Employee Monitoring Laws in Belgium: CLA 81, CLA 68, and GDPR Requirements for 2026

What Does CLA 81 Actually Require From Belgian Employers?

CLA 81 — formally the Collective Labor Agreement No. 81 of 26 April 2002, concluded in the National Labor Council — is the cornerstone of Belgian employee monitoring law for anything involving electronic data. If you are monitoring email traffic, internet usage, application activity, or computer behavior of any kind, CLA 81 applies. Understanding its four requirements in detail is essential before configuring any monitoring platform.

Requirement 1: A Legitimate Purpose From the Defined List

CLA 81 does not permit monitoring for any reason an employer finds commercially convenient. It permits monitoring only for one or more of the following four purposes, which must be declared before monitoring begins:

1. Prevention of unauthorized or illegal online activity. This covers monitoring to detect access to prohibited content, illegal downloads, use of company systems for fraud, or other activity that would expose the employer to legal liability. The monitoring must be targeted at detecting such activity, not general productivity surveillance dressed up as security.
2. Protection of the company's confidential business information and trade secrets. This allows monitoring to detect potential data leakage, unauthorized sharing of proprietary information, or communications that could compromise intellectual property. GDPR's data minimization principle applies alongside this — you cannot collect more data than necessary to detect the specific risk.
3. Security of IT systems and network infrastructure. Monitoring to detect malware, unauthorized access attempts, unusual data transfers, or other activities that could compromise system integrity falls under this purpose. This is the widest-used basis in practice and has the most clearly defined technical scope.
4. Compliance with company communication policies. If you have a documented policy on acceptable use of company communications infrastructure and you are monitoring compliance with that specific policy, CLA 81 permits this. The policy must exist and be documented before the monitoring begins — you cannot retroactively invoke this purpose.

Any purpose outside these four is not permitted under CLA 81. Monitoring purely to track productivity metrics, confirm employees are "working," or gather performance data is not among the permitted purposes — unless it is explicitly tied to one of the four above and the connection is genuine, not a rationalization.

Requirement 2: Works Council Consultation Before Implementation

Before introducing any monitoring that falls under CLA 81, the employer must inform and consult the works council (Conseil d'entreprise / Ondernemingsraad). In companies with fewer than 50 employees where no works council exists, the obligation passes to the union delegation (délégation syndicale / vakbondsafvaardiging). Where no representative body exists at all, employees must be informed through other collective means.

Consultation does not mean the works council has a veto. However, the consultation must be genuine — not a formality completed the day before launch. The works council has the right to receive full information about the monitoring system, express an opinion, and propose modifications. Documented evidence that consultation occurred is essential, because in subsequent labor disputes, the burden falls on the employer to prove compliance. This is also explored in our guide to working with works councils on monitoring in Europe.

Requirement 3: Individual Notice to Each Employee

Beyond works council consultation, CLA 81 requires individual notice to each employee who will be subject to monitoring. This notice must cover:

• What is being monitored (specific data types — email headers vs. content, URL logs, application usage, keystroke intensity)
• The specific CLA 81 purpose or purposes that justify the monitoring
• How long monitoring data will be retained
• Who has access to the monitoring data (role-based access must be defined)
• Employee rights under GDPR (access, rectification, erasure where applicable)

This notice should be in the employee's language — French, Dutch, or German depending on the workplace location in Belgium — and should be delivered in writing with acknowledgment. Adding monitoring terms to the employment contract or employee handbook is good practice, but a standalone notice document is also acceptable.

Requirement 4: Purpose Limitation — The Most Commonly Violated Rule

CLA 81 prohibits using monitoring data for any purpose other than the one declared at the outset. This is where many Belgian employers unknowingly expose themselves to liability. A company that implemented monitoring under the "IT security" purpose and then uses activity logs in a disciplinary proceeding for poor performance has violated CLA 81's purpose limitation rule — even if GDPR's broader legitimate interest basis could theoretically cover the use.

