Employee Monitoring Laws in Denmark: GDPR, Datatilsynet Rules, and 2026 AI Monitoring Inspections

Why 2026 Is a Critical Year for Danish Employers Using Monitoring Technology

The Datatilsynet does not inspect companies at random. Each year, Denmark's Data Protection Authority publishes a formal inspection plan identifying the sectors and processing activities it will proactively target. For 2026, the Datatilsynet made an unusually specific declaration: it will conduct systematic inspections focused on four categories of workplace monitoring that have generated increasing volumes of complaints and enforcement inquiries.

Those four categories are:

1. AI-based employee monitoring and automated decision-making — tools that generate productivity scores, performance rankings, attendance risk flags, or any other output that influences employment decisions without human review
2. GPS tracking of field and delivery employees — following the 2024 IDdesign enforcement action, the Datatilsynet has identified out-of-hours GPS tracking as a systemic problem across Danish industries
3. CCTV surveillance in workplaces — particularly camera systems aimed at workstations or designed to monitor work behavior rather than secure physical premises
4. Biometric access control systems — fingerprint scanners, facial recognition, and other biometric authentication tools used for time and attendance or building access

This is not a theoretical compliance concern. Danish employers operating these technologies in 2026 face an elevated and quantifiable probability of receiving an inspection notice from the Datatilsynet. Organizations that have not yet documented their monitoring practices, completed a Data Protection Impact Assessment (DPIA), or updated employee notices are at significant risk of a binding enforcement order — and potentially an administrative fine of up to 20 million EUR or 4 percent of global annual turnover.

The practical implication is straightforward: 2026 is the year to get Danish monitoring compliance right, not the year to plan to address it.

What Datatilsynet Enforcement Cases Tell Danish Employers

The Datatilsynet publishes its enforcement decisions, and those decisions provide the clearest available guidance on where Danish monitoring law draws its practical lines. Three decisions and one formal position are particularly instructive for employers operating monitoring technology in 2026.

IDdesign: The GPS Tracking Fine That Changed the Landscape

In 2024 the Datatilsynet issued a critical decision against IDdesign, a major Danish furniture retailer, for unlawful GPS tracking of employees. The core violation was straightforward: IDdesign had deployed a fleet tracking system that continued to record the GPS location of company vehicles outside working hours. Employees using company vehicles were tracked during evenings, weekends, and leave periods without their knowledge that out-of-hours tracking was active, and without any documented legitimate purpose for collecting location data when employees were off duty.

The Datatilsynet found multiple GDPR violations. The out-of-hours tracking lacked a lawful basis: the employer's legitimate interest in fleet management and vehicle protection did not extend to tracking employees' private movements when they were not working. The employees had not been adequately informed that the tracking system operated outside working hours. The data collected outside working hours served no documented purpose, violating the GDPR data minimization principle. The Datatilsynet's decision resulted in a formal reprimand and a binding order to implement technical controls disabling tracking outside employee working hours.

The practical implications of IDdesign for Danish employers are wide-ranging. Any GPS monitoring system — whether vehicle-based, mobile app-based, or wearable — must be technically configured to disable tracking at the end of an employee's working hours. Relying on employees to disable tracking themselves is insufficient: the employer must implement the control at the system level. The decision has been referenced in subsequent Datatilsynet guidance as the basis for the 2026 GPS inspection priority.

AI Monitoring and Automated Decision-Making: The Datatilsynet's Position

The Datatilsynet has issued formal guidance stating that AI-based monitoring tools that generate automated assessments of employee performance, productivity, or behavior without human oversight violate GDPR Article 22 where those assessments influence employment decisions. The authority has specifically named productivity scoring software, attendance anomaly detection tools, and AI systems that flag employees for manager review based on behavioral patterns as falling within Article 22's scope.

Article 22 applies where a decision is: (1) based solely on automated processing, and (2) produces a legal effect or similarly significant effect on the employee. The Datatilsynet's position is that a "similarly significant effect" includes automatic escalation to a manager for performance review, generation of a productivity score that forms the basis of an appraisal, and any flag that materially affects how the employee is treated in the employment relationship, even if a human nominally makes the final decision. An AI system that produces a performance ranking and a manager who simply approves it without independent review does not satisfy the human oversight requirement.

Lawful AI monitoring under Article 22 in Denmark requires one of three conditions: the employee has given explicit (not implied) consent; the processing is authorized by a specific law; or, crucially for Denmark, a collective agreement expressly authorizes the automated processing. This collective agreement authorization route is the primary lawful basis for AI monitoring in practice, because explicit consent is fragile in employment relationships (the Datatilsynet takes the same position as Sweden's IMY that consent cannot be freely given given the power imbalance) and because few Danish laws specifically authorize AI monitoring. Organizations deploying AI productivity analytics must check whether their applicable collective agreement authorizes this processing and, if not, obtain a legal opinion on the Article 22 compliance pathway.

