The employment relationship generates, from the very first recruitment process to the last working day, a considerable volume of personal data. CVs, contracts, pay slips, sick-leave certificates, working-time records, CCTV footage, geolocation logs… All of this data belongs to natural persons and is therefore protected by Regulation (EU) 2016/679 (GDPR) and by Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights (LOPDGDD).
Understanding what data the company may process, on what legal basis and under what conditions is not merely a legal obligation: it is also a way of building trust with employees and avoiding the penalties set out in Article 83 of the GDPR. At Summum Consultoría we support companies in their GDPR compliance journey, with particular focus on the employment sphere, from our offices in Castilla y León and the Canary Islands.
The GDPR and the employment sphere: a specific framework
Article 88 of the GDPR is the key that opens employment-law space within the European regulation. This provision authorises Member States to lay down, by law or by collective agreement, more specific rules to ensure the protection of the rights and freedoms of employees in the employment context. Spain did so through Title X of the LOPDGDD, which regulates the rights and guarantees of workers regarding the use of digital devices (Articles 87 to 91), and through the Workers’ Statute (Estatuto de los Trabajadores), whose Article 20 recognises the employer’s right to adopt surveillance and control measures.
This special regime does not remove the general safeguards of the GDPR; it complements them. The company remains obliged to identify a legal basis for each processing activity, to inform workers, to respect their rights and to adopt appropriate technical and organisational measures.
Legal bases for processing employee data
Article 6 of the GDPR lists the lawfulness conditions for processing. In the employment context, the most relevant are:
- Performance of a contract (art. 6.1.b GDPR): covers processing operations necessary for managing the contractual relationship with the employee. Pay slips, Social Security registration, management of holidays and leave, and handling sick-leave certificates fall within this category.
- Compliance with a legal obligation (art. 6.1.c GDPR): covers processing that the law imposes on the employer regardless of their wishes. Working-time recording (mandatory under Article 34.9 of the Workers’ Statute), notification of contracts to the SEPE (Public Employment Service), income-tax withholdings and reporting to the Labour Inspectorate are clear examples.
- Legitimate interests (art. 6.1.f GDPR): may cover processing such as CCTV surveillance for security purposes or access control, provided these pass the proportionality test and the rights and interests of workers do not override them. A case-by-case balancing analysis is required.
- Consent (art. 6.1.a GDPR): this is the weakest basis in the employment sphere. The inherent imbalance of the employer–employee relationship means that consent is rarely freely given, as required by Article 7 of the GDPR. The AEPD (Spanish Data Protection Agency — Agencia Española de Protección de Datos) has warned on multiple occasions that consent is not a valid legal basis when a hierarchical dependency prevents it from being given freely.
What data the company may process: an overview by category
Not all data are subject to the same rules. The GDPR distinguishes between ordinary data and special categories of data (Article 9), which include health data, trade-union membership, racial or ethnic origin, religious beliefs and biometric data. Special categories require a specific basis under Article 9.2, in addition to the general basis under Article 6.
| Type of data | Usual legal basis | Purpose |
|---|---|---|
| Identification data (name, national ID, address) | Contract (art. 6.1.b) / Legal obligation (art. 6.1.c) | Social Security registration, employment contract, income tax |
| Banking details | Contract (art. 6.1.b) | Payment of salary |
| Working-time records | Legal obligation (art. 6.1.c) | Compliance with art. 34.9 of the Workers’ Statute |
| CCTV footage | Legitimate interest (art. 6.1.f) / Contract (art. 6.1.b) | Security, monitoring of contractual compliance |
| Geolocation | Legitimate interest (art. 6.1.f) / Contract (art. 6.1.b) | Activity monitoring, fleet management |
| Health data (sick leave, occupational health surveillance) | Art. 9.2.b GDPR (obligations in the field of employment) | Occupational risk prevention, management of temporary incapacity |
| Trade-union membership | Art. 9.2.b GDPR | Deduction of union dues from salary (where applicable) |
| CV and recruitment data | Consent (art. 6.1.a) / Contract (art. 6.1.b) | Recruitment process, future hiring |
Article 88 of the LOPDGDD: digital rights at work
Title X of the LOPDGDD develops the digital rights of workers. Although it is common to refer to them collectively, each article regulates a different situation:
- Article 87 LOPDGDD — Right to privacy and use of digital devices at work: employers may access content generated through the use of digital devices made available to employees, provided that usage rules have been established in advance and communicated to workers. Access must not be indiscriminate; it must be aimed at monitoring compliance with employment obligations.
