RE-SEARCH
Wet- en regelgeving

Internet Filtering at Work: Can Employers Block Websites or Restrict Internet Use?

Employers can restrict workplace internet access—but within strict legal boundaries. Learn what the law allows, what IT infrastructure matters, and how to balance security with employee rights.

May 13, 202616 minMiquel van Dongen
Share this article
AI Summary

 

Whether an employer can block websites or restrict internet use at work is a question that sits at the intersection of business security, employee rights, and data protection law. The short answer is: yes, employers can restrict internet access—but only under strict conditions. This article explores the legal framework, practical considerations, and how the quality of your office's digital infrastructure plays a role in implementing a sustainable internet policy.

Can an Employer Restrict Internet Use at Work?

Dutch and European employment law permits employers to regulate internet usage on company networks and devices. However, this right is not unlimited. Restrictions must be justified by a legitimate business interest, implemented transparently, and proportionate to the risk or problem they aim to solve. Blanket surveillance or excessive blocking without clear communication or justification typically violates employee privacy rights under the General Data Protection Regulation (AVG) and Dutch labour law.

Why Employers Regulate Internet Access

Organisations implement internet policies for several legitimate reasons:

  • Cybersecurity: Blocking malware-laden sites, phishing links, and unvetted downloads protects the network and data from breaches.
  • Productivity: Limiting access to streaming, gaming, or excessive social media can help staff stay focused on work tasks.
  • Bandwidth management: High-bandwidth activities (video streaming, large file downloads) can slow network performance for critical business operations.
  • Legal compliance: Some industries must prevent access to content that could expose the organisation to legal liability.
  • Reputation protection: Preventing staff from visiting illegal or offensive sites from company networks protects brand integrity.
  • Confidentiality: Restricting access to unauthorised cloud storage or AI tools helps prevent accidental data leaks.

Filtering vs. Blocking vs. Monitoring: What's the Difference?

Filtering means the network automatically blocks access to categories of websites (e.g., adult content, gambling) without logging individual user activity. Blocking is more targeted—specific sites are prevented from opening, often with a visible notification. Monitoring means tracking which sites employees visit, how long they spend there, or even recording screen activity. Each approach carries different legal implications and privacy risks.

What Does the Law Say?

The AVG (General Data Protection Regulation)

The AVG, implemented in the Netherlands as Dutch law, restricts how organisations can collect and process personal data—including internet usage logs. Any monitoring of employee internet activity constitutes data processing and must meet strict conditions:

  • There must be a legitimate legal basis (e.g., network security, contractual necessity, or compliance with a legal obligation).
  • The processing must be transparent—employees must be informed clearly and in advance about what is being monitored, how, and why.
  • It must be proportionate—the intrusiveness must match the actual security or business risk.
  • Data must be kept only as long as necessary and securely stored.
  • Employees have rights to access, correct, and challenge the data collected about them.

Covert or extensive monitoring without clear notice typically violates AVG requirements, even if technically possible.

Labour Law and Employee Rights

Dutch labour law recognises employees' right to privacy, including a degree of privacy at work. Courts and the Autoriteit Persoonsgegevens (Dutch Data Protection Authority) have ruled that blanket, continuous monitoring of all internet activity—particularly logging of every website visited—often exceeds what is proportionate. However, filtering to prevent access to specific categories (malware, gambling, explicit content) is generally considered reasonable if implemented transparently.

Proportionality and Subsidiarity

These principles, rooted in Dutch and European law, require that any restrictive measure (including blocking or monitoring) be the minimum necessary to achieve a legitimate goal. For example, if bandwidth is limited, selectively throttling video streaming is more proportionate than blocking all external websites. If cybersecurity is the concern, blocking known malware sources is more proportionate than monitoring all employee browsing.

Consultation and Works Council Approval

If your organisation has a Works Council, monitoring or filtering arrangements that significantly affect working conditions typically require consultation or even formal approval under the Works Councils Act (Wet op de Ondernemingsraden). Failing to involve the Works Council in such decisions can render the policy invalid, even if legally sound otherwise.