Biometric Data: Zero Tolerance for Disproportionate Deployment

The Datatilsynet has consistently held that biometric data collection requires a compelling justification because biometric data is a special category under GDPR Article 9 and, in the employment context, employees cannot meaningfully consent given the power imbalance. The use of fingerprint scanners or facial recognition for time and attendance in a typical office or retail environment — where alternative methods like PIN codes or badge systems are readily available and equally effective — does not meet the proportionality standard. The Datatilsynet has stated that biometric authentication for employee time and attendance is only justified where: (a) security requirements for the specific environment genuinely cannot be met by less intrusive methods, and (b) explicit consent is obtained or a specific legal basis applies.

The 2026 inspection program targets biometric workplace controls specifically because the Datatilsynet has observed widespread deployment of fingerprint attendance systems without the required legal basis documentation. Organizations currently using fingerprint or facial recognition for time and attendance should urgently review their legal basis, document it, and assess whether less intrusive alternatives could achieve the same objective.

CCTV Enforcement Patterns

The Datatilsynet has issued multiple decisions regarding workplace CCTV that establish the following pattern: cameras placed at exits, entrances, and areas with legitimate security concerns are generally compliant where employees are notified and data is retained for no more than 30 days. Cameras positioned at individual workstations or service points to monitor work performance face heightened scrutiny. Cameras in break rooms, toilets, changing rooms, or other areas where employees have a reasonable expectation of privacy are prohibited. The Datatilsynet has enforced CCTV compliance through binding orders requiring camera removal, data deletion, and policy revision, in addition to referring particularly serious violations for potential criminal prosecution under Danish law.

What Are the Rules for GPS Tracking Danish Employees?

GPS monitoring is one of the most tightly regulated forms of employee monitoring in Denmark, and the IDdesign decision has defined the compliance boundary more precisely than any prior guidance. Danish employers using GPS tracking — whether for fleet vehicles, delivery drivers, field service technicians, or mobile workforce management — must meet specific requirements before and during GPS data collection.

Permitted Purposes for GPS Tracking

The Datatilsynet has identified the following as legitimate purposes that can support a lawful basis for GPS tracking of Danish employees: route management and optimization for delivery or field service operations; verification of customer visit times and locations for billing or service level compliance; employee safety monitoring in isolated or high-risk environments; and management of company vehicle utilization. Purposes that do not satisfy the legitimate interest standard include: general performance surveillance of desk-based employees using mobile devices; tracking employee movements during rest breaks taken away from the worksite; and monitoring personal vehicle use outside working hours.

Work Hours Only: The Technical Requirement

The IDdesign decision established that work-hours-only GPS tracking is not merely best practice in Denmark — it is a legal requirement. Tracking outside working hours lacks a lawful basis because the employer's legitimate operational interest in employee location does not extend beyond the working day. Employers must implement technical controls that disable GPS tracking at the end of each employee's working hours, rather than relying on employee self-compliance or general policy statements.

Acceptable technical implementations include: automatic tracking suspension when the employee clocks out through the monitoring system; geofence-based tracking that activates only when the employee is within defined work territories during working hours; and mobile app configurations that disable location permissions outside scheduled work hours. Manual policies requiring employees to disable tracking themselves are insufficient because they create the risk of inadvertent out-of-hours collection, which the employer remains responsible for.

Employee Notification for GPS Monitoring

Employees must be informed of GPS monitoring in writing before tracking begins. The notification must specify: what location data is collected (continuous GPS coordinates, periodic check-ins, geofence entry/exit); the frequency of data collection; who can access the location data; the retention period (Datatilsynet recommends a maximum of 30 days for routine GPS logs); the lawful basis for processing; and employees' rights to access their location data and object to processing under GDPR Article 21. Providing this information in an employment contract appendix or a dedicated monitoring policy distributed to affected employees before the monitoring commences satisfies the notification requirement.

DPIA Requirement for GPS at Scale

The Datatilsynet's DPIA obligation list includes large-scale processing of location data. Any employer tracking GPS data for more than a small number of employees — the guidance suggests this threshold is relatively low, given that location data can reveal sensitive information about employees' personal movements — should complete a DPIA before deploying GPS monitoring. The DPIA must assess the specific risks to employees (privacy intrusion, profiling risk, potential for data misuse), the measures taken to mitigate those risks, and the proportionality of the monitoring relative to the stated purpose. A DPIA template for GDPR employee monitoring compliance provides a starting framework that can be adapted for the Danish GPS context.

