GDPR for HR: Employee Data Compliance Checklist for Regulated Employers: A practical GDPR compliance checklist for HR teams and regulated employers. Employee data categories, lawful bases, retention, monitoring, and the DSAR…
Why Employee Data Is a Compliance Priority, Not Just an HR Matter
HR departments process some of the most sensitive personal data in any organisation: health records, performance data, disciplinary records, financial information (salaries, pensions, expenses), family circumstances, and in regulated sectors — criminal records checks, regulatory fitness and propriety assessments, and mandatory reporting data.
Despite this, employee data GDPR compliance is frequently treated as a lower priority than client data compliance. Regulators have noticed. Several of the enforcement actions in 2025–2026 involved HR-related violations: employee monitoring without disclosure, excessive retention of former employee records, DSARs from staff during dispute proceedings that revealed systematic data governance failures.
For firms in financial services, legal, healthcare, and other regulated sectors, the stakes are higher still. Regulatory fitness and propriety data, disciplinary records that touch on AML or fraud, and whistleblower data all intersect HR obligations with compliance obligations — creating a more complex risk landscape than typical employers face.
GDPR and employment law interact. Employee data compliance is not purely a GDPR question — national employment law, works council consultation rights (in Germany, Netherlands, France and others), collective bargaining agreements, and sector-specific regulations all layer on top. The checklist below focuses on GDPR obligations; always cross-reference with applicable national employment law.
What Employee Data Does Your Firm Process?
Before you can assess compliance, you need a complete inventory. Most HR functions underestimate how much data they hold. A complete inventory includes data at every stage of the employment lifecycle:
Recruitment and pre-employment
- CV, cover letter, application form data
- Interview notes and assessment scores
- Reference letters and referee contact information
- Right-to-work verification documents
- Criminal records checks (DBS/disclosure checks) where legally permitted
- Financial background checks for regulated roles (FCA fit and proper, FINMA, etc.)
- Regulatory reference requests and responses (mandatory in UK financial services)
Active employment
- Personal details (name, address, date of birth, national insurance/tax number)
- Employment contract and terms
- Payroll, salary, and benefits data
- Pension and life assurance nominations
- Performance reviews and objectives
- Training records and professional qualifications
- Disciplinary and grievance records
- Absence and sickness records
- Flexible working and family leave documentation
- IT access logs, email monitoring data (if applicable)
- Travel expense claims and corporate card data
- Regulatory registrations (SMF, AR status in UK; MiFID tied agent registration)
Post-employment
- Resignation / termination documentation
- Settlement agreements and NDA terms
- Regulatory reference data (mandatory in financial services)
- Pension records and deferred benefit documentation
- HMRC / tax authority submissions
- Litigation hold data (if disputes are ongoing)
Lawful Basis for Employee Data Processing
GDPR requires a lawful basis for every processing activity. For employee data, the most commonly applicable bases are:
| Lawful basis | When it applies in HR | Key limitations |
|---|---|---|
| Article 6(1)(b) — Contract | Processing necessary to perform the employment contract (payroll, managing leave, administering benefits) | Only covers what is genuinely necessary. Cannot be stretched to cover all HR processing. |
| Article 6(1)(c) — Legal obligation | HMRC reporting, pension automatic enrolment, GDPR obligations themselves, AML staff screening, FCA Senior Managers reporting | The legal obligation must be specific and clear. Cannot be used for internally-generated policies. |
| Article 6(1)(f) — Legitimate interests | Fraud prevention, security monitoring, business continuity planning, reference provision to prospective employers | Requires a balancing test. Employees' interests can override if processing is disproportionate. |
| Article 6(1)(a) — Consent | Only where genuinely optional and the employee can refuse without detriment (e.g., optional wellbeing programmes, opt-in benefits) | Consent is generally inappropriate as the main basis for employment processing because the power imbalance means it is rarely freely given. |
The consent trap in HR: Many HR departments use consent forms as the primary mechanism for employee data collection. The GDPR consent standard requires consent to be freely given — but employees are rarely in a position to decline without consequence. The Article 29 Working Party (now EDPB) has repeatedly stated that consent is "unlikely to be freely given in the context of employment". Use contract performance, legal obligation, or legitimate interests as your primary bases — and only use consent for genuinely optional, low-stakes processing.
Special Category Data in HR
Several categories of HR data are "special category" data under GDPR Article 9. Processing them requires one of the Article 9(2) conditions (explicit consent is one of them, but rarely the right one in employment) in addition to the Article 6 lawful basis. In HR, the most common special categories are:
- Health data — sickness absence records, occupational health reports, disability accommodations, phased return-to-work plans. This is the most common special category in HR. The Article 9 condition is typically 9(2)(b) (obligations under employment law), combined with an Article 6 basis such as 6(1)(c). In the UK, relying on 9(2)(b) also requires an appropriate policy document under Schedule 1 of the Data Protection Act 2018.
- Trade union membership — where employees disclose membership or where deductions are made for union dues. Article 9(2)(b) typically applies.
- Biometric data — fingerprint clocking-in systems, facial recognition access control. Requires an Article 9(2) condition (explicit consent, which suffers from the same power-imbalance problem as Article 6 consent, or 9(2)(b) where employment law genuinely requires it) and a DPIA, because biometric identification is high-risk processing.
- Criminal conviction data — DBS checks, financial conduct checks, AML-related screening. Article 10 applies (not Article 9): processing must be under official authority or authorised by Union or Member State law. In the UK, that authorisation comes from section 10 and Schedule 1 of the Data Protection Act 2018, with the Rehabilitation of Offenders Act 1974 governing which convictions may be asked about; in EU jurisdictions, the equivalent national provisions apply.
Employee Monitoring: The GDPR High-Risk Zone
The shift to remote and hybrid work dramatically increased employer use of monitoring software — productivity trackers, keyloggers, screenshot tools, email surveillance, and GPS tracking for remote workers. This is now one of the most actively enforced areas of employee data GDPR compliance.
The legal position across EU supervisory authorities is consistent:
- Employee monitoring is not inherently unlawful — but it must have a valid legal basis (typically legitimate interests or legal obligation)
- It must be proportionate — the least intrusive method that meets the legitimate aim
- Employees must be transparently informed — in their contract, a policy document, or a specific privacy notice — before monitoring begins
- A DPIA is required for systematic or large-scale employee monitoring (GDPR Article 35)
- In many EU jurisdictions (Germany, Netherlands, France, Austria), works council consultation is required before implementing monitoring systems
The keylogger fine: In 2025, a Dutch accounting firm was fined €2.8M for installing keylogging software on employee laptops without disclosure, without a DPIA, and without a lawful basis beyond internal policy. The firm argued it was "standard security practice". The Dutch DPA disagreed. The fine represents approximately 8% of the firm's annual turnover.
Data Subject Rights for Employees
Employees have the same GDPR data subject rights as any individual. In practice, the most commonly exercised are:
Right of access (DSAR)
Employees can request all personal data held about them. This is most commonly exercised during disciplinary proceedings, grievance procedures, or employment tribunal claims — precisely when you least want to discover that your data management has gaps. Common issues in employee DSARs include:
- Email records and informal manager communications that contain negative assessments
- Performance note files maintained outside formal HR systems
- IT monitoring data that reveals the extent of surveillance
- Payroll system data revealing pay equity issues
- References provided to other employers without the employee's knowledge
Right to erasure
Erasure requests from employees are more complex than client erasure requests because employment law creates overlapping retention obligations. You cannot delete payroll records that tax law requires you to keep (HMRC requires PAYE records for at least three years after the end of the tax year, and company and tax law require accounting records for six), or pension records that remain needed for decades, in response to an erasure request. Retention obligations override the right to erasure (Article 17(3)(b)), but only for the data genuinely covered by the obligation, and only for as long as the obligation lasts. Extraneous data (informal notes, excessive monitoring data, old performance emails) can and should be deleted when no longer necessary.
Right to object
Employees can object to processing based on legitimate interests. If an employee objects to a monitoring programme, you must assess whether compelling legitimate grounds override their interests. This is a genuine balancing exercise — not a rubber-stamp to continue monitoring regardless.
HR Data Retention: Key Periods
Over-retention is one of the most common HR GDPR failures — and one of the easiest to fix. Establish a retention schedule and enforce it with periodic deletion reviews.
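One way to make the retention schedule, the periodic deletion review and the erasure-versus-retention logic in the sections above executable, as an added example in Python that is not code from this page or from HubSecure: a single decision function is shared by the annual review and by Article 17 request handling, so the two cannot drift apart. The categories, month counts and legal_obligation flags in SCHEDULE, the record model, and the sample records are assumptions constructed for the demo, not statutory periods; take the real values from your documented retention schedule.

```python
"""Retention-schedule enforcement for HR records (illustrative example).

SCHEDULE values are assumptions for the demo, not any jurisdiction's
statutory periods. Trigger date is the end of employment for employee
records and the decision date for unsuccessful candidates.
"""
import calendar
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Dict, Iterable, List


class Decision(Enum):
    DELETE = "delete: retention period expired"
    DELETE_UNSCHEDULED = "delete: no documented retention period for this category"
    RETAIN_LEGAL = "retain: statutory retention obligation (Art. 17(3)(b))"
    RETAIN_HOLD = "retain: litigation hold / legal claims (Art. 17(3)(e))"
    RETAIN_ACTIVE = "retain: within documented retention period"


@dataclass(frozen=True)
class Rule:
    months: int             # retention period counted from the trigger date
    legal_obligation: bool  # True only if a law, not internal policy, requires it


# Assumed schedule (example values only).
SCHEDULE: Dict[str, Rule] = {
    "payroll": Rule(months=72, legal_obligation=True),
    "disciplinary": Rule(months=12, legal_obligation=False),
    "monitoring_logs": Rule(months=6, legal_obligation=False),
    "candidate_application": Rule(months=12, legal_obligation=False),
}


@dataclass(frozen=True)
class Record:
    record_id: str
    subject_id: str
    category: str
    trigger_date: date
    litigation_hold: bool = False


def add_months(d: date, months: int) -> date:
    """Calendar-aware month addition, clamped to the last day of the target month."""
    years, month_index = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month_index + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def decide(rec: Record, today: date) -> Decision:
    """One decision function shared by the periodic review and erasure handling."""
    if rec.litigation_hold:
        return Decision.RETAIN_HOLD          # a hold wins even over an expired period
    rule = SCHEDULE.get(rec.category)
    if rule is None:
        return Decision.DELETE_UNSCHEDULED   # no documented justification to keep it
    if today < add_months(rec.trigger_date, rule.months):
        return Decision.RETAIN_LEGAL if rule.legal_obligation else Decision.RETAIN_ACTIVE
    return Decision.DELETE                   # statutory or not, the period has run out


def retention_review(records: Iterable[Record], today: date) -> List[str]:
    """Annual deletion review: ids of records that should now be deleted."""
    return [r.record_id for r in records
            if decide(r, today) in (Decision.DELETE, Decision.DELETE_UNSCHEDULED)]


def erasure_request(records: Iterable[Record], subject_id: str,
                    today: date) -> Dict[str, Decision]:
    """Article 17 request: per-record outcome, with the reason to cite in the response."""
    return {r.record_id: decide(r, today) for r in records if r.subject_id == subject_id}


# Constructed sample data for the demo (not real records).
SAMPLE = [
    Record("r1", "emp-001", "payroll", date(2021, 6, 30)),
    Record("r2", "emp-001", "disciplinary", date(2024, 1, 15)),
    Record("r3", "emp-001", "manager_private_notes", date(2024, 1, 15)),
    Record("r4", "emp-001", "monitoring_logs", date(2025, 12, 1), litigation_hold=True),
    Record("r5", "cand-007", "candidate_application", date(2025, 9, 10)),
    Record("r6", "emp-002", "payroll", date(2019, 4, 5)),
]

if __name__ == "__main__":
    today = date(2026, 3, 1)
    for rid, outcome in erasure_request(SAMPLE, "emp-001", today).items():
        print(rid, outcome.value)
    print("delete now:", retention_review(SAMPLE, today))
```

Two design points matter for audit purposes. A category with no entry in the schedule is treated as deletable rather than silently kept, which is what catches the "performance note files maintained outside formal HR systems" problem; and the returned Decision carries the Article 17(3) ground, so the erasure response letter and the deletion log cite the same reason the code applied.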
The HR GDPR Compliance Checklist
- Staff privacy notice (employee-facing) in place and current — separate from client-facing privacy notice
- Article 30 Records of Processing Activities (RoPA) includes all HR processing activities
- Lawful basis documented for each HR processing activity (contract, legal obligation, legitimate interests, consent where appropriate)
- Special category data processing documented with Article 9 condition
- Employment contracts updated to reference data processing activities
- Recruitment data retention policy in place (unsuccessful candidates deleted within 12 months)
- DBS / disclosure check policy: results not retained, notation only
- HR data systems access controls: least-privilege, role-based access to sensitive records
- Employee monitoring policy documented, disclosed in contracts/privacy notice, proportionate
- DPIA completed for any systematic employee monitoring
- Works council / employee representative consultation completed for monitoring (where required)
- DSAR procedure covers employee requests, not just client requests
- Retention schedule in place covering all HR data categories
- Annual deletion review scheduled for expired records
- Data breach procedure covers HR data breaches (e.g., emailing payroll data to wrong recipient)
- Third-party HR software and payroll providers have signed DPAs (GDPR Article 28)
- Cross-border transfers (GDPR Chapter V) assessed wherever HR or payroll data is hosted, or can be accessed for support, outside the UK/EEA — including by US-owned providers with staff or infrastructure abroad
- HR team trained on GDPR data subject rights, breach notification, and data minimisation