News
AI Systems Track Employees' Typing Speed and Eye Movements as Polish Labor Law Struggles to Keep Up

In Polish companies, AI systems increasingly monitor employees' typing speed, mouse movements and facial expressions, and lawyers warn such surveillance may violate GDPR and expose employers to mobbing claims.
Contents
More and more employers in Poland are turning to AI-based software that analyzes how employees work in real time, from keyboard typing speed and mouse movements to eye tracking and facial micro-expressions during remote work. Lawyers cited by Forsal.pl warn that this form of algorithmic management increasingly goes beyond what Poland's Labor Code (Kodeks pracy) and the EU's GDPR allow.
How the Surveillance Works
The tools described go far beyond traditional time trackers. They log every keystroke, measure typing speed and compare it against set benchmarks, track mouse cursor movement as an activity indicator, and in the most advanced versions analyze webcam footage for gaze direction and facial micro-expressions. The results feed into performance evaluation systems that can affect bonuses, promotions or decisions to end employment.
For employers, this promises an objective, continuous measure of productivity without the need for manual supervisor assessment. For employees, however, it means working under constant, automated observation, often without full knowledge of exactly what data is being collected or how it translates into personnel decisions.
Limits Under the Labor Code
Polish labor law permits employee monitoring, but only under strictly defined conditions. Articles 22(2) and 22(3) of the Kodeks pracy (Poland's Labor Code) allow such surveillance only when necessary to ensure the organization of work, and it must also meet a proportionality test and not infringe on personal rights protected under Article 11 of the Labor Code and Article 23 of the Civil Code. Under procedural requirements, employers must notify employees in writing at least two weeks before rolling out such a system.
The key constraint, however, remains Article 22 of the GDPR, which prohibits decisions that have a significant effect on an employee from being based solely on automated data processing, without human involvement. In practice, this means that even if an algorithm calculates a performance score based on typing speed or mouse movement, the final decision on pay, promotion or dismissal must be approved by a person, not made solely by the system.
Lawyers also point out that continuous video monitoring of home settings during remote work is, in most cases, considered a violation of the GDPR's proportionality principle as well as the privacy of the employee's household members, who are not party to the employment relationship but may end up in the camera's frame.
The AI Act and the December Deadline
The issue takes on added significance in light of the EU's AI Act. Algorithmic management systems and automated recruitment systems are classified under the AI Act as high-risk, which means they require certification by the manufacturer and employers must inform employees about how such workplace tools operate. Poland is required to implement these rules by December 2026, meaning within the next five months.
This means companies currently using tools that monitor typing speed or facial micro-expressions will soon have to go through a compliance process, including a data protection impact assessment and verification that the software vendor meets certification requirements for high-risk systems. For many smaller companies that adopted such tools without a thorough legal review, this could mean a rapid revision of their current practices.
Risk for Employers
Lawyers warn that the constant pressure of algorithmic surveillance can, in extreme cases, meet the legal threshold for mobbing (workplace bullying) under the Labor Code, opening the door to employee damages claims. The risk grows where a system not only logs data but automatically generates warnings, lowers ratings or affects pay without any correction from a supervisor accounting for an individual's specific work context.
For Polish HR and legal departments, this means that deploying AI-based analytical tools today requires not just approval at the level of internal work regulations, but full documentation of GDPR compliance and preparation for AI Act requirements taking effect later this year. Companies that fail to do so risk not only labor disputes but also inspections by the Personal Data Protection Office (Urząd Ochrony Danych Osobowych, UODO).
Sources: Forsal.pl (forsal.pl).

