Monitoring your employees

The key question is: are you allowed to use cameras, search mailboxes, or use monitoring software, and under what conditions?

1. Legal framework

A combination of privacy and labor law rules applies to the monitoring of employees:

• GDPR / UAVG; the core framework for processing personal data.
• Article 8 of the European Convention on Human Rights and Article 10 of the Constitution: right to privacy and personal life.
• Article 7:611 of the Dutch Civil Code: good employment practices.
• Guidelines from the Dutch Autoriteit Persoonsgegevens AP) (new stricter policy 2025–2026) on employee monitoring.

According to the AP, covert surveillance is only permitted on the basis of serious suspicion of unlawful conduct, on a temporary and proportionate basis, and only if there is no less intrusive way of obtaining evidence.  

2. General principles (case law and AP policy)

For employers, the following applies to every control measure:

• Proportionality and subsidiarity: the control must not go beyond what is strictly necessary to achieve a legitimate objective. 
• Transparency: Employees must be informed in advance about what, how, and why monitoring takes place (e.g., in personnel regulations). 
• Works council approval: Structural monitoring (such as continuous cameras or track-and-trace) requires employee participation via the works council. 
• DPIA requirement: A data protection impact assessment (DPIA) is always required for large-scale or covert inspections. 
• The rights of data subjects must be respected: right of access, objection, restriction, erasure where possible.

3. Practical guidelines per control measure based on case law and guidelines

a. Camera surveillance

• (Visible) camera surveillance is permitted in cases of legitimate interest, such as:
  • protection of employees;
  • safety (blind spots, aggression & violence);
  • protection of property;
  • the prevention of incidents.
• Hidden cameras are only permitted – temporarily – in the event of a concrete and serious suspicion (such as serious fraud or theft) if it has been made known in advance that hidden cameras may be used, with the consent of the Works Council.
• Cameras may not be used for performance evaluation or routine assessment.
• The AP retains camera footage for a maximum of four weeks, unless there is an incident, in which case it is retained until the matter is resolved.

b. Mailbox check

• Access to business mailboxes is only permitted in cases of legitimate interest, such as: suspected irregularities or fraud, protection of trade secrets or business continuity, system or network security.
• The monitoring must be necessary and there must be no less intrusive alternative. The invasion of privacy must be proportionate to the purpose. The assessment will take into account, among other things:
  • scope of the audit;
  • nature of the content (business vs. private);
  • one-time vs. structural control.
• Employers must inform employees in advance that monitoring is possible, why monitoring may take place, how the monitoring is carried out, and what data is viewed. This must be stated, for example, in an email policy, staff handbook, or protocol.
• Employers are not allowed to read private emails. Even within the business mailbox, this remains protected under the right to confidential communication. The AP also explicitly emphasizes this.
• Secret or hidden surveillance seriously infringes on privacy, but is sometimes permitted when:
  • there is a serious suspicion of misconduct;
  • other means do not work
  • control remains strictly limited.

Unjustified covert monitoring can lead to serious culpability on the part of the employer and compensation payments.

• The employer may access the mailbox of an employee who is on sick leave if this is necessary for the progress of work, there are no less intrusive options available, and only business emails are accessed.

c. Monitoring software / digital monitoring

• Tools that register mouse movements, screen activity, or presence via Wi-Fi/VPN are considered "highly intrusive" by the AP and may only be used if there is a valid basis for doing so, if it is necessary, if it is proportionate, if employees have been informed in advance, if the right to confidential communication is taken into account, and if the works council agrees to structural monitoring.

d. (Covert) inspections

• Covert surveillance may only be used in cases of concrete and serious suspicions, such as fraud, theft, serious misconduct, or systematic breaches of company security.
• The employer must be able to demonstrate that open monitoring is not possible, that direct communication/questioning yields no results, and that other alternatives (metadata, limited access, IT logs) are insufficient. 
• The infringement must be very narrowly defined: focused solely on the specific suspicion, as short as possible in duration, as limited as possible in scope, and no structural surveillance.
• Secret inspection is therefore the last resort.

5. Conclusion

Monitoring employees is permitted in the Netherlands, but all monitoring measures are subject to strict supervision under privacy legislation, ECHR rights, and GDPR rules. Recent case law shows that camera and webcam monitoring in particular are subject to very critical scrutiny, and that violations can lead to the annulment of dismissals or substantial damages. 
When in doubt, always seek legal advice first and keep policies and protocols up to date with transparent information to employees and works council approval where necessary.