Employee Monitoring Laws in Germany
Germany has some of the strictest employee monitoring rules in Europe. Monitoring is lawful, but only under GDPR, the Federal Data Protection Act, and works council co-determination, and only when it passes a strict proportionality test.
Employee monitoring in Germany is governed by three layers of law: the EU General Data Protection Regulation, the Federal Data Protection Act known as the BDSG, and the co-determination rights of works councils under the Works Constitution Act. Together they make Germany one of the most protective jurisdictions in the world for workers. Monitoring is permitted, but an employer must have a lawful basis, meet a strict proportionality test, and in most workplaces obtain the agreement of the works council before any system goes live. This guide explains each layer and what a compliant program looks like in practice.
The legal framework at a glance
German employee monitoring law rests on three pillars that apply at the same time. The GDPR sets the baseline for any processing of personal data, the BDSG adds employment-specific rules in Section 26, and the Works Constitution Act gives works councils a co-determination right over technical systems that can monitor staff. An employer has to satisfy all three, not just one.
This layered structure is why Germany is stricter than most of Europe. A practice that is lawful under the GDPR alone can still be blocked by a works council, and a works council agreement does not excuse a failure to meet GDPR principles. For the wider European picture, our GDPR monitoring guide covers the baseline that Germany builds on.
Because all three layers apply together, the practical question for an employer is never whether one basis is satisfied but whether the weakest link holds. A program can look sound on GDPR paperwork and still fail because the works council was not consulted, so German compliance is best treated as a chain in which every link must bear the load.
BDSG Section 26 and the lawful basis
Section 26 of the BDSG is the core provision for the employment relationship. It permits processing of employee data where that processing is necessary for the employment relationship, and it sets a higher bar for monitoring aimed at detecting criminal conduct, which requires a documented suspicion. Necessity, not convenience, is the standard the law applies.
In practice this means an employer must be able to explain why each category of data collected is genuinely required for a defined purpose. Blanket collection of everything an employee does, justified only by a general wish for oversight, does not meet the necessity test and is a common reason German monitoring programs are found unlawful.
German courts read necessity narrowly, and the burden sits with the employer to justify each category of data. A useful discipline is to write down, before deployment, the specific business question each data type answers, because a category that cannot be tied to a defined purpose is exactly the kind of collection Section 26 does not permit.
The proportionality test
Proportionality is the decisive test German courts apply to monitoring. An employer must show that the monitoring pursues a legitimate aim, that it is suitable for that aim, that no less intrusive means would achieve it, and that the intrusion is reasonable when weighed against the employee interest affected. All four elements have to hold.
The least-intrusive-means element matters most in disputes. If aggregated activity data would answer the business question, continuous screenshots will usually fail the test. Designing monitoring to collect the minimum needed, the approach in our privacy-first guide, is the most reliable way to stay proportionate.
German case law offers concrete guidance here: courts have struck down permanent keylogging and continuous video precisely because less intrusive measures existed. Treating those rulings as a checklist, always asking whether a lighter measure would do, keeps a program on the right side of the proportionality standard rather than testing its limits.
Proportionate by Design
Compliance layers
Activity mix
▲ Minimal, transparent collection passed the proportionality test and works council review.
Illustrative eMonitor dashboard.
Works council co-determination
Works councils hold a co-determination right under Section 87 of the Works Constitution Act over the introduction and use of technical devices designed to monitor employee behavior or performance. Where a works council exists, the employer cannot deploy monitoring software without its agreement, usually recorded in a works agreement called a Betriebsvereinbarung.
This right is powerful because it is not merely consultative. A works council can refuse, negotiate limits on scope, retention, and access, and take a dispute to a conciliation board. Employers who plan a rollout should involve the works council early rather than present a finished system, as forced-through deployments are frequently unwound.
The most reliable way to work with a works council is to bring it the purpose and the problem, not a pre-configured product. Councils negotiate scope, retention, and access, and an employer that arrives with those points open, rather than fixed, reaches a durable works agreement far faster than one that presents a finished system for rubber-stamping.
