GDPR Employee Data: What European Employers Must Know in 2026
A practical guide for EU employers on what employee data you can collect, the lawful bases for processing it, employee rights under Articles 15-20, and the most common compliance mistakes.
Most employers know they need to handle employee data carefully. Far fewer have actually worked through what that means in practice: which data is fine to collect, which requires explicit consent, how long you can keep it, and what happens when an employee asks to see everything you hold on them.
This is a practical guide, not a legal textbook. If you're running a small or mid-sized business in the EU, here's what you need to know.
What Employee Data Can You Collect?
The starting point is simple: collect only what you actually need. GDPR calls this data minimisation, and it applies just as much to employees as it does to customers.
For most employment relationships, you legitimately need:
- Personal identity data (name, address, date of birth, national ID number where required by law)
- Contact information (personal email, phone number)
- Bank account details for payroll
- Tax identification numbers
- Working hours and attendance records
- Performance reviews and disciplinary records
- Health and safety incident records
- Information required for statutory reporting (social insurance numbers, tax codes)
What you probably don't need: social media profiles, marital status (unless relevant to benefits), political opinions, or personal details beyond what the job requires.
Special Category Data
Some data gets stricter treatment under GDPR. Article 9 lists the "special categories": health data, genetic data, biometric data used to uniquely identify someone, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and data about sex life or sexual orientation. Processing any of these is prohibited unless, on top of an ordinary Article 6 lawful basis, one of the specific conditions in Article 9(2) applies. Data about criminal convictions and offences is not a special category but has its own rule in Article 10: you may only process it under the control of an official authority or where national law authorises it.
For employers, the most common triggers are:
- Health data: needed for sick leave administration, workplace adjustments, or occupational health. Where national employment or social security law imposes the obligation, Article 9(2)(b) applies; occupational medicine assessments carried out by a professional bound by confidentiality can also rely on Article 9(2)(h).
- Biometric data: fingerprint or face scanners for access control, for example. Biometric data counts as special category data when it is used to uniquely identify a person. You need explicit consent or a specific authorisation in national law, and because consent is hard to rely on in an employment relationship (see below), expect to have to show that a less intrusive alternative such as a badge or PIN would not do.
- Criminal records: governed by Article 10 rather than Article 9. Permitted in some EU countries for certain roles (childcare, finance), but heavily regulated everywhere. Check the rules in each country where you operate.
Lawful Bases for Processing Employee Data
GDPR gives you six lawful bases for processing personal data. For employee data, three cover almost everything; a fourth, consent, is discussed below because it is so often misused.
Contractual necessity
Processing is necessary to perform the employment contract. This covers payroll, scheduling, issuing payslips, and managing annual leave. You don't need to ask for consent here. The contract itself is the legal basis.
Legal obligation
Processing is required by law. Tax reporting, social insurance contributions, health and safety records, and mandatory workplace monitoring (in some industries) all fall here. Again, no consent needed.
Legitimate interests
You have a legitimate business reason, and the employee's interests and fundamental rights don't override it. This one requires more care. You need to carry out that balancing exercise (a legitimate interests assessment) and record it, so that under the accountability principle you can show why the processing is necessary and proportionate.
Email monitoring is a common example. You might have a legitimate interest in preventing data leaks or ensuring professional communications. But you can't just read every email on a whim. The monitoring needs to be proportionate, limited in scope, and employees need to know it's happening. Systematic monitoring of employees usually also requires a data protection impact assessment under Article 35, and several Member States have their own workplace monitoring rules under Article 88.
What about consent?
Consent is the wrong basis for most employee data processing. The power imbalance between employer and employee means genuine, freely-given consent is difficult to demonstrate. If you rely on consent and an employee withdraws it, you must stop that processing from then on; what you did before withdrawal stays lawful, but you have to be able to carry on without the data.
Use consent only where no other basis applies and the processing is genuinely optional, such as publishing an employee's photo on the company website.
Employee Rights Under Articles 15-20
Your employees have real, enforceable rights over their personal data. You need a process for handling these requests, because under GDPR you have one month to respond. That can be extended by up to two further months for complex or numerous requests, but you must tell the employee about the extension, and why, within the first month.