The practical consequence: decide all intended uses of monitoring data before implementation, declare all of them, and document that decision. If you want to be able to use monitoring data for performance management discussions, state that as a purpose from the beginning and ensure it maps to one of the four CLA 81 grounds. Belgian labor courts and the GBA have both taken a strict approach to purpose limitation in workplace monitoring contexts.

How Does EU GDPR Layer on Top of Belgian Monitoring Law?

EU GDPR applies to all processing of personal data about employees in Belgium, including monitoring data. It does not replace CLA 81 or CLA 68 — both frameworks must be satisfied simultaneously. GDPR adds obligations that the CLAs do not cover, and the CLAs add obligations that GDPR does not cover. Together they create Belgium's complete monitoring compliance picture.

Lawful Basis for Processing Monitoring Data

Belgian employers processing employee monitoring data must have a lawful basis under GDPR Article 6. The most commonly used bases in the monitoring context are:

• Article 6(1)(f) — Legitimate interests: The most frequently relied-upon basis. The employer must demonstrate that the monitoring serves a genuine legitimate interest (which must align with a CLA 81 purpose), that the monitoring is necessary for that interest, and that the interest is not overridden by employee privacy rights under a balancing test. A Data Protection Impact Assessment (DPIA) is strongly recommended for systematic monitoring and is mandatory under Article 35 where monitoring is likely to result in high risk to employee rights.
• Article 6(1)(c) — Legal obligation: Applicable where monitoring is required by specific Belgian sectoral regulation, such as financial services supervision or certain safety requirements.
• Article 6(1)(b) — Performance of a contract: Less commonly used for monitoring; the EDPB has expressed skepticism about over-reliance on this basis for employee monitoring beyond what is strictly necessary to perform the employment relationship.

Employee consent (Article 6(1)(a)) is generally unsuitable as a basis for employer monitoring in Belgium due to the power imbalance in the employment relationship — consent is considered unlikely to be freely given. The European Data Protection Board (EDPB) Guidelines 05/2020 on consent and Guidelines 06/2020 on data processing in the employment context both caution against relying on consent for systematic workplace monitoring.

Employee Rights Under GDPR That Apply to Monitoring Data

Employees subject to monitoring in Belgium have the following GDPR rights that employers must be prepared to fulfill:

• Right of access (Article 15): Employees can request a copy of all personal data held about them, including monitoring records. Employers must respond within 30 days.
• Right to rectification (Article 16): Employees can request correction of inaccurate data. Relevant for attendance records and time data.
• Right to erasure (Article 17): Employees may request deletion of monitoring data that is no longer necessary for its stated purpose. This right is subject to exceptions where retention serves a legitimate legal purpose.
• Right to object (Article 21): Where processing is based on legitimate interests, employees have the right to object. The employer must demonstrate compelling legitimate grounds to continue.
• Right to data portability (Article 20): Applies where processing is based on consent or contract and carried out by automated means. Limited relevance in most monitoring contexts.

These rights must be addressed in the employee monitoring policy and individual notices. See our employee monitoring consent and notice form templates for practical documentation that covers GDPR rights disclosure.

The GBA's Enforcement Record: Real Numbers

The Gegevensbeschermingsautoriteit (GBA) — Belgium's data protection authority — has demonstrated that workplace monitoring violations attract serious financial consequences. Notable enforcement actions include:

• A Belgian telecom company received a fine of €525,000 for systemic GDPR violations that included inadequate employee notice and excessive data retention across monitoring systems.
• The GBA issued multiple decisions between 2021 and 2024 finding employers had insufficient legal basis for email content monitoring that went beyond what was disclosed to employees.
• In its 2023 annual report, the GBA identified workplace data processing as one of its three priority investigation areas, signaling ongoing enforcement focus through at least 2026.
• The EDPB's coordinated enforcement action on data subject access rights (2022-2023) found that 50% of EU organizations failed to properly fulfill access requests — particularly relevant for employers holding employee monitoring data.

