Compliance · May 6, 2026 · 3 min read

GDPR for HR Teams: A Practical Compliance Map for 2026

An employee record is the single largest GDPR exposure most SMBs run. Here's the lawful-basis map, retention defaults, and the five places HR teams trip up.

By HourSquare Compliance Desk (HourSquare team)

For most small and mid-sized employers, the HR system holds the largest concentration of personal data the company touches — payroll bank details, ID numbers, performance reviews, sick notes, emergency contacts. Under the EU General Data Protection Regulation (Regulation 2016/679), every one of those data points needs a documented lawful basis, a retention period, and a controller-processor relationship if a vendor touches it.

Three years of advisory calls keep surfacing the same five issues, over and over.

1. The "we use consent" mistake

Roughly half of HR managers we speak with assume they can rely on employee consent under GDPR Article 6. The European Data Protection Board has been unambiguous: consent is generally not a valid basis in the employment context because the employee cannot freely refuse without consequence. Use "contract" (Article 6(1)(b)), "legal obligation" (6(1)(c)), or "legitimate interest" (6(1)(f)) instead. See the full mapping in our GDPR for HR glossary entry.

2. Retention periods that do not exist

GDPR Article 5(1)(e) requires personal data to be kept "no longer than necessary." Most HR systems we audit keep everything forever, because nobody ever assigned a retention period and so nothing is ever deleted. The fix is a written retention schedule — payroll records typically 7-10 years for tax law, unsuccessful applicant CVs 6-12 months, performance data tied to disciplinary cases longer, exit-interview notes shorter.

3. The DPA gap with vendors

Every external system that processes employee data — payroll provider, benefits platform, applicant tracking system, scheduling tool — needs a Data Processing Agreement under GDPR Article 28. We publish ours openly at hoursquare.com/dpa so HR teams do not have to chase it.

4. Cross-border transfers post-Schrems II

If your HR vendor stores data outside the EEA — most US-headquartered SaaS does — you need Standard Contractual Clauses plus a Transfer Impact Assessment. The European Commission's 2021 SCCs are the modern form; the older 2010 set is no longer valid for new contracts.

5. Subject access requests under 30 days

An employee has the right under Article 15 to a full copy of every personal data point you hold on them within one month. Few HR systems make this easy. If you cannot export an individual's full data shadow today in under an hour, close that process gap before the first request lands.

For the underlying rules in plain English, the EU's gdpr.eu hub remains the cleanest reference. For our own data handling, see our Privacy Policy and Data Policy.

