HR software processes some of the most sensitive employee data: performance reviews, salary information, health and absence records, disciplinary history, and in some systems, psychological assessments or biometric clock-in data. GDPR compliance for HR platforms is demanding because employment data sits at the intersection of privacy rights, employment law, and special category data rules.
This article covers what GDPR requires from HR SaaS companies and employers using people analytics tools.
The Dual Compliance Challenge: Vendor and Employer
HR SaaS vendors are data processors under GDPR. They process employee data on behalf of their customers (employers). Their obligations:
- Article 28 DPA with every employer customer
- Implement security appropriate to the sensitivity of HR data
- Do not use employer data for their own purposes
- Support employers in responding to employee DSARs
- Report breaches to employers promptly
Employers (the controller) must comply with the full GDPR framework for employee data:
- Lawful basis for all HR processing
- Transparent privacy information to employees
- Data minimisation — collect only what is necessary for HR purposes
- Appropriate retention periods
- DPIA for high-risk processing (performance monitoring, biometric data)
- Respond to employee DSARs
This article addresses both groups.
Lawful Bases for HR Processing
Employment data processing requires a careful assessment of the lawful basis. Different HR activities may require different bases:
| HR processing activity | Lawful basis |
|---|---|
| Payroll and statutory employment records | Contract performance (6(1)(b)) + legal obligation (6(1)(c)) |
| Recruitment and selection | Contract (pre-contractual), legitimate interest |
| Performance management | Contract performance, legitimate interest |
| Absence and sickness management | Legal obligation (statutory sick pay) + legitimate interest |
| Employee monitoring and productivity tracking | Legitimate interest (subject to balancing) |
| Background checks | Legitimate interest, legal obligation (depending on sector) |
| Benefits and pension administration | Contract performance, legal obligation |
| Biometric access control | Explicit consent (special category) |
| Mental health and EAP data | Explicit consent (special category) |
Employers often default to consent for all HR processing — this is wrong. Consent is not freely given in an employment relationship because of the power imbalance. The ICO and other supervisory authorities take the view that employee consent is rarely a valid basis for standard employment processing. Use contract performance or legitimate interest.
Employee Monitoring: The Hardest Area
Employee monitoring (email surveillance, screen recording, location tracking, productivity scoring) is one of the most contested areas of HR GDPR compliance.
Requirements for lawful employee monitoring:
- Necessity: The monitoring must be necessary for a legitimate business purpose — not just desirable
- Proportionality: The least intrusive method that achieves the purpose
- Transparency: Employees must be informed about the monitoring, what is recorded, and how it is used — before monitoring begins
- DPIA: Large-scale or systematic monitoring requires a DPIA
- No covert monitoring except in exceptional circumstances — and even then, with legal advice
People analytics tools that score employees on engagement, productivity, or retention risk must disclose this to employees. The EU AI Act additionally requires disclosure when AI tools make or support employment-related decisions.
Special Category Data in HR
HR systems frequently touch special category data:
Health and disability data: sickness absence records, fit notes, occupational health reports. Requires an explicit consent or legal obligation basis. Access must be strictly limited — HR should not have visibility of the diagnosis, only fit-for-work status.
Biometric data: Fingerprint or face recognition for timekeeping or building access. Explicit consent required. DPIA mandatory.
Trade union membership: Processing trade union data requires explicit consent or labour law justification. This includes data inferring union membership.
Religious or philosophical beliefs: Relevant for dietary requirements, prayer time accommodations, public holidays. Minimum data collection, explicit consent.
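The "fit-for-work status, not diagnosis" rule above is an access-control requirement as much as a policy one. The following is an added example, not code from the article or from any HR product, of enforcing it with a per-role allow-list projection: each role gets only the fields it is permitted to see, and a field not named in the allow-list is withheld by default. The role names, field names and sample record are assumptions for illustration.

```python
"""Field-level minimisation for health data in an HR system (added example).

Occupational health sees the full record; HR and line managers see the
fit-for-work outcome and dates but never the diagnosis. Unknown roles see
nothing, and any field added to the record later is hidden until a role is
explicitly granted it.
"""
from dataclasses import asdict, dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class SicknessRecord:
    employee_id: str
    start: date
    end: Optional[date]
    fit_for_work: bool
    adjustments: str     # workplace adjustments recommended by occupational health
    diagnosis: str       # special category data: occupational health only


# Allow-list per role (assumed role names). Deny-by-default: anything not
# listed here is stripped from the view.
VISIBLE_FIELDS = {
    "occupational_health": {"employee_id", "start", "end", "fit_for_work",
                            "adjustments", "diagnosis"},
    "hr": {"employee_id", "start", "end", "fit_for_work", "adjustments"},
    "line_manager": {"employee_id", "start", "end", "fit_for_work"},
}

# Fields whose disclosure should leave an audit trail (assumption).
AUDITED_FIELDS = {"diagnosis"}

access_log: list = []   # (role, employee_id, field) tuples, for review


def view_for_role(record: SicknessRecord, role: str) -> dict:
    """Project the record down to the fields the role may see."""
    allowed = VISIBLE_FIELDS.get(role, set())
    view = {k: v for k, v in asdict(record).items() if k in allowed}
    for field in AUDITED_FIELDS & set(view):
        access_log.append((role, record.employee_id, field))
    return view


# Constructed sample record; not real data.
SAMPLE = SicknessRecord(
    employee_id="E-1042",
    start=date(2025, 2, 3),
    end=date(2025, 2, 14),
    fit_for_work=True,
    adjustments="Phased return, reduced hours for two weeks",
    diagnosis="(diagnosis text visible to occupational health only)",
)

if __name__ == "__main__":
    for role in ("occupational_health", "hr", "line_manager", "contractor"):
        print(role, sorted(view_for_role(SAMPLE, role)))
```

Because the projection is an allow-list, extending `SicknessRecord` with another sensitive field (say a medication list) does not silently leak it to HR; someone has to add it to a role's set deliberately, which is the point at which the minimisation question gets asked.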
Data Subject Access Requests from Employees
Employee DSARs are common and often contentious. An employee leaving under difficult circumstances, or investigating a grievance, may submit a DSAR to see all personal data held about them.
Requirements:
- Respond within 30 days
- The response must cover all personal data in all systems — HR platform, email archives, performance records, disciplinary files, salary history
- HR SaaS vendors must support data export so that employers can compile complete DSAR responses
Common failures:
- Missing data from email systems and informal communications
- Redacting too heavily — legitimate redaction of third-party data must be defensible
- Missing the 30-day deadline
- Refusing or delaying DSARs from employees who are in dispute with the employer
Retention Periods for HR Data
HR data has specific regulatory retention drivers:
| Data type | Retention driver | Typical retention period |
|---|---|---|
| Employment records | Employment law, statutory claims limitation | 6 years after employment ends |
| Payroll and tax records | Tax law | 6 years |
| Sickness and absence records | Statutory limitation | 6 years |
| Disciplinary records | Internal policy, employment tribunal limitation | 3–5 years |
| Recruitment applications (unsuccessful) | Discrimination claim limitation | 1 year maximum |
| Biometric data | Minimum necessary | Delete promptly on contract end |
HR SaaS platforms must support configurable retention policies. Storing ex-employee data indefinitely because there is no automated deletion is a common compliance failure.
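A configurable retention policy is straightforward to encode. The following is an added example, not the article's or any platform's code, that turns the table above into a rule set and flags records whose deletion date has passed. Several details are assumptions made for illustration: payroll retention is counted from the end of the relevant tax year, disciplinary records use the upper 5-year bound, retention clocks run from the trigger event's date, and a record with no classifiable type is reported rather than silently kept.

```python
"""Retention-policy evaluator for HR records (added example).

Each record type maps to a trigger event (employment end, tax-year end,
application date) and a period in years; a period of None means the record
is deleted as soon as the trigger occurs, which is how the table treats
biometric data. Records whose trigger has not happened yet (the employee
is still employed) have no deletion date.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class RetentionRule:
    trigger: str                  # event that starts the retention clock
    period_years: Optional[int]   # None = delete promptly when the trigger occurs


# Periods follow the retention table; trigger events are assumptions.
RETENTION_POLICY: Dict[str, RetentionRule] = {
    "employment_record":        RetentionRule("employment_end", 6),
    "payroll":                  RetentionRule("tax_year_end", 6),
    "sickness_absence":         RetentionRule("employment_end", 6),
    "disciplinary":             RetentionRule("employment_end", 5),   # upper bound of 3-5 years
    "recruitment_unsuccessful": RetentionRule("application_date", 1),
    "biometric":                RetentionRule("employment_end", None),
}


@dataclass
class Record:
    record_id: str
    record_type: str
    events: Dict[str, date] = field(default_factory=dict)   # event name -> date


def add_years(d: date, years: int) -> date:
    """Calendar-year arithmetic; 29 Feb rolls back to 28 Feb in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def deletion_due(record: Record) -> Optional[date]:
    """Date the record must be deleted, or None if its trigger has not occurred."""
    rule = RETENTION_POLICY[record.record_type]   # KeyError: unclassified type
    trigger_date = record.events.get(rule.trigger)
    if trigger_date is None:
        return None
    if rule.period_years is None:
        return trigger_date
    return add_years(trigger_date, rule.period_years)


def audit(records: List[Record], today: date) -> Dict[str, List[str]]:
    """Split records into overdue-for-deletion and unclassified (no policy)."""
    result: Dict[str, List[str]] = {"overdue": [], "unclassified": []}
    for r in records:
        if r.record_type not in RETENTION_POLICY:
            result["unclassified"].append(r.record_id)
            continue
        due = deletion_due(r)
        if due is not None and due <= today:
            result["overdue"].append(r.record_id)
    return result


# Constructed sample records; not real data.
SAMPLE_RECORDS = [
    Record("emp-001", "employment_record", {"employment_end": date(2017, 3, 31)}),
    Record("emp-002", "employment_record", {}),                       # still employed
    Record("bio-001", "biometric", {"employment_end": date(2024, 1, 15)}),
    Record("rec-007", "recruitment_unsuccessful", {"application_date": date(2024, 6, 1)}),
    Record("pay-003", "payroll", {"tax_year_end": date(2020, 4, 5)}),
    Record("disc-002", "disciplinary", {"employment_end": date(2021, 9, 30)}),
    Record("misc-009", "exit_interview_notes", {"employment_end": date(2015, 1, 1)}),
]

if __name__ == "__main__":
    print(audit(SAMPLE_RECORDS, date(2025, 1, 1)))
```

The unclassified bucket matters as much as the overdue one: a record type with no retention rule is exactly the "stored indefinitely because nothing deletes it" case the paragraph above describes, and reporting it forces the classification decision instead of defaulting to keeping the data.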