GDPR HR: What You’re Getting Wrong About Data Privacy in HR
Most international employers think GDPR is one law that gives them the complete answer for HR data compliance. It isn’t. Article 88 lets each of the 27 EU Member States layer its own employment data rules on top, and every single one of them has done so. This guide covers what most employers get wrong: Article 88 derogations, lawful bases, Schrems II transfers, DSARs, DPIAs, and the audit-ready compliance checklist.

The General Data Protection Regulation (GDPR) treats employment data differently from customer data, and the most important practical implication for international employers sits in Article 88: Member States may adopt specific rules concerning the processing of employees’ personal data in the employment context. This means that GDPR alone does not give you the complete answer for HR data processing in any EU country. The EU-level GDPR establishes the floor, and each Member State layers its own employment-specific data protection law on top. Germany has the Bundesdatenschutzgesetz (BDSG), France the Code du travail provisions, the Netherlands the Uitvoeringswet AVG, Italy the privacy provisions in Decreto Legislativo 196/2003 as amended, and so on. Foreign employers who treat GDPR as a single uniform framework miss this layer and routinely create compliance gaps.
For international employers and Employer of Record (EOR) arrangements, GDPR for HR is structurally different from customer-facing GDPR compliance. Employees are data subjects with the same rights as anyone else, but the legal bases that work for customer data (consent, contract, legitimate interests) operate differently in the employment context because of the inherent power imbalance. Consent is rarely a valid legal basis for processing employee data because employees cannot freely refuse without consequences. Legitimate interests must be balanced against employee rights more rigorously. Special category data, including health information, union membership, biometric data, and ethnic background, requires explicit additional safeguards. Cross-border transfers of employee data to non-EU group companies require Standard Contractual Clauses (SCCs) and Transfer Impact Assessments following the Schrems II decision. Each of these is a known failure mode in international HR data programmes.
This guide covers GDPR for HR end-to-end: the lawful bases that actually work in the employment context, the special category data rules under Article 9, employee Data Subject Access Requests (DSARs) and how they differ from customer DSARs, cross-border transfer requirements post-Schrems II, employee monitoring and surveillance limits, the major Member State derogations under Article 88 (Germany, France, Netherlands, Italy, Belgium), Data Protection Impact Assessments for HR systems, breach notification mechanics, common compliance failures, and a practical checklist for foreign employers building or auditing their EU HR data programme. Official guidance is published by the European Data Protection Board (EDPB) and individual national supervisory authorities such as the CNIL (France), BfDI (Germany), and AP (Netherlands).
Article 88 GDPR and Member State Derogations
Article 88 of the GDPR is the provision foreign employers most often miss. It allows Member States to adopt more specific rules on the processing of employees’ personal data, including for purposes of recruitment, performance of the employment contract, management and organisation of work, equality and diversity, health and safety, protection of the employer’s or customer’s property, and termination of the employment relationship. Every EU Member State has used this latitude to adopt at least some employment-specific data protection rules, and several have built extensive frameworks that materially alter the GDPR baseline.
The practical consequence is that compliance for a single EU country requires reading two layers: the GDPR itself, and the relevant Member State employment data law. For international employers operating in multiple EU markets, this means a separate compliance check per country, not a single GDPR programme.
Foreign employers should assume that each EU country where they hire requires a country-specific data protection check, not a generic “we comply with GDPR” programme. Depending on the country, this may include Works Council consultation requirements before deploying HR systems (Germany, Netherlands), restrictions on employee monitoring (Italy, Belgium, France), permitted-data-category lists (Poland), and digital disconnection rights (Spain, France).
Lawful Bases for Processing HR Data
GDPR Article 6 sets out six lawful bases for processing personal data. In the employment context, only some of these are practical, and the choice of legal basis dictates downstream compliance obligations including transparency requirements, data subject rights, and retention practices. Choosing the wrong legal basis is one of the most common HR data compliance failures.