- Article 88 LOPDGDD — Right to digital disconnection: workers have the right not to respond to digital communications outside their working hours. The company must draw up an internal policy defining how this right is exercised. Collective bargaining may specify its application.
- Article 89 LOPDGDD — CCTV surveillance in the workplace: employers may process images for the purpose of employment monitoring, but must inform workers in advance, expressly, clearly and unambiguously. The AEPD has clarified that the standard “video-monitored area” notice satisfies the basic information duty (layer 1), provided that a second, fully detailed layer is accessible.
- Article 90 LOPDGDD — Geolocation: the employer may process geolocation data to monitor worker activity, but must inform workers expressly, clearly and unambiguously of the existence and characteristics of the system. This is a critical point that, if poorly managed, generates labour disputes and regulatory proceedings. You can find more information in our guide on working-time records and geolocation under the GDPR.
- Article 91 LOPDGDD — Digital rights in collective bargaining: collective agreements may include additional provisions to guarantee the exercise of digital rights, while at all times respecting the minimum guarantees of the LOPDGDD.
Payroll, Social Security and tax obligations
Payroll management concentrates some of the most sensitive data-processing activities of the employment cycle: bank account number, tax address, salary amount, professional category, income-tax withholdings and Social Security contributions. The legal basis is twofold: performance of the employment contract (art. 6.1.b GDPR) and compliance with legal tax and Social Security obligations (art. 6.1.c GDPR).
When the company outsources payroll management to an external firm or a payroll platform, that provider acts as a data processor within the meaning of Article 28 of the GDPR. It is mandatory to enter into a data processing agreement that includes, among other clauses, processing instructions, required security measures and the procedure for notifying security breaches. The absence of this agreement is one of the most frequent deficiencies we identify in GDPR compliance audits.
Health data and occupational risk prevention
Health data constitute a special category under Article 9 of the GDPR. In the employment context, the company accesses this type of information mainly through two channels:
- Temporary incapacity (sick leave): the sick-leave certificate issued by the doctor contains the diagnosis. Since 1 April 2023, following the entry into force of Royal Decree 1060/2022, the worker no longer delivers the sick-leave certificate to the employer: the INSS (National Social Security Institute — Instituto Nacional de la Seguridad Social) communicates it directly to the company through the RED system. The employer receives only the contingency code (common or occupational) and the estimated duration, not the diagnosis. Processing the diagnosis without a specific legal basis would violate Article 9 of the GDPR.
- Health surveillance: medical check-ups carried out under Law 31/1995 on Occupational Risk Prevention generate health data. The employer may only be informed of the conclusion (fit, fit with restrictions, unfit); access to the worker’s medical history is reserved for the occupational health service.
Recruitment: the life cycle of candidate data
The recruitment process is the first stage at which the company collects data from people who are not yet employees. The candidate provides their CV — containing identification data, qualifications, experience and sometimes a photograph — on the basis of their consent (art. 6.1.a GDPR) or in the context of pre-contractual negotiations (art. 6.1.b GDPR).
Two critical points in this phase:
- Retention of data: if the candidate is not selected, their data must not be retained indefinitely. Common practice is to keep them for a maximum of one year for future vacancies, provided the candidate has been informed of this possibility and a legal basis exists. Once that period expires, the data must be erased.
- Prohibited data in recruitment: asking a candidate about their health status, pregnancy, trade-union membership or religious beliefs without a justified reason constitutes processing of special categories without a legal basis and may also amount to discrimination in access to employment.
The duty to inform employees
Articles 13 and 14 of the GDPR require the controller to inform data subjects at the time their data are collected. In the employment context, this translates into the obligation to provide workers, no later than when the employment contract is signed, with an information notice stating:
- The identity and contact details of the controller (the company) and, where applicable, the Data Protection Officer (DPO).
- The purposes of processing and the legal basis for each of them.
- The recipients or categories of recipients of the data (payroll firm, mutual insurance company, Social Security, Tax Agency, bank).
- The retention period for each category of data.
- The worker’s rights: access, rectification, erasure, restriction, portability and objection.
This information cannot be reduced to a generic reference to the corporate website’s privacy policy. It must be specific to the employment context and written in plain language, free of jargon. You can find more information on data subjects’ rights under the GDPR and how to facilitate their exercise in the workplace.
