Compliance · April 28, 2026 · 6 min read

GDPR for HR data: 7 things your workforce software must do

Names, addresses, hours, leave, performance, sometimes biometrics - workforce systems hold sensitive personal data. Here's what GDPR actually requires of your tooling.

- hours24 team


GDPR (Regulation 2016/679) treats employee data with the same rigour as customer data - sometimes more, because of the imbalance of power between employer and employee. Workforce systems hold names, addresses, contracts, hours, leave, performance, location data, and (if you use biometric clocks) special-category data. Here's the 7-point checklist your tooling needs to meet.

1. Lawful basis: usually 'contract' or 'legal obligation'

Processing employee work hours is generally based on the employment contract (Art. 6(1)(b)) and on legal obligations under labour law (Art. 6(1)(c)). Consent is rarely the right basis at work - the power imbalance makes it hard to argue it's freely given.

2. Special categories: biometrics need extra care

Fingerprint, facial recognition, iris scans - these are special-category data under Art. 9. You need an extra legal ground (typically Art. 9(2)(b): employment law obligations). In several EU countries the Data Protection Authority recommends offering employees a non-biometric alternative (PIN, card).

3. Data minimisation: collect only what you use

If you don't need GPS location to run payroll, don't collect it. If you don't need photo proof, don't store it. Under Art. 5(1)(c), minimisation is a legal obligation, not a 'nice to have'.

4. Retention limits, not 'forever'

Estonian work-time records are retained 10 years after employment ends. Performance review notes might be kept much shorter. Your system needs configurable retention per data type - not a single 'delete everything in N years' switch.

5. Subject access requests: 30 days

An employee asks: 'give me everything you have about me'. You have 30 days to provide it, in a portable format where portability applies (Arts. 15 and 20). Your workforce system should produce this as an export, not a hand-assembled folder.

6. Breach notification: 72 hours

If a breach risks rights or freedoms, you notify the supervisory authority (in Estonia: AKI) within 72 hours. Your vendor's contracts should commit to telling YOU fast enough to meet that clock.

7. DPA: get one with your vendor

Art. 28 requires a Data Processing Agreement between you (controller) and the SaaS vendor (processor). It's not optional. Check that your tool's DPA covers sub-processors, location of processing, and audit rights.

Source: GDPR full text (EUR-Lex)