Why consent rarely works in HR. The European Data Protection Board’s guidance and consistent national supervisory authority decisions establish that employee consent is rarely a valid legal basis for HR data processing. The reasoning is that consent must be freely given, and the inherent power imbalance between employer and employee means refusal of consent is rarely truly free of consequence. Employers who default to consent forms for HR data processing are typically vulnerable to challenge, with the supervisory authority recharacterising the basis as legitimate interests or contract necessity (or finding no valid basis at all if neither applies).
Legitimate interests requires documented analysis. Where legitimate interests is the chosen basis, the employer must conduct and document a Legitimate Interests Assessment (LIA) showing that the legitimate interest is identified, the processing is necessary, and the employee’s rights and freedoms do not override the interest. The LIA must be performed before processing begins and updated when circumstances change. Failure to maintain documented LIAs is a routine finding in supervisory authority audits.
The "consent" form your global HR system asks employees to sign is probably not a valid legal basis
Many global HR systems (Workday, SAP SuccessFactors, BambooHR, Personio) ask new employees to sign a generic data processing consent form on day one, often as part of the digital onboarding flow. For EU employees, this form is rarely valid as a GDPR legal basis. The European Data Protection Board has consistently held that employee consent is not freely given because of the employment relationship’s power imbalance, and several Member State supervisory authorities (CNIL, BfDI, AP) have explicitly fined employers who relied on such consent forms. The correct approach is to identify the actual legal basis for each processing activity (typically contract necessity for core employment data, legal obligation for statutory data, legitimate interests with a documented LIA for analytics or monitoring), and to use the consent form only for genuinely optional processing such as employee photographs in marketing materials. If you inherited a global HR system with a consent-based onboarding flow, conduct a legal basis re-mapping exercise before your next supervisory authority touchpoint, because a recharacterisation finding triggers obligations to reprocess and retroactively comply.
Special Category Data: Health, Biometric, and Sensitive HR Information
GDPR Article 9 prohibits processing of special category personal data unless one of ten specific conditions applies. In the HR context, several types of special category data routinely arise: health data (sick leave records, occupational health information, accommodations), biometric data (fingerprint or facial recognition for access control or attendance), trade union membership, racial or ethnic origin (in equal opportunities monitoring), religious belief (in dietary or holiday accommodations), and sexual orientation (rare but relevant in some HR contexts).
The conditions in Article 9(2) that most often apply to HR data processing are:
- Article 9(2)(b): necessary for carrying out obligations in employment, social security, or social protection law (the most common HR basis)
- Article 9(2)(h): necessary for assessment of working capacity, occupational medicine, or social and preventive medicine (occupational health processing)
- Article 9(2)(a): explicit consent (rarely valid in employment as discussed above, but occasionally appropriate for genuinely optional health benefits)
- Article 9(2)(f): necessary for establishment, exercise, or defence of legal claims (employment litigation)
The Article 9(2)(b) employment law basis is the workhorse for most HR-related special category processing, but it requires the underlying employment law to actually authorise the specific processing activity. This is where Member State derogations under Article 88 become particularly relevant: the same processing activity might be permitted under German labour law (e.g., processing employee health data for company medical insurance enrolment) but require additional safeguards under Italian labour law.
Special category data also requires enhanced organisational and technical safeguards beyond standard personal data: stricter access controls, encrypted storage, retention reviews tailored to the data type, and often Data Protection Impact Assessments (DPIAs) before processing begins. Foreign employers using a single global HR data architecture sometimes apply uniform controls to all employee data and end up under-protecting special category fields relative to GDPR’s heightened requirements.
Employee Data Subject Access Requests (DSARs)
Data Subject Access Requests (DSARs) from employees and former employees are operationally distinct from customer DSARs. The volume is typically lower but the data scope is broader, the data resides across more systems (HR, payroll, performance, communications, monitoring), and the requests are often filed in the context of grievances, dismissal disputes, or litigation rather than genuine privacy interest.
