Part of our Compliance & Regulation series
Employee Data Privacy Management: Balancing HR Needs with Privacy Rights
Employee data is the most sensitive category of personal data that most companies process. It includes financial information (salary, bank details), government identifiers (SSN, tax IDs), health data (sick leave, disability accommodations), and behavioral data (performance reviews, disciplinary records). Yet HR departments routinely collect and store far more employee data than necessary, often with inadequate protections.
This guide covers the legal requirements, practical frameworks, and technical implementations for managing employee data privacy across the entire employment lifecycle.
Key Takeaways
- Consent is rarely the appropriate legal basis for employee data processing: the power imbalance means consent is usually not freely given
- Employee monitoring must be proportionate, transparent, and have a lawful basis
- Cross-border transfer of employee data (e.g., to group headquarters) requires specific transfer mechanisms
- Data retention for HR data varies from 1 year (recruitment rejects) to 30+ years (pension records) depending on type
Legal Bases for Processing Employee Data
GDPR Legal Bases (Article 6)
| Legal Basis | When to Use | Examples |
|---|---|---|
| Contract performance (Art. 6(1)(b)) | Necessary to fulfill the employment contract | Salary processing, work schedule, benefits administration |
| Legal obligation (Art. 6(1)(c)) | Required by law | Tax reporting, social security contributions, workplace safety records |
| Legitimate interest (Art. 6(1)(f)) | Business need balanced against employee rights | IT security monitoring, fraud prevention, organizational planning |
| Consent (Art. 6(1)(a)) | Genuinely optional activities | Employee directory photo, social events, non-mandatory surveys |
| Vital interests (Art. 6(1)(d)) | Life-threatening situations | Emergency medical information |
Important: Consent should be the last resort for employee data. The employer-employee power imbalance means consent may not be "freely given" as required by GDPR. Use contract performance or legal obligation where possible.
Special Categories (Article 9)
Health data, biometric data, trade union membership, and other special categories require an additional legal basis:
| Special Category Data | Legal Basis | Common HR Scenario |
|---|---|---|
| Health data | Employment law obligation or explicit consent | Sick leave, disability accommodations, occupational health |
| Biometric data | Explicit consent or substantial public interest | Fingerprint access, facial recognition attendance |
| Trade union membership | Employment law, explicit consent | Union dues deduction, collective bargaining |
| Criminal records | Legal obligation | Background checks (where legally permitted) |
| Religious belief | Explicit consent | Dietary requirements, religious holidays |
Employee Data Through the Lifecycle
Recruitment
| Data Collected | Retention | Notes |
|---|---|---|
| CV / resume | 6-12 months after rejection | Shorter retention is safer |
| Interview notes | 6-12 months after rejection | Keep only job-relevant notes |
| Reference check results | 6 months after decision | Delete promptly |
| Assessment / test results | 6-12 months after rejection | Inform candidates beforehand |
| Background check | 6 months after decision, or not at all | Strict purpose limitation |
Candidates must be informed: Before data collection, provide a privacy notice covering what data is collected, why, how long it is kept, and their rights. Rejected candidates' data should be deleted within 6-12 months unless the candidate consents to being kept in a talent pool.
Onboarding
| Data Collected | Purpose | Legal Basis |
|---|---|---|
| Full name, address, DOB | Employment contract | Contract |
| Tax ID / SSN | Tax reporting | Legal obligation |
| Bank details | Salary payment | Contract |
| Emergency contacts | Workplace safety | Legitimate interest |
| Photo (optional) | Employee directory | Consent |
| Equipment serial numbers | Asset tracking | Legitimate interest |
| Work eligibility documents | Immigration compliance | Legal obligation |
During Employment
| Processing Activity | Legal Basis | Transparency Required |
|---|---|---|
| Payroll processing | Contract | Standard |
| Performance reviews | Legitimate interest | High (inform of criteria) |
| IT system monitoring | Legitimate interest | High (monitoring policy required) |
| Email monitoring | Legitimate interest (limited) | Very high (specific policy required) |
| CCTV | Legitimate interest | High (signage + policy) |
| GPS tracking | Legitimate interest (if proportionate) | Very high |
| Time and attendance | Contract + legal obligation | Standard |
| Training records | Contract + legitimate interest | Standard |
| Disciplinary records | Legitimate interest + legal obligation | High |
Offboarding
| Action | Timeline | Notes |
|---|---|---|
| Revoke all system access | Day of departure | IT checklist |
| Return company equipment | Day of departure | Asset recovery |
| Archive employment records | Day of departure | Move to restricted access |
| Delete non-essential data | 30 days | Photos, personal files, dietary preferences |
| Retain legally required data | Per retention schedule | Tax records, pension, employment contracts |
| Respond to reference requests | Ongoing (limited data) | Dates of employment, position held |
Employee Monitoring
Proportionality Framework
Any employee monitoring must pass the proportionality test:
- Legitimate aim: What is the specific purpose? (Security, productivity, legal compliance)
- Necessity: Is monitoring the least intrusive way to achieve the aim?
- Proportionality: Does the business need outweigh the privacy impact?
- Transparency: Are employees clearly informed about what is monitored?
Monitoring Comparison by Jurisdiction
| Monitoring Type | EU (GDPR) | US | UK | France (CNIL) | Germany |
|---|---|---|---|---|---|
| Email content monitoring | Restricted (proportionate only) | Generally allowed (with notice) | Restricted | Very restricted (private emails protected) | Very restricted (works council consent) |
| Web browsing monitoring | Allowed with notice and purpose | Allowed (with notice) | Allowed with notice | Allowed for professional use only | Restricted |
| CCTV in workplace | Allowed (not in private areas) | Allowed (state laws vary) | ICO guidance applies | Not in break rooms | Works council consent required |
| GPS vehicle tracking | Allowed during work hours only | Generally allowed | Allowed during work hours | Work hours only, employee informed | Very restricted |
| Keystroke logging | Generally disproportionate | Allowed (with notice) | Generally disproportionate | Disproportionate | Disproportionate |
| Screen recording | Restricted (time-limited, purpose-specific) | Allowed (with notice) | Restricted | Very restricted | Very restricted |
Cross-Border Employee Data Transfers
Common Scenarios
| Scenario | Transfer Mechanism Required |
|---|---|
| EU subsidiary to US headquarters (payroll) | Standard Contractual Clauses (SCCs) + Transfer Impact Assessment |
| UK subsidiary to EU parent | UK adequacy decision (mutual) |
| EU to India (IT support) | SCCs + supplementary measures |
| Multi-country HR system (Odoo, Workday) | SCCs with data processor + DPA |
Implementation
For global companies using a centralized HR system:
- Map data flows: Document which employee data moves between which countries
- Assess adequacy: Check if the receiving country has an EU adequacy decision
- Implement SCCs: Sign Standard Contractual Clauses between the data exporter and importer
- Transfer Impact Assessment: Evaluate whether the receiving country's laws undermine SCC protections
- Supplementary measures: Add encryption, pseudonymization, or access restrictions as needed
See our cross-border data transfer guide for detailed transfer mechanism guidance.
HR Data Retention Schedule
| Data Type | Retention Period | Legal Basis |
|---|---|---|
| Employment contract | Duration + 6 years (statute of limitations) | Legal obligation |
| Payroll records | 7-10 years post-employment (varies by country) | Tax law |
| Tax forms (W-2, P60) | 7 years (US), 6 years (UK) | Tax law |
| Pension records | Until 6 years after final pension payment | Legal obligation |
| Performance reviews | Duration of employment + 2 years | Legitimate interest |
| Disciplinary records | Duration + 1-3 years (varies) | Legitimate interest |
| Sick leave records | Duration + 3 years | Legal obligation |
| Training records | Duration + 2-3 years | Legitimate interest |
| Recruitment data (rejected) | 6-12 months | Consent or legitimate interest |
| CCTV footage | 30 days (max 90 in most jurisdictions) | Legitimate interest |
| Access logs | 1-3 years | Security + legitimate interest |
| Works council minutes | 10 years | Legal obligation |
Frequently Asked Questions
Can we use consent as the basis for processing employee data?
Only for truly optional activities where the employee has a genuine free choice without any negative consequences for refusing. Examples: optional company newsletter subscription, using an employee photo on the company website, participating in non-mandatory employee surveys. For payroll, performance management, or any data processing essential to the employment relationship, use contract performance or legal obligation instead.
Can we monitor employee emails?
In most EU jurisdictions, you can monitor business email accounts to a limited extent if: (1) employees are clearly informed about the monitoring, (2) the monitoring is proportionate to a legitimate aim, (3) personal use of business email is either prohibited (making all email business) or personal emails are excluded from monitoring, (4) monitoring is systematic rather than targeted at individuals without cause. France and Germany are the most restrictive.
How do we handle employee data in Odoo HR?
Odoo HR modules collect extensive employee data. Implement: (1) access groups that restrict HR data to authorized personnel, (2) field-level access control for sensitive fields (salary, SSN), (3) automated archival rules for ex-employee data, (4) data export functionality for employee data subject requests, (5) audit logging on sensitive field changes. ECOSIRE provides Odoo HR implementation with privacy controls built in.
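The first, second, fourth and fifth controls in this answer (access groups, field-level restriction of salary and tax ID, export for subject access requests, audit logging of sensitive changes) are shown below as an added plain-Python illustration. It is not Odoo code and not ECOSIRE's implementation: it models the same policy against an in-memory store so it runs without Odoo. Role names, field names and every sample value are constructed for the example. In Odoo itself the corresponding mechanisms are the `groups` attribute on a field definition and `tracking=True` on models that inherit `mail.thread`.

```python
"""Field-level access control, change auditing and subject-access export for
HR records.  Added illustration in plain Python (not Odoo code): role names,
field names and sample values are constructed for the example."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any

# Constructed policy: which roles may read or write each field.  The role
# "employee" is granted implicitly to the record's own data subject.
FIELD_POLICY: dict[str, dict[str, set[str]]] = {
    "name":          {"read": {"employee", "hr_user", "hr_manager", "it_admin"},
                      "write": {"hr_user", "hr_manager"}},
    "salary":        {"read": {"employee", "hr_manager"}, "write": {"hr_manager"}},
    "tax_id":        {"read": {"hr_manager"}, "write": {"hr_manager"}},
    "bank_iban":     {"read": {"employee", "hr_manager"}, "write": {"hr_manager"}},
    "laptop_serial": {"read": {"employee", "hr_user", "hr_manager", "it_admin"},
                      "write": {"it_admin", "hr_manager"}},
}
# Changes to these fields are recorded in the audit log.
AUDITED_FIELDS = {"salary", "tax_id", "bank_iban"}


class AccessDenied(PermissionError):
    """Raised when the acting user lacks the role required for a field."""


@dataclass(frozen=True)
class Actor:
    user_id: str
    roles: frozenset[str]


@dataclass(frozen=True)
class AuditEntry:
    when: str
    actor: str
    employee_id: str
    field: str
    old: Any
    new: Any


class EmployeeStore:
    def __init__(self) -> None:
        self._records: dict[str, dict[str, Any]] = {}
        self.audit_log: list[AuditEntry] = []

    @staticmethod
    def _roles_for(actor: Actor, employee_id: str) -> set[str]:
        roles = set(actor.roles)
        if actor.user_id == employee_id:
            roles.add("employee")  # a person may see (most of) their own record
        return roles

    def create(self, actor: Actor, employee_id: str, **values: Any) -> None:
        if not {"hr_user", "hr_manager"} & set(actor.roles):
            raise AccessDenied("only HR roles may create employee records")
        self._records[employee_id] = {}
        self.write(actor, employee_id, **values)  # per-field checks still apply

    def read(self, actor: Actor, employee_id: str) -> dict[str, Any]:
        """Return only the fields the actor may see.  Unreadable fields are
        omitted rather than blanked, so their presence is not leaked either."""
        roles = self._roles_for(actor, employee_id)
        record = self._records[employee_id]
        visible = {f: v for f, v in record.items() if roles & FIELD_POLICY[f]["read"]}
        if not visible:
            raise AccessDenied(f"{actor.user_id} may not read {employee_id}")
        return visible

    def write(self, actor: Actor, employee_id: str, **changes: Any) -> None:
        """Apply changes field by field; every audited change is logged."""
        roles = self._roles_for(actor, employee_id)
        record = self._records[employee_id]
        # Check every field before mutating anything, so a denied field does
        # not leave a half-applied change behind.
        for f in changes:
            if f not in FIELD_POLICY:
                raise ValueError(f"unknown field {f!r}")
            if not roles & FIELD_POLICY[f]["write"]:
                raise AccessDenied(f"{actor.user_id} may not write {f}")
        for f, new in changes.items():
            old = record.get(f)
            record[f] = new
            if f in AUDITED_FIELDS and old != new:
                self.audit_log.append(AuditEntry(
                    when=datetime.now(timezone.utc).isoformat(),
                    actor=actor.user_id, employee_id=employee_id,
                    field=f, old=old, new=new))

    def export_for_subject(self, employee_id: str) -> dict[str, Any]:
        """Subject access request: the full record plus every audited change
        made to it, so the person can see who altered their sensitive data."""
        return {
            "employee_id": employee_id,
            "record": dict(self._records[employee_id]),
            "audit_trail": [e.__dict__ for e in self.audit_log
                            if e.employee_id == employee_id],
        }
```

The export deliberately bypasses the role filter: a subject access request covers everything held about the person, including fields that HR clerks cannot see, so it is a separate, logged operation rather than a `read` performed as the employee.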
What happens if an employee exercises their right to erasure?
The right to erasure (GDPR Article 17) does not override legal retention obligations. You can refuse erasure if you are required by law to retain the data (tax records, pension records). You must delete data for which there is no legal or legitimate basis for retention (old performance reviews of former employees beyond the retention period, recruitment data for rejected candidates, photos of former employees on the intranet).
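The retention schedule above and this answer describe two sides of one mechanism: a scheduled purge that removes records whose period has run out, and an erasure-request handler that honours Article 17 where no retention obligation remains and refuses it where one does. The following is an added example in plain Python, not code from this page, from Odoo or from ECOSIRE. It encodes a subset of the schedule's figures (employment contract: duration + 6 years; payroll: 7 years; pension: 6 years after the final payment; performance reviews: + 2 years; sick leave: + 3 years; rejected recruitment data: 12 months) as rules; the record identifiers, subject IDs and dates are constructed, and the period boundaries should be replaced with the values that apply in each jurisdiction.

```python
"""Retention enforcement and right-to-erasure decisions for HR records.
Added illustration (not the page's or any product's code); the schedule
subset mirrors the figures above and all record data is constructed."""
from __future__ import annotations

from calendar import monthrange
from dataclasses import dataclass
from datetime import date
from enum import Enum


class Basis(Enum):
    LEGAL_OBLIGATION = "legal obligation"
    LEGITIMATE_INTEREST = "legitimate interest"
    CONSENT = "consent"


@dataclass(frozen=True)
class RetentionRule:
    basis: Basis
    years: int = 0
    months: int = 0
    anchor: str = "employment_end"  # event the retention period counts from


# Constructed subset of the schedule above; periods follow its figures.
SCHEDULE: dict[str, RetentionRule] = {
    "employment_contract": RetentionRule(Basis.LEGAL_OBLIGATION, years=6),
    "payroll_record": RetentionRule(Basis.LEGAL_OBLIGATION, years=7),
    "pension_record": RetentionRule(Basis.LEGAL_OBLIGATION, years=6, anchor="final_pension_payment"),
    "sick_leave_record": RetentionRule(Basis.LEGAL_OBLIGATION, years=3),
    "performance_review": RetentionRule(Basis.LEGITIMATE_INTEREST, years=2),
    "disciplinary_record": RetentionRule(Basis.LEGITIMATE_INTEREST, years=3),
    "recruitment_rejected": RetentionRule(Basis.LEGITIMATE_INTEREST, months=12, anchor="rejection"),
    "intranet_photo": RetentionRule(Basis.CONSENT),  # no period: removed when the person leaves
}


@dataclass(frozen=True)
class Record:
    record_id: str
    subject_id: str
    kind: str
    anchor_date: date | None  # None: the triggering event has not happened yet


@dataclass(frozen=True)
class Outcome:
    action: str  # "delete" or "retain"
    reason: str
    retention_end: date | None


def add_period(d: date, years: int, months: int) -> date:
    """Calendar arithmetic that survives month ends (29 Feb + 12 months -> 28 Feb)."""
    idx = d.month - 1 + months + 12 * years
    y, m = d.year + idx // 12, idx % 12 + 1
    return d.replace(year=y, month=m, day=min(d.day, monthrange(y, m)[1]))


def retention_end(rec: Record) -> date | None:
    rule = SCHEDULE[rec.kind]
    if rec.anchor_date is None:
        return None
    return add_period(rec.anchor_date, rule.years, rule.months)


def purge_due(records: list[Record], today: date) -> list[str]:
    """Scheduled job: IDs of records whose retention period has run out."""
    return [r.record_id for r in records
            if (end := retention_end(r)) is not None and today >= end]


def handle_erasure_request(records: list[Record], subject_id: str, today: date) -> dict[str, Outcome]:
    """Per record of the requesting subject: delete where no basis remains,
    retain (with the reason to give the requester) where one still runs."""
    outcomes: dict[str, Outcome] = {}
    for rec in (r for r in records if r.subject_id == subject_id):
        rule, end = SCHEDULE[rec.kind], retention_end(rec)
        if end is not None and today >= end:
            outcomes[rec.record_id] = Outcome("delete", f"retention ended {end}; should already be purged", end)
        elif rule.basis is Basis.CONSENT:
            outcomes[rec.record_id] = Outcome("delete", "consent-based; request treated as withdrawal", end)
        elif rule.basis is Basis.LEGAL_OBLIGATION:
            until = f"until {end}" if end else "for the statutory period after the triggering event"
            outcomes[rec.record_id] = Outcome("retain", f"legal obligation to retain {until} (Art. 17(3)(b))", end)
        else:
            until = f"until {end}" if end else "while the employment continues"
            outcomes[rec.record_id] = Outcome("retain", f"{rule.basis.value} still applies {until}", end)
    return outcomes


# Constructed sample: one former employee, one current employee, one rejected candidate.
SAMPLE_RECORDS = [
    Record("c1", "emp_former", "employment_contract", date(2020, 3, 31)),
    Record("p1", "emp_former", "performance_review", date(2020, 3, 31)),
    Record("s1", "emp_former", "sick_leave_record", date(2020, 3, 31)),
    Record("pen1", "emp_former", "pension_record", None),
    Record("ph1", "emp_former", "intranet_photo", date(2020, 3, 31)),
    Record("c2", "emp_current", "employment_contract", None),
    Record("ph2", "emp_current", "intranet_photo", None),
    Record("cv1", "cand_rejected", "recruitment_rejected", date(2024, 2, 29)),
]

if __name__ == "__main__":
    today = date(2025, 6, 1)
    print("purge due:", purge_due(SAMPLE_RECORDS, today))
    for rid, o in handle_erasure_request(SAMPLE_RECORDS, "emp_former", today).items():
        print(f"{rid}: {o.action} ({o.reason})")
```

Two points the sample set exercises: a legally required record whose period has already expired (the sick-leave record) is deleted on request, because the obligation that justified keeping it has lapsed; and a record whose triggering event has not yet occurred (the pension record, with no final payment) is retained even though no end date can be computed. The `purge_due` list is what a nightly job would act on regardless of any request.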
What Comes Next
Employee data privacy is one component of your governance program. Combine it with data retention policies for automated enforcement, GDPR DPO implementation for governance structure, and cross-border data transfers for international workforce data.
Contact ECOSIRE for HR data privacy consulting and Odoo HR implementation with privacy controls.
Published by ECOSIRE -- helping businesses protect employee data with respect and compliance.
Written by
ECOSIRE Research and Development Team
Building enterprise-grade digital products at ECOSIRE. Sharing insights on Odoo integrations, e-commerce automation, and AI-powered business solutions.