Workplace monitoring in Romania has expanded rapidly as employers adopt digital tools such as CCTV, access control systems, GPS tracking, and corporate email monitoring to manage their workforce more effectively. These technologies are now common in sectors such as retail, logistics, manufacturing, and IT. While they can enhance security, productivity, and compliance, they also raise significant data protection concerns.
Romanian employers must strike a careful balance between their legitimate business interests and employees’ fundamental rights to privacy and data protection. Workplace monitoring is not prohibited, but it is tightly regulated under the General Data Protection Regulation (GDPR) and Romanian labour law. Poorly implemented monitoring practices frequently lead to sanctions, labour disputes, and reputational damage.
Legal framework governing workplace monitoring in Romania
Workplace monitoring in Romania is primarily regulated by the GDPR, supplemented by national labour legislation and guidance from the Romanian data protection authority. Employers are required to respect core data protection principles such as lawfulness, transparency, proportionality, and data minimisation.
In parallel, Romanian labour law protects employees’ dignity and private life, even during working hours. This means that monitoring measures must always be justified, limited to what is strictly necessary, and implemented with appropriate safeguards. Blanket or intrusive surveillance is rarely defensible.
Lawful grounds for monitoring employees
Employers often assume that monitoring can be justified simply because equipment or systems belong to the company. In practice, this is not sufficient. Monitoring must be based on a valid legal ground under GDPR.
Legitimate interest is the most commonly relied-upon basis, but it requires a careful balancing test. Employers must be able to show that the monitoring is necessary to achieve a legitimate aim, such as protecting assets, ensuring workplace safety, or preventing misconduct, and that these interests are not overridden by employees’ rights.
Consent is rarely appropriate in the employment context, as it is difficult to demonstrate that consent is freely given when there is an imbalance of power. Romanian authorities and courts are generally sceptical of employer reliance on employee consent for monitoring activities.
CCTV surveillance in the workplace
CCTV is one of the most visible and heavily scrutinised forms of workplace monitoring. Romanian employers may install cameras for security purposes, prevention of theft, or health and safety reasons. However, cameras must never be used to continuously monitor employee performance.
A very critical consideration must be made in the placement of CCTVs. It is absolutely forbidden to monitor areas with toilets, changing rooms, or any rest area. In areas where it would be permissible, camera coverage should be as limited as possible, and recording should not be carried out where live monitoring would suffice.
The data subjects have to be clearly informed of the presence of CCTV, purposes of recording, retention period, and their rights in that respect. Lacking or unclear notices are one of the most frequent failures detected during the Controls.
Monitoring of emails, internet, and communications
Monitoring corporate e-mail accounts or Internet use is especially tricky. Employers can certainly put some limits on the use of work tools, yet reading private communications is an extremely sensitive issue.
Romanian courts, as well as European case law, require employers to take a graduated approach: first, less intrusive measures should be taken, such as traffic monitoring or access logs, and only then content review should be considered. Access to the content of e-mails is to be allowed only in exceptional cases when there is a strong suspicion of misconduct and no other measures are possible
Clear internal policies are essential. Employees must know whether personal use of work email is permitted and under what conditions monitoring may occur. Silent or covert monitoring almost always leads to compliance issues.
GPS tracking and employee location monitoring
GPS tracking is frequently used in logistics, delivery, and field-based roles. While it may be justified for route optimisation, vehicle security, or safety reasons, continuous tracking can easily become excessive.
Romanian employers must ensure that tracking is limited to working hours and that data is not used for purposes unrelated to employment. Monitoring employees outside working time, or using location data to assess performance without transparency, exposes companies to significant legal risk.
Transparency and employee information obligations
Transparency is one of the most critical compliance requirements. Employers must provide detailed information to employees before implementing monitoring measures. This includes explaining the purpose, scope, legal basis, retention period, and potential recipients of the data.
In practice, many employers rely on generic privacy notices that fail to address monitoring in sufficient detail. This is a frequent reason for sanctions imposed by the ANSPDCP. Information must be clear, specific, and easily accessible.
Retention periods and data security
Monitoring data cannot be stored indefinitely. Romanian employers must define retention periods based on the purpose of monitoring and delete data once it is no longer necessary. Excessive retention is treated as a serious violation.
In addition, appropriate technical and organisational measures must be in place to protect monitoring data. Access should be restricted, logs maintained, and any data breaches handled in accordance with GDPR requirements.
Sanctions and litigation risks
Improper workplace monitoring has led to numerous fines, labour disputes, and court challenges in Romania. Employees may contest monitoring measures through labour courts or lodge complaints with the data protection authority.
Beyond administrative fines, unlawful monitoring can undermine disciplinary proceedings. Evidence obtained in breach of GDPR or labour law may be excluded, weakening the employer’s position in disputes.
Building a compliant monitoring strategy
For Romanian companies, the safest approach is to treat workplace monitoring as a compliance project rather than a technical one. This involves conducting impact assessments where required, updating internal policies, training managers, and regularly reviewing whether monitoring measures remain necessary and proportionate.
Early legal advice is particularly important when introducing new technologies or expanding existing monitoring systems. What may appear to be a minor operational tool can quickly become a source of regulatory and litigation risk.