Vertical guide · HR and employment

GDPR for HR and employers in the EU

Updated April 2026 · EU GDPR 2016/679 · EDPB aligned

Every employer in the EU processes employee personal data subject to GDPR. From recruitment through to post-employment records, the full framework applies — lawful basis, transparency, data subject rights, security, breach notification, and accountability. Member states have adopted national implementing laws that supplement EU GDPR specifically in the employment context, and these vary significantly between jurisdictions.

How to read this guide. This guide explains requirements and expectations derived from EU GDPR 2016/679 and EDPB published guidance. Where we write “EU GDPR requires” we cite the regulation. Where we write “EDPB guidance indicates” we cite regulatory guidance, which is not identical to a statutory obligation. Application of GDPR obligations may vary depending on member state law and supervisory authority interpretation — consult a qualified data protection practitioner familiar with the relevant jurisdiction.

Processing employee data

The most common lawful bases for employee data are contract (Article 6(1)(b)) and legal obligation (Article 6(1)(c)) — employment law, tax law, and social security obligations across member states. Consent is rarely appropriate in the employment context — the EDPB has noted that the power imbalance between employer and employee means consent is unlikely to be freely given. Member states including Germany, France, and the Netherlands have specific national employment data protection rules supplementing EU GDPR under Article 88.

Source: EU GDPR Articles 6, 9, 88; EDPB Guidelines on processing in employment; national Article 88 implementing laws

Health and absence data

Health data is special category data under Article 9. Processing employee sickness records, occupational health data, and medical certificates requires both an Article 6 lawful basis and an Article 9(2) condition. Article 9(2)(b) — employment, social security, and social protection obligations — is typically the most relevant, where supported by member state law. Both the Article 6 basis and the Article 9(2) condition must be documented in the record of processing activities (ROPA).

Workplace monitoring

Monitoring employee communications and locations involves processing personal data and must have a documented lawful basis — typically legitimate interests, subject to member state works council and co-determination requirements (particularly in Germany, Austria, and the Netherlands). Employees must generally be informed that monitoring is taking place. The German BDSG and equivalent national laws impose significant additional requirements on employee monitoring that go beyond the EU GDPR baseline.

Employee privacy notice

A customer-facing privacy notice does not cover employee data. A separate employee privacy notice must address all employment processing activities and be provided before or at the start of employment. Many member states (France, Germany) have specific requirements for how and when employee notices must be provided, including works council consultation where applicable.

Employee access requests

Employees have the same right of access as any data subject. Employment contexts frequently produce complex subject access requests (SARs) covering performance reviews, disciplinary records, and management communications. Member state law may provide specific exemptions — for example, German works council records may have special status under national law. The one-month response deadline applies. A dated log of every employee SAR and its outcome is essential.

Record this. Keep the employee privacy notice dated and version-controlled. Log every employee access request with response date and outcome. In jurisdictions with works council requirements, document consultation on monitoring and data processing policies. The evidence record must hold up to scrutiny from both the national DPA and employment tribunal proceedings.

Note: EU GDPR applies directly across all 27 member states, but national law overlays — particularly on employment data, special category processing, and AML retention — vary materially between jurisdictions. Confirm requirements with a practitioner familiar with the relevant member state law.

Not legal advice. This guide is derived from EU GDPR (Regulation (EU) 2016/679), EDPB published guidelines, and national supervisory authority guidance as at April 2026. Obligations are subject to change. Consult a qualified solicitor or data protection practitioner for advice specific to your organisation.