Which Websites Are Commonly Blocked or Filtered?

Internet policies vary widely by industry and organisational risk tolerance. Here are common categories:

  • Malware and phishing sites: Almost universally blocked; essential for cybersecurity.
  • Illegal download sites: Copyright infringement, gambling, and dark web marketplaces are typically blocked.
  • Explicit adult content: Commonly blocked for legal and professional reasons.
  • Streaming services (Netflix, YouTube, Twitch): Often restricted to save bandwidth, but some organisations permit them during breaks.
  • Social media (Facebook, Instagram, Twitter): Policies vary; some block entirely, others restrict access to break times, and some (especially marketing or PR firms) allow unrestricted access as these are work tools.
  • Gambling sites: Blocked for productivity and legal liability reasons.
  • Cloud storage (personal Google Drive, Dropbox): Sometimes restricted to prevent unauthorised data transfers.
  • AI tools (ChatGPT, Copilot, Claude): Some organisations block or log usage to prevent accidental sharing of confidential data.
  • Gaming sites: Blocked to protect bandwidth and focus, but approach varies.
  • News and current affairs: Rarely blocked; essential for informed workers.

Each category reflects different priorities. A financial services firm prioritises compliance and data security. A logistics company focuses on bandwidth. A creative agency may need social media access for legitimate work.

Can an Employer Monitor Internet Use?

When Monitoring is Permitted

Monitoring is legally permitted when:

  • There is a clear, documented business reason (security threat, compliance requirement, suspected policy breach).
  • Employees are informed in advance about what is monitored and why (e.g., in a staff handbook or ICT policy document).
  • The monitoring is proportionate and time-limited; continuous, granular surveillance of all activity is rarely justified.
  • Monitoring is necessary because less intrusive alternatives are insufficient.
  • The Works Council (if present) has been consulted or has approved the measure.

When Monitoring Goes Too Far

Monitoring is likely unlawful if it:

  • Is conducted without employee knowledge or consent (covert).
  • Logs every single website visited and keystroke (excessive).
  • Extends to personal devices or home networks without explicit, informed agreement.
  • Is used to monitor behaviour unrelated to legitimate business interests (e.g., tracking an employee's political views or health searches).
  • Lacks a clear data retention policy or keeps logs indefinitely.
  • Fails to inform employees of their data access rights.

Best Practices for Monitoring Compliance

  • Adopt a Data Protection Impact Assessment (DPIA) before implementing monitoring; this helps identify risks and justify necessity.
  • Draft a clear Privacy Notice explaining what data is collected, how it is used, how long it is kept, and employees' rights.
  • Include monitoring arrangements in your ICT Policy and make this accessible to all staff.
  • Set reasonable data retention periods (e.g., 30–90 days for access logs, longer only if a specific investigation requires it).
  • Ensure Works Council consultation where required.
  • Provide employees with a mechanism to request access to data collected about them (AVG Article 15).

Cybersecurity and Network Safety: Why Internet Policy Matters

A robust internet policy is not just about policing employee behaviour—it is a cornerstone of cybersecurity defence. Cybercriminals exploit insecure networks, phishing, malware downloads, and unvetted cloud applications to breach organisations.

Key Threats Mitigated by Internet Policy

  • Phishing: Employees clicking malicious links can compromise entire networks. Filtering suspicious domains and training reduce this risk.
  • Ransomware: Often delivered via infected downloads or watering-hole attacks. Blocking suspicious file types and sources helps prevent infection.
  • Data exfiltration: Restricting unauthorised cloud services and email forwarding reduces the risk of accidental or intentional data leaks.
  • Shadow IT: Employees using unapproved software or cloud services can create unmanaged security gaps. Policy enforcement addresses this.
  • Bandwidth abuse: Can degrade network performance and reduce availability for critical business functions.
  • Malware and trojans: Downloaded from compromised or illegal sites, these can spread across the network.

