GDPR for HR
Also known as: General Data Protection Regulation, EU GDPR employment, GDPR Article 88
GDPR (General Data Protection Regulation, EU 2016/679, in force May 2018) regulates the processing of personal data of EU residents — including employee data. For HR specifically: every piece of employee information is "personal data," processing requires a lawful basis, employees have rights of access/rectification/erasure, and violations can trigger fines up to €20 million or 4% of global annual turnover (whichever is higher).
GDPR was the first major comprehensive privacy law of the modern era and has set the global template (California CCPA, UK GDPR, Brazil LGPD, and Georgia's own Law on Personal Data Protection all draw heavily from it). For HR teams, GDPR reshaped how employee data is collected, stored, accessed, and disposed of. The compliance challenge for SMBs: GDPR doesn't scale exceptions for small companies — a 5-person Berlin startup is subject to the same rules as a 50,000-person enterprise.
Lawful basis for processing HR data
GDPR Article 6 requires a lawful basis for any data processing. In HR, the common bases are: contract (processing necessary to perform the employment contract — most common), legal obligation (statutory requirement, e.g., tax reporting), legitimate interest (with balancing test — e.g., performance monitoring), and explicit consent (rare in HR because consent is often not "freely given" given the power imbalance). Sensitive data — health, biometric, union membership — requires Article 9 conditions; most often explicit consent or specific legal authorization.
Employee rights under GDPR
- Right of access — employee can request copy of all personal data held about them
- Right to rectification — correct inaccurate data
- Right to erasure ("right to be forgotten") — limited in HR by retention requirements
- Right to restriction — pause processing while disputes are resolved
- Right to data portability — receive structured data to take to another controller
- Right to object — to processing based on legitimate interest, including marketing
- Right not to be subject to solely automated decision-making with significant effects
HR-specific compliance essentials
- Privacy notice for employees — what data is collected, why, how long retained, who it's shared with
- Data Processing Records (Article 30) — document every type of HR processing
- Data Protection Impact Assessment (DPIA) — required for high-risk processing (e.g., systematic monitoring, large-scale processing of sensitive data)
- Retention schedule — defined retention periods for each data type, automated deletion where possible
- Vendor/processor agreements (Article 28) — written contracts with every system that touches employee data
- Breach notification — 72 hours to notify the supervisory authority of a breach likely to result in a risk to individuals' rights and freedoms
Frequently asked questions
- What is GDPR for HR?
  The application of the EU General Data Protection Regulation to employee data — covering collection, storage, access, processing, and disposal of all personal information held about employees, candidates, and former employees.
- Does my small business need to comply with GDPR?
  Yes, if you process data of EU residents — regardless of where you are based or how small you are. GDPR doesn't scale exceptions for company size. A 5-person Berlin startup is subject to the same rules as a 50,000-person enterprise.
- What is a Data Protection Impact Assessment (DPIA)?
  A required structured analysis for high-risk processing — systematic monitoring, large-scale sensitive data processing, automated decision-making with significant effects. Most HR teams need DPIAs for employee monitoring tools, biometric attendance, and AI-driven performance evaluation.
- Can I use consent as my legal basis for HR data?
  Rarely. GDPR requires consent to be "freely given," and the employment power imbalance often invalidates consent. Use contract, legal obligation, or legitimate interest as your basis. Reserve consent for genuinely optional processing.
- How long can I keep former employee data?
  Set retention periods per data type, justified by legal obligation or legitimate interest. Common patterns: 6-7 years for tax records, 3 years for general employment records post-departure, 6 months for unsuccessful candidate CVs (longer with consent). Document the schedule and automate deletion where possible.