How Do Collective Agreements Shape Employee Monitoring in Denmark?

Collective agreements occupy a more significant role in Danish employment monitoring compliance than in most other EU countries. They can both restrict monitoring below what GDPR would otherwise permit, and authorize monitoring (including AI monitoring under Article 22) that would otherwise require explicit consent. Navigating this dual function correctly is one of the more complex aspects of Danish monitoring compliance.

Consultation Requirements Before Deploying Monitoring Tools

Most Danish collective agreements include provisions requiring employers to consult with union representatives or shop stewards (tillidsrepresentanter) before introducing new monitoring technologies. The consultation requirement typically applies to any monitoring system that: collects data about individual employee performance or behavior; operates continuously rather than episodically; or affects working conditions in a way that employees could reasonably consider a change to their contract of employment. Employers who bypass this consultation do not necessarily violate GDPR, but they breach the collective agreement, which can result in arbitration proceedings and damages awards from the Danish Industrial Court.

Consultation is not a veto right in most Danish agreements: the employer who has consulted and not reached agreement with employee representatives can generally proceed with deployment. But the consultation must be genuine — not a formality — and its outcome documented. The Datatilsynet treats evidence of genuine employee consultation as a positive factor in proportionality assessment.

Agreement Provisions That Restrict Monitoring Scope

Common collective agreement restrictions on monitoring in Denmark include:

• Prohibition on using monitoring data as the sole or primary basis for disciplinary action (the monitoring data must be corroborated by manager observation or other evidence)
• Requirements for a minimum notice period — often 1 to 3 months — before a new monitoring system becomes operational for employees covered by the agreement
• Restrictions on continuous screenshot capture or keystroke logging without specific incident justification
• Employee rights to receive regular summaries of their own monitoring data
• Restrictions on retaining monitoring data beyond defined periods (some agreements specify 3 months for activity data, shorter for location data)

These provisions interact with GDPR requirements. Where a collective agreement provides a shorter retention period than the employer's GDPR retention analysis would support, the shorter period applies. Where the agreement restricts a monitoring practice that GDPR might otherwise permit, the restriction applies. The employee monitoring policy template can be configured to reflect collective agreement obligations alongside GDPR requirements.

Agreement Provisions That Authorize AI Monitoring

As noted above, GDPR Article 22(2)(b) as implemented in Denmark allows collective agreements to authorize automated decision-making affecting employees, provided appropriate safeguards are put in place. The key question for Danish employers is whether their applicable collective agreement actually contains such authorization. Most existing Danish collective agreements were negotiated before AI productivity monitoring tools became widespread, and do not include explicit AI monitoring provisions. An agreement that refers generally to "use of IT systems for work management" or "electronic monitoring" may not be specific enough to satisfy the Article 22 requirement that the authorization be sufficiently precise and subject to defined safeguards.

Employers seeking to deploy AI monitoring tools in 2026 should: review their applicable collective agreement text with a Danish employment lawyer; assess whether existing provisions cover the specific AI monitoring tool they intend to deploy; and, if not, engage with the relevant union to negotiate an agreement amendment or a specific technology agreement (IT-aftale) that addresses AI monitoring under appropriate safeguards. Many Danish unions are willing to negotiate AI monitoring agreements where the employer is transparent about what the system does, how it is used, and what safeguards apply.

How Does Denmark's Approach Compare to Sweden and Norway?

Nordic employers operating across multiple countries often treat the three countries as a single compliance jurisdiction. This is a mistake: Denmark, Sweden, and Norway take meaningfully different approaches to employee monitoring, and the differences matter particularly in 2026 given Denmark's targeted inspection program.

Organizations operating across the Nordic region should treat each jurisdiction as distinct and maintain country-specific monitoring policies. The Sweden employee monitoring guide and the Norway employee monitoring guide provide the equivalent analysis for those jurisdictions. For EU-wide AI monitoring obligations that overlay all three countries, the EU AI Act employee monitoring guide covers the additional obligations taking effect through 2025 and 2026.

Danish Employee Monitoring Compliance Checklist for 2026

This checklist reflects the Datatilsynet's 2026 inspection priorities and the core GDPR and Danish Data Protection Act requirements. Use it to assess your current monitoring program and identify gaps before the Datatilsynet arrives.