Modern Cybersecurity Approaches

Leading organisations adopt a Zero Trust model: verify and control all access, monitor continuously, and assume no device or network segment is inherently safe. This goes beyond simple blocking—it involves user authentication, device compliance checks, encrypted connections, network segmentation, and continuous threat detection. An effective internet policy supports these measures.

Additionally, organisations increasingly implement guest networks to isolate visitor and contractor traffic from core business systems, reducing contamination risk.

Digital Infrastructure in Modern Offices: Why It Matters for Internet Policy

A robust internet policy is only as effective as the infrastructure that supports it. When selecting or designing office space, business leaders increasingly prioritise digital infrastructure alongside location and square meterage. When evaluating office space for rent in Amsterdam or other major business hubs, consider these critical factors:

Essential IT Infrastructure for Today's Workplaces

  • Fibre optic connectivity: Not just fast, but reliable and future-proof. Fibre offers symmetrical upload/download speeds, essential for large file transfers, video conferencing, and cloud applications.
  • Redundant connections: Multiple independent internet feeds (e.g., fibre from two different providers) ensure business continuity if one connection fails.
  • Wi-Fi coverage: Modern offices require robust, encrypted Wi-Fi throughout—especially for flexible workspaces and meeting rooms.
  • Wired network (Cat6/Cat6A cabling): For sensitive operations, trading floors, or server rooms where security and speed are paramount.
  • Server rooms and equipment racks: Properly cooled, secure rooms for network equipment, servers, and backup systems.
  • Patch panels and network closets: Well-organised infrastructure makes it easier to manage, monitor, and secure the network.
  • Data centres or co-location options: For organisations that need resilient, off-site backup and disaster recovery.
  • Access control: Physical security of IT rooms prevents unauthorised tampering.
  • Power resilience: Uninterruptible Power Supplies (UPS) and backup generators protect critical systems.

Buildings with poor or outdated IT infrastructure make it harder to implement modern security practices. When evaluating office space for rent in Rotterdam, office space for rent in Utrecht, or other locations, inquire about the landlord's IT capabilities, upgrade track record, and support for tenant network requirements.

Practical Implementation: A Checklist for Employers

If you are developing or updating an internet and ICT policy, consider these steps:

  1. Define your business needs. What specific risks or objectives drive the policy? (Cybersecurity, productivity, compliance, bandwidth?)
  2. Conduct a DPIA. Assess the privacy impact of any monitoring or filtering; document your justification.
  3. Engage the Works Council. If one exists, consult early and transparently.
  4. Draft a clear ICT and Internet Policy. Specify:
    • Which categories of websites are blocked and why.
    • What monitoring occurs and what data is collected.
    • Employees' acceptable use obligations.
    • Consequences of policy breaches.
    • Access rights and data retention practices.
  5. Communicate transparently. Share the policy with all staff; make it easy to understand and accessible.
  6. Provide a guest network. Allow visitors and contractors to access the internet without accessing business systems.
  7. Train staff on cybersecurity. Educate employees about phishing, password safety, and safe browsing; this reduces reliance on pure blocking.
  8. Implement technical controls proportionately. Use filtering for clear, high-risk categories (malware, phishing, illegal content). Avoid excessive monitoring that violates privacy expectations.
  9. Log and review access. Keep logs of blocked requests and policy violations; review periodically to refine the policy.
  10. Evaluate and update regularly. Technology and threats change; review your policy annually.
  11. Document everything. Maintain records of policy decisions, DPIA, Works Council consultations, and privacy notices; this demonstrates compliance if challenged.

Real-World Scenarios: How Internet Policy Varies by Industry

Scenario 1: An Accounting and Advisory Firm

A mid-sized accountancy firm handles sensitive client financial data and operates under strict audit and regulatory requirements. They implement:

  • Strict website filtering: All personal cloud storage (Google Drive, Dropbox, OneDrive personal accounts) is blocked; only approved SharePoint/Teams repositories are permitted.
  • AI tool restrictions: ChatGPT and other large language models are blocked or logged, as the firm cannot risk client data being uploaded to external servers.
  • VPN enforcement: All remote access uses a corporate VPN; no direct internet access from home devices.
  • Email scanning: Outbound emails are scanned for attached files; large external transfers require approval.
  • Monitoring: Internet logs are retained for 180 days and reviewed quarterly; any suspicious access triggers an investigation.