Fines under GDPR in Belgium can reach up to €20 million or 4% of global annual turnover, whichever is higher, for the most serious violations. For employer monitoring violations, the GBA has typically applied fines in the €50,000–€525,000 range depending on the severity and scale.

Seven Practical Steps to Belgian Monitoring Compliance in 2026

This framework translates the legal requirements above into an actionable implementation sequence. Work through these steps in order — each step builds on the previous one, and the documentation from earlier steps is needed to satisfy requirements in later steps.

1. Step 1: Define Your Legitimate Purpose (CLA 81 Grounds)

   Before doing anything else, determine which of the four CLA 81 permitted purposes genuinely applies to your monitoring program. Be specific: "IT security monitoring to detect malware and unauthorized access" is a valid purpose. "We want to see what employees are doing" is not. Document this decision in writing, including the business rationale. If you intend to use monitoring data for multiple purposes — including performance discussions — list all of them now and map each to a CLA 81 ground. Changing declared purposes after implementation is far more disruptive than front-loading this analysis.

2. Step 2: Conduct a Data Protection Impact Assessment (DPIA)

   Under GDPR Article 35, a DPIA is mandatory before implementing monitoring that is likely to result in a high risk to employees' rights and freedoms. Systematic monitoring of work activity qualifies in most cases. The DPIA documents the nature and purpose of the monitoring, the necessity and proportionality assessment, the risks identified, and the measures taken to mitigate those risks. The GBA has published sector-specific DPIA guidance that is relevant for Belgian employers. Retain the completed DPIA as part of your ROPA (Record of Processing Activities).

3. Step 3: Inform and Consult the Works Council

   Present the proposed monitoring program to the works council with full documentation: what system will be used, what data will be collected, the stated CLA 81 purpose, retention periods, and access controls. Allow genuine time for the works council to review, ask questions, and express its opinion. Document the consultation date, the information provided, the works council's response, and any modifications made as a result. This documented record is your primary defense in any future labor dispute about the lawfulness of the monitoring.

4. Step 4: Update Employment Policies and Documentation

   Revise your acceptable use policy, employee handbook, and any relevant employment contract clauses to reflect the monitoring program. The employee monitoring policy template covers the specific clauses required under Belgian law. Ensure the policy is available in the relevant workplace language(s) — Dutch for Flanders, French for Wallonia and Brussels, German for the German-speaking community. Translate and adapt as needed; using a French-only policy in a Dutch-speaking workplace will not satisfy the individual notice requirement.

5. Step 5: Deliver Individual Notice to Each Employee

   Send individual written notice to every employee subject to monitoring. This is not a collective announcement — each employee must receive personal notice. The notice must cover: what is monitored, the CLA 81 purpose, retention period, who has access, and GDPR rights. Obtain acknowledgment of receipt (signed or electronic). For new employees, include monitoring notice in the onboarding documentation. Retain acknowledgment records. See our employee monitoring notice form for a Belgium-specific template.

6. Step 6: Configure Monitoring to Minimize Data Collection

   Configure your monitoring platform to collect only what is necessary for the stated purpose. If your stated purpose is IT security, there is no justification for capturing full email content — metadata and anomaly detection may be sufficient. eMonitor allows granular configuration of what is captured, at what frequency, and for which employee groups. Role-based access controls should limit who can view sensitive monitoring data. Set automatic data deletion schedules that match your declared retention period. Document your configuration choices and why they reflect data minimization principles.

7. Step 7: Document Everything in Your ROPA

   Under GDPR Article 30, organizations with more than 250 employees (and smaller organizations processing monitoring data regularly) must maintain a Record of Processing Activities. Your ROPA entry for employee monitoring should document: the data controller identity, purpose of processing, categories of data subjects and data, recipients, transfers outside the EU (if any), retention periods, and a general description of security measures. Update the ROPA whenever the monitoring program changes. The GBA can request your ROPA during an audit, and an up-to-date ROPA demonstrates accountability — one of GDPR's core principles.

