Employee PII: What HR Departments Need to Know About GDPR

By PrivaSift Team, Apr 01, 2026. Tags: gdpr, pii, compliance, data-privacy, pii-detection


The Hidden Compliance Risk Sitting in Your HR Systems

![The Hidden Compliance Risk Sitting in Your HR Systems](https://max.dnt-ai.ru/img/privasift/employee-pii-hr-departments-gdpr-compliance_sec1.png)

Every HR department is a data warehouse. From the moment a candidate submits a resume to the day an employee exits the organization, human resources collects, processes, and stores vast quantities of personally identifiable information — names, addresses, national ID numbers, bank details, health records, performance reviews, and disciplinary notes. Most of this data falls under the strictest categories of protection defined by GDPR.

Yet HR remains one of the most overlooked areas in enterprise data privacy programs. A 2025 survey by the IAPP found that 62% of organizations had not conducted a dedicated data protection impact assessment (DPIA) for their HR data processing activities. Meanwhile, European data protection authorities are increasingly targeting employment-related violations. In 2024 alone, HR-related GDPR fines exceeded €180 million across the EU, with penalties hitting companies ranging from multinational corporations to 50-person startups.

The risk is not hypothetical. If your organization employs people in the EU — or processes the data of EU residents in any capacity — your HR systems are a compliance liability until proven otherwise. The challenge is that employee PII is scattered across more systems than most teams realize: applicant tracking systems, payroll platforms, Slack messages, shared drives, legacy spreadsheets, and email inboxes. Understanding what data you hold, where it lives, and whether you have a lawful basis to process it is the first step toward compliance.

What Counts as Employee PII Under GDPR?

![What Counts as Employee PII Under GDPR?](https://max.dnt-ai.ru/img/privasift/employee-pii-hr-departments-gdpr-compliance_sec2.png)

GDPR defines personal data broadly under Article 4(1): any information relating to an identified or identifiable natural person. For HR, this scope is enormous. Employee PII includes the obvious — names, email addresses, phone numbers — but also extends to data that many HR teams do not immediately recognize as regulated.

Standard employee PII:

  • Full name, date of birth, home address
  • National identification numbers (SSN, NIN, Personalausweisnummer)
  • Bank account and payroll details
  • Employment contract terms and salary information
  • Emergency contact details
  • Corporate email and device identifiers

Special category data (Article 9 — requires explicit consent or specific legal basis):

  • Health and medical records (sick leave documentation, disability accommodations)
  • Trade union membership
  • Racial or ethnic origin (often collected for diversity reporting)
  • Biometric data (fingerprint scanners for office access)
  • Religious beliefs (relevant for leave scheduling)

Often overlooked employee PII:

  • IP addresses from remote work VPN logs
  • GPS data from company vehicles or mobile devices
  • CCTV footage from office premises
  • Performance review narratives containing subjective assessments
  • Internal chat messages referencing personal circumstances

A practical test: if the data can be linked back to a specific employee, directly or indirectly, it is personal data under GDPR. Period.

The Six Lawful Bases for Processing HR Data

![The Six Lawful Bases for Processing HR Data](https://max.dnt-ai.ru/img/privasift/employee-pii-hr-departments-gdpr-compliance_sec3.png)

One of the most common HR compliance mistakes is relying on employee consent as the default legal basis for processing. Under GDPR, consent must be freely given — and the power imbalance inherent in an employment relationship makes genuine consent nearly impossible to establish. The European Data Protection Board (EDPB) has stated explicitly that employee consent is rarely appropriate as a primary lawful basis.

Instead, HR departments should map each processing activity to the correct legal basis:

| Processing Activity | Recommended Lawful Basis | GDPR Article |
|---|---|---|
| Payroll processing | Contractual necessity | Art. 6(1)(b) |
| Tax withholding and reporting | Legal obligation | Art. 6(1)(c) |
| Background checks (pre-hire) | Legitimate interest | Art. 6(1)(f) |
| Health and safety records | Legal obligation | Art. 6(1)(c) |
| Diversity monitoring | Explicit consent or substantial public interest | Art. 9(2)(a) or (g) |
| Employee monitoring (email/web) | Legitimate interest (with DPIA) | Art. 6(1)(f) |
| Providing references post-employment | Legitimate interest | Art. 6(1)(f) |

Action step: Create a Record of Processing Activities (ROPA) specifically for HR. Document every category of employee data you process, the lawful basis, retention period, and any third-party processors involved. Under Article 30, this is a legal requirement for organizations with more than 250 employees — but regulators recommend it for all organizations.

Where Employee PII Hides: The Discovery Problem

![Where Employee PII Hides: The Discovery Problem](https://max.dnt-ai.ru/img/privasift/employee-pii-hr-departments-gdpr-compliance_sec4.png)

The biggest compliance gap in most organizations is not policy — it is visibility. HR data migrates, duplicates, and fragments across systems in ways that are difficult to track manually.

Consider a typical employee onboarding flow:

1. Candidate submits a resume via an ATS (Greenhouse, Workday, Lever)
2. Recruiter downloads the resume to a local machine and shares it via email
3. Hiring manager saves interview notes in a Google Doc
4. HR creates an employee record in the HRIS (BambooHR, Personio, SAP SuccessFactors)
5. Payroll details are entered into a finance system (Xero, ADP)
6. IT provisions accounts, generating logs with personal identifiers
7. The employee's passport scan is uploaded to a shared drive for right-to-work verification

That single employee's PII now exists in at least seven different systems, plus email threads, chat messages, and potentially local downloads. When that employee exercises their Article 15 right to a Subject Access Request (SAR), or their Article 17 right to erasure, can your HR team locate and act on every instance?

This is where automated PII detection becomes essential. Manual audits are too slow, too incomplete, and too expensive. A 2025 Ponemon Institute study found that organizations using automated data discovery tools responded to SARs 74% faster and reduced compliance costs by an average of $340,000 annually.

A typical PII scan across HR systems might surface results like:

```text
Scan Results — HR File Share (/hr/employee-records/)
================================================
Files scanned:   12,847
Files with PII:  9,231 (71.8%)
PII instances:   147,392

Breakdown by PII type:
  Full names:            34,219 (23.2%)
  Email addresses:       28,104 (19.1%)
  National ID numbers:   12,887 (8.7%)
  Phone numbers:         11,432 (7.8%)
  Bank account numbers:   8,291 (5.6%)
  Health information:     3,104 (2.1%)
  Passport numbers:       1,872 (1.3%)
  Biometric identifiers:    483 (0.3%)
  Other PII:             47,000 (31.9%)

HIGH RISK: 1,872 passport scans found in shared directory with no access restrictions.
```

Results like these are not unusual. They are the norm. The question is whether you discover them before a regulator or a breach does.
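To make the discovery step concrete, here is a small scanner in the spirit of the report above. It is an added example written for this article, not PrivaSift's code: the detection patterns, the sample files, their paths and permission bits are all constructed and are assumptions for illustration. It shows three things a practitioner cares about: masking confirmed hits so one value is not counted twice under different types, validating IBAN candidates with the mod-97 checksum so typos and test data are reported at lower confidence, and flagging identity-document scans that sit in world-readable locations.

```python
"""Illustrative PII scanner for an HR file share.

Added example, not PrivaSift's code: it counts PII hits by type across a set of
files, validates IBAN candidates with the ISO 7064 mod-97 check so typos are not
reported as confirmed bank accounts, and flags passport scans sitting in
world-readable locations. The file set, patterns and paths are constructed.
"""
import re
import stat
from collections import Counter
from dataclasses import dataclass


@dataclass
class HRFile:
    path: str
    mode: int   # POSIX permission bits, as os.stat().st_mode would give them
    text: str   # extracted text content ("" for image/PDF scans without OCR)


# Detection rules, applied in this order. Every confirmed hit is masked before
# the next rule runs, so an IBAN's digit groups are not also counted as a phone.
# The patterns are assumptions for this example, not a vendor's rule set.
RULES = [
    ("email", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("bank_account", re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]){11,30}\b")),
    ("national_id", re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b")),  # UK NINO shape
    ("phone", re.compile(r"(?<![\w.])\+?\d[\d ().-]{7,}\d(?![\w.])")),
]


def iban_valid(candidate: str) -> bool:
    """ISO 7064 mod-97: move the first four characters to the end, map letters
    to 10..35, and the resulting integer must be congruent to 1 mod 97."""
    s = candidate.replace(" ", "").upper()
    if not 15 <= len(s) <= 34:
        return False
    rearranged = s[4:] + s[:4]
    return int("".join(str(int(ch, 36)) for ch in rearranged)) % 97 == 1


def find_pii(text: str) -> Counter:
    """Return a Counter of PII hits by type for one document."""
    hits: Counter = Counter()
    masked = text
    for label, rx in RULES:
        def replace(m, label=label):
            value = m.group(0)
            if label == "bank_account" and not iban_valid(value):
                # IBAN shape but bad checksum: mask it so the digits are not
                # re-reported as a phone number, but count it as low confidence.
                hits["bank_account_unverified"] += 1
                return "#" * len(value)
            if label == "phone" and sum(ch.isdigit() for ch in value) < 9:
                return value   # too few digits: dates and reference numbers
            hits[label] += 1
            return "#" * len(value)
        masked = rx.sub(replace, masked)
    return hits


def high_risk_findings(files) -> list:
    """Flag identity-document scans that any local user can read."""
    findings = []
    for f in files:
        name = f.path.rsplit("/", 1)[-1].lower()
        if "passport" in name and f.mode & stat.S_IROTH:
            findings.append(f"{f.path}: passport scan is world-readable (mode {oct(f.mode)})")
    return findings


def scan(files) -> dict:
    """Aggregate per-file hits into the kind of summary a scan report shows."""
    totals: Counter = Counter()
    files_with_pii = 0
    for f in files:
        hits = find_pii(f.text)
        if hits:
            files_with_pii += 1
        totals.update(hits)
    return {
        "files_scanned": len(files),
        "files_with_pii": files_with_pii,
        "by_type": dict(totals),
        "high_risk": high_risk_findings(files),
    }


# Constructed sample share; no real person's data.
SAMPLE_FILES = [
    HRFile("/hr/employee-records/onboarding/j-doe.txt", 0o640,
           "Name: Jane Doe\nEmail: jane.doe@example.com\nPhone: +49 30 1234567\n"
           "Start date: 2024-01-15\nNINO: AB123456C\n"
           "IBAN: DE89 3704 0044 0532 0130 00\n"),
    HRFile("/hr/employee-records/onboarding/typo.txt", 0o640,
           "Backup IBAN: DE00 3704 0044 0532 0130 00\n"),
    HRFile("/hr/employee-records/scans/j-doe-passport.pdf", 0o644, ""),
    HRFile("/hr/employee-records/scans/a-smith-passport.pdf", 0o600, ""),
    HRFile("/hr/employee-records/policies/handbook.txt", 0o644,
           "Holiday entitlement is 25 days. Questions go to the HR mailbox.\n"),
]

if __name__ == "__main__":
    report = scan(SAMPLE_FILES)
    print(f"Files scanned: {report['files_scanned']}, with PII: {report['files_with_pii']}")
    for label, n in sorted(report["by_type"].items()):
        print(f"  {label}: {n}")
    for finding in report["high_risk"]:
        print("HIGH RISK:", finding)
```

The masking order matters: the IBAN rule runs before the phone rule, and the date `2024-01-15` is left alone because it carries only eight digits. A real deployment would swap the constructed `HRFile` list for `os.walk` plus text extraction and add locale-specific identifier formats, but the structure (ordered rules, checksum validation, permission check on sensitive documents) is what turns a pile of regexes into a usable discovery tool.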

Retention Policies: When Holding Data Becomes a Violation

GDPR's storage limitation principle (Article 5(1)(e)) requires that personal data be kept only for as long as necessary for its original purpose. For HR departments, this creates a web of overlapping retention requirements.

Common retention periods (vary by jurisdiction):

  • Recruitment data for unsuccessful candidates: 6 months post-decision (some jurisdictions allow up to 2 years with consent)
  • Employee contracts and basic employment records: Duration of employment + 6–7 years (tax and legal obligations)
  • Payroll and tax records: 6–10 years depending on national tax law
  • Health and safety incident records: 3–40 years depending on incident type and jurisdiction
  • Right-to-work verification documents: Duration of employment + 2 years (UK); varies across EU
  • CCTV footage: Typically 30 days maximum unless related to an incident
The critical mistake: Most HR departments default to keeping everything indefinitely. This is a direct GDPR violation. In 2023, Deutsche Wohnen SE was fined €14.5 million specifically because it retained tenant data (analogous to employee records) beyond the necessary retention period, with no mechanism for periodic review or deletion.

Implementation checklist:

1. Map every category of HR data to a specific retention period with legal justification
2. Implement automated deletion or anonymization workflows triggered by retention expiry
3. Create exception processes for litigation holds or regulatory investigations
4. Audit quarterly to ensure retention policies are being enforced in practice
5. Document everything — regulators will ask for evidence of active retention management
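The checklist above reads as policy, but steps 1 to 3 and 5 are really a small piece of software: a rule table keyed by record category, an expiry calculation from a trigger event, a hold override, and an audit trail. The following is an added example, not code from the article or from any HR product; the category names, the retention periods (taken from the illustrative ranges the article quotes) and the sample records are assumptions, not legal advice for any jurisdiction.

```python
"""Retention-expiry sweep for HR record categories.

Added example, not a vendor tool: each record category maps to a rule (which
event starts the clock, how long to keep, what to do on expiry, and the legal
justification recorded for the ROPA). A litigation hold overrides expiry, and
every decision is written to an audit log. Periods are illustrative assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Optional


class Action(Enum):
    KEEP = "keep"
    DELETE = "delete"
    ANONYMIZE = "anonymize"
    HOLD = "hold"


@dataclass(frozen=True)
class RetentionRule:
    trigger: str        # event the retention clock starts from
    days: int
    on_expiry: Action   # delete outright, or anonymize if aggregates are still needed
    basis: str          # legal justification, kept with the rule for auditors


POLICY = {  # assumed policy table, not a statement of any country's law
    "recruitment_unsuccessful": RetentionRule("hiring_decision", 183, Action.DELETE,
                                              "legitimate interest; 6 months"),
    "employment_record": RetentionRule("employment_end", 7 * 365, Action.ANONYMIZE,
                                       "limitation period for employment claims"),
    "payroll": RetentionRule("tax_year_end", 10 * 365, Action.DELETE, "national tax law"),
    "cctv": RetentionRule("recording_date", 30, Action.DELETE, "site security; 30-day maximum"),
}


@dataclass
class Record:
    record_id: str
    category: str
    trigger_date: Optional[date]   # None: clock not started yet (e.g. still employed)
    legal_hold: bool = False


def evaluate(record: Record, today: date):
    """Return (action, expiry_date) for one record as of `today`."""
    rule = POLICY.get(record.category)
    if rule is None:
        # An unmapped category is a policy gap; fail loudly rather than keep it silently.
        raise ValueError(f"no retention rule for category {record.category!r}")
    if record.legal_hold:
        return Action.HOLD, None            # step 3: litigation hold overrides expiry
    if record.trigger_date is None:
        return Action.KEEP, None
    expiry = record.trigger_date + timedelta(days=rule.days)
    return (rule.on_expiry if today >= expiry else Action.KEEP), expiry


def run_sweep(records, today: date):
    """Evaluate every record; return decisions by id plus audit-log lines (step 5)."""
    decisions, audit = {}, []
    for rec in records:
        action, expiry = evaluate(rec, today)
        decisions[rec.record_id] = action
        basis = POLICY[rec.category].basis
        audit.append(f"{today.isoformat()} {rec.record_id} {rec.category} "
                     f"expiry={expiry.isoformat() if expiry else 'n/a'} "
                     f"action={action.value} basis={basis!r}")
    return decisions, audit


# Constructed sample records, evaluated as of 1 April 2026.
TODAY = date(2026, 4, 1)
SAMPLE_RECORDS = [
    Record("cand-001", "recruitment_unsuccessful", date(2025, 6, 30)),
    Record("cand-002", "recruitment_unsuccessful", date(2026, 2, 1)),
    Record("emp-100", "employment_record", None),
    Record("emp-042", "employment_record", date(2018, 3, 31)),
    Record("emp-042-pay", "payroll", date(2018, 12, 31), legal_hold=True),
    Record("cam-6", "cctv", date(2026, 2, 15)),
    Record("cam-7", "cctv", date(2026, 3, 25)),
]

if __name__ == "__main__":
    _, log = run_sweep(SAMPLE_RECORDS, TODAY)
    print("\n".join(log))
```

Run quarterly (step 4), the audit lines are the evidence regulators ask for: each one records the rule applied, the computed expiry and the justification. The sweep only decides; wiring `Action.DELETE` and `Action.ANONYMIZE` to the actual HRIS, file share or payroll API is system-specific and deliberately left out.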

Cross-Border Transfers: Remote Work Complicates Everything

The rise of distributed and remote workforces has turned employee data transfers into a compliance minefield. If your company is headquartered in Germany but has remote employees in the US, India, or Brazil, every payroll run, every performance review sync, and every benefits administration action is a cross-border data transfer.

Post-Schrems II, transferring employee data outside the EEA requires one of the following mechanisms:

  • Adequacy decision: The destination country has been deemed adequate by the European Commission (currently includes the UK, Japan, South Korea, and the US under the EU-US Data Privacy Framework)
  • Standard Contractual Clauses (SCCs): Updated June 2021 versions must be used, with a Transfer Impact Assessment (TIA)
  • Binding Corporate Rules (BCRs): For intra-group transfers in multinational companies — expensive to implement but durable
  • Derogations under Article 49: Narrow exceptions for occasional, necessary transfers (not suitable for systematic HR data flows)
Practical example: If you use a US-based HRIS like Workday or BambooHR to manage EU employee data, you need to verify that the provider is certified under the EU-US Data Privacy Framework, or that you have SCCs in place. If you use a payroll provider that subprocesses data through servers in India, you need SCCs with that subprocessor as well, plus a documented TIA.

Key risk area: Shadow IT in HR. If a hiring manager uses a personal Dropbox account to share candidate resumes with a colleague in another country, that is an unprotected cross-border transfer of personal data — and a GDPR violation.

Employee Rights: Responding to DSARs Without Panic

Under GDPR, employees have the same data subject rights as any other individual. In practice, these rights are most commonly exercised during or after employment disputes. HR teams must be prepared to respond within the mandatory one-month deadline (Article 12(3)).

The rights your employees can exercise:

  • Right of access (Art. 15): Employees can request a copy of all personal data you hold about them, plus details about how it is processed
  • Right to rectification (Art. 16): Correction of inaccurate data — common for address changes or name changes
  • Right to erasure (Art. 17): Deletion of data where no overriding legal basis exists for retention
  • Right to data portability (Art. 20): Employees can request their data in a machine-readable format
  • Right to object (Art. 21): Particularly relevant for employee monitoring activities based on legitimate interest
Handling a DSAR step by step:

```text
Step 1: Verify the requester's identity
  → Do NOT accept verbal requests without verification
  → Use existing authentication (employee portal, corporate email)

Step 2: Log the request with timestamp
  → The 30-day clock starts on receipt, not acknowledgment

Step 3: Scope the search
  → All systems: HRIS, email, file shares, chat platforms, backup systems, paper files
  → Include data held by processors (payroll providers, benefits administrators, recruitment platforms)

Step 4: Review and redact
  → Remove third-party personal data (e.g., names of other employees mentioned in performance reviews)
  → Apply exemptions where applicable (legal privilege, trade secrets)

Step 5: Compile and deliver
  → Provide in a commonly used electronic format
  → Include processing purposes, categories, recipients, retention periods, and the source of the data

Step 6: Document the response
  → Retain evidence of compliance for accountability purposes
```

Critical tip: The most common DSAR trigger in HR is a disciplinary action or termination. Prepare templates and processes before you need them — not during a tense employee relations situation.
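Steps 2, 4 and 5 of the procedure above are the ones worth automating before the first tense request arrives. The example below is added for this article and is not the article's or any vendor's code. It tracks the deadline as one calendar month from receipt, the Article 12(3) wording used earlier on this page, clamping to the last day of the following month when the receipt day does not exist in it (31 January becomes 28 or 29 February); it redacts other staff members' names from the disclosed text while keeping the requester's own; and it refuses to compile a response that lacks the Article 15 information (purposes, categories, recipients, retention period, source). The names, systems and texts are constructed.

```python
"""DSAR response helpers for HR: deadline tracking, third-party redaction and an
Article 15 completeness check.

Added example, not the article's or a vendor's code. The one-month deadline is
clamped to the end of the following month when needed. All data is constructed.
"""
import calendar
import re
from dataclasses import dataclass
from datetime import date


def _as_date(value) -> date:
    return value if isinstance(value, date) else date.fromisoformat(value)


def response_deadline(received) -> date:
    """Same day next month (Article 12(3)), or that month's last day if shorter."""
    received = _as_date(received)
    year = received.year + received.month // 12
    month = received.month % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(received.day, last_day))


def redact_third_parties(text: str, requester: str, directory) -> str:
    """Mask names of other staff from the directory; the requester's own name stays."""
    for name in directory:
        if name.casefold() == requester.casefold():
            continue
        text = re.sub(r"\b" + re.escape(name) + r"\b", "[third party]", text)
    return text


# Information Article 15(1) requires alongside the copy of the data itself.
ARTICLE_15_FIELDS = ("purposes", "categories", "recipients", "retention_period", "source")


@dataclass
class DsarResponse:
    requester: str
    received: date
    deadline: date
    systems_searched: list
    disclosures: list    # (system, redacted text) pairs
    metadata: dict


def compile_response(requester, received, sources: dict, directory, metadata: dict) -> DsarResponse:
    """Assemble the bundle; refuse to ship it if Article 15 information is missing."""
    missing = [f for f in ARTICLE_15_FIELDS if not metadata.get(f)]
    if missing:
        raise ValueError(f"Article 15 information incomplete: {missing}")
    received = _as_date(received)
    disclosures = [(system, redact_third_parties(text, requester, directory))
                   for system, text in sources.items()]
    return DsarResponse(requester, received, response_deadline(received),
                        list(sources), disclosures, metadata)


# Constructed sample request: an employee asks for her data on 31 January 2026.
DIRECTORY = ["Jane Doe", "Mark Ellis", "Priya Nair"]
SOURCES = {
    "hris": "Jane Doe, Analyst, start 2024-01-15, line manager Mark Ellis.",
    "performance_reviews": "Jane Doe exceeded targets; Priya Nair noted delivery issues in Q3.",
}
METADATA = {
    "purposes": "employment administration, payroll",
    "categories": "identity, contact, contract, performance",
    "recipients": "payroll provider (processor)",
    "retention_period": "employment + 7 years",
    "source": "the employee and line management",
}


def demo() -> DsarResponse:
    return compile_response("Jane Doe", "2026-01-31", SOURCES, DIRECTORY, METADATA)


if __name__ == "__main__":
    resp = demo()
    print("Deadline:", resp.deadline)
    for system, text in resp.disclosures:
        print(f"[{system}] {text}")
```

The redaction here is deliberately simple (exact-name matching against a staff directory); in practice it is a first pass that a human reviewer checks, since nicknames, initials and indirect references ("her previous manager") also identify third parties. The completeness check is the useful guardrail: it makes "we forgot to state the retention period" impossible to ship.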

Real-World Fines: What Happens When HR Gets It Wrong

Enforcement actions provide the clearest picture of what regulators prioritize. Here are notable HR-related GDPR penalties:

  • H&M (2020) — €35.3 million: Managers at the Hamburg service center conducted extensive surveillance of employees, recording details about their health, family problems, and religious beliefs after return-to-work interviews. Data was stored on a network drive accessible to over 50 managers. The Hamburg DPA called it a "grave disregard for employee data protection."
  • Clearview AI (2022) — €20 million (multiple DPAs): While primarily a facial recognition case, the ruling directly addressed biometric data processing without lawful basis — directly relevant to any HR department using biometric time clocks or access systems.
  • BNPP Personal Finance Spain (2021) — €600,000: Fined for processing employee health data without a proper legal basis and sharing it with unauthorized third parties.
  • Österreichische Post (2019) — €18 million: Although a customer data case, the Austrian DPA's reasoning about profiling and data minimization applies equally to employee data analytics and workforce planning tools.
The pattern is clear: regulators punish excessive collection, insufficient legal basis, poor access controls, and lack of transparency with employees about how their data is used.

FAQ: Employee PII and GDPR Compliance

Can we require employees to consent to data processing as a condition of employment?

No. GDPR requires that consent be freely given, and the inherent power imbalance in employment relationships means consent is almost never considered "free" in the employment context. The Article 29 Working Party (now EDPB) has been explicit about this. Instead, rely on contractual necessity (Art. 6(1)(b)) for data processing directly related to the employment relationship, legal obligation (Art. 6(1)(c)) for tax and regulatory requirements, and legitimate interest (Art. 6(1)(f)) for other justified processing — but only after conducting a balancing test. Consent should be reserved for truly optional activities, such as opting into a company newsletter or participating in non-mandatory diversity surveys, where refusal carries no consequences.

How should we handle employee PII during mergers and acquisitions?

M&A transactions are a high-risk moment for employee data. During due diligence, share only anonymized or aggregated workforce data — not individual employee records. Post-acquisition, the new entity needs its own lawful basis for processing; it cannot simply inherit the previous employer's. Employees must be informed under Article 13/14 about the new data controller, the purposes of processing, and any changes to how their data will be handled. If the transaction involves transferring data outside the EEA, appropriate transfer mechanisms must be in place before the data moves. Plan for a 90-day data migration window where both entities maintain parallel compliance obligations.

Do GDPR employee data rules apply to contractors and freelancers?

Yes, but with nuance. GDPR protects all natural persons, regardless of employment status. If you process personal data about contractors, freelancers, temporary workers, or even job applicants, the full scope of GDPR applies. The lawful basis may differ — contractor relationships are more likely to rely on contractual necessity and legitimate interest than on the employment-specific legal obligations that apply to full employees. However, the same principles of data minimization, purpose limitation, storage limitation, and transparency apply. Do not assume that because someone is not on your payroll, their data is outside GDPR scope.

What is the recommended approach to employee monitoring under GDPR?

Employee monitoring — including email surveillance, web browsing tracking, keystroke logging, and video surveillance — is one of the highest-risk areas in HR data protection. Article 6(1)(f) legitimate interest is the most common legal basis, but it requires a documented Legitimate Interest Assessment (LIA) demonstrating that the monitoring is necessary, proportionate, and that the employer's interest outweighs the employee's reasonable expectation of privacy. A DPIA under Article 35 is almost certainly required. Employees must be informed about monitoring in advance (transparency principle), and covert monitoring is only justifiable in exceptional circumstances, such as investigating suspected criminal activity, and even then only for a limited duration. Several EU member states have additional national laws restricting employee monitoring — Germany's BDSG §26 and France's CNIL guidelines impose stricter requirements than the baseline GDPR text.

How long after an employee leaves should we retain their data?

There is no single answer — retention periods must be mapped to specific legal obligations and legitimate business needs for each category of data. As a general framework: basic employment records (name, dates of employment, role) should be retained for the statutory limitation period for employment claims (typically 3–6 years, depending on jurisdiction). Payroll and tax records are subject to national tax retention requirements, often 6–10 years. Health and safety records may need to be retained for up to 40 years for certain workplace exposure incidents. However, ancillary data — interview notes, informal performance feedback, internal chat messages — should be deleted promptly after the employment relationship ends unless there is a specific, documented reason to retain it. The key principle: do not retain by default. Retain by justification.

Start Scanning for PII Today

PrivaSift automatically detects PII across your files, databases, and cloud storage — helping you stay GDPR and CCPA compliant without the manual work.

[Try PrivaSift Free →](https://privasift.com)
