News

THE DANISH DATA PROTECTION AGENCY STEPS UP SUPERVISION OF EMPLOYEE MONITORING IN 2026

In 2026, the Danish Data Protection Agency will focus on data controllers and data processors that use new technologies for monitoring and control. This places stricter requirements on companies that use technologies such as access logging, CCTV surveillance, GPS tracking or AI-based solutions.

DATATILSYNET INTENSIVERER TILSYN MED OVERVÅGNING AF ANSATTE I 2026

New technologies increasingly enable employers to monitor and control employees. IT systems, access logging, CCTV surveillance and GPS tracking are already widespread tools in many workplaces, and their use has only grown in recent years.

For this very reason, the Danish Data Protection Agency will place particular focus on this type of processing of personal data in 2026.

Based on a mapping exercise from 2024, the Danish Data Protection Agency will in 2026 carry out targeted inspections of employers’ processing of personal data in connection with the monitoring and control of employees. Since the mapping was conducted, the technology has developed further, as have the requirements employers must comply with.
 

WHAT YOU NEED TO BE AWARE OF
 

If you are an employer and monitor employees, you often process large amounts of personal data. As an employer, you are the data controller for this processing and must therefore comply with the data protection requirements that apply to the processing of personal data.

From the employee’s perspective, monitoring may also be experienced as intrusive, and it can be difficult to object or lodge a complaint. It is therefore crucial that monitoring is carried out with respect for employees’ rights and in compliance with the GDPR.

In addition to the GDPR, the AI Act, which entered into force last year, is also relevant to consider. It may entail requirements, for example regarding risk assessments and transparency, if you use AI-based monitoring that falls within the scope of the Regulation. Similarly, there are requirements for adequate AI skills in the workplace, and as an employer you must ensure that employees and other persons involved in the operation and use of AI systems are trained and have the necessary knowledge of both the capabilities and limitations of the system.

As an employer, you should therefore pay attention to whether the company’s processing of personal data complies with the GDPR requirements, including purpose limitation, legal basis for processing, retention periods and proportionality, as well as whether the requirements of the AI Act are met.

We recommend that the company reviews its policies and practices for the monitoring and control of employees.

Download PDF