Trusq

factual analysis · traceable to primary sources


AI productivity scoring and bossware: what may an employer do?

Adopted 2026-06-22 · ≈ 2 min read · Dirk Baaijen

Continuous AI monitoring and performance scoring ("bossware") collides with GDPR proportionality, purpose limitation and transparency, with good employership and with the works council's consent right. Covert or all-encompassing measurement is not allowed.

Short answer: Continuous productivity measurement with AI is not simply permitted. The GDPR requires a legal basis, a defined purpose, proportionality and transparency; employment law requires good employership; and introducing or changing such systems requires, in the Netherlands, the consent of the works council. Covert or all-encompassing monitoring is unlawful.

"Bossware" continuously collects signals about employees: keystrokes, screenshots, active time, mouse movement, application use and sometimes camera footage, and converts these into a productivity or performance score. The more fine-grained the measurement, the higher the legal bar. The interplay of the GDPR, employment law and codetermination determines what is permitted.

What the GDPR requires

Monitoring is processing of personal data and must comply with the principles of Article 5 GDPR: a predetermined, legitimate purpose (purpose limitation), no more data than necessary (minimisation) and fairness and transparency. Consent is rarely freely given in an authority relationship and is therefore rarely usable; one usually ends up with legitimate interest (Article 6), which requires a balancing test in which the employee's interest may prevail. Continuous, all-encompassing measurement rarely survives that test. A DPIA is mandatory for systematic monitoring.

Proportionality and purpose limitation

The core question is whether a less intrusive means achieves the same purpose. Permanently logging every keystroke to measure "engagement" is generally disproportionate; targeted, temporary measurement for a concrete and legitimate purpose may be allowed. Data collected for one purpose may not be reused without limit for assessment or sanctioning. Covert monitoring is, save in very exceptional cases such as a concrete suspicion of fraud, not permitted.

Algorithmic management and transparency

Anyone who uses scores to assign tasks, assess or sanction is engaged in algorithmic management. Employees are entitled to intelligible information about which data are processed, with what logic and with what consequences. A purely automated decision with significant effects engages Article 22 GDPR and requires human involvement and the ability to contest. The broader mechanisms are set out in Algorithmic management at work; the monitoring side in AI employee monitoring.

Good employership

Beyond the GDPR, the employment-law standard of good employership applies. Constant surveillance affects the employee's private life, including at the workplace, and may constitute an unlawful intrusion even where a legal basis formally exists. Trust, reasonableness and refraining from unnecessarily intrusive control weigh in any review by a court.

In the Netherlands, introducing, changing or withdrawing an arrangement for personnel monitoring systems or for recording attendance, conduct or performance is subject to consent (Article 27 of the Works Councils Act). Without the works council's consent the decision is void. Involve the works council early and substantively; see Codetermination, works councils and AI.

What is and is not allowed

Not allowed: covert measurement, permanent total surveillance, scores as the sole basis for sanctions, and reuse of data outside the original purpose. Allowed, provided it is substantiated: targeted, transparent and proportionate measurement for a concrete purpose, with a DPIA, works council consent, human oversight and a genuine opportunity for the employee to contest outcomes. You measure productivity with trust and frameworks, not with a camera on every keystroke.

Sources

  1. https://eur-lex.europa.eu/eli/reg/2016/679/oj
    Regulation (EU) 2016/679 (GDPR); Articles 5 (principles), 6 (legal basis) and 22 (automated decisions).
  2. https://eur-lex.europa.eu/eli/reg/2024/1689/oj
    Regulation (EU) 2024/1689 (AI Act); framework for AI systems, also relevant to performance assessment.