Article 15: Right of access
Employees can ask for a copy of all personal data you hold on them and information about how you use it. This is called a Subject Access Request (SAR). You must provide a copy of the data, the purposes for which it's processed, who you share it with, how long you keep it, where the data came from if they didn't give it to you, and whether you make automated decisions about them.
One month is not a lot of time if your data is scattered across spreadsheets, email threads, and multiple systems. This is one of the strongest arguments for keeping HR data in a single, structured system.
Article 16: Right to rectification
If data is inaccurate or incomplete, employees can ask you to correct it. Address changes, name changes after marriage, and correcting errors in performance records all fall here. This is usually straightforward.
Article 17: Right to erasure
The "right to be forgotten." Employees can ask you to delete their data in certain circumstances: the data is no longer necessary, they withdraw consent, or processing was unlawful.
The key caveat for employers: you don't have to delete data you're legally required to keep. Tax records, for example, need to be retained for years under national tax law. Statutory employment records have similar requirements. You can decline an erasure request if a legal obligation requires retention.
Article 18: Right to restriction
Employees can ask you to pause processing while a dispute is resolved, for example if they contest the accuracy of performance data. The data stays on your systems, but beyond storing it you may only process it with the employee's consent, to establish or defend legal claims, to protect someone else's rights, or for important public interest reasons (Article 18(2)), until the issue is sorted.
Article 19: Notification obligation
If you correct, delete or restrict data at an employee's request, you must tell each recipient you've shared that data with, unless doing so proves impossible or involves disproportionate effort, and tell the employee who those recipients are if they ask. In practice, this means keeping a clear record of who you've shared data with and for what purpose.
Article 20: Data portability
Employees can ask for the data they provided to you in a structured, commonly used, machine-readable format so they can take it elsewhere, or have it sent directly to another organisation. It applies only where the processing is based on consent or contract and carried out by automated means, so it covers things like the contact and bank details they gave you, not your own assessments of them.
Retention Periods
"Keep it as long as you need it" is not a retention policy. You need defined periods for each category of data, and you need to actually delete data when those periods expire.
Some guidance on typical EU requirements (always verify for your specific jurisdiction):
| Data type | Typical retention period |
|---|---|
| Payroll records | 6-10 years (tax law varies by country) |
| Employment contracts | Duration of employment + 3-5 years |
| Pension scheme records | Up to 75 years in some countries |
| Disciplinary records | 1-3 years after resolution |
| Recruitment data (rejected applicants) | 2-6 months unless consent given for longer |
| Workplace accident records | 5-40 years depending on severity and country |
Set up a process to review and purge data on schedule. Keeping data "just in case" is a compliance risk, not a safety net.
Common Mistakes
Using consent as a catch-all
Consent sounds safe, but it's often the wrong basis for employment data. As noted above, freely-given consent in an employment relationship is hard to prove. Build your processing on contractual necessity and legal obligation wherever possible.
No documented retention policy
Data that lives forever is a liability. Build a retention schedule, get it signed off, and automate deletion where possible.
Ignoring data transfers to third parties
Every time you share employee data with a payroll processor, benefits provider, or background check service, you're transferring personal data. These transfers need to be governed by a data processing agreement (DPA) that meets the requirements of Article 28, and if the provider processes the data outside the EEA you additionally need a valid transfer mechanism such as an adequacy decision or standard contractual clauses. Many small businesses skip this step.
Scattered data
HR data spread across emails, spreadsheets, and local drives makes SARs a nightmare and increases the risk of breaches. Centralising employee data in a single system makes compliance significantly easier to manage.
No process for handling employee requests
If an employee sends a SAR on a Friday afternoon, who handles it? What systems do you check? How do you compile the response? Defining this process before you need it is far less stressful than scrambling to respond within a month.
One of the reasons we built PersoHR was to make this kind of compliance manageable for small teams. Employee data lives in one place, SARs can be compiled quickly, and retention periods are tracked automatically. It doesn't eliminate the legal complexity, but it removes the operational chaos that makes compliance hard in practice.
GDPR compliance isn't a one-time project. It's an ongoing part of how you run your business. The good news is that once the right processes and systems are in place, it becomes routine rather than stressful.