How Does eMonitor Support Belgian Compliance Requirements?

Belgian employers choosing a monitoring platform need one that can be configured to operate transparently within CLA 81's boundaries, not one that defaults to maximum data collection. eMonitor is built around transparent, disclosed monitoring — the kind that aligns with how Belgian law expects monitoring to work.

Granular Scope Configuration for Data Minimization

eMonitor allows you to configure precisely which data categories are captured for which employee groups. You can enable application usage tracking for IT security purposes while disabling screenshot capture for roles where visual oversight is not proportionate. Monitoring scope can be set by team, role, or individual, allowing the data minimization principle to be applied practically rather than theoretically. This configuration produces a defensible record of why each monitoring element was enabled — useful documentation for your DPIA and for any GBA audit.

Transparent Employee Dashboards

Every employee subject to monitoring through eMonitor has access to their own dashboard, where they can see the same activity data their manager sees. This transparency is not just a feature — it is a compliance mechanism. Where employees can see what is being collected about them, the transparency requirement under GDPR Article 5(1)(a) and CLA 81's individual notice requirement are reinforced in practice, not just on paper. Employees who can see their own data are also less likely to raise GBA complaints about undisclosed monitoring.

Role-Based Access Controls

CLA 81 requires that access to monitoring data be restricted to those with a legitimate need. eMonitor's role-based access system allows you to define exactly who can view what level of monitoring data — line managers may see team-level activity summaries while only HR directors and IT security teams can access detailed logs. These access restrictions, once configured, are logged automatically, providing an audit trail that demonstrates you have operationalized the access limitation requirement, not just written about it in a policy.

Automated Data Retention and Deletion

Setting a retention period in a policy document is easy. Enforcing it when you have years of monitoring data across hundreds of employees is harder. eMonitor's retention management allows you to set automatic deletion schedules aligned with your declared retention periods. When data reaches its retention limit, it is deleted automatically without requiring manual intervention — eliminating the gap between declared and actual retention that the GBA frequently finds in employer audits. This directly addresses GDPR Article 5(1)(e)'s storage limitation principle.

eMonitor pricing starts at $3.50 per user per month — a cost that is typically recovered many times over in reduced compliance risk and administrative overhead compared to managing monitoring through ad-hoc IT tools without centralized controls. For organizations managing Belgian compliance alongside broader EU GDPR requirements, a single configured platform is far more manageable than multiple siloed tools.

Legal Sources and Further Reading

This guide draws on the following primary and authoritative sources. Consult these directly — or work with a Belgian employment lawyer who has — before finalizing your monitoring compliance program.

• CLA 81: Collective Labor Agreement No. 81 of 26 April 2002 on the protection of privacy of employees with regard to the monitoring of electronic online communication data, National Labor Council (Conseil National du Travail / Nationale Arbeidsraad) — cnt-nar.be
• CLA 68: Collective Labor Agreement No. 68 of 16 June 1998 on camera surveillance in the workplace, National Labor Council — cnt-nar.be
• CLA 85: Collective Labor Agreement on structural telework and remote work conditions, National Labor Council
• Belgian Act of 13 June 2005: Loi du 13 juin 2005 relative aux communications électroniques — etaamb.be
• Private Investigation Act (amended 2024): Loi du 19 juillet 1991 relative à l'exercice de la profession d'enquêteur privé, as amended — Belgian Official Gazette
• GBA / APD: Gegevensbeschermingsautoriteit / Autorité de protection des données — enforcement decisions and sector guidance available at gegevensbeschermingsautoriteit.be
• EDPB Guidelines 06/2020: European Data Protection Board, Guidelines on the processing of personal data in the context of connected vehicles and mobility related applications — workplace context guidance
• EDPB Opinion 2/2017: Data processing at work — provides interpretive guidance on the balance between employer monitoring interests and employee privacy under GDPR
• Belgian Labor Code: Loi du 5 décembre 1968 sur les conventions collectives de travail et les commissions paritaires — the statutory basis for the CLA system