What employee records are employers legally required to keep?
EU employers must keep specific records on work time, payroll, leave, and contracts, often for 5–10 years. Here's what the law actually requires, and what most spreadsheet setups miss.
Most employers know they should keep employee records. Fewer know which records are legally required, how long to retain them, or what happens when an employee requests access to their data.
A 2024 survey by HR.com found that 64% of HR managers say they lack the time and resources to meet HR compliance challenges, and employee record-keeping is one of the most commonly cited gaps.
The rules come from multiple directions: GDPR, the EU Working Time Directive, national labor law, and tax regulations, and they don’t all agree on timelines. Here’s what you’re actually obligated to keep.
TL;DR
- EU employers are legally required to maintain records on employment contracts, payroll, work hours, and leave, with most categories retained for 5–10 years after termination
- The EU Working Time Directive (reinforced by ECJ ruling C-55/18) requires objective, verifiable work time tracking for every employee, not just shift workers
- GDPR limits what employee data you can store and requires a legal basis for each data category
- Employees have the right to request their records at any time; you have 30 days to respond
- Most spreadsheet setups fail at least two of these requirements without the employer realizing it
What employee records are you legally required to keep?
The core categories that EU employment law requires employers to maintain:
Employment and contract records
- Signed employment contract (and all amendments)
- Job title, department, and reporting line history
- Probation documentation and outcome
- Termination notice and reason for leaving
Payroll and compensation records
- Gross and net salary by pay period
- Deductions (tax, social security, pension)
- Bonus and variable pay records
- Any salary change history with effective dates
Work time records
- Hours worked per day and per week
- Overtime and compensatory time
- Rest periods and break records (for certain roles and countries)
Leave and absence records
- Annual leave entitlement, accrual, and usage
- Sick leave dates and duration
- Parental leave periods
- Any other statutory leave taken
Documents
- Copy of identity verification (for right-to-work compliance where applicable)
- Bank account details used for payroll (retained during employment, deleted after)
- Emergency contact details (with explicit consent)
The exact scope varies by country, but these categories are required across all EU member states in some form.
How long do you need to keep employee records?
Retention periods vary by record type and by country. These are the typical minimums across EU jurisdictions:
| Record type | Typical retention period |
|---|---|
| Employment contracts | 5–7 years after termination |
| Payroll records | 5–10 years (Germany: 10 years; Finland: 10 years; Sweden: 10 years) |
| Work time records | 5 years in most EU countries |
| Annual leave records | 5 years after the leave year closes |
| Sick leave records | 5 years in most jurisdictions |
| Termination documents | 5–7 years (statute of limitations for employment claims) |
The critical mistake most small employers make is deleting records when an employee leaves. Under EU law, most payroll and work time records must be retained for years after termination, because they may be needed to defend against a historical wage claim or tax audit.
What does the EU Working Time Directive require you to track?
This is the part most employers miss.
In 2019, the Court of Justice of the EU ruled in case C-55/18 (CCOO v. Deutsche Bank) that all EU employers must set up an objective, reliable system for recording daily work time for every employee, not just hourly workers or shift staff.
The ruling applies to:
- Full-time salaried employees
- Remote workers
- Hybrid workers
- Part-time employees
The record must show how many hours were worked each day, not just a total for the week. A system that lets employees self-declare a weekly total without daily breakdown does not meet the standard.
This has practical implications. If an employee disputes unpaid overtime, the burden falls on the employer to show what was actually worked. Without systematic records, you can’t defend the position.
In Nordic countries, this obligation was already embedded in national law before the ECJ ruling. In Germany, the 2022 Federal Labour Court decision (BAG 1 ABR 22/21) reinforced the same requirement. The direction of travel is clear: work time records are mandatory, and “we trust our employees” is not a compliance strategy.
What does GDPR add on top of labor law?
GDPR doesn’t replace employment record requirements; it adds a layer of obligations on top of them.
The key rules for employee data:
You need a legal basis for each data category. For most employment records, the legal basis is either performance of the employment contract (Article 6(1)(b)) or compliance with a legal obligation (Article 6(1)(c)). You don’t need employee consent to store payroll records; you need them to pay the person correctly and report to tax authorities.
Sensitive data requires a higher bar. Health data (including sick leave diagnoses), trade union membership, and biometric data are “special category” data under Article 9. You need explicit consent or a specific legal obligation to process these. Note: storing that someone was on sick leave is generally fine; storing the diagnosis is not, unless medically necessary and legally justified.
Data minimization applies. You can only store what you actually need for the stated purpose. A home address is required for contract and payroll purposes. A photograph of the employee is not, unless there’s a specific operational reason.
Employees have access rights. Any employee can submit a data subject access request (DSAR) asking for a copy of all personal data you hold on them. You have 30 days to respond, and the response must be complete and free of charge.
What happens when records aren’t in order?
The practical risks come from two directions.
First, employment disputes. If a former employee claims unpaid overtime, wrongful termination, or incorrect leave calculation, you need records to defend your position. Courts in most EU countries treat inadequate records as a point against the employer: the assumption is that if you don’t have the records, the employee’s account of events is more credible.
Second, regulatory audits. GDPR supervisory authorities can audit employer data practices. Tax authorities can audit payroll records. Labor inspectorates can audit work time records. The fines for GDPR violations can reach €20 million or 4% of annual global turnover, though in practice, SME fines tend to be much lower. The greater exposure is usually reputational and operational: the cost of scrambling to produce records under a deadline.
How does a proper employee records system make this manageable?
The core problem with spreadsheets isn’t just that they’re manual; it’s that they don’t create the kind of timestamped, auditable trail that compliance requires.
When an employee’s salary changes in a spreadsheet, the previous salary disappears. When someone’s leave balance is manually adjusted, there’s no record of who changed it or when. When an employee leaves, their records often get archived in a personal Drive folder that doesn’t have proper access controls.
A proper HRIS maintains a full history of every field: who changed what, when, and to what value. Leave accrues automatically against the right policy for each employee’s location. Work time records are captured systematically. When someone submits a DSAR, you can export their complete record in minutes rather than spending a week hunting through spreadsheets.
Taito.ai stores all employment records with full audit history, handles work time and leave tracking automatically for Finnish, Swedish, Norwegian, and Danish law, and lets HR leads generate a full employee data export in response to a DSAR. Setup takes days, not months.