Your responsibilities when monitoring employees with WorkComposer
Last modified: July 8, 2026
This guide is practical information, not legal advice. Employee-monitoring law varies significantly by country, state, and even by workplace agreement. Use this as a starting checklist and consult qualified counsel for your jurisdiction — especially before enabling any covert (“Silent” or “Silent-Extended”) monitoring.
Who this is for
You are the account owner or administrator of a WorkComposer account, and you are (or will be) monitoring your team. In data-protection terms, you are the “controller” — you decide who is monitored and why. WorkComposer is the “processor” — we provide the tools and process the data on your instructions. That means the legal duty to monitor lawfully sits with you, and this guide helps you meet it. (The contractual detail is in our Data Processing Agreement.)
The people you monitor — your employees, workers, or contractors — are the “Monitored Users” and, in law, the “data subjects” with rights over their data.
The short version — a five-point checklist
- 1. Legal basis. I have a valid legal basis for monitoring (see below — usually a “legitimate interest,” not consent, in the employment context).
- 2. Notice. I have clearly told the people being monitored that they are monitored, what is collected, and why — in writing, before monitoring starts.
- 3. Proportionality. The monitoring is limited to what I actually need (right scope, right frequency, no more intrusive than necessary).
- 4. Consultation (where required). I have consulted or notified any works council / employee representatives, and completed a data protection impact assessment where one is required.
- 5. Rights & transparency. I can tell Monitored Users how to see, correct, or object to their data, and I have a way to handle those requests.
If you are enabling Silent / Silent-Extended (covert) monitoring, add a sixth: 6. I have specifically confirmed that covert monitoring is lawful and justified in my situation — the bar is much higher (see the dedicated section below).
1. Establish a lawful basis (GDPR / EU/UK)
- Consent is usually the wrong basis in an employment context. Regulators (and the EDPB's guidance on data processing at work) take the view that employees cannot give genuinely free consent to their employer, because of the power imbalance. Relying on employee consent for monitoring is fragile.
- “Legitimate interests” (Art. 6(1)(f)) is the basis most employers rely on — for example, an interest in security, billing accuracy, or productivity management. To use it, you must run and document a balancing test: your interest vs. the Monitored User's rights and reasonable expectations of privacy. The more intrusive the monitoring (screenshots, URL capture, covert modes), the harder it is to justify.
- Contract or legal obligation may apply in narrower cases.
- Special-category data (Art. 9) — screenshots can incidentally capture health, union, religious, or other sensitive information. If you knowingly process such data, you need an Art. 9 condition too. Configure the Services to minimize this (for example, screenshot frequency, exclusions, or blurring where available).
Article 88 GDPR specifically allows EU Member States to set extra rules for employee data — so check your local law, which may go beyond the GDPR baseline.
2. Give notice (this is non-negotiable)
- that monitoring takes place, and by what tool;
- what is collected (time, activity levels, applications and URLs, screenshots, etc.);
- why (your purposes) and your legal basis;
- how long data is kept (WorkComposer deletes tracking data after one year — see our Data Retention Policy);
- who it is shared with (WorkComposer as processor, and our subprocessors);
- how Monitored Users can exercise their rights and who to contact.
Put this in an employee monitoring policy, an employment-contract clause, or an onboarding acknowledgment. WorkComposer's desktop application also surfaces an “About” notice on the device; that supplements, but does not replace, your own notice. You can also point employees to our Employee Privacy Notice.
3. US state monitoring-notice laws
- New York — requires employers to give written notice of electronic monitoring (email, internet, telephone) to employees upon hiring, with acknowledgment, and to post the notice (N.Y. Civil Rights Law § 52-c).
- Connecticut — requires prior written notice to employees of electronic monitoring (Conn. Gen. Stat. § 31-48d).
- Delaware — requires notice/acknowledgment before monitoring or intercepting employees' telephone, email, or internet use (Del. Code tit. 19 § 705).
- Other states vary; some restrict specific techniques. Federal and state wiretap / electronic-communications laws (for example, the federal ECPA) can also apply to interception of communications.
4. Works councils and co-determination (EU, especially Germany & France)
- Germany — a works council (Betriebsrat) generally has co-determination rights over the introduction and use of technical systems designed to monitor employee behavior or performance (§ 87(1) no. 6 Betriebsverfassungsgesetz). Deploying monitoring software typically requires a works agreement (Betriebsvereinbarung). Skipping this can make the monitoring unlawful and the data unusable.
- France — employers must inform and consult the Comité Social et Économique (CSE) before deploying monitoring tools, inform employees individually, and (historically) consider CNIL formalities. Covert monitoring is very tightly constrained by French case law.
- Other EU states have analogous employee-representation and consultation requirements.
If you operate in these countries, complete the required consultation before enabling monitoring.
5. Covert monitoring — Silent / Silent-Extended (highest risk)
WorkComposer offers monitoring postures (“Silent” and “Silent-Extended”) that reduce the on-screen signals a Monitored User would normally see. Covert monitoring carries substantially higher legal risk than visible monitoring, and in many jurisdictions is lawful only in narrow, exceptional circumstances (for example, a specific, evidenced investigation into serious wrongdoing where overt methods would not work).
- a specific, documented justification (not general productivity monitoring);
- that less intrusive means would not achieve the purpose;
- that you have still met your notice obligations to the extent required (in many places, employees must at minimum be told that covert monitoring may occur, even if not when);
- that you have a documented lawful basis and balancing test specific to the covert use; and
- that you have completed any works-council consultation and DPIA.
WorkComposer providing this capability is not a statement that your use of it is lawful. When you enable a Silent posture in WorkComposer, you will be asked to attest that you have a lawful basis and have met your notice obligations — that attestation reflects your legal responsibility as the controller. You will be asked to re-confirm this attestation every 12 months while a silent posture remains active, and again each time you newly enable silent mode, so that your lawful-basis record stays current.
6. Data protection impact assessment (DPIA)
Under Article 35 GDPR, you must carry out a DPIA before processing that is likely to result in a high risk to individuals. Systematic monitoring of employees is a classic DPIA trigger — and covert monitoring almost always requires one. A DPIA documents what you process, why, the risks, and your mitigations, and it is often the first thing a regulator asks to see.
WorkComposer can provide a DPIA template you can adapt for a WorkComposer deployment — contact support@workcomposer.com to request it. Complete it before you monitor a real team, keep it on file, and update it when your monitoring changes.
7. Data-subject rights and requests
Monitored Users have rights over their data (access, correction, deletion, objection, and more under GDPR Arts. 12–22; comparable rights under some US state laws). As the controller, you are the first point of contact for these requests. WorkComposer will assist you as your processor (see DPA, Section 8). Make sure your Monitored Users know who to contact and that you have an internal process to respond in time (usually one month under GDPR).
How WorkComposer helps
- Processor commitments in our Data Processing Agreement.
- A published Subprocessor list and change notifications.
- A one-year retention limit on tracking data, enforced automatically.
- A device-level notice in the desktop app's About dialog.
- A lawful-basis attestation step before covert postures are enabled.
- A DPIA template to get you started.
- Self-service account and data deletion.
These help you comply — but the legal responsibility for lawful monitoring remains yours as the controller.
This guide is provided for general information only and does not constitute legal advice. Employee-monitoring law is jurisdiction-specific and changes over time. Consult qualified legal counsel for your locations before deploying monitoring, and especially before enabling any covert monitoring. — WorkComposer Inc