GDPR and employee data: what can employers actually collect, store, and delete?
GDPR applies to employee data just as it does to customer data. Here's what you can legally store, what requires extra justification, and when you're required to delete.
Most companies have a clear process for handling customer data under GDPR. Fewer apply the same rigour to employee data, even though the obligations are nearly identical, and the exposure when things go wrong is just as real.
GDPR applies to every piece of personal data you hold on employees, job applicants, and former staff. That includes salary records, sick leave history, emergency contact details, and performance reviews. Here’s what you’re allowed to collect, what requires special justification, and when deletion is, and isn’t, the right answer.
The exposure when this goes wrong is real: according to the CMS GDPR Enforcement Tracker, EU data protection authorities have issued over 162 fines specifically related to employee data processing, totalling more than €355 million. The majority weren’t the result of deliberate misuse. They were the result of routine HR practices that hadn’t been updated to reflect the regulation.
TL;DR
- GDPR applies to all employee personal data: you need a lawful basis for every category you store
- The most common lawful bases for employment data are performance of contract and compliance with a legal obligation, not consent
- Health data, trade union membership, and biometric data are “special category” data: on top of the Article 6 basis, you need an Article 9 condition before you may store them at all
- The right to erasure exists, but it does not override your obligation to retain data required by employment, tax, or accounting law
- Employees can request a full copy of their data, and you must respond within one month; your ability to produce it quickly is itself a compliance signal
Why GDPR applies to your HR data
GDPR defines personal data as “any information relating to an identified or identifiable natural person.” That covers almost everything in your HR system: name, job title, salary, bank account details, home address, attendance records, sick leave dates, and performance notes.
The regulation doesn’t distinguish between customer data and employee data. Both require a lawful basis for processing. Both require appropriate security measures. Both give the individual rights over their data.
The difference is that employee data involves an ongoing relationship with a power imbalance. This matters because it shapes which lawful bases actually apply, and it rules out some approaches that companies commonly assume are safe.
What lawful basis applies to employee data?
GDPR Article 6 lists six lawful bases for processing personal data. For employment data, three are commonly relevant:
Performance of a contract (Article 6(1)(b)) This covers data you need to fulfil the employment contract itself. Name, salary, job title, bank details for payroll, working hours, leave entitlements. If you couldn’t process this data, you couldn’t pay the person or manage the employment relationship.
Compliance with a legal obligation (Article 6(1)(c)) This covers data you must process because the law requires it. Work time records (EU Working Time Directive), payroll data reported to tax authorities, social security contributions, statutory leave records. You’re not choosing to store this, you’re legally required to.
Legitimate interests (Article 6(1)(f)) This applies where you have a genuine business reason to process data that isn’t covered by the other two. It requires a balancing test: the processing must be necessary for your interest, and that interest must not be overridden by the employee’s interests, rights, and freedoms. Document the test, because you will be asked for it. Emergency contact details, for example, are typically justified under legitimate interests: you’re not contractually required to have them, but there’s a clear, reasonable purpose.
What about consent? Consent is generally the wrong basis for employment data. GDPR requires that consent be freely given, and in an employment relationship the power imbalance means employees may not feel free to refuse, or to withdraw it later. The ICO is explicit on this: “As an employer, you will generally be in a position of power over your workers. They may fear adverse consequences and might feel they have no choice but to agree.” Most data protection authorities recommend against relying on employee consent for core HR data processing. If you’re using consent as your primary basis for payroll records or leave tracking, that basis is unlikely to hold up, and everything built on it inherits the weakness.
What can employers collect?
The guiding principle is data minimization: only collect what you actually need for the stated purpose.
Generally straightforward to justify:
- Full name and contact details
- Employment contract terms (title, salary, start date, working hours, notice period)
- Tax identification number and bank details (for payroll)
- Work time and attendance records
- Annual leave entitlement, accrual, and usage
- Sick leave dates and duration (not diagnosis, see below)
- Emergency contact name and phone number (usually on a legitimate interests basis; note that this is a third party’s personal data, so tell the employee to inform the contact)
- Performance review documentation where your company has a formal process
Requires more careful justification:
- Home address (required for some statutory notifications, but shouldn’t be stored unnecessarily)
- Date of birth (sometimes required for tax or pension calculations; otherwise minimize)
- Photographs (rarely required for operational purposes; don’t collect by default)
- Social media profiles (sometimes used in recruitment; only retain with clear purpose)
- Background check results (retain for the minimum period required, then delete)
Special category data, requires an Article 9 condition in addition to the Article 6 basis: Under Article 9, health data, trade union membership, biometric data used to identify someone, genetic data, and data revealing racial or ethnic origin, political opinions, religious beliefs, or sexual orientation may only be processed where one of the Article 9(2) conditions applies. For employers the two that usually matter are explicit consent (with all the caveats above) and Article 9(2)(b), processing necessary to meet obligations under employment or social security law. Data about criminal convictions is governed separately by Article 10 and may only be processed under the control of official authority or where national law specifically authorises it.
For sick leave: recording that an employee was on sick leave for three days is legitimate and necessary. Recording the diagnosis requires specific justification, typically either the employee’s explicit consent or an employment-law obligation under Article 9(2)(b) (e.g., occupational disease reporting in some countries).
What employee data can you NOT store?
There’s no hard list of prohibited data categories, the analysis is always purpose-driven. But some common practices cross the line:
Storing more than you need. If you ask employees to fill in a form with information that has no operational use (political views, religious beliefs, relationship status), that’s a violation of the data minimization principle even if no one ever looks at it.
Keeping data longer than necessary. If an employee leaves and you retain their personal Drive access for six months “just in case,” that’s a storage limitation violation. It is also an access-control failure: an offboarded account that still works is an account nobody is watching.
Sharing data without justification. Sending an employee’s salary details to a colleague who doesn’t need to know them, or exposing leave records to managers who have no reason to see them, is a breach, even if the data never leaves your organization. Least privilege applies to HR data exactly as it does to production systems: access should follow the role, not the convenience of a shared folder.
Using health data for decision-making without legal basis. If you track sick leave patterns and use them to make redundancy decisions without a lawful basis, that’s processing special category data without justification.
Does the right to erasure apply to employee data?
Yes, but with important limits.
Under GDPR Article 17, employees have the right to request deletion of their personal data. However, Article 17(3)(b) provides that the right to erasure does not apply where processing is necessary to comply with a legal obligation. If national tax, accounting, or employment law obliges you to keep payroll records for a fixed period (often somewhere between 6 and 10 years after the relevant year, depending on the jurisdiction), you cannot delete them simply because a former employee requests it. Check the period for each jurisdiction you employ in; they differ.
The practical answer: when a former employee requests erasure, delete everything that isn’t covered by a legal retention obligation. Delete photographs, home addresses collected for convenience, personal notes not required for business purposes, and any data you held beyond your stated retention period (that last category should already be gone; if it isn’t, the erasure request has just exposed a storage limitation problem). Retain payroll records, work time records, and contract documentation for the legally required period, record when that period ends, and inform the employee that you’re doing so and why.
How should you respond to a data subject access request?
Under GDPR Article 15, any employee or former employee can submit a Data Subject Access Request (DSAR) asking for a copy of all personal data you hold on them. Under Article 12(3) you must respond without undue delay and in any event within one month; that can be extended by up to two further months for complex or numerous requests, but you must tell the employee about the extension, and why, within the first month. The response must be:
- Complete, everything you hold, not a selection
- Free of charge (a reasonable fee, or a refusal, is possible only for requests that are manifestly unfounded or excessive, and you carry the burden of showing that)
- In a commonly used electronic format where the request was made electronically (PDF or structured export is typical)
- Accompanied by the information Article 15(1) requires: the purposes, the categories of data, who it’s shared with, how long it’s retained, where it came from if not from the employee, and whether any automated decision-making is involved
The practical challenge is that most HR setups aren’t built for this. If employee data lives across a spreadsheet, a personal Drive folder, email threads, and a payroll provider’s system, assembling a complete response takes time, and any missing data makes the response incomplete.
A proper HRIS stores all employee data in a single, auditable system with a full change history. A DSAR response becomes an export function, not an investigation.
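The two procedures above, an Article 17 erasure that respects statutory retention and an Article 15 export that annotates every category with its basis, recipients and retention, both come down to the same thing: every record carries a category, and every category maps to a documented rule. The following is an added example, not code from the page or from Taito.ai, of how that mapping drives both. The category names, lawful bases, retention periods, recipients and sample records are all hypothetical placeholders; the real periods come from the tax, accounting and employment law of each jurisdiction you employ in.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Hypothetical retention schedule for this example. Category names, bases and
# periods are placeholders, not legal advice; substitute your documented rules.
@dataclass(frozen=True)
class RetentionRule:
    lawful_basis: str            # Article 6 basis (plus Article 9 condition where relevant)
    retain_years: Optional[int]  # statutory period after employment ends; None = no statutory period
    shared_with: tuple = ()      # recipients to disclose in a DSAR response

SCHEDULE = {
    "payroll":           RetentionRule("Art. 6(1)(c) legal obligation", 10, ("payroll provider", "tax authority")),
    "contract":          RetentionRule("Art. 6(1)(b) performance of contract", 10),
    "work_time":         RetentionRule("Art. 6(1)(c) legal obligation", 3),
    "sick_leave_dates":  RetentionRule("Art. 6(1)(c) + Art. 9(2)(b) employment law", 3, ("occupational health",)),
    "emergency_contact": RetentionRule("Art. 6(1)(f) legitimate interests", None),
    "photo":             RetentionRule("Art. 6(1)(f) legitimate interests", None),
}

@dataclass(frozen=True)
class Record:
    employee_id: str
    category: str
    value: str
    source: str  # the system that holds it (HRIS, payroll provider, shared drive, ...)

@dataclass
class ErasurePlan:
    delete_now: list = field(default_factory=list)  # no statutory period: erase on request
    retain: list = field(default_factory=list)      # (record, retain_until): Art. 17(3)(b) applies
    overdue: list = field(default_factory=list)     # period already expired: should be gone already
    review: list = field(default_factory=list)      # no rule for this category: never decide silently

def add_years(d: date, years: int) -> date:
    """Calendar-year addition; 29 Feb rolls back to 28 Feb in a non-leap target year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def plan_erasure(records, employee_id, employment_end: date, today: date) -> ErasurePlan:
    """Partition one former employee's records in response to an Article 17 request."""
    plan = ErasurePlan()
    for r in records:
        if r.employee_id != employee_id:
            continue
        rule = SCHEDULE.get(r.category)
        if rule is None:
            plan.review.append(r)            # undocumented category: a human decides
        elif rule.retain_years is None:
            plan.delete_now.append(r)
        else:
            until = add_years(employment_end, rule.retain_years)
            if until > today:
                plan.retain.append((r, until))
            else:
                plan.overdue.append(r)       # storage-limitation finding, not just an erasure
    return plan

def dsar_export(records, employee_id, employment_end: date) -> dict:
    """Article 15 response: everything held, grouped by category, with basis, recipients and retention."""
    export = {}
    for r in records:
        if r.employee_id != employee_id:
            continue
        rule = SCHEDULE.get(r.category)
        if r.category not in export:
            has_period = rule is not None and rule.retain_years is not None
            export[r.category] = {
                "lawful_basis": rule.lawful_basis if rule else "UNDOCUMENTED: review before responding",
                "shared_with": list(rule.shared_with) if rule else [],
                "retain_until": add_years(employment_end, rule.retain_years).isoformat()
                                if has_period else "until purpose ends",
                "items": [],
            }
        export[r.category]["items"].append({"value": r.value, "held_in": r.source})
    return export

# Constructed sample data, not real records: one former employee whose data is
# spread over the systems a DSAR typically has to reach, plus one current employee.
SAMPLE_RECORDS = [
    Record("E-1001", "payroll", "EUR 4,200/month, IBAN redacted", "payroll provider"),
    Record("E-1001", "contract", "Senior engineer, 37.5h/week, 2 months notice", "HRIS"),
    Record("E-1001", "work_time", "2021-2022 timesheets", "HRIS"),
    Record("E-1001", "emergency_contact", "J. Doe, phone redacted", "HRIS"),
    Record("E-1001", "photo", "headshot.jpg", "shared drive"),
    Record("E-1001", "background_check", "reference check notes", "manager's drive"),
    Record("E-1002", "payroll", "EUR 3,900/month", "payroll provider"),
]

if __name__ == "__main__":
    plan = plan_erasure(SAMPLE_RECORDS, "E-1001", date(2022, 6, 30), date(2026, 1, 15))
    print("delete now:", [r.category for r in plan.delete_now])
    print("retain:", [(r.category, until.isoformat()) for r, until in plan.retain])
    print("overdue:", [r.category for r in plan.overdue])
    print("review:", [r.category for r in plan.review])
```

Two design choices matter here. A category with no rule goes to `review`, never to `delete_now` or `retain`, because silently keeping undocumented data is a storage limitation problem and silently deleting it may destroy something you were legally bound to keep. And a record whose retention period has already expired lands in `overdue` rather than being quietly deleted with the rest, so the erasure request doubles as a check that your retention schedule is actually being enforced.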
What should your employee privacy notice cover?
Under Article 13 (data collected from the employee) and Article 14 (data obtained from elsewhere, such as references or background checks), you’re required to give employees clear information about how their personal data is processed at the point of collection (typically at the start of employment). This is usually delivered as an employee privacy notice or an HR data processing appendix to the employment contract.
It should cover:
- What personal data you collect and why
- The legal basis for each category of data
- Who the data is shared with (payroll provider, pension provider, occupational health)
- How long different categories of data are retained
- Employees’ rights (access, correction, erasure where applicable, objection)
- Contact details for your data protection officer (if you have one) or the relevant supervisory authority
This doesn’t need to be a 20-page document. A clear, specific, two-page notice is more useful, and more likely to be read, than an exhaustive legal text.
Taito.ai stores all employee data with audit history, role-based access controls, and a complete export function for DSAR responses. Personal data is stored in EU data centres and the platform is ISO 27001 certified. For HR leads at companies still running employee data in personal Drive folders, the compliance exposure is rarely obvious until it becomes urgent.
See how Taito.ai works, or request access and we can walk you through it in 30 minutes.