GDPR Article 15 grants employees the right to access their personal data, including: confirmation that processing is occurring, the categories of data being processed, the purposes, the recipients (including international transfers), the retention period, and the source of data not collected from the employee. Employees may also request a copy of the data being processed.
The response window is one month from receipt, extendable by a further two months for complex requests with notification to the employee within the original month. The response must be provided in a commonly used electronic format unless the employee specifies otherwise. The first request is free; subsequent unfounded or excessive requests can be charged a reasonable fee or refused.
Employee DSAR scoping is more challenging than customer DSAR scoping because employee data resides in more systems. Standard scope includes: the HR information system, payroll system, performance management records, email and chat messaging where the employee is a sender or recipient, monitoring system data (entry/exit, network activity if logged), employee benefits provider records, and any external systems used for HR processes (background checks, reference checks). Underestimating scope is one of the most common DSAR compliance failures.
Three exemptions and limitations matter most in employee DSARs. Third-party data: where responsive records contain other identifiable individuals (typically other employees), their data must be redacted unless they consent or it is reasonable to disclose without consent. Legal privilege: documents covered by legal professional privilege are exempt. Pending litigation or grievance: data being collected for the establishment, exercise, or defence of legal claims may be exempt under Article 9(2)(f), but this is narrowly construed and should not be used to refuse routine DSAR responses.
Cross-Border Transfers of Employee Data Post-Schrems II
For international employers, the most operationally significant GDPR development since the regulation entered force is the July 2020 Schrems II decision invalidating the EU-US Privacy Shield. Cross-border transfers of EU employee personal data to non-EU group companies or service providers now require Standard Contractual Clauses (SCCs) plus a Transfer Impact Assessment (TIA) demonstrating that the destination jurisdiction provides essentially equivalent protection to GDPR.
The mechanism most foreign employers use is the new (June 2021) Standard Contractual Clauses, executed between the EU data exporter (the EU-based subsidiary or EOR) and the non-EU data importer (the foreign parent company or service provider). The SCCs include four modules covering controller-to-controller, controller-to-processor, processor-to-processor, and processor-to-controller transfers, with module selection depending on the relationship. The SCCs must be executed before transfer begins and updated when circumstances change.
The Transfer Impact Assessment (TIA) is the practical document that supplements the SCCs by analysing whether local law in the destination country provides equivalent protection. For transfers to the United States, the TIA must address US government surveillance powers under FISA Section 702 and Executive Order 12333 that were the basis for invalidating Privacy Shield. The 2023 EU-US Data Privacy Framework provides an alternative basis for transfers to participating US organisations, although adequacy decisions remain subject to ongoing legal challenge.
For employee data specifically, three transfer scenarios recur:
- Intra-group transfers to a non-EU parent company for global HR data consolidation, performance management, or executive reporting. Standard SCC + TIA approach applies.
- Transfers to non-EU service providers such as US-headquartered HR systems (Workday, SuccessFactors), payroll providers, or background check services. SCC + TIA, plus careful review of the service provider’s sub-processor arrangements.
- Transfers to non-EU jurisdictions for assignee tax and immigration processing. Similar SCC + TIA approach, often with sector-specific considerations.
Foreign employers running global HR systems should expect that their EU subsidiaries are exporting employee data to the parent company, and ensure SCC and TIA documentation is in place before any supervisory authority audit. Reactive compliance after an audit notification is significantly more expensive and disruptive than proactive transfer documentation.