Why consent is rarely the answer
Consent is a weak basis for monitoring in Germany because the employment relationship is seen as unequal, so an employee cannot freely refuse. German regulators and courts treat employee consent with suspicion, and a program built on it can collapse if the consent is judged not to be genuinely voluntary.
For this reason compliant employers rely on necessity under Section 26 and a works agreement rather than on consent forms. Where consent is used at all, it must be genuinely optional and separable, a point our consent form guide explains for jurisdictions where consent carries more weight.
Where an employer does want a voluntary element, such as an optional productivity self-view, it should be built as a genuine opt-in that carries no consequence for declining. Keeping optional features clearly separate from mandatory processing under Section 26 avoids contaminating the lawful basis with consent that a regulator would question.
What German law effectively prohibits
Several practices are effectively off-limits in Germany. Secret monitoring without a documented, serious suspicion of a crime is generally unlawful, as is continuous keystroke logging of content, permanent screen recording, and monitoring of private communications. The Constitutional Court has repeatedly protected a core area of private life even at work.
Location tracking outside working duties, monitoring during breaks, and any collection touching special-category data such as health or trade-union activity attract the highest scrutiny. Employers moving from a lighter jurisdiction should assume that what is normal elsewhere may be prohibited here, and check each feature against the proportionality test.
For multinationals, the trap is assuming a policy that works in the United States or United Kingdom transfers to Germany. Features that are routine elsewhere, such as always-on screenshots, are frequently unlawful here, so a German rollout should start from a clean assessment of each feature rather than a lift-and-shift of an existing global standard.
Monitor Within German Law
eMonitor gives you the minimal-data controls, transparency, and access limits a German works agreement and proportionality test require.
Transparency and employee rights
German law requires that employees be informed clearly about monitoring: what is collected, why, on what legal basis, how long it is kept, and who can see it. The GDPR access, rectification, and erasure rights all apply, and employees can ask to see the data held about them, as covered in our data subject access request guide.
Transparency is not only a legal duty but a practical safeguard. Open monitoring that employees understand is far easier to defend before a works council or a court than a system discovered after the fact, and it aligns with the trust-first approach that works best everywhere.
A data protection impact assessment is effectively mandatory for systematic monitoring under the GDPR, and in Germany it doubles as the evidence base for the proportionality argument and the works council discussion. Completing it early, rather than as an afterthought, shapes the configuration and gives the employer a documented defense if the program is ever challenged.
Building a compliant program
A compliant German monitoring program starts with a defined, legitimate purpose, collects only the data necessary for it, and documents the proportionality assessment. It secures a works agreement where a works council exists, informs employees fully, limits retention, and restricts access by role. Each element addresses one of the three legal layers.
The practical order matters: define purpose, run a data protection impact assessment, draft the works agreement, then configure the tool to match, never the reverse. Configuring a maximal system first and negotiating scope afterward is the pattern that most often fails in Germany.
The sequence that succeeds in Germany is deliberate: define the purpose, run the impact assessment, negotiate the works agreement, then configure the tool to match what was agreed. Employers who invert that order, buying and configuring first, repeatedly find themselves unwinding a system that the works council or a regulator will not accept.
How eMonitor fits German requirements
eMonitor is built for the minimal, transparent monitoring German law favors, with configurable data collection, work-hours-only tracking, role-based access, employee self-views, and retention controls that let an employer collect only what a defined purpose needs. Those controls make it straightforward to match a works agreement and a proportionality assessment.
eMonitor is a data processor, and the employer remains the controller responsible for the legal basis, the works council process, and the impact assessment. At $3.90 to $13.90 per user with a 7-day free trial, it gives German employers the granular controls to build a program that meets Section 26, GDPR, and co-determination, without collecting more than the law allows.
Because the employer carries the legal responsibility, the value of a processor like eMonitor lies in how precisely its controls can be dialed down to match a works agreement. Granular toggles, short retention windows, and role-restricted access mean the agreed limits are enforced by the tool itself, not left to manager discretion, which is what German scrutiny expects.