Formal obligations of the employer
Beyond the duty to inform, the company must fulfil a set of documentary and organisational obligations:
- Record of processing activities (RoPA): Article 30 of the GDPR requires controllers to maintain a written record of all processing activities carried out under their responsibility. In the HR sphere, the RoPA must include at least payroll, contract management, recruitment, time-and-attendance monitoring, CCTV surveillance and occupational health surveillance.
- Data processing agreements: every external party that processes data on behalf of the company (payroll firm, temporary employment agency, time-tracking platform, external occupational health service) must sign the corresponding data processing agreement in accordance with Article 28 of the GDPR.
- Security measures: the integrity and confidentiality principle in Article 5.1.f of the GDPR requires the implementation of appropriate technical and organisational measures to protect employee data against unauthorised access, loss or alteration. In practice: access controls to HR systems, encryption of mobile devices, clean-desk policy and robust password management.
- Internal policy on devices and digital disconnection: expressly required by Articles 87 and 88 of the LOPDGDD. It must set out the conditions of use of corporate devices and the arrangements for exercising the right to disconnect.
- Data Protection Impact Assessment (DPIA): when processing is likely to result in a high risk to the rights and freedoms of workers — for example, the use of large-scale CCTV systems, continuous monitoring of computer activity or large-scale processing of health data — Article 35 of the GDPR requires a DPIA to be carried out before processing begins.
Sanctions: the framework of Article 83 of the GDPR
Failure to comply with data-protection obligations in the employment sphere may give rise to sanctions under Article 83 of the GDPR. The regime provides for two tiers:
- Serious infringements (art. 83.4 GDPR): fines of up to EUR 10,000,000 or, in the case of a company, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. These include, among others, failure to comply with the obligations of the controller and the processor (Articles 8, 11, 25 to 39, 42 and 43 of the GDPR).
- Very serious infringements (art. 83.5 GDPR): fines of up to EUR 20,000,000 or 4% of the total worldwide annual turnover, whichever is higher. These apply to breaches of the basic principles of processing (Articles 5, 6, 7 and 9), of data subjects’ rights (Articles 12 to 22) and of rules on international data transfers.
The LOPDGDD (LO 3/2018) also classifies specific infringements as minor, serious or very serious (Articles 72 to 74 of the LOPDGDD), maintaining coherence with the GDPR framework. At Summum Consultoría we support companies in complying with data-protection regulations, identifying employee data processing operations that require priority attention and helping to implement appropriate technical and organisational measures.
Frequently Asked Questions
Can the company review an employee’s corporate email?
Yes, under certain conditions. Article 87 of the LOPDGDD allows the employer to access content generated through the use of digital devices made available to employees, provided that usage rules have been established in advance and communicated to workers. Access must be aimed at monitoring compliance with employment obligations and must not be indiscriminate or disproportionate. Without prior notification, accessing corporate email may violate the worker’s right to privacy and expose the company to liability.
Is the employee’s consent required to publish their photograph on the company website?
Publishing an employee’s photograph on the corporate website or social media cannot be justified on the basis of contract performance or a legal obligation. The appropriate legal basis is the worker’s express consent under Article 6.1.a of the GDPR. Given the inherent imbalance of the employment relationship, that consent must be freely given, specific and informed, and the worker must be able to withdraw it without any adverse consequences for their employment situation. It is advisable to document consent in writing.
How long may the company retain data about a former employee?
The storage-limitation principle in Article 5.1.e of the GDPR requires that data not be kept longer than necessary. In the employment context, retention periods are determined by statutory limitation periods: four years for employment and Social Security obligations (General Social Security Act), five years for tax purposes, and up to ten years in certain anti-money-laundering scenarios. Once those periods expire, data must be erased or blocked so that they are only available to public authorities, judges or courts.
Does the company need a Data Protection Officer (DPO) to manage employee data?
A DPO is mandatory in the cases set out in Article 37 of the GDPR: public authorities and bodies, organisations that carry out large-scale processing of special categories of data, and organisations whose core activities require large-scale systematic monitoring of data subjects. In the private sector, many SMEs are not required to designate a DPO solely because they have employees. However, when a company processes health data of workers on a large scale — for example, medical services or mutual insurance companies — or conducts systematic and continuous monitoring of its employees, the obligation may arise. In any case, it is good practice to designate an internal data protection point of contact, even when formally not required to do so.