top of page

Employee Data Processing under the GDPR

Updated: May 29, 2023

The European Union’s General Data Protection Regulation (GDPR) is designed to protect European Union’s residents in relation to the processing of their personal data.

Processing of employees’ data is the tricky part for most of the organizations. The employer can process it to meet certain legal requirements, which come with many constraints.

Employee data includes but is not limited to employee’s application file, personal file, payroll information, leave/medical file, and all the information employers have about their employee whether it be to hire/fire, pay, provide benefits etc.

Employees must understand their responsibilities under data protection law and employers need to have adequate data protection policies and procedures in place. In some countries of the EU, employers need to take permission from the Work’s Committee before indulging in some kind of processing activity over the employees.

The employer can process employees’ data for:

  • Recruitment

  • Execution of employment contracts

  • Diversity and equality in the workplace

  • Planning and organization of work

  • Management of the company

  • Safety and health in the workplace

  • Protection of employer’s or customers’ property, or

  • Any other obligation the employer may have under the applicable laws and collective agreements.

I. Employer obligations

Apart from abiding by labor laws, the employers must also abide by the GDPR. Employers must be transparent about how they are using and safeguarding employees’ personal data, inside, and outside the organization. They must be accountable for the data processing activities.

Employers must:

A) Comply with the principles relating to processing and protecting personal data

The 7 key data protection principles have been laid out by the GDPR that all data controllers need to abide by. These data protection principles are:

  1. Lawfulness, fairness, and transparency

  2. Purpose limitation

  3. Data minimization

  4. Accuracy

  5. Storage limitation

  6. Integrity and confidentiality

  7. Accountability:

B) Lawful processing


For most data processing happening under workplace circumstances, the legal basis cannot be the employee’s consent because of the imbalance of power between an employer and employee. The employee may worry that his/her refusal to consent may have severe negative consequences on his/her employment relationship. As a result, the employee’s consent cannot be freely given.

Employers can rely on an employee’s consent only in very few exceptional circumstances such as to retain job applicant’s data for future roles as there are no adverse consequences on the employment relationship for refusal. Such consent must be freely given, specific, informed, unambiguous and documented. Employers should also note that where consent is used as the basis for lawful processing, the data subject has the right to have their data erased under the new ‘right to be forgotten’ unless there are other legal grounds to justify the processing.

Legitimate interests

Another frequently relied on basis for lawful processing of HR data is that it is in the legitimate interests of the business to do so.

So, for example, there may be a legitimate interest in monitoring employees but to help ensure that the employer’s interests are not outweighed by the rights of the employees, there must be full transparency about what monitoring takes place and for what purposes.

Necessary for performance of a contract

Processing will also be lawful where it is necessary for the performance of a contract to which the data subject is a party or to take steps at the data subject’s request prior to entering a contract (which includes employment contracts), and where it is necessary to comply with a legal obligation.

C) GDPR training and communication with employees

An employer, must inform employees about:

  • What personal data is being collected

  • How the data will be processed

  • Why the data will be processed

The Data protection policy should be in place and should provide training to employees on GDPR.

GDPR requires that certain information must be given to job candidates before their personal data is collected and processed. This information must be clear and accessible and may be a privacy notice on the website and a letter to the candidate.

II. Role of Employees

The employee can exercise their data subject rights. Employers are required to fulfill the Data Subject Requests (DSR) of their employees within stipulated deadlines.

Right to access. The employee can always request access to the personal data that the employer processes. At the same time, the employee can enquire about the processing purposes and learn whether the data is being processed only for employment purposes or not.

Right to objection. If the employee determines that some of the data is being processed for the wrong reasons, they can object to it. The employer will have to cease the processing for those specific purposes. However, if the data is processed solely for employment purposes, there is no room for objection.

Right to correction. The employee has the right to get their inaccurate data corrected. The employer must make the requested corrections.

Right to be forgotten. The employee has the right to be forgotten under certain circumstances. He or she can request to have their data erased from employee’s records if both the following two conditions have been met: - The employee is not employed with the employer anymore, and - The employer doesn’t need the employee’s personal data. In all other cases, the employer can refuse to erase the employee’s personal data.

III. Constraints on HR Data & Employers:

There are a number of GDPR compliance concerning HR data as opposed to compliance obligations for customer or vendor data. Here are a few.

Requirements for Sensitive HR Data :

Sensitive data includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. Employers receive sensitive personal data of employees during hiring or during the course of employment.

Data Protection Impact Assessment (DPIA) :

The GDPR requires data controllers to conduct DPIA where data processing is likely to result in a high risk to data subjects. A DPIA might be conducted for the HR process since there’s an involvement of sensitive personal data and profiling.

Notice of Rights :

Under the GDPR, data subjects have several rights regarding their personal data. Employers must ensure they have put measures in place to notify employees of these rights.

Penalty :

The GDPR has two levels for fines for GDPR violations depending on the nature of the violation. For employers, the majority of processing HR data triggers risk exposure in the higher fine category which allows fines of 20 million euros or 4 percent of the company’s worldwide revenue, whichever is greater.

Security obligations :

Data must be protected by ‘appropriate technical and organizational measures’. Data must be kept secure, for example, by using anonymization, encryption, antivirus security measures, or by backing up data. Employers must test these security measures and be able to show that they have complied with GDPR security obligations.

Records of processing activities :

The employer must maintain records of data processing activities under its responsibility. This obligation does not apply to enterprises employing fewer than 250 persons unless the processing it carries is likely to result in a risk to the rights and freedoms of data subjects.

Personal data breach notification :

In case of any personal data breaches, the employers must notify the regulatory authority They must notify within 72 hours after having become aware of the breach.

Data sharing with third parties :

While sharing an employee’s personal data with external third parties and vendors such as HR services, security contractors or medical insurance services, etc., the employer must assess their privacy practices and their third-party/vendor’s compliance with GDPR’s requirements.

Cross-border data transfers :

Companies must ensure that personal data transfers to a third country outside the EU take place only where an adequate level of protection is ensured, and that the data shared outside the EU and subsequent access by other entities within the group remains minimally necessary for the intended purposes.

GDPR is not very strict when processing data for employment purposes. It leaves some space for labor laws and collective bargain contracts to determine the categories of data that can be processed.

With the LightBeam PrivacyOps Pro module, businesses can respond to up 25 requests per year at no charge.

666 views0 comments

Recent Posts

See All
bottom of page