Workplace surveillance

Monitoring at work: here are your rights

More companies are adopting technologies to measure employee effectiveness, networking, website use and social media. Find out what your rights are here.

The market for surveillance software is overflowing with smart applications that allow employers to monitor employees on the job. For example, your employer can monitor your efficiency, routines, SoMe networking and meeting activity - or measure your mood, voice and satisfaction with management or other colleagues.

In this FAQ, you can find answers to common questions about your rights as an employee concerning surveillance at work.

What are the rules on whether your employer can monitor you at work?

There is only limited regulation of which tools may be used in Danish workplaces, as long as the tools comply with GDPR legislation. Often, workplace monitoring is hidden behind terms such as "management technology" or "control measures".

The Danish rules are briefly described in the "Circular on agreement on control measures" which is an agreement concluded between the social partners in the public sector in 2010.

The Circular states, among other things, that the control measures must be objectively justified on operational grounds and have a reasonable purpose. They must not be offensive to employees and must not "cause employees loss or significant inconvenience".

On home workplaces, it states that privacy-invasive controls must not be put in place.

The private sector is governed by a similar agreement between DA (the Confederation of Danish Employers) and LO (Danish Confederation of Trade Unions). DI, The Confederation of Danish Industry, stresses that only the necessary information may be processed, and only for as long as is necessary. In addition, employers must comply with the duty to inform employees so that they know what information is being processed about them.

Ultimately, there are various options for contacting the Data Protection Authority:

  • If you are concerned about how a public authority or company is using your data, you can choose to complain to the Data Protection Authority. Find out how at the Danish Data Protection Authority's website.
  • You can also send an e-mail to the Danish Data Protection Authority if you have a concern or question that does not relate to a specific case on dt@datatilsynet.dk.

Read the circular on the control measure agreement at retsinformation.dk (In Danish)

Read DA-LO agreement on control measures (In Danish)

What must the employer inform about if you as an employee are being monitored at work?

If your employer monitors you at work, your employer must inform you of:

  • What control measures are in place at the workplace. This could be, for example, TV surveillance or logging of internet use.
  • What the purpose is, what the basis for processing is and the scope of the control measures.
  • What categories of personal data are collected, including whether they are personal, contact or location data.
  • How long the data are kept and what criteria are used to determine this period.
  • Information on how to delete your data as an employee.
  • The categories of recipients to whom the data may be disclosed, such as the police.
  • What rights you have as an employee under GDPR rules.
  • Information on how to complain to the Data Protection Authority.
  • In addition, there is a requirement for signage for TV monitoring.

What data may the employer collect about you as an employee?

The personal data your employer may collect about you depends on the data in question and the purpose for which the data is to be used.

In general, information about you can be divided into two categories: general and sensitive personal data.

Employer's processing of general personal data

As a general rule, your employer has the right to process all personal data that you have provided in the course of your employment and that your employer has obtained in the course of your employment. This may include your age, date of birth, marital status, sick leave, salary, private telephone number, address and tax information.

The employer needs this information to draw up an employment contract, pay salary, etc.

Employer's processing of sensitive personal data

Personal data is:

  • Trade union membership
  • Information on health conditions
  • Sexual orientation
  • Ethnic background
  • Political, religious or philosophical beliefs.

CPR number and criminal record are a category of their own and therefore not considered general or personal data, but must be protected as well as sensitive information.

An employer will usually only be able to record sensitive information about you as an employee if you have consented to it. This could be the case, for example, if you have provided health information in connection with a reimbursement of sickness benefit.

If information about you is anonymised, i.e. you can no longer be identified from the information, it will not be personal data.

How should the employer inform about what data is being collected about you as an employee?

Your employer has a duty to inform you when they process your personal data. This means that your employer must tell you what personal data the company is processing about you, why and for what purpose, and what the legal basis for the processing is.

The obligation to provide information also applies when your employer makes use of control measures, such as:

  • Logging internet usage and website visits
  • Access to employees' emails
  • TV monitoring
  • GPS tracking of vehicles.

As a general rule, you must be informed of control measures at least 6 weeks before they are implemented. However, there may be exceptions, for example if the purpose of the control measure cannot be achieved because of the notification, or there are operational reasons why you cannot be notified in advance.

In this case, you must be informed of the control measure as soon as possible and you must be told why you could not be informed of the control measure in advance.

As a new employee, your employer is obliged to inform you about control measures. This may be stated in your employment contract or in a welcome email. Verbal information or a reference to the intranet about the control measures used by the company is not enough.

As an employee, can you see what data your employer collects about you?

Under the Data Protection Act, you have the right to see the personal data that a current, former and/or potential employer processes about you electronically.

This makes it easier for you to check that your personal data is accurate and processed lawfully.

Write to the HR department of your company to request access to the personal data they process about you. We recommend that you contact IDA for advice before approaching the company.

Where can you get help if you suspect your employer is collecting data about you?

The rules on surveillance and data protection are complex and you may have many unanswered questions. You may find that your employer won't hand over data, or you may be unsure whether you have consented to monitoring measures.

That's why we in the IDA Legal Department are ready to advise and help you. You can call us or write to us via Mit IDA.

Contact IDA legal advice

Can your employer record the websites you visit on your work computer during working hours?

In order for the employer to log/record and check employees' visits to websites and subsequently review the record in case of suspected misuse of the Internet, the following conditions must be met:

  • As an employee, you must be informed in advance that registration/logging will take place and that registration of website visits may be reviewed as part of a check on suspected use in breach of workplace guidelines.
  • Control measures must be objectively justified on operational grounds and have a reasonable objective. It may be necessary for the company to control the logging of website visits by employees in order to pursue a legitimate interest, which may be, for example, for security or technical reasons, operational reasons and to check compliance with company guidelines.
  • It must not be offensive to you as an employee.

It will therefore always be a specific legal assessment as to whether the employer meets the requirements of fairness and proportionality when processing personal data of employees. It is IDA's legal specialists who make the assessment and, if necessary, contact the Data Protection Authority if we deem it necessary.

Can your employer collect data from your employer-paid computer, tablet and phone when you use it in your free time?

Under the Data Protection Act, your employer is allowed to log your searches, downloads and general internet use on your work computer, tablet or phone, if you agree in advance:

  • You must be informed that the registration/logging is taking place,
  • It must have an operational, objective and reasonable purpose, such as security or to prevent abuse.

This also applies when you use the employer's IT tools outside normal working hours and/or when you use the employer's IT tools for private use.

The reason is that the company must be able to log all threats that may occur, even outside the employee's working hours or when the employee uses the employer's IT tool for private use. Cyber security must never be undermined.

Your employer should always inform you how your digital behaviour is monitored or logged and what exactly is logged in relation to your internet use.

You should therefore be able to get an answer from your employer on how long your data is kept in accordance with Article 13 of the Data Protection Regulation.

IDA generally advises that you do not use your employer's IT tools for private use, even though this is an option you often have according to your Employee Handbook.