Employee Data Protection: GDPR Requirements for HR
Employee data represents one of the most common, and often overlooked, areas of GDPR compliance. Organizations process significant amounts of employee personal data throughout the employment lifecycle, from recruitment through termination and beyond. Understanding the specific requirements for HR data helps organizations manage this area appropriately.
Key Takeaways
| Point | Summary |
|---|---|
| Employees are data subjects | Staff have full GDPR rights over their personal data |
| Consent rarely appropriate | Power imbalance means consent is often not freely given |
| Legitimate interests/necessity | Most HR processing relies on employment contract or legitimate interests |
| Extensive data categories | HR processing often includes sensitive data (health, diversity) |
| Full employment lifecycle | GDPR applies from recruitment through post-employment retention |
Quick Answer: Employee data is fully protected by GDPR. Because of the employer-employee power imbalance, consent is rarely appropriate; most processing relies on contractual necessity or legitimate interests. Organizations must be transparent, minimize data collected, and respect employee rights.
Legal Bases for Employee Data Processing
Why Consent Is Problematic
The power imbalance in employment relationships means consent is rarely "freely given":
| Issue | Why It's Problematic |
|---|---|
| Power imbalance | Employees may feel pressure to consent |
| Employment dependency | Refusal could affect employment |
| Withdrawal difficulty | Hard to withdraw consent from employer |
| GDPR view | Consent "should not be relied on" per EDPB |
When consent may still be appropriate:
- Genuinely optional benefits not tied to employment
- Photo/video for marketing (with genuine choice to decline)
- Participation in voluntary programs
Appropriate Legal Bases
| Legal Basis | HR Use Cases |
|---|---|
| Contractual necessity | Payroll, benefits administration, work scheduling |
| Legal obligation | Tax reporting, right to work checks, health and safety |
| Legitimate interests | Performance management, security, internal communications |
| Vital interests | Emergency medical situations |
| Explicit consent | Voluntary health programs, marketing use of photos |
Legal Basis by Processing Activity
| Activity | Typical Legal Basis |
|---|---|
| Recruitment processing | Legitimate interests / Contract steps |
| Employment contract administration | Contractual necessity |
| Payroll and tax | Contractual necessity / Legal obligation |
| Benefits administration | Contractual necessity |
| Performance management | Legitimate interests |
| Disciplinary procedures | Legitimate interests / Legal obligation |
| Health and safety | Legal obligation |
| Absence management | Contractual necessity / Legal obligation |
| Training records | Contractual necessity / Legitimate interests |
| References | Legitimate interests |
| Workplace monitoring | Legitimate interests (with DPIA) |
Employee Data Throughout the Employment Lifecycle
Recruitment
| Data | Considerations |
|---|---|
| CVs/applications | Retention limits for unsuccessful candidates |
| Interview notes | Factual, non-discriminatory, appropriate retention |
| Background checks | Proportionate to role, candidate informed |
| References | Processed lawfully, appropriate retention |
Retention guidance:
- Unsuccessful candidates: 6-12 months is typically sufficient
- Document the basis for any longer retention (for example, a talent pool held with the candidate's consent)
Onboarding
| Data | Considerations |
|---|---|
| Identity documents | Right to work verification, secure storage |
| Bank details | Payroll necessity, secure handling |
| Emergency contacts | Vital interests basis, keep current |
| Health information | Only if necessary for role, explicit consent often needed |
During Employment
| Data | Considerations |
|---|---|
| Performance data | Fair, transparent, employee access |
| Absence records | Legitimate business need, appropriate retention |
| Training records | Contractual/legitimate interests, employee access |
| Communications | Monitoring only with transparency and proportionality |
| Security data | CCTV, access logs (legitimate interests with safeguards) |
Termination and Beyond
| Data | Considerations |
|---|---|
| Exit documentation | Retain per legal requirements |
| Reference requests | Legitimate interests, accuracy, fairness |
| Pension records | Legal retention requirements |
| Personnel file | Retention schedule, eventual deletion |
Special Category Employee Data
HR often involves special category data:
Health Data
| Processing | Legal Basis |
|---|---|
| Sick leave management | Employment law obligation |
| Occupational health assessments | Legal obligation / Legitimate interests |
| Disability accommodations | Employment law obligation |
| Health insurance | Explicit consent / Contract |
| Wellness programs | Explicit consent (truly voluntary) |
Diversity Data
| Processing | Legal Basis |
|---|---|
| Equal opportunity monitoring | Employment law (varies by country) |
| Diversity reporting | Legitimate interests with safeguards |
| Positive action measures | Legal basis varies by jurisdiction |
Best practices for diversity data:
- Voluntary collection
- Anonymize/aggregate where possible
- Separate from personnel decisions
- Clear explanation of purpose
Employee Rights
Employees have full GDPR rights:
Right to Access
Employees can request copies of their personal data:
