HR and GDPR: What may be processed under the employment contract?
Processing of personal data in HR is often based on the employment contract. Under the GDPR, however, not all personal data can be processed by reference to that contract. The legal basis in Article 6(1)(b) applies only to processing that is necessary to perform or enter into a contract. Each processing activity must therefore be directly linked to a specific contractual obligation. If the personal data are not necessary in that sense, “contract” cannot be used as the legal basis. This applies even where the processing is practically useful or intended to facilitate the employment relationship, including where it benefits both employer and employee. Employers should therefore carefully assess which personal data can in fact be processed on the basis of the employment contract and document the legal basis for each processing activity.
Under Article 6(1)(b) GDPR, personal data may be processed where this is necessary for the performance of a contract with the data subject. In an HR context, this typically allows processing of contact details, bank details for salary payments and information required to meet contractual terms of employment.
Where “contract” cannot be relied upon, consent may appear to be an alternative. Consent is generally unsuitable in the employer–employee relationship because there is rarely a balance of power that supports freely given, informed and uncoerced consent. There is a real risk that an employee may feel pressured to consent, which does not meet the GDPR standard for valid consent. Consent should therefore be used only in exceptional cases where genuine alternatives exist and where refusing consent will not adversely affect the employment.
Examples of processing that can rely on the employment contract
The following personal data can typically be processed under Article 6(1)(b) GDPR, as they are necessary to meet obligations under the employment contract or to enable the employee to perform their duties:
- Name, address and contact details to communicate on employment matters.
- Bank details for salary payments.
- Attendance records, presence records and working time records necessary to administer pay, leave and scheduling.
- Job-related competencies and job-related experience required for the role.
- Information required to administer contractual employment benefits.
By contrast, this legal basis does not extend to processing that is not directly connected to performing the employment contract, for example using personal data in marketing materials or for participation in voluntary occupational health services.
Where you keep attendance records, presence records or working time records, ensure that each dataset is demonstrably necessary to fulfil a specific contractual obligation (for example, calculating salary or overtime). The same discipline applies to job-related competencies and job-related experience: retain and process only what is necessary for the role as defined in the contract or to evidence qualifications essential to the performance of duties.
Morling Consulting can map and document the legal basis for personal data processing across HR processes. We advise organisations across Europe. Contact our data protection lawyers for practical support with GDPR compliance.