Legal basis: Professional obligations, data protection, compliance with audit standards, and legitimate business interest in protecting client confidentiality.

Scenario 2: A Logistics and Warehousing Company

A logistics firm operates across multiple sites with heavy truck traffic and inventory management systems. Internet infrastructure is essential but bandwidth is finite. They implement:

  • Video streaming restrictions: YouTube, Netflix, and Twitch are blocked during working hours; available only during designated breaks to protect bandwidth for critical warehouse management systems.
  • Download controls: Large personal downloads are rate-limited to protect network performance.
  • Basic filtering: Malware, phishing, and adult content are blocked; this is logged but individual staff members are not identified unless an incident occurs.
  • Monitoring: Minimal; the firm uses a transparent bandwidth monitoring tool that shows real-time network load but does not track individual users except when investigating problems.

Legal basis: Network performance and business continuity; the policy is proportionate and transparent.

Scenario 3: A Creative and Marketing Agency

A creative firm depends on social media for client work and employee creativity. They take a different approach:

  • Social media access: Facebook, Instagram, LinkedIn, and Twitter are fully available; staff may use them for research, client work, and approved breaks.
  • Malware and phishing protection: Only clear threats are blocked; the firm trusts employees to use judgment.
  • Cloud restrictions: Personal cloud storage is monitored (not blocked) to ensure confidential client assets are stored securely; staff are trained on the policy.
  • Monitoring: Very light; the firm conducts quarterly bandwidth reviews and annual access audits, but does not surveil individual staff.

Legal basis: Business necessity (social media is core to the work) and trust-based culture; minimal monitoring respects employee privacy while protecting business interests.

Internet Infrastructure and Office Selection: A RE-SEARCH Perspective

RE-SEARCH advises businesses that the quality of a building's digital infrastructure is as important as its location, layout, or square meterage. A modern internet and ICT policy can only be implemented effectively if the building's infrastructure supports it. When evaluating office space, ask:

  • Does the building have high-speed fibre connectivity? Is it available immediately, or does the landlord plan upgrades?
  • Are there redundant internet connections from multiple providers?
  • What is the landlord's support for tenant IT requirements (dedicated circuits, co-location, server room access)?
  • Is Wi-Fi coverage comprehensive and is guest Wi-Fi available?
  • Are there dedicated IT rooms or comms closets with proper cooling and security?
  • Does the building support modern cabling standards (Cat6A or better)?
  • What is the uptime SLA (Service Level Agreement) guaranteed by the landlord or connectivity provider?
  • Is the building prepared for future technologies (5G, mesh networking, IoT)?

Many organisations have struggled with poorly planned moves to offices that lacked adequate digital infrastructure, leading to slow networks, failed implementations of security controls, and reduced productivity. Choosing office space with robust, modern IT infrastructure—alongside a clear internet and ICT policy—is now a strategic business decision.

Frequently Asked Questions

Yes, if there is a legitimate business reason and the policy is transparent and proportionate. Some organisations block it entirely, others restrict it to breaks, and others (especially marketing firms) allow unrestricted access. Courts consider the sector, the nature of the work, and whether less restrictive alternatives are available. Blanket blocking without explanation may be challenged as disproportionate.

2. Can I monitor all websites my employees visit?

Logging every website visited may violate AVG requirements unless there is a specific, documented security or compliance reason. Filtering and blocking are generally more acceptable than continuous individual monitoring. If monitoring is necessary, inform employees clearly, limit data retention, and ensure the Works Council has been consulted.

3. What if an employee suspects unlawful monitoring?

They can file a complaint with the Autoriteit Persoonsgegevens (Dutch Data Protection Authority) or pursue civil action. They also have the right to request a copy of their personal data (AVG Article 15). Employers should document the business justification for any monitoring to defend a challenge.

