The development of remote working since the Covid-19 pandemic has contributed to employers increasingly using IT tools to monitor employees working from home(1). The deployment of such technologies, to the extent that they track employees’ activities and involve the collection and processing of their personal data, raises questions from a data protection law compliance perspective.

A €40,000 sanction from France’s Data Protection Authority (CNIL) of 19 December 2024 against a French real estate company (hereafter, the Company)(2) illustrates the issue. The organisation had, among other things, installed tracking software (named Time Doctor) on employees’ computers working remotely. Although the CNIL chose not to make the Company’s name public (given the limited number of data subjects concerned as it is a small company), the publicity for the sanction is justified by the seriousness of the breaches and the CNIL’s willingness to inform other employees who could be subject to such monitoring. Overall, it shows the importance of this topic for the CNIL which also had the effect of sending a warning signal to other organisations which might be using similar tools. The Company was also sanctioned because of its CCTV system, which was used to film employees and capture sound recordings.