yond the platform economy, there is a strong argument for extending these workplace-specific, and explicitly collective, data rights to all workers, irrespective of their sector or type of relationship(Adams-Prassl et al. 2025; ETUC 2025a). This call has been taken up by the European Parlia­ment’s Committee on Employment and Social Affairs which has voted for an own-initiative report calling for a new law on algorithmic management(EP 2025). The Eu ­ropean Commission is more focused on improving the enforcement of existing legislation like the GDPR and the AI Act, but has left the door open to a new legal ini­tiative, provided it is targeted and complementary to the existing legal framework(EC 2025). Yet, despite the al ­leged shortcomings of the current framework, there has been little analysis of how the GDPR is actually applied in the workplace – how is it being implemented, used, and especially enforced. How does it interact with anal­ogous national labour law provisions, which in many Member States provide more specific and more protec­tive rules on workplace data protection? Although hard numbers are difficult to come by, there is strong circumstantial evidence that many workplace sur­veillance and algorithmic management technologies are being adopted without respecting existing data protec­tion laws. For instance, in a survey among managers of EU firms(OECD 2025), 69% of employers said their al ­gorithmic systems did not process the personal data of workers – which is very unlikely given the expansive concept of personal data under the GDPR. As the au­thors infer,“it is likely that managers in these countries underestimate(or underreport) data collection”(OECD 2025: 49). In addition, several studies highlight the intru ­sive software being offered within the EU, with default functionality that is very hard to square with established GDPR principles like data minimisation and fairness (Christl 2021; Christl 2023; Christl 2024). In other words, significant non-compliance is suspected. Therefore, questions of implementation and enforce­ment are central. As has been observed(McDonald 2020), many of the EU’s digital laws, like the GDPR, ena ­ble the EU-wide and global exchange of personal data, whilst paying comparatively little attention to how these rules are to be implemented and enforced in practice. The latter are left to national authorities that – especial ­ly in the absence of a centralised system, harmonised procedures, and adequate resources(Magierska& Has­sel 2025) – may be ill-equipped to adjudicate the dis ­putes arising from the increased processing of personal data. Unsurprisingly, there has been criticism of the lack of GDPR enforcement(ICCL; BEUC; Magierska& Hassel 2025), which has been echoed to some extent by the Eu ­ropean Commissions’ own evaluations(EC 2020; EC 2024). These have led to the imminent adoption of the GDPR procedural rules regulation. 1 Mapping GDPR enforcement in the work­place across the EU The EU, and data protection authorities(DPAs), have been criticised for not sufficiently enforcing the GDPR. Yet, there has been little specific investigation into the situation for workplace data protection. Therefore, the Arbeiterkammer Vorarlberg, together with the Friedrich­Ebert-Stiftung’s Competence Centre on the Future of Work, commissioned a team of experts to map the state of play around workplace data protection in Austria, Bel­gium, France, Germany, Ireland, Italy, Luxembourg, Po­land, Spain and the Netherlands. 2 Based on a question­naire, experts provided insights into the enforcement of the GDPR in the workplace in general, as well as the en­forcement of other data protection rights provided under national labour laws; the complaints, decisions and oth ­er activities of DPAs in the field of workplace data pro­tection; and the activities of courts dealing with work ­place-related data protection issues. Experts were also asked to examine the provisions that may enable collec­tive enforcement, starting with Articles 80(1) and 80(2) GDPR and their national implementation, as well as other domestic mechanisms that may allow trade un­ions and works councils to bring actions to enforce da­ta-protection rights. The study finds that there is a general underenforce­ment of data protection rights in the workplace, as well as significant divergence across the EU when it comes to the implementation of the GDPR in employment con­texts, and how it complements national labour laws. Among the possible solutions, one would consist in the full and effective implementation of Article 80 GDPR, which remains largely unused. While this provision could help with the collective enforcement of worker data rights, it is universally not(fully) implemented. A first recommendation would be to remedy that situation by making the full Article 80 GDPR mandatory, instead of voluntary. This could be done in the Digital Omnibus Act that is now being negotiated at the EU level. Second, there is lack of available and standardised data that would give a clear picture of the situation around the application of the GDPR to workplace contexts. DPAs use different definitions of“workplace” or employ­ee data processing and routinely do not publish fol­low-ups to complaints, let alone specify how many com­1  https://www.europarl.europa.eu/doceo/document/TA-10-2025-0238_EN.html. 2  The experts have collected information on DPA activity until 31 December 2024, and on relevant court cases and legal developments until 30 September 2025. The excep­tion is the Netherlands, where the inventory of relevant court cases and legal developments runs until February 2025. 4 Friedrich-Ebert-Stiftung e.V.