4. Can I block personal cloud storage?

Yes, if you have a legitimate data protection reason (e.g., to prevent accidental uploads of confidential client data). This is common in financial services, law, and healthcare. However, the restriction should be proportionate and clearly explained. Offer secure, approved alternatives (corporate SharePoint, Teams) so employees have a way to share and backup files safely.

5. Must I offer a guest Wi-Fi network?

It is not legally mandatory, but it is strongly recommended. A separate guest network—isolated from your business systems—reduces security risk while providing a professional courtesy to visitors, contractors, and clients. It also protects your data by ensuring visitors are not exposed to your monitoring or filtering policies.

6. What if we use AI tools like ChatGPT at work?

Many organisations restrict or monitor AI tool access because confidential or client data could be uploaded to external servers, violating GDPR and client confidentiality. If you permit AI tools, inform employees that they must not upload sensitive data, provide approved, enterprise versions (e.g., Microsoft Copilot Pro, ChatGPT Business), and consider monitoring access. Document this in your ICT policy.

7. Do I need Works Council approval for internet filtering?

Only if you have a Works Council and the filtering constitutes a "regulation" affecting working conditions. Basic blocking of malware and explicit content usually does not require approval, but extensive monitoring or broad filtering policies typically do. Consult your Works Council early to avoid disputes later.

8. How long should I keep internet access logs?

There is no fixed legal requirement, but the principle is "as long as necessary." For routine network management, 30–90 days is common. If investigating a specific incident, logs can be kept longer (e.g., 180 days). Retain indefinitely only if there is a clear business or legal reason. Excess retention violates AVG data minimisation principles.

9. Can I block websites based on category without naming them specifically?

Yes, and it is common. You might filter "adult content," "gambling," "malware," or "illegal downloads" as categories without listing individual sites. However, you should still explain the categories in your ICT policy so employees understand why something was blocked. Transparency helps with legal defensibility and employee acceptance.

If there is a documented reason for monitoring (e.g., a policy breach has been suspected or reported), targeted monitoring is more acceptable than blanket surveillance. However, you should inform employees and the Works Council; use the least intrusive method that achieves your goal (e.g., weekly bandwidth reports, not keystroke logging); and act on findings fairly and proportionately.

Conclusion: Building a Secure, Compliant, and Productive Workplace

Employers have the right to regulate internet use at work—to protect data, ensure productivity, and maintain security—but this right comes with legal obligations. The law requires that any filtering, blocking, or monitoring be transparent, proportionate, and justified by a legitimate business need. Blanket, covert, or excessive surveillance typically breaches privacy law and employee rights.

A strong internet and ICT policy should:

  • Be documented, transparent, and communicated to all staff.
  • Balance business security with employee privacy and autonomy.
  • Include the Works Council in its design and approval.
  • Rely on technical controls (filtering, blocking) more than invasive monitoring.
  • Include clear data retention and employee access rights.
  • Be reviewed and updated as threats and technology evolve.

Equally important is the underlying infrastructure. Modern office buildings must offer reliable, fast, redundant internet connectivity, robust Wi-Fi, and IT support to make these policies work. When choosing office space—whether warehouse and logistics space in Rotterdam or corporate headquarters—evaluate the building's digital infrastructure carefully. Poor connectivity undermines security, productivity, and your ability to implement a modern ICT policy effectively.

By combining clear policy, transparent communication, proportionate technical controls, and robust infrastructure, organisations can create workplaces that are secure, productive, and respectful of employee privacy.

Tags

Internet filteringWorkplace IT policyAVG complianceCybersecurityOffice infrastructureNetwork securityEmployee privacy
Share this article

About the author

Miquel van Dongen

Miquel van Dongen

TECH DIRECTOR

More about the author

Need help finding the right space?

Our experts are happy to help. Get in touch with no obligation.

Contact us
RE-SEARCH

Questions? Call us directly

Call us