GDPR for HR: Employee Data Processing Guide [2026]

The GDPR applies to every piece of employee data your HR team processes. This guide covers lawful bases, consent issues, data minimisation, retention, DPIAs, DSARs, breach notification within 72 hours, and the penalties for getting it wrong.

Rachel Richardson

Head of Growth & Marketing, Grove HR

Updated 25 March 2026. 15 min read.

Quick Answer: Does GDPR Apply to Employee Data?

Yes. The General Data Protection Regulation (Regulation (EU) 2016/679) applies to all personal data processed in the context of employment. This includes recruitment data, payroll information, performance reviews, health records, disciplinary files, and any other information that identifies or could identify an employee.

Each GDPR requirement and its HR implication:

  • Lawful basis required: Must identify a legal ground for each type of HR data processing
  • Data minimisation: Only collect employee data that is genuinely necessary
  • Storage limitation: Set and enforce retention periods for all HR records
  • Transparency: Provide employees with a clear privacy notice explaining what data you process and why
  • Data subject rights: Respond to employee DSARs within 1 month
  • Breach notification: Report qualifying breaches to the supervisory authority within 72 hours
  • Accountability: Document all processing activities, conduct DPIAs where required

Lawful Bases for HR Data Processing

Article 6 of the GDPR requires a lawful basis for every processing activity. For HR, the most relevant bases are:

1. Performance of a Contract (Article 6(1)(b))

This is the primary basis for most core HR processing. If processing is necessary to fulfil the employment contract, this basis applies:

  • Paying salaries and benefits
  • Managing working time and attendance
  • Administering leave entitlements
  • Providing contractual benefits (health insurance, pension)
  • Issuing employment references upon request

2. Legal Obligation (Article 6(1)(c))

Where processing is required by law:

  • Tax withholding and reporting to revenue authorities
  • Social security contributions
  • Health and safety record-keeping
  • Working time records (per the CCOO ruling, C-55/18)
  • Equality monitoring where required by national law
  • Reporting to labour inspectorates

3. Legitimate Interest (Article 6(1)(f))

Employers may process data where they have a legitimate interest that is not overridden by the employee's rights. This requires a documented balancing test (Legitimate Interest Assessment, or LIA):

  • Performance management and appraisals
  • Internal investigations (disciplinary, grievance)
  • IT security monitoring (with proportionality safeguards)
  • Business planning and restructuring
  • Intra-group transfers of employee data for administrative purposes

4. Consent (Article 6(1)(a)) -- Use With Extreme Caution

Employee consent is problematic in the employment context because of the inherent power imbalance. The Article 29 Working Party (now the European Data Protection Board, EDPB) has stated that consent is rarely freely given in employment. Use consent only where:

  • The employee faces no detriment for refusing (e.g., optional social events, photo consent for company website)
  • There is no alternative lawful basis available
  • The employee can withdraw consent without any negative consequence

Do not rely on consent for core HR processing like payroll, attendance, or performance management. If the employee cannot realistically refuse, consent is not valid.


Special Category Data in HR

Article 9 imposes stricter rules on special category data, which in HR commonly includes:

  • Health data: Sick notes, occupational health reports, disability information, medical certificates
  • Trade union membership: For payroll deduction purposes or consultation requirements
  • Racial or ethnic origin: For equality monitoring
  • Biometric data: Fingerprint or facial recognition for access control or time tracking
  • Religious beliefs: For accommodating religious holidays or dietary requirements

Processing special category data requires both a lawful basis under Article 6 and a condition under Article 9(2). The most relevant conditions for HR:

  • Employment law obligations (Article 9(2)(b)): Processing necessary for employment, social security, and social protection law
  • Explicit consent (Article 9(2)(a)): Only where truly voluntary and specific
  • Legal claims (Article 9(2)(f)): Processing necessary for the establishment, exercise, or defence of legal claims

Data Minimisation and Purpose Limitation

Data Minimisation (Article 5(1)(c))

Only collect data that is adequate, relevant, and limited to what is necessary for the specified purpose. Practical implications for HR:

  • Do not collect information about family members beyond what is needed for benefits administration
  • Remove unnecessary fields from application forms (e.g., date of birth if not legally required)
  • Limit access to sensitive data on a need-to-know basis
  • Do not retain interview notes for unsuccessful candidates longer than necessary

Purpose Limitation (Article 5(1)(b))

Data collected for one purpose must not be processed for an incompatible purpose without a new lawful basis. For example, health data collected for sick leave administration cannot be used to inform promotion decisions, and recruitment data cannot be repurposed for marketing.


