
Custodia-Admin

Originally published at app.custodia-privacy.com

GDPR and Employee Data: What Employers Must Do to Stay Compliant


Your employees are data subjects too. The moment you collect a CV, run a background check, or install time-tracking software, GDPR applies — and most employers are underestimating exactly how much GDPR employee data regulation covers.

This guide covers every category of employee data you are likely to collect, the lawful basis for processing it, the rules on special categories, monitoring, retention, and what happens when things go wrong.


What Employee Data Employers Typically Collect

GDPR employee data obligations begin before the employment relationship even starts. Across the typical employee lifecycle, employers collect:

Recruitment data: CVs, cover letters, interview notes, psychometric test results, background check results, references, salary expectations.

Employment contracts and onboarding: Name, address, national insurance or social security numbers, bank details, tax codes, emergency contacts, proof of right to work.

Payroll and benefits: Salary, bonus structures, pension contributions, sick pay records, expense claims, company benefits elections.

Performance management: Appraisal notes, performance improvement plans, disciplinary records, meeting notes, peer feedback.

Health and medical information: Sick leave records, fit notes from GPs, occupational health assessments, disability disclosures, medical reports where relevant to role adjustments.

Communications: Emails sent and received on company systems, instant message logs, phone call records, video meeting recordings.

Location and access data: Building entry and exit logs, vehicle tracking for company cars or fleet vehicles, remote work location data, VPN and system access logs.

Training and qualifications: Certificates, CPD records, mandatory compliance training completion.

Each of these represents GDPR employee data that requires a lawful basis, a defined retention period, and disclosure in an employee privacy notice.


Legal Basis for Processing GDPR Employee Data

Unlike customer data — where consent is often the most practical basis — GDPR employee data processing typically rests on three legal grounds.

Contract (Article 6(1)(b))

Processing necessary for the performance of a contract is the most commonly used basis for core HR processing. Payroll, employment contracts, benefits administration, and most standard HR data all fall under this basis. If the employer cannot perform the employment contract without processing the data, this basis applies.

Legal Obligation (Article 6(1)(c))

Many employment data obligations are required by law. Payroll records must be kept for HMRC or equivalent tax authorities. Right-to-work checks are legally mandated. Certain health and safety records must be retained. Where a legal obligation requires the processing, employers do not need to ask for consent.

Legitimate Interest (Article 6(1)(f))

Security monitoring, fraud prevention, and some business analytics may rely on legitimate interest. This requires a three-part balancing test: the interest must be legitimate, the processing must be necessary for that interest, and the employer's interest must not be overridden by the employee's rights and freedoms.

Why Consent Is Almost Never the Right Basis for GDPR Employee Data

Many employers default to asking employees to sign consent forms for HR data processing. This is a significant mistake. GDPR requires consent to be freely given — and employment relationships create a power imbalance that makes genuine freely given consent nearly impossible. An employee who fears dismissal or disadvantage if they refuse consent has not given free consent.

The ICO and other data protection authorities have been explicit: relying on employee consent for routine GDPR employee data processing is problematic. Use contract, legal obligation, or legitimate interest instead. Reserve consent only for genuinely optional processing — like using an employee's photo in marketing materials — where refusal has no employment consequence.


Special Category Data in Employment

Some GDPR employee data is subject to elevated protection as "special category data" under Article 9. In the employment context, this includes:

  • Health data: Sick leave records, disability disclosures, mental health information, occupational health reports
  • Trade union membership: Union affiliation or collective bargaining participation
  • Biometric data: Fingerprint access control systems, facial recognition
  • Racial or ethnic origin: Equal opportunities monitoring data
  • Religious or philosophical beliefs: Prayer room requests, religious holiday requirements
  • Sexual orientation: Disclosed or recorded for equality monitoring purposes

Processing special category GDPR employee data requires both a lawful basis under Article 6 AND a condition under Article 9. The most relevant Article 9 conditions for employers are:

  • Article 9(2)(b): Processing necessary for obligations and rights in the field of employment law — this covers most health, disability, and union membership data processed to comply with employment legislation
  • Article 9(2)(h): Processing for occupational medicine purposes — covers occupational health referrals and fit-for-work assessments
  • Explicit consent: Can be used where the above conditions do not apply, but carries the same limitations as consent generally in employment

Employers must document which condition applies for each type of special category processing.


Employment Monitoring: Email, CCTV, and Tracking

Workplace monitoring is one of the most contentious areas of GDPR employee data compliance. Article 88 of GDPR specifically allows member states to adopt more specific rules for employee data processing — which means national employment law significantly shapes what is permissible.

Email and communications monitoring: Employers may have legitimate interest in monitoring company email systems for security, compliance, and business continuity purposes. However, monitoring must be proportionate, targeted, and disclosed to employees in advance. Covert monitoring is generally impermissible except in exceptional circumstances (for example, investigating specific criminal activity with supervisory authority approval in some jurisdictions).

Internet and system access monitoring: Log files, access records, and website monitoring follow similar rules. Employees must be told monitoring occurs, what it covers, and why. Mass surveillance of browsing is harder to justify than targeted monitoring following a specific concern.

CCTV: Where CCTV is used in the workplace, GDPR employee data obligations apply to the footage. Cameras must be necessary and proportionate, disclosed through visible signage and privacy notices, and footage retained only for as long as necessary (typically 30 days unless an incident is under investigation).

Vehicle and location tracking: Company vehicle GPS tracking may be justified under legitimate interest for fleet management, scheduling, or theft prevention. But tracking must be proportionate — turning off tracking outside working hours is considered best practice where the vehicle is used personally.

Key principle: Whatever monitoring you operate, employees must be informed before it begins. Surprise monitoring after hiring is extremely difficult to justify under GDPR.


Data Retention for HR Records

Storage limitation under GDPR Article 5(1)(e) requires that GDPR employee data is not kept longer than necessary. But employment law creates competing obligations — some records must be kept for defined periods.

Typical UK and EU retention guidelines for employment records:

Record type: recommended retention

Payroll and tax records: 6 years after employment ends (UK: HMRC requirement)
Employment contracts: duration of employment + 6 years
Disciplinary records: typically 1-5 years depending on severity
Recruitment records (unsuccessful candidates): 6-12 months after the recruitment process
Health and safety records: up to 40 years for some industrial exposures
Sickness absence records: 3 years after employment ends
Training records: duration of employment + 6 years
CCTV footage: 30 days (unless incident-related)
Email monitoring logs: dependent on purpose, typically 3-12 months

Document your retention schedule as part of your Records of Processing Activities (RoPA). Set calendar reminders or automated deletion processes for each category. Retaining GDPR employee data beyond these periods without justification is a compliance failure.
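The "automated deletion processes" the paragraph calls for are easiest to get right when the retention schedule is data, not tribal knowledge. The script below is an added example written for this post, not Custodia's own code. It encodes the indicative figures from the table above as a schedule (the category names, the choice of 1 year for disciplinary records and 90 days for email logs within the stated ranges, and the sample records are all constructed assumptions), starts each clock from the trigger event the table implies, and refuses to delete anything under a legal hold such as an incident investigation or a tribunal claim. A category with no rule is reported rather than silently retained, because an undocumented category is itself the RoPA gap the audit step is meant to find.

```python
"""Retention schedule evaluator for HR records (added example, not Custodia's code)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years; 29 February falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass(frozen=True)
class Rule:
    trigger: str       # name of the event in Record.events that starts the clock
    years: int = 0
    days: int = 0


# Constructed schedule taken from the indicative figures in the table above.
# Where the article gives a range (disciplinary, email logs) the shortest
# value is used here; a record may carry its own override for a longer period.
SCHEDULE: Dict[str, Rule] = {
    "payroll": Rule("employment_end", years=6),
    "contract": Rule("employment_end", years=6),
    "disciplinary": Rule("created", years=1),
    "recruitment_unsuccessful": Rule("process_end", days=180),
    "sickness_absence": Rule("employment_end", years=3),
    "training": Rule("employment_end", years=6),
    "cctv": Rule("captured", days=30),
    "email_log": Rule("created", days=90),
}


@dataclass
class Record:
    record_id: str
    category: str
    events: Dict[str, Optional[date]]          # event name -> date (None = not yet)
    legal_hold: bool = False                    # incident under investigation, claim pending
    retention_override: Optional[Rule] = None   # e.g. 5 years for a serious disciplinary


def expiry_date(rec: Record) -> Optional[date]:
    """Date after which the record may be deleted, or None if the clock has not started."""
    rule = rec.retention_override or SCHEDULE.get(rec.category)
    if rule is None:
        raise KeyError(f"no retention rule for category {rec.category!r}")
    start = rec.events.get(rule.trigger)
    if start is None:
        return None   # still employed / process still running: retention period not yet triggered
    return add_years(start, rule.years) + timedelta(days=rule.days)


def deletion_decision(rec: Record, today: date) -> str:
    """One of: no_rule, retain_active, hold, retain, delete."""
    if rec.category not in SCHEDULE and rec.retention_override is None:
        return "no_rule"          # undocumented category: flag for the RoPA audit
    expiry = expiry_date(rec)
    if expiry is None:
        return "retain_active"
    if rec.legal_hold:
        return "hold"             # never auto-delete while an incident or claim is open
    return "delete" if today > expiry else "retain"


def due_for_deletion(records: Iterable[Record], today: date) -> List[str]:
    """IDs of records whose retention period has lapsed and that are not on hold."""
    return sorted(r.record_id for r in records if deletion_decision(r, today) == "delete")


# Constructed sample records; dates are illustrative only.
TODAY = date(2026, 3, 27)
SAMPLE_RECORDS = [
    Record("pay-1", "payroll", {"employment_end": date(2019, 6, 30)}),
    Record("pay-2", "payroll", {"employment_end": None}),                    # current employee
    Record("cctv-1", "cctv", {"captured": date(2026, 2, 1)}, legal_hold=True),  # incident under review
    Record("cctv-2", "cctv", {"captured": date(2026, 2, 1)}),
    Record("rec-1", "recruitment_unsuccessful", {"process_end": date(2025, 12, 1)}),
    Record("disc-1", "disciplinary", {"created": date(2022, 1, 10)},
           retention_override=Rule("created", years=5)),
    Record("misc-1", "slack_export", {"created": date(2020, 1, 1)}),        # no rule defined
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(f"{rec.record_id:8} {rec.category:26} {deletion_decision(rec, TODAY)}")
    print("due for deletion:", due_for_deletion(SAMPLE_RECORDS, TODAY))
```

The decision function deliberately separates "hold" from "retain": a retention report that only lists records as kept or deleted hides the fact that some records are being kept past schedule, which is exactly the justification the paragraph says you must be able to show.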


Employee Rights Under GDPR

Employees have the same individual rights as any other data subject. In practice, the employment context creates some important nuances.

Right of access (DSARs): Employees can request all personal data held about them. This includes HR files, performance notes, disciplinary records, emails where they are the subject, and monitoring logs. Employers have one month to respond. Employment DSAR requests can be complex and voluminous — having a clear process matters.

Right to rectification: Employees can request correction of inaccurate data. An employee who believes a performance review contains factually incorrect information can request it be corrected (though they cannot compel deletion of accurate information they simply disagree with).

Right to erasure: This right has significant limitations in employment. You cannot generally delete records that are required by law (payroll records, for example) or that are necessary to defend against potential employment tribunal claims. Deletion of active employment data while the employment relationship continues is rarely appropriate.

Right to object: Employees can object to processing based on legitimate interest — including some forms of monitoring. You must stop processing unless you can demonstrate compelling legitimate grounds that override the employee's interests.

Right to restrict processing: Where accuracy is disputed or an objection is lodged, employees can request that processing be restricted while the matter is resolved.

Document and respond to all employee data rights requests through your standard DSAR process. Having a dedicated HR privacy contact makes this significantly easier.


Data Breach Obligations When Employee Data Is Involved

GDPR employee data breaches follow the same 72-hour notification rule as any other breach. If a breach is likely to result in a risk to the rights and freedoms of employees, you must notify your supervisory authority within 72 hours of becoming aware.

Common employee data breaches include:

  • Payroll spreadsheets sent to wrong recipients
  • HR files shared without password protection
  • Employee personal data exposed in a system hack
  • Unauthorised access by managers to employee health records
  • Paper HR files lost or stolen

Where a breach is likely to result in high risk to employees — for example, the exposure of health data or salary information — you must also notify the affected employees directly without undue delay.

Maintain an internal breach register even for low-risk breaches that do not require supervisory authority notification.


Cross-Border Employee Data: Remote Workers in Different Jurisdictions

The rise of remote work has significantly complicated GDPR employee data compliance. Key considerations:

EU employees working remotely: If you are a UK employer with employees based in EU member states, you are transferring GDPR employee data to the UK, which requires either an adequacy decision (currently in place for UK-EU transfers post-Brexit) or appropriate safeguards.

US employees at EU companies: If a European employer engages US-based employees or contractors, transferring their data to the US requires one of the GDPR transfer mechanisms — Standard Contractual Clauses, Binding Corporate Rules, or the EU-US Data Privacy Framework adequacy decision.

HR platforms in multiple jurisdictions: Cloud HR systems that store data on servers in different countries create transfer obligations. Check where your HR system stores data and ensure the appropriate transfer mechanism is documented.

Nomadic workers: Employees who travel or temporarily relocate add complexity. Document your approach and update your RoPA if the location of data processing materially changes.


Privacy Notices for Employees: What to Give and When

Article 13 requires employers to provide employees with a privacy notice at the time their data is collected. A compliant employee privacy notice must include:

  • Identity and contact details of the employer (data controller)
  • Contact details of the Data Protection Officer (if you have one)
  • Purposes and legal basis for each category of GDPR employee data processing
  • Categories of special category data processed and the Article 9 condition
  • Recipients or categories of recipients (payroll providers, occupational health, pension providers)
  • Transfers to third countries and the safeguards in place
  • Retention periods for each data category
  • Details of employee rights and how to exercise them
  • Right to lodge a complaint with the supervisory authority

Timing matters. Give privacy notices:

  • To job applicants: At the point their CV or application is received
  • To new employees: At or before the start of employment (included in onboarding)
  • When processing changes: Any time you introduce new processing — monitoring software, biometric access, new benefits systems — employees must be informed before processing begins

Practical Checklist: 8 Things Employers Must Do

1. Audit your GDPR employee data. Map every category of employee data you collect, why you collect it, where it is stored, who has access, and how long you keep it. This becomes your employment data section of the RoPA.

2. Document your lawful basis. For each processing activity, confirm whether it rests on contract, legal obligation, or legitimate interest. Remove consent from routine HR processing.

3. Identify your special category data. List every category of special category data you process and document the Article 9 condition that applies.

4. Issue or update your employee privacy notice. Ensure it is compliant with Article 13, given to applicants and employees at the right time, and updated when processing changes.

5. Review your monitoring practices. Ensure any email, CCTV, or location monitoring is disclosed, proportionate, and documented in your RoPA and privacy notice.

6. Set and enforce retention periods. Create a retention schedule for all GDPR employee data categories and implement deletion processes.

7. Establish a DSAR process. Train your HR team to identify, log, and respond to employee access requests within one month.

8. Prepare your breach response. Ensure your HR team knows to escalate potential data breaches immediately so the 72-hour supervisory authority notification window can be met.


Manage Employee Data Compliance Across Your Organisation

GDPR employee data compliance is not a one-time project — it is an ongoing programme. Employment relationships generate data continuously, the workforce changes, and monitoring technology evolves.

Custodia helps organisations manage privacy compliance across their entire data footprint — from website trackers and cookie consent through to DSAR management and data mapping. If you are working through your HR data compliance obligations and want to get your broader privacy programme in order at the same time, start with a free scan of your website.

The employee privacy notice is one part of your compliance picture. Make sure the rest of it holds up too.


Last updated: March 27, 2026. This post provides general information about GDPR and employee data. It does not constitute legal advice. Employment and privacy law is complex and jurisdiction-specific — consult a qualified privacy or employment law professional for advice tailored to your organisation.
