Hard limits on a boss’s right to track workers

As hybrid and flexible working models continue to evolve, Irish employers are increasingly turning to digital tools to understand how work is being carried out, write Lewis Silkin legal director James Stewart (main picture) and paralegal Rachael Lawless (small picture).

Location-tracking software, QR code attendance systems, and vehicle telematics are becoming part of the modern workplace infrastructure.

Yet these technologies raise difficult questions about privacy, proportionality, and the limits of employer oversight.

At the centre of the debate is a fundamental tension: how to balance an employer’s legitimate interest in monitoring productivity and ensuring operational efficiency with a worker’s right to privacy and autonomy.

Irish law does not prohibit workplace monitoring, but it does impose strict conditions on how, when, and why it can occur.

Understanding these boundaries is essential for employers seeking to adopt new technologies without overstepping legal or ethical lines.

Legal framework: GDPR and Irish context

Any form of employee monitoring involves the processing of personal data and must therefore comply with the GDPR and the Data Protection Act 2018.

Location data is particularly sensitive because it can reveal patterns of behaviour, private life, and movements outside working hours.

According to the Irish Data Protection Commission’s guidance on employer vehicle tracking, the use of in‑vehicle tracking “carries a high risk of interfering with the privacy and data protection rights of the employee.”

It adds that employers must ensure that tracking is limited to working hours and supported by a Data Protection Impact Assessment (DPIA) where monitoring is systematic or intrusive.

Employers must identify a lawful basis for processing.

Consent is rarely valid in an employment context due to the imbalance of power.

Instead, employers typically rely on “legitimate interests” or, in some cases, “performance of a contract.”

However, legitimate interests require a balancing test: the employer’s needs must not override the employee’s fundamental rights.

Transparency is also essential. Employees must be clearly informed about what data is collected, why it is collected, how long it will be retained, and who will have access to it.

In many cases, a DPIA is mandatory, particularly where monitoring is systematic or potentially high‑risk.

Can a worker refuse monitoring?

In practice, yes – if the monitoring is disproportionate, inadequately justified, or overly intrusive.

Employees have the right to object to processing based on legitimate interests.

When they do, the employer must stop unless it can demonstrate compelling grounds that override the employee’s rights.

Continuous or real-time tracking, especially outside working hours, is unlikely to meet this threshold.

For example:

• Tracking an employee’s precise location throughout the day when a simple check‑in system would suffice is unlikely to be considered necessary,
• Monitoring staff during breaks, commutes, or personal time is almost certainly unlawful,
• Using location data for purposes unrelated to the original justification, such as disciplinary action unrelated to safety or attendance, would breach GDPR principles.

Irish case law has also underscored the importance of purpose limitation.

In Doolin v Data Protection Commissioner, the Court of Appeal held that CCTV installed for security purposes could not lawfully be reused for disciplinary action, as this exceeded the original stated purpose.

Although the case concerned video surveillance, the same principle applies to location data: employers cannot repurpose tracking information for unrelated objectives.

The key question is always whether the monitoring is necessary and proportionate to achieve a legitimate aim. If not, an employee’s refusal is likely to be upheld.

Can employer insist on vehicle tracking?

Vehicle tracking is common in sectors such as logistics, utilities, and field services.

Employers often justify it on grounds of safety, route optimisation, asset protection, or compliance with regulatory obligations.

These can be legitimate interests, but only if implemented correctly.

Irish data protection guidance makes clear that:

• Tracking must be limited to working hours,
• Employees must be fully informed about the nature and purpose of the tracking,
• Tracking must not be used for unrelated purposes,
• A privacy mode must be available where vehicles are used for both business and personal use,
• A DPIA is required where tracking is systematic or high risk.

If an employer cannot provide a privacy mode or cannot justify continuous tracking, insisting on vehicle monitoring may breach GDPR.

The position in Britain is broadly similar, with the Information Commissioner’s Office (ICO) emphasising proportionality and the avoidance of excessive monitoring.

Can attendance data be linked to pay?

This is one of the most topical issues in the modern workplace.

Many employers are exploring ways to encourage in‑office attendance, and some are considering linking attendance to pay, bonuses, or promotion opportunities.

GDPR does not prohibit this.

What it regulates is the collection and use of the underlying data.

If an employer uses QR codes, swipe cards, or digital check‑ins to record attendance, the data must be processed lawfully and transparently.

Provided the monitoring is proportionate and limited to verifying attendance, employers may rely on legitimate interests.

However, several pitfalls must be avoided:

• The monitoring must not be more intrusive than necessary. Tracking precise location when a simple entry log would suffice is unlikely to be justified,
• Employees must be clearly informed that attendance data will influence pay or promotion decisions,
• The system must not capture data outside working hours or in private spaces,
• The employer must ensure that the use of attendance data does not indirectly discriminate against certain groups, such as employees with disabilities or caring responsibilities.

Irish workplace surveillance guidance also stresses that employees must be clearly informed about how attendance data will be used and that any monitoring must remain proportionate to the employer’s stated objective.

Linking attendance to reward is therefore permissible – but only if the underlying monitoring is lawful, proportionate, and transparent.

Striking the right balance

The challenge for employers is not whether they can monitor, but how to do so responsibly.

The most successful approaches share three characteristics:

1. Transparency: employees should never be surprised by monitoring. Clear, accessible policies are essential,
2. Proportionality: employers should choose the least intrusive method capable of achieving the intended purpose,
3. Trust: monitoring should support, not undermine, the employment relationship. Overly intrusive systems can damage morale, erode trust, and expose employers to legal risk.

Looking ahead, EU level developments such as the AI Act and the Platform Work Directive are expected to increase scrutiny of digital monitoring tools, particularly where they involve automated decision making or algorithmic management.

Additional obligations may also emerge subject to the outcome of the Digital Omnibus initiative, which is intended to consolidate and update several strands of EU digital regulation and may further shape employer responsibilities in this area.

Privacy expectations

As workplace technologies continue to evolve, so too will expectations around privacy, transparency and oversight.

Employers who approach monitoring with care, clarity and respect for employee rights will be best placed to navigate this complex and rapidly changing landscape.