Retention Periods for HR Data

The GDPR does not specify exact retention periods but requires that data is kept for no longer than necessary (Article 5(1)(e)). HR teams should set retention schedules based on:

Data type, typical retention period, and the rationale for it:

  • Payroll records: 6-10 years after employment ends (tax and social security audit requirements vary by country)
  • Employment contracts: 6-10 years after termination (statute of limitations for contractual claims)
  • Recruitment records (unsuccessful candidates): 6-12 months (discrimination claim limitation periods)
  • Health and safety records: 3-40 years (depends on hazard type; e.g., asbestos exposure records: 40 years)
  • Disciplinary records: duration of employment + limitation period (typically 6 years in many jurisdictions)
  • Training records: duration of employment + 3-6 years (compliance evidence for regulated industries)
  • Working time records: 2-5 years (national law requirements vary)

National laws often set minimum retention periods that override the GDPR's general principle. Always check the requirements in each country where you have employees.


Data Protection Impact Assessments (DPIAs)

When Is a DPIA Required?

Article 35 requires a DPIA before processing that is likely to result in a high risk to individuals. In HR, a DPIA is typically required for:

  • Implementing a new HR information system (HRIS)
  • Introducing employee monitoring (email, internet, GPS tracking)
  • Deploying biometric systems (fingerprint, facial recognition)
  • Large-scale profiling (algorithmic performance scoring, AI-assisted recruitment)
  • Processing health data at scale (occupational health programmes)
  • Cross-border transfers of employee data within a multinational group

What a DPIA Must Include

  1. Systematic description of the processing and its purposes
  2. Assessment of necessity and proportionality
  3. Assessment of risks to individuals' rights and freedoms
  4. Measures to address those risks (safeguards, security, mechanisms to ensure compliance)

If the DPIA identifies high residual risk that cannot be mitigated, you must consult your supervisory authority before proceeding (Article 36).


Cross-Border Transfers of Employee Data

Transfers Within the EU/EEA

Data flows freely within the EU/EEA. No additional safeguards are required for transfers between member states.

Transfers Outside the EU/EEA

Transferring employee data to countries outside the EU/EEA (third countries) requires a valid transfer mechanism under Chapter V of the GDPR:

  • Adequacy decision (Article 45): The European Commission has recognised certain countries as providing adequate protection, including the UK (until June 2025, extended to December 2025), Japan, South Korea, Canada (commercial organisations), Israel, Switzerland, New Zealand, and Argentina
  • Standard Contractual Clauses (SCCs) (Article 46(2)(c)): The most commonly used mechanism for transfers to non-adequate countries. The new SCCs adopted in June 2021 (Commission Implementing Decision 2021/914) must be used
  • Binding Corporate Rules (BCRs) (Article 47): For intra-group transfers within multinational companies. Requires approval from the lead supervisory authority
  • EU-US Data Privacy Framework (Article 45): Adopted in July 2023, covering transfers to certified US organisations

Following the Schrems II ruling (C-311/18), organisations using SCCs must conduct a Transfer Impact Assessment (TIA) to evaluate whether the recipient country's laws provide essentially equivalent protection to the GDPR.


Employee Data Subject Access Requests (DSARs)

The Right of Access (Article 15)

Employees have the right to obtain from their employer:

  • Confirmation of whether their personal data is being processed
  • A copy of their personal data
  • Information about the purposes, categories of data, recipients, retention periods, and the source of the data

Handling Employee DSARs

  • Response time: 1 calendar month (extendable by 2 months for complex requests)
  • Format: Data must be provided in a commonly used electronic format if requested electronically
  • Fee: Generally free; a reasonable fee may be charged only for manifestly unfounded or excessive requests
  • Exemptions: You may redact data about other identifiable individuals, material covered by legal professional privilege, and, in some jurisdictions, management planning information

Common Challenges in HR DSARs

Employee DSARs in the HR context can be complex because they may cover:

  • Emails discussing the employee between managers
  • Performance review notes and calibration discussions
  • Investigation files involving multiple employees
  • References provided to other employers

The key principle is that the employee is entitled to their own personal data, but you can redact information that would reveal personal data of other individuals.