Employee monitoring is regulated more strictly than most foreign employers realise
EU employee monitoring (CCTV at work, email and internet activity logging, productivity software, badge-in/badge-out tracking, vehicle GPS) is permitted under GDPR but constrained by Article 88 Member State derogations and labour-law specific rules. France’s CNIL has issued multiple guidance documents and fines on excessive employee monitoring; Italy’s Article 4 Statuto dei Lavoratori prohibits monitoring tools that operate primarily to surveil workers; Germany requires Works Council co-determination for any monitoring system that can affect employee performance evaluation; Spain has explicit "right to digital disconnection" provisions limiting after-hours work monitoring. The practical implication is that productivity-monitoring software that is normal in US workplaces (keystroke logging, screen recording, real-time activity dashboards) is often unlawful or significantly restricted in EU workplaces. Foreign employers deploying such tools to EU subsidiaries should conduct a Data Protection Impact Assessment, identify the relevant Member State labour-law restrictions, consult Works Councils where required, and consider whether less-intrusive alternatives serve the same legitimate interest. The compliance cost of getting this wrong includes both supervisory authority fines and labour-law remedies including invalidation of dismissals based on monitoring evidence.
Data Protection Impact Assessments (DPIAs) for HR
A Data Protection Impact Assessment (DPIA) is required under GDPR Article 35 when processing is “likely to result in a high risk to the rights and freedoms of natural persons”. For HR processing, several activities routinely trigger the DPIA requirement: employee monitoring systems, biometric access control, large-scale processing of special category data, automated decision-making with legal effects (e.g. AI-assisted recruitment screening), and cross-border transfers to high-risk jurisdictions.
A complete DPIA includes: a systematic description of the envisaged processing operations, an assessment of necessity and proportionality, an assessment of risks to rights and freedoms, and the measures envisaged to address those risks. The DPIA must be completed before processing begins, the data protection officer (where appointed) must be consulted on it, and prior consultation with the supervisory authority is required where high residual risk remains.
The DPIA is a living document. Material changes to processing (new data categories, new transfer destinations, new sub-processors, system upgrades that change data handling) should trigger DPIA review and update. Foreign employers running global HR programmes should maintain a register of DPIAs and review them at least annually as part of their data protection programme governance.
Breach Notification: 72 Hours and HR-Specific Patterns
Personal data breaches affecting employee data must be notified to the relevant supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. The 72-hour clock starts from awareness of the breach, not from breach occurrence, but supervisory authorities increasingly scrutinise the time between occurrence and detection (the longer the gap, the more likely it indicates inadequate detection controls).
Employee-affecting breaches recur in several patterns. Lost or stolen laptops containing HR data, misdirected emails containing personal data sent to wrong recipients, ransomware affecting HR systems, unauthorised access by departing employees, third-party processor breaches affecting employee data, and inadvertent disclosure during DSAR responses are the most common scenarios.
For breaches likely to result in a high risk to employees, additional notification to the affected individuals is required without undue delay. Notification to employees should explain the nature of the breach, the categories and approximate number of individuals affected, the likely consequences, and the measures being taken in response. Employers can sometimes limit individual notification by demonstrating that affected data is encrypted to a sufficient standard or that subsequent measures have rendered residual risk low.
For foreign employers, the practical implication is that the breach notification timeline operates faster than typical incident response cycles. The 72-hour window expires before most internal investigations are complete, so employers must build a parallel track that prepares the supervisory authority notification while investigation continues. Many supervisory authorities accept staged notifications, with initial information provided within 72 hours and supplementary information added as the investigation develops.
GDPR for HR Compliance Checklist
For foreign employers building or auditing their EU HR data programme, the following checklist captures the items most often missing or incomplete in supervisory authority audits.
This checklist is not exhaustive but covers the items most likely to be flagged in a supervisory authority audit, employee complaint investigation, or due diligence review. Foreign employers without dedicated EU privacy counsel should consider engaging external advisers for an annual audit covering at least the items in this list, plus any country-specific items relevant to the markets where they hire.
