DEV Community

Custodia-Admin

Posted on • Originally published at app.custodia-privacy.com

GDPR and HR: How to Handle Employee and Candidate Data Legally

HR teams sit at the intersection of some of the most sensitive personal data an organisation ever handles. Job applications, background checks, salary information, performance reviews, disciplinary records, health and sickness data — all of it falls squarely within the scope of GDPR. And that includes data about people who never actually joined your organisation.

For many HR professionals, GDPR feels like a legal compliance burden layered on top of an already complex job. This guide strips it back to what you actually need to know: the lawful bases that apply to HR processing, what you can collect and when, retention timelines, monitoring limits, employee rights, and a practical checklist to take back to your team.


Why HR Data Is Different

Most GDPR guidance is written for marketing and website compliance — consent banners, cookie policies, email lists. HR compliance is a different beast.

Employees are in a position of dependency on their employer. They need their job. That dependency fundamentally undermines the idea of freely given consent, which is why the data protection authorities across Europe have consistently said that consent is rarely a valid lawful basis for processing employee data. If an employee feels they must agree to something to keep their job — or to get an offer in the first place — that consent isn't genuinely free.

The practical consequence: HR teams need to lean on other lawful bases, primarily contract, legal obligation, and legitimate interest. Understanding which applies to each processing activity is the foundation of HR compliance.


Lawful Bases for HR Data Processing

GDPR requires a lawful basis for every processing activity. Here are the ones most relevant to HR — and when each applies.

Contract (Article 6(1)(b))

Processing is lawful when it is necessary for the performance of a contract to which the data subject is party, or to take steps at their request prior to entering a contract.

For HR purposes, this covers:

  • Processing payroll
  • Managing leave and absence records
  • Providing employee benefits
  • Pre-employment checks directly necessary to assess whether someone can fulfil a role
  • Conducting performance management where this is built into the employment contract

Key limitation: The processing must be necessary for the contract. You cannot use contract as a basis for processing that is merely convenient or related to the employment relationship — it needs to be directly required by the contract's performance.

Legal Obligation (Article 6(1)(c))

Processing is lawful when it is necessary to comply with a legal obligation to which the controller is subject.

This covers a significant portion of employment-related processing:

  • PAYE and National Insurance records
  • Right-to-work checks
  • Statutory sick pay records
  • Health and safety records (including accident books)
  • Disclosure requirements to HMRC
  • Pension auto-enrolment records
  • Reporting under equality legislation

For legal obligation processing, you don't need consent and you cannot offer an opt-out. The law requires it; GDPR permits it.

Legitimate Interests (Article 6(1)(f))

Legitimate interests can be used where the processing is necessary for a legitimate interest pursued by the controller or a third party, and that interest is not overridden by the fundamental rights and interests of the data subject.

For employees, the balancing test is harder to satisfy than it is for, say, website visitors, precisely because of the dependency relationship. Document a Legitimate Interests Assessment (LIA) for every HR processing activity that relies on this basis: under the accountability principle you need to be able to show that the balancing test was actually carried out, not just asserted.

Common legitimate interest use cases in HR:

  • Fraud prevention and internal investigations
  • Network and IT security monitoring (with appropriate limits)
  • Business continuity planning
  • Reference checking
  • Internal communications and directory listings

Why Consent Is Rarely Appropriate for Employees

Consent must be freely given, specific, informed, and unambiguous. In an employment context, the power imbalance between employer and employee means that consent given by an employee is unlikely to be freely given (Recital 43 GDPR and the EDPB's Guidelines 05/2020 on consent both make this point): workers fear that declining will affect their prospects or their job security.

The UK ICO and the EDPB have both issued guidance making this position clear. If you are currently relying on employee consent for routine HR processing activities, you need to revisit your lawful basis.

There are narrow circumstances where consent can be appropriate — for optional benefits schemes, voluntary wellbeing programmes, or employee surveys where participation is genuinely optional and non-participation carries no consequence. But these are exceptions, not the default.


What You Can Collect at Each Hiring Stage

Pre-Application and Job Advertising

You can collect data from job boards and direct applications. You should only collect what is relevant to assessing candidates for the role. At this stage:

  • Name, contact details, CV/resume — fine
  • Work history and education — fine
  • References — fine (with appropriate notice)
  • Date of birth, gender, disability status — only if required by law or for anonymous diversity monitoring (which should be separated from the selection process)
  • Health information — generally not at this stage

Application and Shortlisting

During the shortlisting process, you process application materials to assess suitability. This is covered by the pre-contract limb of Article 6(1)(b).

What you should not be doing:

  • Researching candidates on social media beyond professional profiles relevant to the role
  • Collecting information about protected characteristics (age, race, religion, disability, pregnancy, sexual orientation, gender reassignment) during the selection process
  • Storing data on rejected candidates beyond a defined retention period

Tell candidates what you will do with their data. Your job advertisements and application portals should include a candidate privacy notice covering what you collect, why, how long you keep it, and candidates' rights.

Interviews and Assessment

Interview notes are personal data. Structured interview records, assessment scores, and panel evaluations are all subject to GDPR. Candidates have a right to access these notes if they make a subject access request — something many HR teams don't realise.

Practical implication: interview notes should be professional, relevant, and focused on the candidate's suitability for the role. Personal observations unrelated to job performance should not be recorded.

Pre-Employment Checks

References, qualification verification, and background checks all involve processing personal data. Some checks involve special category or criminal records data (see below).

For standard references: notify candidates that you will take references, and from whom. Most employment contracts make offers conditional on satisfactory references — this is covered by the pre-contract basis.


How Long to Keep CV and Application Data

Retention is one of the most frequently non-compliant areas in HR. Many organisations keep rejected candidate data indefinitely "in case a suitable role comes up." GDPR's storage limitation principle prohibits this.

Recommended retention periods:

  • Unsuccessful candidates: 6 months from the end of the recruitment process. This gives enough time to respond to any employment tribunal claim (the UK limit is 3 months less one day for most claims, extended by ACAS early conciliation) while respecting storage limitation.
  • Successful candidates: Data is absorbed into the employee file and retained in line with your employment data retention policy.
  • If a candidate consents to being kept on a talent pool: 12 months maximum, with an opt-out mechanism and re-consent after that period.

Document your retention decisions in your Records of Processing Activities (RoPA). If a candidate asks you to delete their data before the retention period ends, weigh the erasure request against your need to retain records for potential litigation: Article 17(3)(e) allows you to keep data that is necessary for the establishment, exercise or defence of legal claims, but you should be able to point to a real or reasonably anticipated claim rather than a general wish to keep everything.
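Retention periods only work if something enforces them. The following is an added example, not code from the original post or from Custodia: a small Python retention job that applies the windows recommended above (6 months for unsuccessful candidates, 12 months from the latest consent for a talent pool, with a re-consent prompt before expiry) and treats a legal hold as overriding deletion. The record fields, the 30-day re-consent notice and the sample candidates are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Retention windows from the recommendations above (a policy choice, not a statutory period).
UNSUCCESSFUL_RETENTION = timedelta(days=183)   # roughly 6 months after the process ends
TALENT_POOL_RETENTION = timedelta(days=365)    # 12 months from the most recent consent
RECONSENT_NOTICE = timedelta(days=30)          # assumed: prompt re-consent this long before expiry

@dataclass
class CandidateRecord:
    candidate_id: str
    outcome: str                                # "unsuccessful", "withdrawn" or "hired"
    process_ended: date
    talent_pool_consent: Optional[date] = None  # date of the latest (re-)consent, if any
    legal_hold: bool = False                    # e.g. a tribunal claim has been lodged

def retention_decision(rec: CandidateRecord, today: date) -> str:
    """Classify one record as 'hold', 'transfer', 'keep', 'reconsent' or 'delete'."""
    if rec.legal_hold:
        # Records needed to defend a claim are kept regardless of the normal window.
        return "hold"
    if rec.outcome == "hired":
        # Recruitment data moves into the employee file and follows that policy instead.
        return "transfer"
    if rec.talent_pool_consent is not None:
        age = today - rec.talent_pool_consent
        if age >= TALENT_POOL_RETENTION:
            return "delete"        # consent lapsed and was not renewed
        if age >= TALENT_POOL_RETENTION - RECONSENT_NOTICE:
            return "reconsent"     # still inside the window: ask, do not assume
        return "keep"
    if today - rec.process_ended >= UNSUCCESSFUL_RETENTION:
        return "delete"
    return "keep"

def erasure_response(rec: CandidateRecord) -> str:
    """Answer an early erasure request. Article 17(3)(e) lets a controller keep data
    needed for the establishment, exercise or defence of legal claims."""
    if rec.legal_hold:
        return "refused: retained for the defence of legal claims (Art. 17(3)(e))"
    return "erased"

def run_retention_job(records: List[CandidateRecord], today: date) -> Tuple[Dict[str, str], List[str]]:
    """Apply the policy to every record and return (actions, audit_lines).
    Only identifiers and decisions go into the audit log, never the candidate data itself."""
    actions: Dict[str, str] = {}
    audit: List[str] = []
    for rec in records:
        action = retention_decision(rec, today)
        actions[rec.candidate_id] = action
        audit.append(f"{today.isoformat()} candidate={rec.candidate_id} action={action}")
    return actions, audit

# Constructed sample data for the example (invented identifiers, not real candidates).
AS_OF = date(2026, 3, 27)
SAMPLE_RECORDS = [
    CandidateRecord("c-001", "unsuccessful", date(2025, 8, 1)),                   # well past 6 months
    CandidateRecord("c-002", "unsuccessful", date(2026, 1, 15)),                  # recent rejection
    CandidateRecord("c-003", "unsuccessful", date(2025, 6, 1), legal_hold=True),  # claim lodged
    CandidateRecord("c-004", "hired", date(2026, 2, 1)),
    CandidateRecord("c-005", "unsuccessful", date(2025, 3, 1), talent_pool_consent=date(2025, 3, 15)),  # consent lapsed
    CandidateRecord("c-006", "unsuccessful", date(2025, 3, 1), talent_pool_consent=date(2025, 4, 10)),  # expiring soon
    CandidateRecord("c-007", "withdrawn", date(2026, 2, 20), talent_pool_consent=date(2026, 2, 20)),    # fresh consent
]

if __name__ == "__main__":
    decisions, log = run_retention_job(SAMPLE_RECORDS, AS_OF)
    for line in log:
        print(line)
```

The job deliberately returns "reconsent" rather than silently extending the window: the talent pool rests on consent, so a lapse without a renewed opt-in has to end in deletion. The audit line carries the candidate identifier and the decision only, so the log itself does not become another copy of the data you are trying to minimise.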


Background Checks and Criminal Records Data

Criminal offence data is not special category data under Article 9, but Article 10 GDPR gives it a separate and similarly strict regime: you may only process it under the control of official authority or where domestic law authorises it with appropriate safeguards. In the UK, section 10 of and Schedule 1 to the DPA 2018 provide those conditions, many of which also require an appropriate policy document (Schedule 1, Part 4).

Key rules:

  • In the UK, standard and enhanced DBS checks can only be carried out for roles listed in the Rehabilitation of Offenders Act 1974 (Exceptions) Order 1975. Not every job qualifies; for an ineligible role a basic check is the most you can ask for.
  • Only request the level of check appropriate to the role. An enhanced check for a role that only requires a basic check is disproportionate.
  • Do not retain copies of DBS certificates longer than necessary — typically no more than 6 months after the recruitment decision, unless a specific ongoing need can be justified.
  • Implement a policy on the relevance of criminal convictions to the role. A blanket "no criminal record" policy is likely to breach both GDPR (disproportionate) and equality law.

For credit checks and financial background checks: these require a separate lawful basis (typically legitimate interest, with an LIA) and must be proportionate to the role. Running credit checks on candidates for non-financial roles is hard to justify.


Employee Monitoring: Email, Internet, and CCTV

Workplace monitoring is a high-risk area. GDPR requires that monitoring be lawful, transparent, and proportionate. The Article 29 Working Party (the EDPB's predecessor) adopted Opinion 2/2017 on data processing at work, which remains the reference text in the EU, and the UK ICO published dedicated guidance on monitoring workers in 2023.

What You Must Do Before Monitoring

  1. Tell employees what is being monitored, why, what data is collected, and how long it is kept. Covert monitoring is only permissible in very limited circumstances (typically a specific, documented investigation of suspected criminal activity or serious misconduct), and even then, only for the minimum period necessary.

  2. Conduct a Data Protection Impact Assessment (DPIA) under Article 35. The ICO and most EU supervisory authorities list systematic employee monitoring as processing likely to result in high risk, so a DPIA is required, not optional.

  3. Identify your lawful basis. For most monitoring, legitimate interest is the applicable basis — and you need a documented LIA showing the monitoring is proportionate.

Email and Internet Monitoring

You can monitor business email accounts and internet use on company systems, but:

  • You cannot monitor the content of personal communications on personal email accounts, even if accessed via company equipment
  • You should have a clear acceptable use policy
  • Monitoring should focus on metadata (time, recipient, volume) rather than content where possible
  • Content monitoring should only occur in specific, documented, proportionate circumstances
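What "focus on metadata rather than content" looks like in code. The following is an added example and not code from the original post or from Custodia: a Python routine that parses raw messages with the standard library, keeps only sender, recipients, timestamp, body size and attachment count, discards the Subject and body, and then flags senders whose external-recipient volume crosses a threshold. The employer domain (example.com), the threshold of 3 and the three sample messages are constructed for the example.

```python
import email
from email import policy
from collections import Counter
from typing import Dict, List

INTERNAL_DOMAIN = "example.com"   # assumed employer domain, chosen for this example

def extract_metadata(raw_message: str) -> Dict:
    """Return only routing and volume fields. The Subject and body are parsed so that
    size and attachment count can be measured, then dropped: nothing returned here
    reveals what was said."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = msg["From"].addresses[0].addr_spec.lower() if msg["From"] else ""
    recipients: List[str] = []
    for header in ("To", "Cc", "Bcc"):
        if msg[header]:
            recipients.extend(a.addr_spec.lower() for a in msg[header].addresses)
    body = msg.get_body(preferencelist=("plain", "html"))
    body_bytes = len(body.get_content().encode("utf-8")) if body is not None else 0
    return {
        "from": sender,
        "recipients": recipients,
        "date": str(msg["Date"]) if msg["Date"] else "",
        "body_bytes": body_bytes,
        "attachments": sum(1 for _ in msg.iter_attachments()),
    }

def is_external(address: str) -> bool:
    return not address.endswith("@" + INTERNAL_DOMAIN)

def external_recipient_counts(metadata: List[Dict]) -> Counter:
    """Per sender, how many external recipients were addressed across the batch."""
    counts: Counter = Counter()
    for m in metadata:
        counts[m["from"]] += sum(1 for r in m["recipients"] if is_external(r))
    return counts

def flag_senders(metadata: List[Dict], threshold: int = 3) -> List[str]:
    """Senders whose external-recipient count reaches the threshold. A hit is a prompt
    for a documented, proportionate follow-up under the monitoring policy, not a verdict."""
    return sorted(s for s, n in external_recipient_counts(metadata).items() if n >= threshold)

# Constructed sample messages for the example; addresses and text are invented.
SAMPLE_MESSAGES = [
    "From: Alice <alice@example.com>\nTo: buyer@partner.org, cc2@partner.org\n"
    "Date: Mon, 02 Mar 2026 09:15:00 +0000\nSubject: Q1 pricing\n"
    "Content-Type: text/plain; charset=utf-8\n\nPricing sheet attached as discussed.\n",
    "From: Alice <alice@example.com>\nTo: someone@rival.net\n"
    "Date: Mon, 02 Mar 2026 17:40:00 +0000\nSubject: personal\n"
    "Content-Type: text/plain; charset=utf-8\n\nCan we talk tomorrow?\n",
    "From: Bob <bob@example.com>\nTo: carol@example.com\nCc: dave@example.com\n"
    "Date: Mon, 02 Mar 2026 10:05:00 +0000\nSubject: standup notes\n"
    "Content-Type: text/plain; charset=utf-8\n\nNotes from this morning.\n",
]
SAMPLE_METADATA = [extract_metadata(m) for m in SAMPLE_MESSAGES]

if __name__ == "__main__":
    for m in SAMPLE_METADATA:
        print(m)
    print("flagged:", flag_senders(SAMPLE_METADATA))
```

The point of the design is that the stored record cannot be turned into content monitoring later: once the body and Subject are gone, a supervisor reading the log learns who mailed whom, when and how much, which is what a volume-based control needs and nothing more. Content review, where justified, is a separate, documented step against the mailbox itself.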

CCTV

CCTV in the workplace is subject to GDPR. Requirements:

  • Signage informing people that CCTV is in operation
  • A documented purpose (security, safety) — not general surveillance of work performance
  • Retention limited to what is necessary — typically 30 days for routine footage
  • A DPIA for extensive surveillance systems

Monitoring employees' output, performance, or keystrokes is higher-risk still. Location tracking of remote workers, screen monitoring software, and productivity scoring tools all require robust justification and transparent disclosure.


Health and Sickness Data

Health data is special category data under Article 9 GDPR. Processing it requires an Article 9(2) condition in addition to your Article 6 lawful basis.

In employment contexts, the relevant conditions are typically:

  • Employment law obligations (Article 9(2)(b), given effect in the UK by Schedule 1, Part 1, paragraph 1 of the DPA 2018), covering processing necessary for employment, social security and social protection purposes, including statutory sick pay and reasonable adjustments. In the UK this condition also requires an appropriate policy document setting out your safeguards and retention.
  • Occupational medicine (Article 9(2)(h)), for assessing an employee's working capacity, where the data is handled by or under the responsibility of someone bound by professional secrecy
  • Vital interests (Article 9(2)(c)), in a genuine emergency where the person is physically or legally incapable of giving consent

What this means in practice:

  • Sickness absence records: lawful under employment law obligations, subject to appropriate access controls
  • Occupational health referrals: lawful, but employees should not be penalised for engaging with occupational health and the employer should only receive conclusions and recommendations, not full medical reports, unless the employee consents
  • Return-to-work interviews: lawful; retain records proportionately
  • Disability-related information for reasonable adjustments: lawful and necessary; handle with strict access controls and on a need-to-know basis only
  • General wellness information (fitness data, diet preferences for lunch orders): treat with caution; voluntary participation, clear separation from HR records

Access controls for health data are essential. Health data should not be accessible to line managers, payroll, or general HR staff beyond those with a legitimate need. Document who can access what and why.
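A concrete shape for "document who can access what and why". The following is an added example and not code from the original post or from Custodia: a deny-by-default, role-to-category policy for an HR record store in Python, with a separate rule that health categories cannot be read without a stated purpose, self-access for the data subject, and an audit trail of every decision that can be filtered for periodic review. The role names, record categories, identifiers and the policy matrix itself are assumptions made for the example; your own matrix comes out of the data mapping exercise.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List

# Record categories assumed for this example:
#   contact          name, work email, emergency contact
#   absence_dates    dates of absence only, no reason
#   sickness_reason  self-certified or fit-note reason for absence
#   oh_report        occupational health conclusions and recommendations
#   adjustments      reasonable adjustments to implement (what, not why)
#   payroll          salary, bank details, statutory pay calculations
HEALTH_CATEGORIES: FrozenSet[str] = frozenset({"sickness_reason", "oh_report", "adjustments"})

# Deny-by-default policy: a role sees only what its function needs.
# Line managers get dates and the adjustments to implement, never the diagnosis.
# Payroll gets absence dates for statutory sick pay, never the reason.
POLICY: Dict[str, FrozenSet[str]] = {
    "line_manager":        frozenset({"contact", "absence_dates", "adjustments"}),
    "payroll":             frozenset({"contact", "payroll", "absence_dates"}),
    "hr_generalist":       frozenset({"contact", "absence_dates"}),
    "hr_casework":         frozenset({"contact", "absence_dates", "sickness_reason",
                                      "oh_report", "adjustments"}),
    "occupational_health": frozenset({"contact", "sickness_reason", "oh_report", "adjustments"}),
}

@dataclass
class AccessLog:
    entries: List[dict] = field(default_factory=list)

    def record(self, **fields) -> None:
        self.entries.append({"at": datetime.now(timezone.utc).isoformat(), **fields})

def authorize(actor_id: str, role: str, subject_id: str, category: str,
              purpose: str, log: AccessLog) -> bool:
    """Decide whether actor_id, acting in role, may read category of subject_id's record.
    Every decision, allowed or denied, is logged with the stated purpose."""
    if actor_id == subject_id:
        allowed = True            # a person may always see their own record (right of access)
    else:
        allowed = category in POLICY.get(role, frozenset())   # unknown role -> nothing
    if allowed and category in HEALTH_CATEGORIES and not purpose.strip():
        allowed = False           # health data reads must carry a documented reason
    log.record(actor=actor_id, role=role, subject=subject_id,
               category=category, purpose=purpose, allowed=allowed)
    return allowed

def health_access_report(log: AccessLog) -> List[dict]:
    """Entries touching health categories, for the periodic review the policy should require."""
    return [e for e in log.entries if e["category"] in HEALTH_CATEGORIES]

def sample_decisions() -> dict:
    """Run representative requests (constructed identifiers) and return decisions plus the log."""
    log = AccessLog()
    results = {
        "manager_reads_reason":  authorize("m-17", "line_manager", "e-204", "sickness_reason", "absence review", log),
        "manager_reads_dates":   authorize("m-17", "line_manager", "e-204", "absence_dates", "absence review", log),
        "casework_reads_oh":     authorize("h-02", "hr_casework", "e-204", "oh_report", "capability case HR-2026-031", log),
        "casework_no_purpose":   authorize("h-02", "hr_casework", "e-204", "oh_report", "", log),
        "payroll_reads_reason":  authorize("p-09", "payroll", "e-204", "sickness_reason", "SSP calculation", log),
        "self_reads_oh":         authorize("e-204", "employee", "e-204", "oh_report", "subject access", log),
        "unknown_role":          authorize("x-01", "contractor", "e-204", "contact", "", log),
    }
    return {"results": results, "log": log}

if __name__ == "__main__":
    out = sample_decisions()
    for name, allowed in out["results"].items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
    print(f"{len(health_access_report(out['log']))} health-data access attempts logged")
```

Two things are worth copying even if the matrix is different. The health rule requires a purpose before an otherwise-authorised role can read, which is what turns "legitimate need" from a job title into something a reviewer can check. And denials are logged as well as grants: a line manager repeatedly trying to read a diagnosis is exactly the pattern the review should surface.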


The Right of Access for Employees

Employees have the same rights as any data subject under GDPR, including the right to make a Subject Access Request (SAR). They can request a copy of all personal data the organisation holds about them.

This is one of the most contentious areas of HR data compliance. Employees who are in a dispute with their employer — or who suspect something is happening — frequently submit SARs. Employers often underestimate what they hold.

What You Must Provide

In response to an employee SAR, you must provide:

  • Personnel files
  • Emails containing the employee's personal data (including emails about the employee sent between managers)
  • Performance review records
  • Disciplinary and grievance records
  • Sickness records
  • Interview and assessment notes (including notes made at panel interviews)
  • CCTV footage in which the employee appears
  • Any other processing activity in which the employee is a data subject

Exemptions and Redactions

You can redact third-party data where disclosure would infringe the rights of another individual, for example information that identifies another employee whose data is intertwined with the subject's. References are a special case: in the UK, Schedule 2, paragraph 24 of the DPA 2018 exempts confidential references from the right of access, whether your organisation gave or received them. The GDPR itself has no equivalent general exemption, so elsewhere in the EU a reference is the candidate's personal data and the question under Article 15(4) is whether disclosing it would adversely affect the referee's rights, which usually means disclosing the substance while protecting the referee's identity.

You can withhold data subject to legal professional privilege (an express exemption in the UK DPA 2018).

You cannot withhold data simply because disclosure would be inconvenient, would reveal unflattering opinions, or might assist the employee in litigation.

Timelines and Practical Implications

The deadline is one month from receipt. You can extend it by a further two months where a request is complex or you have received several from the same person, but you must tell the requester within the first month that you are doing so. You cannot charge a fee unless the request is manifestly unfounded or excessive, and the fact that an employee is in a dispute with you does not on its own make it either.

Practical consequence: HR teams should maintain clean, professional, factual records — because everything written down may eventually be disclosed. Casual, informal observations in emails or messaging apps ("she seems disengaged," "I'm not sure he's management material") are disclosable personal data.


Automated Decision-Making in Recruitment

Many organisations use Applicant Tracking Systems (ATS) that automatically screen, score, or rank candidates. GDPR Article 22 gives data subjects the right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significantly affects them, and Recital 71 names e-recruiting without human intervention as an example of exactly that.

Automated rejection of candidates based on CV screening, keyword matching, or AI scoring tools likely engages Article 22 if no human meaningfully reviews the decision.

What you should do:

  • Ensure a human reviews the automated output before a decision is communicated to the candidate
  • Tell candidates if automated tools are used in your recruitment process (this should be in your candidate privacy notice)
  • Provide a way for candidates to challenge an automated decision or request human review
  • If you use AI screening tools, conduct a DPIA and assess for algorithmic bias, which may also engage equality law obligations

The EU AI Act now overlaps with GDPR in this space: AI systems used for recruitment and selection (including targeting job adverts, filtering applications and evaluating candidates) are listed as high-risk in Annex III, which brings provider and deployer obligations on top of Article 22. For organisations operating in the EU, this is an area of active regulatory development.


International Transfers of Employee Data

For multinational organisations, employee data regularly crosses borders: HR systems hosted in the US, payroll providers in another country, shared services centres, global directories.

GDPR restricts transfers of personal data to countries outside the UK/EEA unless an appropriate transfer mechanism is in place.

The main mechanisms for HR data transfers:

  • Adequacy decisions: The destination country or framework has been deemed adequate by the EU or the UK. For US-based HR systems the relevant ones are the EU-US Data Privacy Framework and its UK Extension (the UK-US data bridge). Both cover only organisations that are self-certified to the framework, and a US provider must have opted in to HR data coverage for employee data to be included, so check the certification entry, not just the vendor's marketing.
  • Standard Contractual Clauses (SCCs): The European Commission's 2021 SCCs (or, for UK transfers, the International Data Transfer Agreement or the UK Addendum to the EU SCCs) can be used, together with a Transfer Impact Assessment (TIA).
  • Binding Corporate Rules (BCRs): For multinationals with regular intra-group transfers, BCRs provide a comprehensive framework but require supervisory authority approval.

Intra-group transfers are not exempt. The fact that data is being transferred within the same corporate group does not remove the need for a transfer mechanism. Many multinationals use intra-group data sharing agreements underpinned by SCCs or BCRs.

Common HR scenarios requiring transfer mechanisms:

  • US-headquartered HR platforms (Workday, SAP SuccessFactors, BambooHR) accessed from EU/UK offices
  • Global payroll processors
  • Background check providers operating internationally
  • Shared service centres outside the UK/EEA

HR GDPR Compliance Checklist

Use this checklist to assess and improve your HR data compliance posture.

Lawful Bases and Documentation

  • [ ] Identify the lawful basis for each HR processing activity (recruitment, employment, monitoring, health data)
  • [ ] Remove consent as a basis for routine employment processing
  • [ ] Complete Legitimate Interest Assessments (LIAs) for processing relying on legitimate interests
  • [ ] Document all processing activities in your Records of Processing Activities (RoPA)

Candidate Data

  • [ ] Publish a candidate privacy notice on all job adverts and application portals
  • [ ] Set and enforce retention periods for unsuccessful candidate data (recommended: 6 months)
  • [ ] Remove application data from talent pools after 12 months unless re-consent obtained
  • [ ] Ensure interview notes are professional, factual, and role-relevant
  • [ ] Review automated screening tools for Article 22 compliance

Employee Data

  • [ ] Maintain an accurate, up-to-date employee privacy notice
  • [ ] Apply access controls to HR records — restrict to those with a genuine need
  • [ ] Apply additional controls to special category data (health and disability) and to criminal offence data; treat disciplinary and grievance records as highly sensitive too, even though they are not special category data
  • [ ] Train HR staff on data handling and subject access request obligations

Monitoring

  • [ ] Disclose all monitoring activities to employees in advance
  • [ ] Conduct a DPIA for any significant monitoring programme
  • [ ] Document the lawful basis and LIA for monitoring activities
  • [ ] Set and enforce retention periods for monitoring data (CCTV: typically 30 days)

Criminal Records and Background Checks

  • [ ] Verify that roles are eligible for the level of DBS check requested
  • [ ] Implement a policy on the relevance of criminal convictions
  • [ ] Delete DBS certificate copies within 6 months of the recruitment decision

Subject Access Requests

  • [ ] Establish a process for receiving and tracking employee SARs
  • [ ] Ensure you can meet the one-month response deadline
  • [ ] Train HR and legal teams on what must be disclosed and what can be withheld
  • [ ] Conduct a data mapping exercise to know where employee data is held

International Transfers

  • [ ] Identify all HR systems and processors that involve international data transfers
  • [ ] Verify that appropriate transfer mechanisms are in place (adequacy, SCCs, BCRs)
  • [ ] Conduct Transfer Impact Assessments where required
  • [ ] Review intra-group data sharing arrangements

Where to Start

If your HR function hasn't systematically reviewed its GDPR compliance, the place to start is a data mapping exercise. Understand what personal data your HR team holds, where it came from, what it is used for, how long it is kept, and who has access to it.

From that map, you can assess your lawful bases, identify gaps, and prioritise remediation.

Many of the systemic risks — uncontrolled retention, inappropriate access, monitoring without disclosure — are visible once you map the data. The hard part is usually the organisational change needed to fix them, not the legal analysis.

For your website's privacy compliance — cookie consent, privacy policies, tracker auditing — Custodia can scan your site and generate a compliant privacy policy in minutes. HR compliance starts with understanding what data you collect and process everywhere, including your digital properties.


Last updated: March 27, 2026. This post provides general information about GDPR compliance for HR purposes. It does not constitute legal advice. Requirements vary based on jurisdiction, sector, and specific business circumstances — consult a qualified employment and data protection lawyer for advice specific to your situation.