Documentation and Legal Basis

• Identify the lawful basis under GDPR Article 6 for each monitoring activity and document it in a Record of Processing Activities (ROPA)
• For AI monitoring that produces outputs influencing employment decisions, identify the Article 22 gateway (explicit consent, legal basis, or collective agreement authorization) and document it
• For any processing of special category data (biometrics, health data), identify the Article 9 condition and document it
• Review applicable collective agreements for monitoring-specific provisions and ensure monitoring configurations comply with those provisions
• Complete a DPIA for: AI monitoring systems, GPS tracking at scale, biometric access control, and continuous screenshot or activity monitoring deployed across the workforce

GPS-Specific Requirements (Post-IDdesign)

• Implement technical controls — not just policies — that disable GPS tracking at clock-out
• Verify that no GPS data is collected outside declared working hours
• Issue written employee notifications specifying what location data is collected, frequency, retention period, and employee rights
• Configure automatic deletion of GPS logs at 30 days (or the retention period specified in the DPIA)
• Document the specific operational purpose for GPS monitoring (route management, visit verification, safety) with supporting analysis

CCTV Requirements

• Post conspicuous notices at every camera location before cameras become operational
• Document the security purpose for each camera installation
• Remove or redirect cameras pointed at individual workstations for performance monitoring (rather than security)
• Configure automatic CCTV footage deletion at 30 days (or shorter where possible)
• Conduct employee consultation before installing new cameras where required by collective agreement

Biometric Access Control

• Audit all biometric systems (fingerprint, facial recognition, iris scanning) currently used for time and attendance or building access
• For each system, assess whether a less intrusive alternative (PIN, badge, mobile app) could achieve the same objective
• Where biometric systems are retained, document the specific necessity and complete a DPIA
• Prepare to respond to a Datatilsynet inspection request regarding biometric access control in 2026

AI Monitoring and Automated Decision-Making

• Map all AI or automated tools that analyze employee behavior, productivity, or performance
• For each tool, assess whether its outputs constitute Article 22 automated decision-making with significant effects
• For tools caught by Article 22, identify the lawful gateway and document it
• Implement and document substantive human oversight processes — not rubber-stamp approvals
• Complete a DPIA for AI monitoring tools before deployment

Employee Transparency

• Issue a monitoring-specific privacy notice (separate from the general employment privacy notice) to all employees subject to monitoring
• Ensure the notice describes each monitoring tool, what data it collects, the frequency, retention period, lawful basis, and employee rights
• Provide employees with access to their own monitoring data through a self-service mechanism
• Document employee notification dates to demonstrate pre-deployment compliance

Download the full editable version of this checklist through the employee monitoring policy template, which includes Word and PDF formats pre-mapped to GDPR and Datatilsynet requirements.

How Can eMonitor Support Danish Monitoring Compliance?

eMonitor is designed around the principle that monitoring should happen during work hours, with employee visibility, and with data retained only as long as needed. These design choices align directly with the Datatilsynet's requirements and make Danish compliance configuration straightforward rather than a retrofit exercise.

Work-Hours-Only Tracking

eMonitor's time tracking and activity monitoring activates only when an employee is clocked in. When an employee clocks out, monitoring stops. There is no mechanism for capturing data outside working hours, which eliminates the IDdesign-category violation from the outset. This is a technical control — not just a policy — which is precisely what the Datatilsynet's GPS decision requires.

Employee-Visible Dashboards

Every eMonitor user has access to their own monitoring dashboard showing their tracked hours, activity patterns, and productivity data. This transparency mechanism addresses the Datatilsynet's requirement for employee notification and access rights simultaneously: employees can see their own data without needing to submit a formal data subject access request. Transparent monitoring is the most effective way to meet both legal requirements and collective agreement expectations about employee awareness.

Configurable Data Retention

eMonitor's retention settings can be configured to automatically delete monitoring data at the employer's specified retention period. Setting a 30-day automatic deletion for activity logs aligns with Datatilsynet guidance for routine monitoring data. DPIA documentation should reference the configured retention period and confirm that automatic deletion is active — this is the kind of evidence that demonstrates good-faith compliance during an inspection.

Granular Monitoring Scope Control

Danish employers concerned about biometric data incidentally captured by monitoring tools (for instance, a screenshot monitoring system that might capture a health portal or union website in the background) can use eMonitor's screenshot blur feature to protect sensitive on-screen content. The configurable activity monitoring scope allows employers to restrict what categories of application or website activity are tracked, supporting the data minimization principle and reducing the risk of special category data capture.

The Role of eMonitor in the DPIA Documentation Process

A DPIA is a documentation exercise that requires an accurate description of what monitoring data is collected, by whom, for what purpose, and under what controls. eMonitor's audit log and data processing documentation provide the factual basis for completing a DPIA accurately. Organizations using eMonitor can use the platform's own documentation of its data processing (available from eMonitor's Data Processing Agreement) as a starting point for the technical section of their DPIA, complemented by the employer's own policy documentation and risk assessment.

Frequently Asked Questions: Employee Monitoring Laws in Denmark