Employee PII: What HR Departments Need to Know About GDPR

PrivaSift Team | Apr 01, 2026 | Tags: gdpr, pii, compliance, data-privacy, pii-detection


Every HR department sits on a goldmine of personal data — and a minefield of compliance risk. From CVs and payroll records to health declarations and performance reviews, human resources teams process some of the most sensitive personally identifiable information (PII) in any organization. Yet a surprising number of companies still treat employee data with far less rigor than customer data.

That gap is increasingly expensive. In 2023 alone, European data protection authorities issued over €2.1 billion in GDPR fines, and workplace data violations accounted for a growing share of complaints filed with supervisory authorities. The German DPA fined H&M €35.3 million for systematic surveillance of employees, including logging details about their private lives, medical conditions, and family problems. The message is clear: employee PII is not a compliance afterthought — it is ground zero for enforcement.

If you are a CTO, DPO, or compliance officer, the question is not whether your HR systems contain PII. They do. The question is whether you know exactly where it lives, who can access it, how long you are keeping it, and whether you have a lawful basis for every processing activity. This article breaks down what you need to know — and what you need to do — right now.

What Counts as Employee PII Under GDPR?

![What Counts as Employee PII Under GDPR?](https://max.dnt-ai.ru/img/privasift/employee-pii-hr-gdpr-compliance_sec1.png)

GDPR defines personal data broadly under Article 4(1): any information relating to an identified or identifiable natural person. For HR, this scope is enormous. Employee PII includes the obvious — names, addresses, national ID numbers, bank details — but extends far beyond that.

Standard employee PII:

  • Full name, date of birth, gender
  • Home address, phone number, personal email
  • National insurance / social security numbers
  • Bank account and salary details
  • Tax identification numbers
  • Employment contract terms

Special category data (Article 9):

  • Health records (sick notes, disability status, occupational health assessments)
  • Trade union membership
  • Racial or ethnic origin (often collected for diversity reporting)
  • Biometric data (fingerprint scanners, facial recognition for access control)
  • Religious beliefs (relevant for leave policies)

Special category data triggers stricter obligations under Article 9(2). Processing is prohibited unless you meet one of ten specific conditions — such as explicit consent or obligations under employment law. Many HR teams unknowingly process special category data without the correct legal basis, particularly around health information and diversity metrics.

The Six Lawful Bases — and Why HR Gets Them Wrong

![The Six Lawful Bases — and Why HR Gets Them Wrong](https://max.dnt-ai.ru/img/privasift/employee-pii-hr-gdpr-compliance_sec2.png)

A common mistake is defaulting to employee consent as the lawful basis for processing HR data. Under GDPR, consent must be freely given — and the power imbalance in an employment relationship makes genuine "free" consent extremely difficult to demonstrate.

The UK Information Commissioner's Office (ICO) and the Article 29 Working Party (now the EDPB) have both warned that employee consent is rarely appropriate. If an employee reasonably fears negative consequences for refusing, consent is not valid.

More appropriate lawful bases for HR processing:

| Lawful Basis | Example HR Use |
|---|---|
| Contract performance (Art. 6(1)(b)) | Processing payroll, issuing employment contracts |
| Legal obligation (Art. 6(1)(c)) | Tax reporting, right-to-work checks, health & safety records |
| Legitimate interest (Art. 6(1)(f)) | Performance management, internal investigations, IT security monitoring |
| Consent (Art. 6(1)(a)) | Optional benefits enrollment, publishing employee photos on website |

For special category data, you will typically rely on Article 9(2)(b) — processing necessary for employment, social security, or social protection law — combined with appropriate domestic legislation. Document this clearly. Regulators will ask.

Where Employee PII Hides: The Shadow Data Problem

![Where Employee PII Hides: The Shadow Data Problem](https://max.dnt-ai.ru/img/privasift/employee-pii-hr-gdpr-compliance_sec3.png)

Most HR teams know about the PII in their HRIS (Human Resource Information System). The risk lies in what they do not know about. Employee PII proliferates across systems that nobody is tracking:

  • Email inboxes — recruiters receive CVs containing addresses, phone numbers, dates of birth, sometimes photos and nationality
  • Shared drives and cloud storage — managers save performance notes, disciplinary records, and medical certificates to Google Drive or SharePoint folders with broad access
  • Spreadsheets — payroll exports, bonus calculations, and headcount reports circulate as Excel files with no access controls
  • Chat platforms — Slack and Teams channels where managers discuss employee issues, share screenshots of HR records, or forward sensitive documents
  • Legacy systems — old applicant tracking systems or decommissioned databases that still contain years of candidate data
  • Local machines — hiring managers who download CV batches to their laptops

A 2024 study by Cyberhaven found that 35% of sensitive data employees upload to AI tools contains PII — much of it employee records being summarized or analyzed through ChatGPT and similar services.

Automated PII scanning is not optional here. You cannot protect data you have not found. Tools like PrivaSift can scan file systems, databases, and cloud storage to surface employee PII you did not know existed — mapping it before a regulator or a breach does.

Data Retention: The Policy Nobody Enforces

![Data Retention: The Policy Nobody Enforces](https://max.dnt-ai.ru/img/privasift/employee-pii-hr-gdpr-compliance_sec4.png)

Article 5(1)(e) of GDPR requires that personal data be kept "no longer than is necessary for the purposes for which the personal data are processed." For HR, this means you need defined retention periods for every category of employee data — and you need to actually enforce them.

Recommended retention framework:

| Category | Retention Period | Legal Basis |
|---|---|---|
| Recruitment (unsuccessful) | 6 months post-decision | Legitimate interest (tribunal claims) |
| Recruitment (successful) | Duration of employment | Contract performance |
| Payroll records | 6-7 years post-leaving | Tax legislation (varies by jurisdiction) |
| Health & safety records | 40 years (UK) | Legal obligation (RIDDOR) |
| Disciplinary warnings | 12-18 months | Legitimate interest |
| General personnel file | 6 years post-leaving | Limitation period for contract claims |
| Right-to-work documents | 2 years post-leaving | Legal obligation (UK Immigration Act) |
| CCTV footage | 30 days (typical) | Legitimate interest |

The most common violation is indefinite retention. HR systems are rarely configured to auto-delete, and manual purges do not happen because nobody owns the process. The Austrian DPA fined the Austrian Post €18 million partly for retaining data beyond necessary periods.

Practical steps:

1. Audit your HRIS retention settings — most platforms (Workday, BambooHR, Personio) support automated deletion rules
2. Scan shared drives and email archives for employee data that should have been deleted years ago
3. Assign a data owner for each retention category
4. Schedule quarterly retention reviews with HR and legal

Employee Rights: DSARs and the 30-Day Clock

Employees have the same data subject rights as customers under GDPR — and they use them. Data Subject Access Requests (DSARs) from current and former employees have surged, particularly during disputes, redundancy processes, and tribunal proceedings.

Under Article 15, you must respond within one calendar month. For HR, this is operationally complex because employee data is scattered across:

  • The core HRIS
  • Email correspondence mentioning the employee
  • Meeting notes, Slack messages, and Teams chats
  • Manager's local files and personal notes
  • Third-party systems (benefits providers, occupational health, background check vendors)

A compliant DSAR response requires searching all of these. Missing a source does not just create legal risk — it undermines your credibility with the ICO or relevant supervisory authority if the employee escalates.

DSAR response checklist:

  • [ ] Search HRIS for all records linked to the employee
  • [ ] Search email systems (including archived mailboxes) for the employee's name and identifiers
  • [ ] Search shared drives and cloud storage
  • [ ] Check chat platforms for mentions
  • [ ] Contact third-party processors for any data they hold
  • [ ] Review and redact third-party personal data before disclosure
  • [ ] Document your search methodology
  • [ ] Respond within 30 days or request a permitted extension

Automating PII discovery across these sources dramatically reduces DSAR response time. Organizations using automated scanning tools report reducing DSAR fulfillment from weeks to hours.

Cross-Border Transfers: Remote Work Changed Everything

The shift to remote and hybrid work has created new GDPR headaches for HR. If you employ staff in the EU but process their data in the US, UK, India, or any country without an EU adequacy decision, you are making a restricted international transfer under Chapter V of GDPR.

Common scenarios HR teams overlook:

  • Cloud HRIS hosted in the US — even if the vendor has EU data centers, check whether support staff access data from non-adequate countries
  • Global payroll providers — processing payroll for EU employees through a provider with operations in India
  • Background check vendors — running pre-employment checks through US-based services
  • Intra-group transfers — sharing EU employee data with a US parent company for global reporting

Since the Schrems II ruling invalidated the EU-US Privacy Shield, transfers to the US require Standard Contractual Clauses (SCCs) with a Transfer Impact Assessment (TIA). The EU-US Data Privacy Framework (DPF), adopted in July 2023, provides a mechanism for certified US organizations, but it faces legal challenges and is not guaranteed to survive.

Action items:

1. Map all international transfers of HR data — including sub-processors
2. Verify the legal mechanism for each transfer (adequacy decision, SCCs, DPF certification)
3. Conduct Transfer Impact Assessments where required
4. Include transfer provisions in your Record of Processing Activities (ROPA)

Building a Compliant HR Data Program: A Technical Blueprint

Compliance is not a document — it is an architecture decision. Here is a practical framework for engineering teams working with HR data:

1. Data discovery and classification

Run automated PII scanning across all systems that touch employee data. Classify findings by sensitivity level and map to your ROPA.

```python
import re
from pathlib import Path

# Example: scanning a directory for employee PII patterns
# PrivaSift handles this automatically across files, DBs, and cloud storage
pii_categories = {
    "national_id": r"\b\d{3}-\d{2}-\d{4}\b",        # US SSN
    "iban": r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b",     # IBAN
    "email": r"\b[\w.-]+@[\w.-]+\.\w{2,}\b",
    "phone_eu": r"\b\+?\d{1,3}[\s-]?\d{6,12}\b",
    "dob": r"\b\d{2}[/-]\d{2}[/-]\d{4}\b",
}
compiled = {name: re.compile(p) for name, p in pii_categories.items()}

def scan_directory(root):
    """Return {file path: {category: match count}} for files under root."""
    findings = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        text = path.read_text(errors="ignore")  # skip undecodable bytes
        hits = {n: c for n, rx in compiled.items() if (c := len(rx.findall(text)))}
        if hits:
            findings[str(path)] = hits
    return findings

# In practice, use a purpose-built tool rather than regex --
# false positive rates for hand-rolled patterns exceed 30%
```

2. Access control

Apply the principle of least privilege. Not every HR team member needs access to salary data. Not every manager needs to see medical records. Implement role-based access control (RBAC) in your HRIS and audit access logs quarterly.

3. Encryption and pseudonymization

Encrypt employee data at rest and in transit. Where possible, pseudonymize data used for analytics or reporting — for example, using employee IDs rather than names in performance dashboards.
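One way to produce the pseudonymous identifiers for a performance dashboard described above, as an added example that is not PrivaSift's code: a keyed HMAC over the employee ID rather than a plain hash, because employee IDs are enumerable and a plain SHA-256 could be rebuilt by anyone who sees the dashboard. The key, the field names and the sample records are constructed for illustration.

```python
import hmac
import hashlib

# Constructed sample HR records (not real people).
HR_RECORDS = [
    {"employee_id": "E1042", "name": "Ana Novak", "dept": "Sales", "rating": 4},
    {"employee_id": "E2077", "name": "Liam Byrne", "dept": "Sales", "rating": 3},
    {"employee_id": "E1042", "name": "Ana Novak", "dept": "Sales", "rating": 5},
]

# Fields that directly identify a person and must not reach the analytics copy.
DIRECT_IDENTIFIERS = {"employee_id", "name"}

def pseudonym(employee_id: str, key: bytes, length: int = 12) -> str:
    """Keyed HMAC-SHA256 of the employee ID, truncated to a short token.
    Without the secret key the token can neither be reversed nor recomputed
    from a guessed employee ID, so the dashboard alone does not re-identify."""
    tag = hmac.new(key, employee_id.encode(), hashlib.sha256).hexdigest()
    return tag[:length]

def pseudonymize(records, key: bytes):
    """Return analytics-safe copies: direct identifiers replaced by one token.
    The same employee always maps to the same token under the same key, so
    trends over time still work; a different key (e.g. per dataset) breaks
    linkage between datasets that should not be joined."""
    out = []
    for rec in records:
        safe = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        safe["subject"] = pseudonym(rec["employee_id"], key)
        out.append(safe)
    return out

def reidentify(token: str, known_employee_ids, key: bytes):
    """HR-side lookup (needs the key): recompute tokens for known IDs and
    match in constant time. Returns the employee ID or None."""
    for emp_id in known_employee_ids:
        if hmac.compare_digest(pseudonym(emp_id, key), token):
            return emp_id
    return None
```

Keep the key in a secrets manager owned by HR, not alongside the analytics data, or the pseudonymization collapses back to an identifier.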

4. Logging and audit trails

Maintain logs of who accessed employee records and when. This is essential for DSAR compliance and for demonstrating accountability under Article 5(2).

5. Automated retention enforcement

Configure your systems to flag or delete records that exceed their retention period. Manual processes fail at scale.
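As an added example (not PrivaSift's or any HRIS vendor's code), a retention check that encodes the framework table from the Data Retention section and classifies an inventory of records for the quarterly review. The category keys, the 30-day review window before deletion, the upper bound where the table gives a range, the legal-hold flag and the sample records are assumptions made here.

```python
from datetime import date, timedelta

# Retention periods from the framework table (UK figures where the table
# says it varies). Days count from the record's trigger date: the leaving
# date for personnel records, the decision date for recruitment records.
RETENTION_DAYS = {
    "recruitment_unsuccessful": 183,     # 6 months post-decision
    "disciplinary_warning": 548,         # 12-18 months; upper bound assumed
    "right_to_work": 2 * 365,            # 2 years post-leaving
    "general_personnel_file": 6 * 365,   # 6 years post-leaving
    "payroll": 7 * 365,                  # 6-7 years post-leaving; upper bound assumed
    "health_and_safety": 40 * 365,       # 40 years (UK, RIDDOR)
    "cctv": 30,                          # 30 days (typical)
}
GRACE_DAYS = 30  # assumed policy: flag for review first, delete after 30 days
TODAY = date(2026, 4, 1)  # constructed "as of" date for the sample run

def retention_status(record, today):
    """Return 'retain', 'review' or 'delete' for one inventory record."""
    if record.get("legal_hold"):
        return "retain"  # anticipated litigation suspends the clock
    period = RETENTION_DAYS.get(record["category"])
    if period is None:
        return "review"  # unknown category: never silently keep or purge
    trigger = record.get("trigger_date")
    if trigger is None:
        return "retain"  # e.g. still employed: the clock has not started
    expiry = trigger + timedelta(days=period)
    if today < expiry:
        return "retain"
    return "delete" if (today - expiry).days >= GRACE_DAYS else "review"

def retention_report(records, today):
    """Group record ids by status so each data owner gets an actionable list."""
    report = {"retain": [], "review": [], "delete": []}
    for rec in records:
        report[retention_status(rec, today)].append(rec["id"])
    return report

# Constructed sample inventory (not real data).
SAMPLE_RECORDS = [
    {"id": "cv-1", "category": "recruitment_unsuccessful", "trigger_date": date(2025, 6, 1)},
    {"id": "cv-2", "category": "recruitment_unsuccessful", "trigger_date": date(2026, 1, 15)},
    {"id": "pay-1", "category": "payroll", "trigger_date": date(2018, 3, 1), "legal_hold": True},
    {"id": "pf-1", "category": "general_personnel_file", "trigger_date": None},
    {"id": "cctv-1", "category": "cctv", "trigger_date": date(2026, 2, 20)},
    {"id": "x-1", "category": "photo_directory", "trigger_date": date(2020, 1, 1)},
]
```

Run `retention_report(SAMPLE_RECORDS, TODAY)` to get the three lists; wire the "delete" list to the HRIS deletion API only after the data owner has signed off on the "review" list.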

Frequently Asked Questions

Can we use employee consent as our lawful basis for processing HR data?

In most cases, no. The EDPB (formerly the Article 29 Working Party) has consistently held that the power imbalance in employment relationships means consent is rarely "freely given" as required by Article 7. Employees may feel pressured to agree, which invalidates consent. Use contract performance (Article 6(1)(b)) for data necessary to fulfill the employment contract, legal obligation (Article 6(1)(c)) for statutory requirements like tax reporting, and legitimate interest (Article 6(1)(f)) for purposes like performance management — after completing a Legitimate Interest Assessment. Reserve consent for genuinely optional activities where refusal has zero consequences, such as opting in to a company photo directory.

How long should we keep CVs and interview notes for unsuccessful candidates?

The standard recommendation in most EU jurisdictions is six months from the date you inform the candidate of your decision. This period allows you to defend against potential discrimination claims, which typically must be filed within three to six months depending on the jurisdiction. If you want to retain candidate data longer for future vacancies, you need a separate lawful basis — typically consent. Send a clear opt-in email, explain what data you will keep and for how long, and make it easy to withdraw. Delete immediately if the candidate does not respond or declines.

What happens if an employee files a DSAR during a disciplinary process?

You must still comply within 30 days. There is no exemption for ongoing disciplinary proceedings. However, Article 15(4) allows you to refuse or restrict access where disclosure would "adversely affect the rights and freedoms of others." This means you can redact information that identifies witnesses or other employees. You can also withhold data covered by legal professional privilege if legal proceedings are anticipated. Document your reasoning carefully — a blanket refusal will not survive regulatory scrutiny. Seek legal counsel before withholding any data.

Do we need a Data Protection Impact Assessment (DPIA) for our HR systems?

Article 35 requires a DPIA when processing is "likely to result in a high risk to the rights and freedoms of natural persons." HR processing frequently meets this threshold — particularly if you are conducting systematic monitoring of employees (e.g., email monitoring, GPS tracking, productivity software), processing special category data at scale (health records, diversity data), or implementing new technologies like AI-powered recruitment screening. The ICO's screening checklist and the EDPB's guidelines on DPIAs provide specific criteria to help you assess whether a DPIA is mandatory for your use case.

Are employee communications (email, Slack) in scope for GDPR?

Yes. Any communication that contains personal data relating to an identifiable employee is in scope. This includes emails about performance, Slack messages discussing a staff member's absence, and Teams chats referencing someone's health or personal circumstances. This is significant for DSARs — you must search communication platforms as part of your response. It also means that informal conversations in chat tools can create data protection obligations. Train managers to avoid sharing sensitive employee information in channels with broad access, and ensure your communication platforms are included in your data retention and DSAR policies.

Start Scanning for PII Today

PrivaSift automatically detects PII across your files, databases, and cloud storage — helping you stay GDPR and CCPA compliant without the manual work.

[Try PrivaSift Free →](https://privasift.com)
