
Custodia-Admin

Posted on • Originally published at app.custodia-privacy.com

GDPR and HR Software: What BambooHR, Workday, and HiBob Users Must Know

HR software sits at the heart of some of the most sensitive personal data an organisation holds. Salary history. Performance reviews. Disciplinary records. Medical absences. Bank account details. Nationality and visa status. In many cases, this data covers every single person who works for you — and it lives inside a SaaS platform you don't control.

Most HR teams know GDPR exists. Far fewer understand what it actually requires when your HR software is involved. There's a widespread assumption that because BambooHR or Workday or HiBob handles the platform, compliance is somehow handled too. It isn't. The vendor builds the tool; your organisation remains legally responsible for the data inside it.

This guide covers everything HR managers and IT/operations teams need to know: the controller/processor distinction, data processing agreements, data residency, the categories of data involved, integration risks, employee rights, deletion workflows, breach response, and a vendor evaluation checklist for procurement.


Your Organisation Is the Data Controller. Your HR Vendor Is a Processor.

This is the most important thing to understand. Under GDPR, your organisation — the employer — is the data controller. You decide what employee data to collect, why you collect it, and what you do with it. The HR software vendor is a data processor: they process data on your behalf, under your instructions.

The practical implication is significant. As the data controller, your organisation bears primary legal responsibility for GDPR compliance. The vendor's GDPR compliance for its own systems is the vendor's problem; the compliance of what you put into those systems is yours.

This means:

  • You need a lawful basis for every category of employee data you process
  • You are responsible for ensuring employees receive privacy notices about how their data is used
  • You must respond to employee subject access requests, even if the data sits in your HR platform
  • If your HR vendor has a breach, you have the notification obligations — not the vendor (though they must tell you promptly)

The vendor's role is to provide a technically secure, contractually bound platform for processing. Which brings us to DPAs.


Data Processing Agreements: What They Are and How to Get One

A Data Processing Agreement (DPA) is a legally binding contract between you (the controller) and your HR software vendor (the processor). GDPR Article 28 makes these mandatory — you cannot lawfully use a third-party processor without one.

The DPA must specify:

  • The subject matter, duration, nature, and purpose of processing
  • The type of personal data and categories of data subjects
  • The obligations and rights of the controller
  • That the processor only processes data on documented instructions from the controller
  • That anyone with access to the data is under confidentiality obligations
  • That appropriate technical and security measures are in place
  • Rules on engaging sub-processors (the vendors your HR vendor uses — payroll integrations, cloud hosting, support tools)
  • Assistance obligations for data subject rights and security incidents
  • Deletion or return of data at the end of the contract
  • Audit rights

How to get a DPA from major HR platforms:

BambooHR: BambooHR offers a Data Processing Addendum available on request. UK and EU customers should contact their account manager to execute it. BambooHR is a US company and relies on Standard Contractual Clauses (SCCs) for international transfers.

Workday: Workday publishes its GDPR commitments and provides DPAs through its trust portal. Enterprise customers negotiate DPAs as part of their master services agreement. Workday offers EU data residency options for customers requiring in-region hosting.

HiBob: HiBob provides a DPA to all customers and specifically markets GDPR compliance as a feature. They offer EU data residency. Execute the DPA before going live.

Personio: Personio is a German company (Munich-headquartered), which makes data residency simpler for EU customers. Their DPA is available in their legal documentation and covers their sub-processor list.

Rippling: Rippling is a US company. Execute their DPA addendum, available in their privacy documentation. Review sub-processors carefully — Rippling integrates with a large number of third-party services.

Charlie HR: UK-based, specifically built for GDPR compliance from the ground up. DPA available on request. Particularly suitable for UK small businesses post-Brexit.

If you're using HR software without an executed DPA, you're in breach of GDPR Article 28 regardless of anything else you're doing right.


Data Residency: EU vs. US Hosting

Where your HR data is physically stored matters for GDPR. The EU standard is that personal data shouldn't be transferred outside the European Economic Area (EEA) without adequate safeguards.

Most US-headquartered HR vendors offer data residency options:

  • Workday offers EU data centres
  • HiBob offers EU hosting
  • Rippling hosts US data by default; EU customers should request EU data residency
  • BambooHR is US-hosted; transfers are covered by SCCs

Even where a vendor offers EU data residency, check:

  1. Support staff access: Customer support engineers in the US can access your data for troubleshooting even if it's hosted in the EU. This is a data transfer — it needs to be covered in the DPA or sub-processor list.

  2. Sub-processors: Your HR vendor will use sub-processors — Stripe for payments, AWS or GCP for hosting, Zendesk for support. Each sub-processor is a data transfer risk. You're entitled to a list and the right to object to new sub-processors.

  3. Backup locations: Backups may replicate to different regions. Confirm in writing where backup data lives.


What Employee Data Categories Live in HR Systems

Employee data in HR systems is, almost uniformly, sensitive. Some of it is special category data under GDPR Article 9 — the highest-protection tier.

Standard employee data (Article 6 processing):

  • Full name, home address, date of birth
  • Employment history, job title, department
  • Salary, bonus, equity, pay history
  • Bank account details for payroll
  • Performance reviews, goals, ratings
  • Disciplinary records and outcomes
  • Leave history (annual leave, parental leave)
  • Training records

Special category data (Article 9 processing — requires explicit consent or another specific condition):

  • Health and medical data (required for sick leave, occupational health referrals, reasonable adjustments)
  • Disability information
  • Pregnancy and maternity details
  • Mental health information (particularly in platforms with wellbeing modules)

Other sensitive data:

  • National insurance numbers, tax codes, passport details
  • Nationality, visa and right-to-work documentation
  • DBS/background check results (criminal record data — Article 10, even more restricted)
  • Union membership

If your HR platform has a wellbeing module, an absence management module, or an occupational health integration, it is almost certainly processing special category data. This requires:

  • A specific condition under Article 9(2) — most commonly Article 9(2)(b): processing necessary for employment law obligations
  • A documented basis in your HR policies and your privacy notices
  • Likely a Data Protection Impact Assessment (DPIA) given the sensitivity

Integration Risks: When HR Connects to Everything Else

Modern HR platforms don't sit in isolation. They integrate with payroll, benefits administration, applicant tracking systems, communication tools, expense management, and more. Each integration is a data flow — and each data flow needs a legal basis and, often, a sub-processor assessment.

Common HR integrations to assess:

Payroll (Gusto, ADP, Sage Payroll): Every payroll integration transfers salary details, bank account information, and tax data. Confirm that each payroll processor has its own DPA with you, or that the HR platform's DPA covers sub-processors used for payroll.

Benefits administration: Health insurance and pension integrations transfer health-adjacent data. Who receives employee medical plan selection data? Is that processor covered?

Applicant Tracking Systems (Greenhouse, Workable, Lever): Candidate data moving from ATS to HR system (upon hire) needs a clear process — the candidate's privacy notice at application stage needs to cover ongoing employment processing.

Slack / Microsoft Teams: Some HR platforms integrate with communication tools for onboarding workflows, anniversary notifications, or directory sync. A directory sync means employee data flowing into a communication platform — check whether that's disclosed.

Background checking (Checkr, Sterling): Background check integrations process criminal record data (Article 10). This requires specific authorisation under member state law. In the UK, this is regulated under the DBS regime. You cannot process DBS results in a general HR system without understanding your obligations as a registered body or using a registered umbrella body.

Documentation best practices:

  1. Maintain a sub-processor list for every integration
  2. Confirm DPAs exist with each sub-processor
  3. Review integration scope — does the integration receive only the data it needs? (data minimisation)
  4. Include all integrations in your Records of Processing Activities (ROPA)

Employee Rights: Article 15 Right of Access

Under GDPR Article 15, employees have the right to request access to all personal data an organisation holds about them. This includes data held in your HR system.

This is not hypothetical. Employee subject access requests (SARs) are the most common GDPR complaint mechanism. An employee who is unhappy — particularly one who has been disciplined or dismissed — may submit a SAR knowing that it will require you to disclose performance notes, manager commentary, and disciplinary records.

What you must provide:

  • All personal data held about the employee
  • The purposes of processing
  • The recipients or categories of recipients (including which third-party platforms hold their data)
  • Retention periods
  • The right to request correction or deletion

What HR software complicates:

Modern HR platforms often have extensive audit logs, activity histories, and comment threads that technically contain personal data. A thorough SAR response means searching across all modules: payroll, performance, absence, documents, notes, and audit logs.

Practical steps:

  1. Know where all employee data lives — not just the HR platform, but payroll, benefits, communications, and document storage.
  2. Build a SAR response process that covers all systems, with a clear owner.
  3. Most HR platforms have data export functionality — use it. But also check whether notes entered by managers in freeform fields are included.
  4. You have one calendar month to respond. Start the clock from the day you receive the request.
  5. Don't charge a fee (unless requests are manifestly unfounded or excessive).

If an employee requests access to their data and you cannot provide it because it's scattered across systems you don't have a clear data map for, that's a compliance gap — and it's one you should fix proactively. Running a Custodia privacy scan can help identify which third-party systems are receiving employee data from your website and HR integrations.


Deletion Workflows When Employees Leave

When an employee leaves, GDPR's storage limitation principle (Article 5(1)(e)) requires that you delete their personal data when it's no longer necessary. But "no longer necessary" has nuance in employment contexts.

What you can typically retain, and for how long:

  • Payroll records: HMRC requires six years. Keep salary records, P60s, and payroll history for six years from the end of the relevant tax year.
  • Employment contracts: Retain for six years after employment ends (to cover limitation periods for breach of contract claims).
  • Pension records: Some pension scheme records must be retained for 75 years (lifetime of the member, in some cases).
  • Disciplinary records: Generally retain for six years, or as set out in your HR policy.
  • Recruitment records for unsuccessful candidates: No business need after the role is filled. ICO guidance suggests up to six months maximum.

What you should delete:

  • Live system access (immediately on leaving)
  • HR platform active user account (deactivate rather than delete, until retention period expires, then delete)
  • Payroll profile once retention period passes
  • Benefits administration records once retention period passes
  • Any data for which there is no specific legal obligation to retain

The problem with "deactivate":

Most HR platforms have an "archive" or "deactivate" function. This removes the former employee from active views but retains all data. That's fine for the retention period — but you need a process to actually delete the data when the retention period expires. Most organisations set the employee to archived status and then forget about them indefinitely. That is a GDPR violation.

Build a retention audit into your HR processes: quarterly or annual reviews of archived employees and data deletion once retention periods are met.
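A retention audit of the kind just described, as an added example that is not part of the original post: it applies the retention periods listed above to constructed archived records and flags which are overdue for deletion. The category names, the 75-year pension rule measured from the leaving date, the "no listed obligation means delete now" rule, and the sample records are assumptions.

```python
import calendar
from dataclasses import dataclass
from datetime import date

# Retention periods as stated in the post. Payroll runs six years from the end
# of the relevant UK tax year; the others run from the leaving/decision date.
# (Assumed mapping of the post's bullet list onto category names.)
RETENTION = {
    "payroll":      {"years": 6, "from_tax_year_end": True},
    "contract":     {"years": 6},
    "disciplinary": {"years": 6},
    "pension":      {"years": 75},   # assumed worst case, from leaving date
    "recruitment":  {"months": 6},   # unsuccessful candidates, ICO guidance
}

@dataclass(frozen=True)
class ArchivedRecord:
    employee_id: str
    category: str
    reference_date: date  # leaving date, or decision date for recruitment

def uk_tax_year_end(d: date) -> date:
    """Return the end of the UK tax year (5 April) that contains date d."""
    cutoff = date(d.year, 4, 5)
    return cutoff if d <= cutoff else date(d.year + 1, 4, 5)

def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping the day for short months (31 Aug + 6 -> 28/29 Feb)."""
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def deletion_due(record: ArchivedRecord) -> date:
    """Date from which the record should be deleted rather than kept archived."""
    rule = RETENTION.get(record.category)
    if rule is None:
        # No legal obligation to retain is listed: the post says delete such data,
        # so it is due immediately (assumed policy; review before acting).
        return record.reference_date
    start = uk_tax_year_end(record.reference_date) if rule.get("from_tax_year_end") else record.reference_date
    return add_months(start, rule.get("years", 0) * 12 + rule.get("months", 0))

def retention_audit(records, today: date):
    """Split archived records into (overdue, retained) lists of (record, due_date)."""
    overdue, retained = [], []
    for r in records:
        due = deletion_due(r)
        (overdue if due <= today else retained).append((r, due))
    return overdue, retained

# Constructed sample of archived records, not real data.
SAMPLE_RECORDS = [
    ArchivedRecord("E001", "payroll",        date(2018, 6, 30)),
    ArchivedRecord("E001", "contract",       date(2018, 6, 30)),
    ArchivedRecord("E002", "pension",        date(2020, 1, 15)),
    ArchivedRecord("E003", "disciplinary",   date(2021, 3, 31)),
    ArchivedRecord("C107", "recruitment",    date(2024, 11, 30)),
    ArchivedRecord("E004", "wellbeing_notes", date(2022, 2, 1)),  # no rule listed
]

if __name__ == "__main__":
    overdue, retained = retention_audit(SAMPLE_RECORDS, date(2025, 6, 1))
    for rec, due in overdue:
        print(f"DELETE  {rec.employee_id:5} {rec.category:15} due {due}")
    for rec, due in retained:
        print(f"RETAIN  {rec.employee_id:5} {rec.category:15} until {due}")
```

Run it from the quarterly review and treat the DELETE lines as the work queue for purging archived profiles from the HR platform and its integrations.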


Data Breach Response When Your HR Vendor Is Compromised

If your HR vendor suffers a data breach, the legal obligations fall primarily on you — the data controller — not the vendor. GDPR Article 33 requires you to notify your supervisory authority within 72 hours of becoming aware of a breach (if it poses a risk to individuals' rights and freedoms).

Your HR vendor's obligations:

Under GDPR Article 33(2), a processor must notify the controller "without undue delay" after becoming aware of a breach. Your DPA should specify the time limit — best practice is 24 hours to ensure you have time to assess and notify the ICO/supervisory authority within the 72-hour window.

Your obligations:

  1. Assess the severity: Is the breach likely to result in a risk to individuals? Given the sensitivity of HR data (salaries, health information, bank details), the answer is almost always yes.

  2. Notify the supervisory authority within 72 hours: In the UK, notify the ICO. In the EU, notify the relevant member state authority (or the lead supervisory authority if you have an EU establishment).

  3. Notify affected individuals if the risk is high: If the breach is likely to result in a high risk to individuals, you must also notify the affected employees directly. Given that HR data includes bank account details, health information, and other highly sensitive categories, employee notification is very likely required for any significant HR system breach.

  4. Document everything: Even if you decide not to notify, document the decision and your reasoning.

Practical preparation:

  • Your DPA should specify vendor breach notification timelines (24 hours is appropriate)
  • Know your supervisory authority's reporting portal before a breach happens
  • Have a breach response plan that names responsible parties for assessment and notification
  • Confirm that your HR vendor has cyber insurance and incident response capabilities

International Transfers: The Problem with Non-EU HR Software Vendors

If your HR vendor is based outside the EEA (as most major platforms are — BambooHR, Workday, Rippling, Lattice, 15Five are all US companies), you're involved in international data transfers. GDPR Chapter V governs these.

The available mechanisms:

Standard Contractual Clauses (SCCs): The most common mechanism for EU-US transfers. The EU issued updated SCCs in 2021. Your DPA should incorporate the relevant module (Module 2 for controller-to-processor transfers). UK transfers use the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs.

Adequacy decisions: A small number of countries have been deemed adequate by the EU (Canada, Japan, Israel, among others). The US has a partial adequacy arrangement via the EU-US Data Privacy Framework, which US companies can certify to. Check whether your HR vendor is DPF-certified at dataprivacyframework.gov.

Transfer Impact Assessments (TIAs): Following the Schrems II ruling, controllers are expected to conduct a Transfer Impact Assessment to verify that the SCC protections are effective in practice. This means assessing the legal landscape of the destination country (particularly government access laws) and whether additional safeguards are needed.

For most HR teams, the practical approach is: confirm your vendor's transfer mechanism, ensure it's documented in the DPA, verify that US vendors are DPF-certified or that SCCs are properly executed, and file this in your ROPA.


Vendor Evaluation Checklist for Procurement Teams

When evaluating HR software, use this checklist alongside your standard security and commercial assessment:

GDPR Compliance Fundamentals

  • [ ] Does the vendor provide a signed DPA? (non-negotiable)
  • [ ] Does the DPA include all required GDPR Article 28 provisions?
  • [ ] Does the vendor have an up-to-date sub-processor list? Is it publicly accessible?
  • [ ] Does the vendor notify you of new sub-processors with adequate notice to object?
  • [ ] What is the vendor's breach notification timeline commitment?

Data Residency

  • [ ] Where is data hosted by default? Is EU/UK hosting available?
  • [ ] Where are backups stored?
  • [ ] Do support staff in non-EEA countries have access to data? Under what controls?

Security

  • [ ] What certifications does the vendor hold? (ISO 27001, SOC 2 Type II are the benchmarks)
  • [ ] Is data encrypted at rest and in transit?
  • [ ] What are the vendor's access controls — who can access your data within their organisation?
  • [ ] Do they offer SSO and MFA?

Data Subject Rights

  • [ ] Can you export all data for a subject access request easily and completely?
  • [ ] Can you delete a specific employee's data and verify it is deleted across all systems?
  • [ ] Is data deleted from backups within the vendor's retention policy?

International Transfers

  • [ ] What transfer mechanism is used? (SCCs, DPF certification, adequacy)
  • [ ] Is the vendor DPF-certified (for US vendors)? Verify at dataprivacyframework.gov.
  • [ ] Are SCCs executed for UK transfers? (IDTA or Addendum)

Practical Compliance Support

  • [ ] Does the vendor provide privacy notice templates or guidance for employer use?
  • [ ] Do they have a security contact for breach notification?
  • [ ] Do they maintain their own ROPA for their processing activities?

The Bottom Line

HR software vendors are processors of some of the most sensitive personal data your organisation handles. The compliance obligation rests with you, not the vendor.

Get your DPA signed before you go live. Understand what data residency options are available. Build SAR response processes that account for all systems where employee data lives. Create deletion workflows with actual timelines. And before you sign any new integration, ask what data flows where and confirm a processor agreement exists.

This isn't just a legal exercise. Employees increasingly understand their data rights. An HR team that handles subject access requests professionally, has a clear breach response plan, and can articulate what happens to data when someone leaves will have fewer disputes — and far fewer regulatory headaches.


Concerned about what third-party tools are receiving employee or visitor data from your website? Run a free scan at app.custodia-privacy.com/scan. You'll see exactly which trackers and third-party scripts are active, what data they're collecting, and whether your consent configuration is working correctly.


This post provides general information about GDPR compliance for HR software and does not constitute legal advice. Data protection law is complex and jurisdiction-specific. Consult a qualified data protection solicitor or DPO for advice specific to your organisation.