Data Breach Notification

72-Hour Notification to the Supervisory Authority

Article 33 requires that a personal data breach be reported to the competent supervisory authority within 72 hours of the controller becoming aware of it, unless the breach is unlikely to result in a risk to individuals.

Common HR data breaches include:

  • Payslips or contracts sent to the wrong employee
  • Unencrypted laptop containing HR data lost or stolen
  • Ransomware attack on HR systems
  • Unauthorised access to employee records by a colleague
  • Misdirected emails containing sensitive employee information

Notification to Affected Employees

Article 34 requires that affected individuals be notified without undue delay if the breach is likely to result in a high risk to their rights and freedoms. This might include breaches involving health data, financial information, or identity documents.


Data Protection Officer (DPO) Requirements

When Is a DPO Mandatory?

Article 37 requires a DPO when:

  • The organisation is a public authority (except courts)
  • Core activities involve regular and systematic monitoring of individuals on a large scale
  • Core activities involve large-scale processing of special category data (e.g., a hospital's HR department processing health data)

Many national laws extend the DPO requirement. For example, Germany's Federal Data Protection Act (BDSG) requires a DPO whenever 20 or more employees are constantly engaged in automated data processing.

DPO Independence

The DPO must be able to perform their duties independently (Article 38). They cannot be dismissed or penalised for performing their tasks, must report to the highest management level, and cannot hold a position that creates a conflict of interest (e.g., they should not also be the HR Director or IT Director).


Fines and Enforcement

Two Tiers of Fines

  • Lower tier: EUR 10 million or 2% of global annual turnover, whichever is higher. Applies to violations of obligations on controllers/processors, certification bodies, and monitoring bodies.
  • Upper tier: EUR 20 million or 4% of global annual turnover, whichever is higher. Applies to violations of data processing principles, lawful basis, data subject rights, and cross-border transfers.

Notable HR-Related Enforcement Actions

  • H&M (Germany, 2020): EUR 35.3 million fine for extensive employee surveillance, including recording private details about employees' health, family situations, and religious beliefs
  • Clearview AI (France, Italy, Greece, 2022-2023): Multiple fines totalling over EUR 50 million for scraping biometric data, including from employees
  • IKEA France (2021): EUR 1.1 million fine for unlawfully surveilling employees through accessing police and tax records
  • Dedalus Biologie (France, 2022): EUR 1.5 million fine for insufficient security measures leading to a health data breach

How Grove HR Supports GDPR Compliance

Grove HR is designed with GDPR compliance built in:

  • Lawful basis documentation for each category of employee data processing
  • Automated retention policies that flag and archive data when retention periods expire
  • DSAR workflow enabling employees to submit access requests and HR to respond within the 1-month deadline
  • Audit trail recording every access, modification, and export of employee data
  • Role-based access control enforcing data minimisation and need-to-know principles
  • Data encryption at rest and in transit for all employee records
  • EU hosting on European infrastructure with no third-country transfers
  • Breach notification workflow to document incidents and track the 72-hour reporting deadline

Rachel leads growth and marketing at Grove HR, with over a decade of experience in UK HR technology. She writes practical guides to help small businesses navigate employment law and build better workplaces.

Frequently Asked Questions

What is the lawful basis for processing employee data under GDPR?

The most common lawful bases for HR data are performance of a contract (payroll, leave, benefits), legal obligation (tax reporting, health and safety records), and legitimate interest (performance management, internal investigations). Employee consent is rarely appropriate due to the power imbalance in employment.

How long can employers retain employee data under GDPR?

The GDPR does not set specific periods but requires data to be kept no longer than necessary. Typical retention: payroll records 6-10 years (tax requirements), employment contracts 6-10 years after termination, unsuccessful recruitment records 6-12 months, and health and safety records 3-40 years depending on hazard type.

What happens if an employee submits a DSAR to their employer?

The employer must respond within 1 calendar month with a copy of the employee's personal data, information about processing purposes, recipients, and retention periods. Data about other identifiable individuals can be redacted. The response is free unless the request is manifestly unfounded or excessive.

When must an employer report a data breach under GDPR?

Personal data breaches must be reported to the supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals. If the breach creates a high risk, affected employees must also be notified without undue delay.

What are the maximum GDPR fines for HR data violations?

Upper-tier fines can reach EUR 20 million or 4% of global annual turnover, whichever is higher. These apply to violations of core principles, lawful basis requirements, and data subject rights. H&M was fined EUR 35.3 million in 2020 for extensive employee surveillance.
