing adequate safeguards, especially in cases involving highly intrusive monitoring methods (paragraphs 121 and 122).

This ruling and the stringent factors outlined emphasise that monitoring employees cannot be undertaken lightly and must adhere to clear legal standards.

The following are the extra criteria for covert control:

  • Reasonable Suspicion: if an employer has a reasonable suspicion that one or more employees are engaging in criminal or prohibited activities, such as theft or fraud, the employer may consider secret monitoring.
  • No Alternative: if the employer made efforts to stop theft or fraud but has not succeeded, the employer may have no choice but to conduct secret monitoring.
  • Occasional Monitoring: covert monitoring should be occasional, meaning it is limited to a predetermined period, and continuous secret monitoring is not allowed.
  • Notification: regardless of the monitoring's outcome, the employer must inform the involved employee(s) after the secret monitoring has taken place.
  • DPIA (Data Protection Impact Assessment): for the first-time secret monitoring, perform a DPIA. If the organisation has a Data Protection Officer (DPO), the employer should seek their advice.
  • Subsequent Occasional Monitoring: for subsequent secret monitoring instances with the same methodology, the employer does not need to repeat the DPIA.
  • Periodic DPIA Review: even if the data processing remains unchanged, the employer should consider reviewing the DPIA periodically, for instance every three years.
  • Private Investigation Agency: if the employer hires a private investigation agency for secret monitoring, the employer should perform a DPIA.
  • Prior Consultation: if the DPIA indicates a high risk and the employer cannot mitigate it, the employer should consult with the Dutch Data Protection Authority before commencing secret monitoring, known as prior consultation. The employer's Data Protection Officer can advise on the need for this consultation.

Figures about monitoring employees

In 2023, a study was done on employee monitoring in the Netherlands on 910 employees (including managers and senior managers) and 126 owners and executive managers within the small and medium-sized enterprise (SME) sector. 43% of surveyed employees report that their companies use tools for employee monitoring.

Besides employees, many supervisors and managers are also under surveillance. Among respondents working for companies using monitoring software, 56% both monitor employees and are themselves monitored by their superiors or the HR department. A smaller group (27%) only supervise employees without being monitored, while 17% report being solely subject to monitoring. 73% of employees say that the HR department has explained their rights to them. However, more than a quarter of employees still respond that they either have not received information (22%) or do not know (5%).

Additional metadata

Cost covered by
Employer
Involved actors other than national government
Works council
Involvement (others)
None
Thresholds
Affected employees: 50
Company size: No, applicable in all circumstances
Additional information: Works councils are only required if more than 50 employees

Citation

Eurofound (2023), Netherlands: Employee monitoring and surveillance, Restructuring legislation database, Dublin, https://apps.eurofound.europa.eu/legislationdb/employee-monitoring-and-surveillance/netherlands