GDPR in human resources: what employee data you may process

·

The employment relationship generates, from the very first recruitment process to the last working day, a considerable volume of personal data. CVs, contracts, pay slips, sick-leave certificates, working-time records, CCTV footage, geolocation logs… All of this data belongs to natural persons and is therefore protected by Regulation (EU) 2016/679 (GDPR) and by Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights (LOPDGDD).

Understanding what data the company may process, on what legal basis and under what conditions is not merely a legal obligation: it is also a way of building trust with employees and avoiding the penalties set out in Article 83 of the GDPR. At Summum Consultoría we support companies in their GDPR compliance journey, with particular focus on the employment sphere, from our offices in Castilla y León and the Canary Islands.

The GDPR and the employment sphere: a specific framework

Article 88 of the GDPR is the key that opens employment-law space within the European regulation. This provision authorises Member States to lay down, by law or by collective agreement, more specific rules to ensure the protection of the rights and freedoms of employees in the employment context. Spain did so through Title X of the LOPDGDD, which regulates the rights and guarantees of workers regarding the use of digital devices (Articles 87 to 91), and through the Workers’ Statute (Estatuto de los Trabajadores), whose Article 20 recognises the employer’s right to adopt surveillance and control measures.

This special regime does not remove the general safeguards of the GDPR; it complements them. The company remains obliged to identify a legal basis for each processing activity, to inform workers, to respect their rights and to adopt appropriate technical and organisational measures.

Legal bases for processing employee data

Article 6 of the GDPR lists the lawfulness conditions for processing. In the employment context, the most relevant are:

What data the company may process: an overview by category

Not all data are subject to the same rules. The GDPR distinguishes between ordinary data and special categories of data (Article 9), which include health data, trade-union membership, racial or ethnic origin, religious beliefs and biometric data. Special categories require a specific basis under Article 9.2, in addition to the general basis under Article 6.

Type of data Usual legal basis Purpose
Identification data (name, national ID, address) Contract (art. 6.1.b) / Legal obligation (art. 6.1.c) Social Security registration, employment contract, income tax
Banking details Contract (art. 6.1.b) Payment of salary
Working-time records Legal obligation (art. 6.1.c) Compliance with art. 34.9 of the Workers’ Statute
CCTV footage Legitimate interest (art. 6.1.f) / Contract (art. 6.1.b) Security, monitoring of contractual compliance
Geolocation Legitimate interest (art. 6.1.f) / Contract (art. 6.1.b) Activity monitoring, fleet management
Health data (sick leave, occupational health surveillance) Art. 9.2.b GDPR (obligations in the field of employment) Occupational risk prevention, management of temporary incapacity
Trade-union membership Art. 9.2.b GDPR Deduction of union dues from salary (where applicable)
CV and recruitment data Consent (art. 6.1.a) / Contract (art. 6.1.b) Recruitment process, future hiring

Article 88 of the LOPDGDD: digital rights at work

Title X of the LOPDGDD develops the digital rights of workers. Although it is common to refer to them collectively, each article regulates a different situation:

Payroll, Social Security and tax obligations

Payroll management concentrates some of the most sensitive data-processing activities of the employment cycle: bank account number, tax address, salary amount, professional category, income-tax withholdings and Social Security contributions. The legal basis is twofold: performance of the employment contract (art. 6.1.b GDPR) and compliance with legal tax and Social Security obligations (art. 6.1.c GDPR).

When the company outsources payroll management to an external firm or a payroll platform, that provider acts as a data processor within the meaning of Article 28 of the GDPR. It is mandatory to enter into a data processing agreement that includes, among other clauses, processing instructions, required security measures and the procedure for notifying security breaches. The absence of this agreement is one of the most frequent deficiencies we identify in GDPR compliance audits.

Health data and occupational risk prevention

Health data constitute a special category under Article 9 of the GDPR. In the employment context, the company accesses this type of information mainly through two channels:

Recruitment: the life cycle of candidate data

The recruitment process is the first stage at which the company collects data from people who are not yet employees. The candidate provides their CV — containing identification data, qualifications, experience and sometimes a photograph — on the basis of their consent (art. 6.1.a GDPR) or in the context of pre-contractual negotiations (art. 6.1.b GDPR).

Two critical points in this phase:

The duty to inform employees

Articles 13 and 14 of the GDPR require the controller to inform data subjects at the time their data are collected. In the employment context, this translates into the obligation to provide workers, no later than when the employment contract is signed, with an information notice stating:

This information cannot be reduced to a generic reference to the corporate website’s privacy policy. It must be specific to the employment context and written in plain language, free of jargon. You can find more information on data subjects’ rights under the GDPR and how to facilitate their exercise in the workplace.

Formal obligations of the employer

Beyond the duty to inform, the company must fulfil a set of documentary and organisational obligations:

Sanctions: the framework of Article 83 of the GDPR

Failure to comply with data-protection obligations in the employment sphere may give rise to sanctions under Article 83 of the GDPR. The regime provides for two tiers:

The LOPDGDD (LO 3/2018) also classifies specific infringements as minor, serious or very serious (Articles 72 to 74 of the LOPDGDD), maintaining coherence with the GDPR framework. At Summum Consultoría we support companies in complying with data-protection regulations, identifying employee data processing operations that require priority attention and helping to implement appropriate technical and organisational measures.

Frequently Asked Questions

Can the company review an employee’s corporate email?

Yes, under certain conditions. Article 87 of the LOPDGDD allows the employer to access content generated through the use of digital devices made available to employees, provided that usage rules have been established in advance and communicated to workers. Access must be aimed at monitoring compliance with employment obligations and must not be indiscriminate or disproportionate. Without prior notification, accessing corporate email may violate the worker’s right to privacy and expose the company to liability.

Is the employee’s consent required to publish their photograph on the company website?

Publishing an employee’s photograph on the corporate website or social media cannot be justified on the basis of contract performance or a legal obligation. The appropriate legal basis is the worker’s express consent under Article 6.1.a of the GDPR. Given the inherent imbalance of the employment relationship, that consent must be freely given, specific and informed, and the worker must be able to withdraw it without any adverse consequences for their employment situation. It is advisable to document consent in writing.

How long may the company retain data about a former employee?

The storage-limitation principle in Article 5.1.e of the GDPR requires that data not be kept longer than necessary. In the employment context, retention periods are determined by statutory limitation periods: four years for employment and Social Security obligations (General Social Security Act), five years for tax purposes, and up to ten years in certain anti-money-laundering scenarios. Once those periods expire, data must be erased or blocked so that they are only available to public authorities, judges or courts.

Does the company need a Data Protection Officer (DPO) to manage employee data?

A DPO is mandatory in the cases set out in Article 37 of the GDPR: public authorities and bodies, organisations that carry out large-scale processing of special categories of data, and organisations whose core activities require large-scale systematic monitoring of data subjects. In the private sector, many SMEs are not required to designate a DPO solely because they have employees. However, when a company processes health data of workers on a large scale — for example, medical services or mutual insurance companies — or conducts systematic and continuous monitoring of its employees, the obligation may arise. In any case, it is good practice to designate an internal data protection point of contact, even when formally not required to do so.