GDPR (EU)

The European Union's General Data Protection Regulation (Regulation 2016/679) took effect on 25 May 2018 and established a unified data protection framework across the EU/EEA, with strict rules on how organisations collect, process, store, and share personal data.

What Is the GDPR?

Key Takeaways

  • The General Data Protection Regulation (GDPR) is the EU's data protection law, directly applicable in all 27 EU member states plus Iceland, Liechtenstein, and Norway (EEA countries). It replaced the Data Protection Directive 95/46/EC.
  • It applies to any organisation that processes personal data of individuals in the EU/EEA, regardless of where the organisation is located. A US or Indian company processing EU employee or customer data must comply.
  • Personal data means any information relating to an identified or identifiable natural person: name, email, employee ID, IP address, location data, genetic data, biometric data, health data, and more.
  • The GDPR establishes 7 key principles: lawfulness/fairness/transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity/confidentiality, and accountability.
  • Maximum fines reach EUR 20 million or 4% of global annual turnover (whichever is higher) for the most serious infringements, with over EUR 4.5 billion in cumulative fines issued since 2018 (GDPR Enforcement Tracker).

The GDPR fundamentally changed how organisations handle personal data. Before 2018, data protection in Europe was governed by a directive that each member state implemented differently, creating inconsistent rules across 28 countries. The GDPR replaced that patchwork with a single regulation that applies uniformly. For HR teams, the GDPR touches almost every process: recruitment (collecting CVs, conducting background checks, storing applicant data), employment (processing payroll, managing performance, monitoring attendance), and offboarding (retaining records, providing references, deleting data). Employee data is some of the most sensitive data an organisation processes: salary information, health records, disciplinary history, diversity data, and communications. The GDPR doesn't ban the processing of personal data. It requires that processing has a lawful basis, is transparent, is limited to what's necessary, and is protected by appropriate security measures. Getting it right requires both legal understanding and operational discipline.

  • EUR 1.3B+: total GDPR fines issued by EU supervisory authorities in 2023, up from EUR 50M in the regulation's first year (GDPR Enforcement Tracker)
  • 99 articles: total articles in the GDPR, organised across 11 chapters covering everything from principles to enforcement
  • 72 hours: maximum time to notify the supervisory authority of a personal data breach (from the moment of becoming aware)
  • EUR 1.2B: largest single GDPR fine to date, issued to Meta for transferring EU personal data to the US without adequate safeguards (Irish DPC, 2023)

The 7 GDPR Principles

Article 5 sets out seven principles that govern all personal data processing. Every decision about how you collect, store, use, and share data should pass through these principles.

Principle | What It Means | HR Example
--- | --- | ---
Lawfulness, fairness, and transparency | Processing must have a legal basis, be fair to the individual, and be clearly communicated | Tell employees what data you collect about them and why (privacy notice)
Purpose limitation | Data collected for one purpose can't be reused for an incompatible purpose | Recruitment data can't be repurposed for marketing without consent
Data minimisation | Collect only the data that's necessary for the stated purpose | Don't collect marital status if it's not needed for benefits enrollment
Accuracy | Personal data must be accurate and kept up to date | Correct employee records when changes are reported (address, name, bank details)
Storage limitation | Data shouldn't be kept longer than necessary for its purpose | Delete job applicant data after the retention period (typically 6-12 months)
Integrity and confidentiality | Data must be protected against unauthorised access, loss, or destruction | Encrypt employee data at rest and in transit, restrict HR system access by role
Accountability | The controller must demonstrate compliance with all of the above | Maintain records of processing activities (ROPA), conduct DPIAs, train staff

Lawful Bases for Processing Employee Data

Article 6 lists six lawful bases. For HR data, the most commonly used are contractual necessity, legal obligation, and legitimate interests. Consent is problematic in employment contexts.

Contract performance (Article 6(1)(b))

Processing is necessary to perform the employment contract. This covers: paying salaries, administering benefits, managing working hours, and providing the tools and information needed for the employee to do their job. It doesn't cover everything an employer might want to do with employee data. Monitoring employee emails "just in case" isn't necessary to perform the employment contract.

Legal obligation (Article 6(1)(c))

Processing is required by law. This covers: tax withholding and reporting, social security contributions, health and safety record-keeping, equality monitoring (where required by law), and responding to court orders. The legal obligation must be specific. "We might need it for legal purposes one day" isn't a valid legal obligation basis.

Legitimate interests (Article 6(1)(f))

The controller (employer) has a legitimate interest that isn't overridden by the individual's rights and freedoms. This is the most flexible basis but requires a documented Legitimate Interests Assessment (LIA). Common HR uses: internal HR reporting and analytics, monitoring workplace IT for security purposes, conducting disciplinary investigations, and managing company property. The employee's interests, rights, and expectations must be weighed against the employer's interests. Covert monitoring of employees, for example, is very difficult to justify under legitimate interests without strong evidence of suspected wrongdoing.

Why consent is problematic for employers

GDPR consent must be freely given, specific, informed, and unambiguous. In an employment relationship, the power imbalance between employer and employee means consent is rarely considered "freely given." An employee who's asked to consent to data processing may feel they can't refuse without consequences. For this reason, EU data protection authorities generally advise against relying on consent for employee data processing. Use contractual necessity, legal obligation, or legitimate interests instead. Consent may be appropriate for genuinely optional activities (joining a social committee, participating in voluntary surveys) where refusal has no negative consequences.

Data Subject Rights Under GDPR

The GDPR grants individuals eight rights. Each one creates operational obligations for HR teams.

Right | Article | What It Means for HR
--- | --- | ---
Right of access (SAR) | Art. 15 | Employees can request a copy of all personal data held about them
Right to rectification | Art. 16 | Employees can request correction of inaccurate personal data
Right to erasure (right to be forgotten) | Art. 17 | Employees can request deletion of data, subject to legal retention requirements
Right to restrict processing | Art. 18 | Employees can request that processing is limited while a dispute is resolved
Right to data portability | Art. 20 | Employees can request their data in a structured, machine-readable format
Right to object | Art. 21 | Employees can object to processing based on legitimate interests (employer must demonstrate overriding grounds)
Rights related to automated decision-making | Art. 22 | Employees have the right not to be subject to decisions based solely on automated processing (including profiling) that produce legal or significant effects
Right to be informed | Art. 13/14 | Employees must be told what data is collected, why, how long it's kept, who it's shared with, and their rights

Data Breach Notification Requirements

When a personal data breach occurs, the GDPR imposes strict notification obligations on both timing and content.

Notification to the supervisory authority (Article 33)

The controller must notify the relevant supervisory authority (e.g., the ICO in the UK, CNIL in France, BfDI in Germany) within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. The notification must include: the nature of the breach, categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach. "Becoming aware" means the point at which the controller has a reasonable degree of certainty that a breach has occurred. Deliberately delaying investigation to avoid triggering the 72-hour clock is a compliance failure in itself.

Notification to affected individuals (Article 34)

If the breach is likely to result in a high risk to individuals' rights and freedoms, the controller must also notify the affected individuals "without undue delay." The notification must be in clear, plain language and describe the nature of the breach, the likely consequences, the measures taken, and how the individual can protect themselves. Notification to individuals isn't required if: the data was encrypted or otherwise unintelligible, the controller took measures that eliminated the high risk, or individual notification would involve disproportionate effort (in which case a public communication is required).
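The Article 33 and 34 rules above (72-hour clock from awareness, required notification content, and the exceptions to individual notification) as a small decision helper an incident response team could run. This is an added example, not part of the original page; the `Risk` levels, field names and the misdirected-payroll scenario are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum

class Risk(Enum):
    UNLIKELY = "unlikely"  # Article 33 notification not required
    RISK = "risk"          # notify the supervisory authority only
    HIGH = "high"          # also notify individuals (Article 34)

# Content an Article 33 notification must carry, as summarised on the page (assumed field names).
ART33_REQUIRED = ("nature", "categories_affected", "approx_subjects", "consequences", "measures")

@dataclass
class Breach:
    aware_at: datetime                     # reasonable certainty a breach occurred
    risk: Risk
    data_unintelligible: bool = False      # e.g. encrypted and the key was not exposed
    risk_eliminated: bool = False          # later measures removed the high risk
    disproportionate_effort: bool = False  # contacting each person individually is impractical
    notification: dict = field(default_factory=dict)  # draft Article 33 content

def sa_deadline(b: Breach) -> datetime:
    # The 72-hour clock runs from awareness, not from the end of the investigation.
    return b.aware_at + timedelta(hours=72)

def sa_notification_required(b: Breach) -> bool:
    return b.risk is not Risk.UNLIKELY

def individual_action(b: Breach) -> str:
    # Returns 'none', 'individuals' or 'public_communication' (Article 34 exceptions).
    if b.risk is not Risk.HIGH or b.data_unintelligible or b.risk_eliminated:
        return "none"
    return "public_communication" if b.disproportionate_effort else "individuals"

def missing_art33_fields(b: Breach) -> list:
    return [f for f in ART33_REQUIRED if not b.notification.get(f)]

def assess(b: Breach, now: datetime) -> dict:
    deadline = sa_deadline(b)
    return {"notify_sa": sa_notification_required(b),
            "sa_deadline": deadline.isoformat(),
            "hours_remaining": round((deadline - now).total_seconds() / 3600, 1),
            "individuals": individual_action(b),
            "missing_fields": missing_art33_fields(b)}

if __name__ == "__main__":
    # Constructed scenario: an unencrypted payroll export e-mailed to the wrong recipient.
    b = Breach(aware_at=datetime(2024, 3, 1, 9, tzinfo=timezone.utc), risk=Risk.HIGH,
               notification={"nature": "misdirected payroll export", "categories_affected": "employees"})
    print(assess(b, datetime(2024, 3, 2, 9, tzinfo=timezone.utc)))
```

The `missing_fields` output is the gap list to close before the 72-hour window ends; a non-empty list with few hours remaining is the signal to file an initial notification and supply the rest in phases.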

International Data Transfers

Transferring personal data outside the EU/EEA is one of the most complex areas of GDPR compliance, particularly for multinational employers.

Adequacy decisions

The European Commission can determine that a third country provides an adequate level of data protection. Transfers to adequate countries don't require additional safeguards. As of 2024, countries with adequacy include: the UK (until June 2025, subject to renewal), Japan, South Korea, Canada (for commercial organisations), New Zealand, Israel, and the US (under the EU-US Data Privacy Framework, adopted July 2023). The adequacy decision for the US followed the invalidation of the Privacy Shield in Schrems II (2020) and requires US companies to self-certify under the Data Privacy Framework.

Standard Contractual Clauses (SCCs)

In the absence of an adequacy decision, the most common transfer mechanism is Standard Contractual Clauses (updated versions adopted by the European Commission in June 2021). SCCs are pre-approved contractual terms that the data exporter and importer must sign. However, following Schrems II, organisations must also conduct a Transfer Impact Assessment (TIA) to verify that the SCCs provide adequate protection in practice, considering the laws and surveillance practices of the recipient country.

GDPR Compliance Checklist for HR Teams

Practical steps every HR department should take to comply with GDPR requirements for employee data.

  • Issue an employee privacy notice at the start of employment covering: what data is collected, the lawful basis for each processing activity, retention periods, who data is shared with, international transfers, and employee rights.
  • Maintain a Record of Processing Activities (ROPA) for all HR data processing operations as required by Article 30.
  • Conduct Data Protection Impact Assessments (DPIAs) before implementing new systems or processes that involve high-risk processing (large-scale monitoring, profiling, processing special category data).
  • Establish clear data retention schedules for all HR data categories: recruitment data (6-12 months after rejection), employment records (6 years after employment ends for tax/legal reasons), and health data (as required by occupational health regulations).
  • Train all HR staff on GDPR obligations, including recognising and handling SARs, breach reporting procedures, and data minimisation principles.
  • Review all HR technology vendors for GDPR compliance, ensure data processing agreements (Article 28) are in place, and verify that sub-processors are disclosed.
  • Implement access controls: restrict HR system access by role, use multi-factor authentication, encrypt data at rest and in transit, and maintain audit logs.
  • Establish a process for handling data subject rights requests (SARs, erasure requests, portability requests) within the statutory deadlines.

GDPR Enforcement Statistics [2026]

Data on GDPR fines and enforcement actions across the EU/EEA.

  • EUR 4.5B+: total GDPR fines issued since May 2018 (GDPR Enforcement Tracker, 2024)
  • EUR 1.2B: largest single fine, issued to Meta for transferring EU data to the US without adequate safeguards (Irish DPC, May 2023)
  • 2,100+: total enforcement actions across the EU/EEA since the GDPR took effect (GDPR Enforcement Tracker)
  • 72 hours: maximum time to notify the supervisory authority of a data breach (GDPR Article 33)

Frequently Asked Questions

Does GDPR apply to companies outside the EU?

Yes, if the company processes personal data of individuals in the EU/EEA. Article 3 establishes extraterritorial scope: GDPR applies to any organisation that has an establishment in the EU (regardless of where processing takes place) or that offers goods or services to individuals in the EU, or that monitors the behaviour of individuals in the EU. A US company with EU employees, EU customers, or EU website visitors processing their data must comply with GDPR.

Can an employer monitor employee emails under GDPR?

Monitoring is possible but must be proportionate, transparent, and based on a lawful basis (usually legitimate interests). The employer must: inform employees that monitoring takes place (in the privacy notice or an acceptable use policy), explain the purpose and extent of monitoring, conduct a DPIA if the monitoring is systematic, and ensure that monitoring is proportionate to the legitimate aim. Blanket monitoring of all employee communications is very difficult to justify. Targeted monitoring in response to specific concerns (suspected data theft, harassment complaints) is easier to justify but must still be proportionate.

How long can an employer keep employee data after they leave?

There's no single answer. Retention depends on the type of data and the legal requirements. General employment records (contracts, pay records, tax documents): 6 years after employment ends (based on UK limitation periods for contract and negligence claims; similar periods apply in most EU countries). Health and safety records: 40 years for occupational health surveillance records. Pension records: until the employee reaches pension age plus 6 years. Recruitment data for unsuccessful applicants: 6 to 12 months is typical, unless the applicant consented to longer retention for future roles.

What counts as 'special category data' in an HR context?

Article 9 defines special category data as: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (used for identification), health data, and data concerning sex life or sexual orientation. HR teams routinely process several of these categories: health data (sick notes, occupational health referrals, disability adjustments), trade union membership (payroll deductions), and diversity monitoring data (ethnicity, religion, sexual orientation). Processing special category data requires meeting both an Article 6 lawful basis and an Article 9 condition (such as employment law obligation, explicit consent, or substantial public interest).

Is a Data Protection Officer (DPO) required?

A DPO is mandatory if the organisation is a public authority, if its core activities involve regular and systematic monitoring of individuals on a large scale, or if its core activities involve large-scale processing of special category data. For private sector employers, a DPO is typically required if the organisation processes employee health data, diversity data, or conducts systematic monitoring (such as CCTV or IT usage monitoring) on a large scale. Even where not legally required, appointing a DPO or a data protection lead is considered best practice. Some EU member states (such as Germany) have lower thresholds for mandatory DPO appointment.

How does GDPR interact with UK data protection law after Brexit?

The UK incorporated GDPR into domestic law as the "UK GDPR" through the European Union (Withdrawal) Act 2018, supplemented by the UK Data Protection Act 2018. The two regimes are currently very similar but can diverge over time as the UK makes amendments. The EU granted the UK an adequacy decision in June 2021 (valid until June 2025, subject to renewal), which allows personal data to flow freely from the EU/EEA to the UK. If adequacy lapses, organisations would need to implement SCCs or other transfer mechanisms for EU-UK data flows.

Written by Adithyan RK. Fact-checked by Surya N. Published on: 25 Mar 2026.