| Included | Potentially Excluded |
|---|---|
| Personnel file | Legal professional privilege |
| Performance records | Management forecasts/planning |
| Emails about them | Third-party personal data |
| Disciplinary records | Trade secrets |
| Payroll records | Ongoing investigations |
Practical considerations:
- Plan for requests that take significant time to fulfil
- Redact third-party personal data before disclosure
- Include the required processing information (sources, recipients, purposes)
Right to Rectification
Employees can request correction of inaccurate data:
| Approach | Implementation |
|---|---|
| Factual errors | Correct promptly |
| Opinion vs. fact | Note that opinions are subjective |
| Disputed facts | Note dispute, investigate |
| Historic records | Consider whether correction appropriate |
Right to Erasure
This right is limited in the employment context:
| Generally Deleted | Generally Retained |
|---|---|
| Withdrawn consent data | Legal obligation records |
| Data beyond retention period | Ongoing employment needs |
| Unsuccessful candidates (after period) | Tax and pension records |
Right to Object
Employees can object to legitimate interests processing:
| Response | When Appropriate |
|---|---|
| Stop processing | If no compelling grounds |
| Continue processing | If compelling legitimate grounds exist |
| Always stop | Direct marketing objections |
Workplace Monitoring
Monitoring employees requires careful GDPR consideration:
General Principles
| Principle | Application |
|---|---|
| Transparency | Employees must know monitoring occurs |
| Proportionality | Monitoring must not be excessive |
| Purpose limitation | Use data only for stated purposes |
| Data minimization | Collect minimum necessary |
| Security | Protect monitoring data appropriately |
Types of Monitoring
| Monitoring Type | Considerations |
|---|---|
| Email/internet | Clear policy communicated to staff; expectation of privacy is limited only where monitoring has been communicated |
| CCTV | Proportionate coverage, clear signage, retention limits |
| Access control | Legitimate security purpose, limited access to data |
| GPS/location | Proportionate to business need, clear policy |
| Screen monitoring | High privacy impact, strong justification needed |
| Social media | Limited to public information, clear policy |
DPIA for Monitoring
Systematic employee monitoring typically requires a DPIA:
| Factor | Consideration |
|---|---|
| Nature | What is being monitored |
| Scope | How many employees, how extensive |
| Context | Employment relationship, expectations |
| Purpose | Business justification |
| Risks | Privacy intrusion, chilling effect |
| Safeguards | Transparency, access limits, retention |
International Employee Data
For organizations with international operations:
Transfer Considerations
| Scenario | Requirement |
|---|---|
| Centralized HR system | Transfer mechanism for non-EEA access |
| Global reporting | Aggregation/anonymization where possible |
| Shared services | DPAs and transfer mechanisms |
Local Requirements
Many countries have specific employment data rules:
- Germany: Strong works council involvement
- France: CNIL guidance on employee monitoring
- Netherlands: Active regulator on workplace privacy
Retention Schedules
Employee data requires clear retention periods:
| Record Type | Typical Retention |
|---|---|
| Recruitment records (unsuccessful) | 6-12 months |
| Personnel file | 6-7 years post-employment |
| Payroll records | 6-7 years (varies by country) |
| Tax records | Per tax authority requirements |
| Pension records | Until pension administration complete |
| Health and safety | Per legal requirements (often 40 years for some records) |
| Training records | During employment + 6 years |
| Disciplinary records | Per policy, often 1-3 years |
Note: Retention requirements vary significantly by country. Consult local requirements.
Employee Privacy Notice
Separate privacy information for employees should include:
| Element | Content |
|---|---|
| Identity | Who is processing (group companies) |
| DPO contact | If applicable |
| Categories of data | What employee data is processed |
| Purposes | Why each category is processed |
| Legal bases | Basis for each processing activity |
| Recipients | Who data is shared with |
| Transfers | International transfer details |
| Retention | How long data is kept |
| Rights | How employees can exercise rights |
| Complaints | Right to complain to DPA |
How Bastion Helps
Employee data protection involves navigating complex requirements while maintaining practical HR operations. Working with experienced partners helps ensure your approach is both compliant and workable.
| Challenge | How We Help |
|---|---|
| Legal Basis Analysis | Guidance on appropriate bases for HR processing activities |
| Policy Development | Employee privacy policies and monitoring policies |
| DPIA Support | Assessment of monitoring and high-risk HR processing |
| Rights Handling | Processes for handling employee data requests |
| International HR | Navigation of multi-country requirements |
| Training | Manager and HR team training on employee privacy |
Getting employee data protection right matters both for compliance and for the trust relationship with your workforce. Expert support helps ensure your approach respects employee privacy while meeting legitimate business needs.
Sources
- EDPB Opinion on Processing in Employment Context - Guidance on consent and employment
- ICO Employment Practices Code - UK guidance on employee data