Frequently Asked Questions: GDPR for HR
GDPR applies to employee data on the same baseline framework as customer data, but with significant differences in practical application. Article 88 GDPR authorises Member States to adopt specific rules on employment data, and every EU Member State has done so. Consent is rarely a valid legal basis for HR data because of the employer-employee power imbalance, so HR processing typically relies on contract necessity, legal obligation, or legitimate interests with documented assessment. Employee monitoring, special category data (health, biometric, union membership), and cross-border transfers to non-EU group companies all face stricter scrutiny in the HR context than in customer-facing processing.
Article 88 of GDPR allows Member States to adopt specific rules on the processing of employees’ personal data. Every EU Member State has used this authority to layer employment-specific data protection rules on top of GDPR. Germany has the BDSG (specifically Section 26 on employee data); France has Code du travail provisions; Italy has the Article 4 Statuto dei Lavoratori restrictions on monitoring; Spain has the LOPDGDD with a right to digital disconnection. For international employers, this means GDPR alone does not give the complete answer for HR data processing in any EU country.
Generally no. The European Data Protection Board and consistent national supervisory authority decisions establish that employee consent is rarely a valid GDPR legal basis because consent must be freely given, and the inherent power imbalance between employer and employee means refusal of consent is rarely truly free of consequence. For core employment data, the lawful basis is typically contract necessity or legal obligation. Consent can be valid for genuinely optional processing such as employee photographs in marketing materials.
A DSAR is the GDPR right of data subjects (including employees and former employees) to access their personal data. Employees can request confirmation that processing is occurring, the data being processed, the purposes, the recipients, and the retention periods. The employer must respond within one month, extendable by two months for complex requests. Employee DSARs are operationally distinct from customer DSARs because the data scope is broader and resides across more systems including HR, payroll, performance management, email, and monitoring systems.
The July 2020 Schrems II decision invalidated the EU-US Privacy Shield. Cross-border transfers of EU personal data to non-EU countries now require Standard Contractual Clauses (SCCs, in the new June 2021 form) plus a Transfer Impact Assessment (TIA) demonstrating that the destination jurisdiction provides essentially equivalent protection to GDPR. For transfers to the United States, the TIA must address US government surveillance powers under FISA Section 702. The 2023 EU-US Data Privacy Framework provides an alternative basis for transfers to participating US organisations.
GDPR provides for two tiers of fines. The lower tier (Article 83(4)) caps fines at €10 million or 2 percent of global annual turnover, whichever is higher. The higher tier (Article 83(5)) caps fines at €20 million or 4 percent of global annual turnover, whichever is higher. Most HR-related violations fall into the higher tier, including violations of lawful basis requirements, transfer restrictions, and data subject rights. Notable HR-related fines include €35 million (H&M, employee surveillance) and various smaller fines for specific HR data issues.
Often yes. A DPIA is required under Article 35 when processing is “likely to result in a high risk to the rights and freedoms of natural persons”. For HR specifically, DPIAs are required for: employee monitoring systems, biometric access control, large-scale special category data processing, automated decision-making with legal effects (e.g., AI-assisted recruitment), and cross-border transfers to high-risk jurisdictions. Standard payroll processing and routine performance management generally do not require a DPIA.
Personal data breaches affecting employee data must be notified to the relevant supervisory authority within 72 hours of awareness of the breach, unless the breach is unlikely to result in a risk to rights and freedoms. The 72-hour clock starts from awareness, not from occurrence. Common HR breach scenarios include lost or stolen laptops with HR data, misdirected emails with personal data, ransomware affecting HR systems, and third-party processor breaches.
Information in this guide is current as of May 2026 and reflects the GDPR framework, the new (June 2021) Standard Contractual Clauses, the post-Schrems II transfer regime, the 2023 EU-US Data Privacy Framework, and the major Member State derogations under Article 88. National supervisory authority guidance evolves continuously and this guide does not capture all country-specific requirements. This guide is for informational purposes only and does not constitute legal or compliance advice. International employers should engage qualified EU privacy counsel for jurisdiction-specific compliance design, audits, or supervisory authority correspondence.