4.1 Processing Employee Data
Key Takeaways
- Consent is rarely a valid lawful basis in employment because the power imbalance means consent is not freely given under GDPR Recital 43 and Article 4(11)
- Most workplace processing relies on Article 6(1)(b) contract necessity, Article 6(1)(c) legal obligation, or Article 6(1)(f) legitimate interests rather than consent
- Special category employee data such as health or trade union membership generally requires an Article 9(2)(b) employment-law condition backed by Union or Member State law
- Article 88 GDPR lets Member States set more specific employment rules, so practices lawful in one EU country may be unlawful in another
- In several Member States works councils hold co-determination rights and must be consulted or must approve employee monitoring before it begins
Why Employment Data Is a Distinct CIPP/E Topic
The General Data Protection Regulation (GDPR) applies to all personal data, but the employment relationship raises problems that do not appear in a typical customer scenario. Employers hold a structural power advantage, process large volumes of sensitive information from recruitment through to exit, and operate under a patchwork of national labour laws that the GDPR itself preserves. The Certified Information Privacy Professional/Europe (CIPP/E) exam tests this area heavily because real-world HR compliance is where lawful basis, special category rules, and national divergence collide in a single fact pattern.
The CIPP/E expects you to reason about which lawful basis under Article 6 fits a workplace purpose, when special category protections under Article 9 apply, how the principles in Article 5(1) (especially data minimisation and storage limitation) constrain HR retention, and how Member State rules and works councils limit what an employer may do. A useful mental map of the employee data lifecycle:
| Stage | Typical data | Common lawful basis |
|---|---|---|
| Recruitment | CVs, references, right-to-work checks | 6(1)(b) pre-contract / 6(1)(c) legal obligation |
| Onboarding | Bank details, tax ID, emergency contacts | 6(1)(b) contract / 6(1)(c) |
| Ongoing employment | Payroll, performance, leave | 6(1)(b), 6(1)(c), limited 6(1)(f) |
| Occupational health | Sickness, fitness-to-work | 9(2)(b) + Member State law |
| Exit | References, final pay, litigation holds | 6(1)(c), 6(1)(f), 9(2)(f) |
A recurring trap: candidates default to consent for almost everything. In employment, consent is usually the wrong answer.
Why Consent Usually Fails at Work
Under GDPR Article 4(11), consent must be freely given, specific, informed, and unambiguous. Recital 43 states that consent is presumed not freely given where there is a clear imbalance between the data subject and the controller. An employee who fears career consequences, a poor reference, or being passed over for promotion cannot freely refuse, so the European Data Protection Board (EDPB) treats employer-sought consent as invalid for most routine processing (see EDPB Guidelines 05/2020 on consent and the former Article 29 Working Party Opinion 2/2017 on data processing at work).
Consent can still work in genuinely optional scenarios where refusal carries no detriment — for example an opt-in photo for a voluntary internal directory, or joining a non-essential wellness app. The test is whether the employee can say no with no negative consequence.
Bases That Usually Apply Instead
- Article 6(1)(b) contract necessity — paying salary, administering the employment contract, managing leave and benefits the contract provides.
- Article 6(1)(c) legal obligation — tax withholding, social security, health-and-safety records, statutory pay reporting.
- Article 6(1)(f) legitimate interests — narrow uses such as network security, fraud prevention, or limited monitoring, subject to a documented balancing test weighing the employer's interest against employee rights and reasonable expectations.
Worked Example
An employer wants to install GPS trackers in company vehicles. Wrong reasoning: "We will ask drivers to consent." Right reasoning: consent fails the power-imbalance test; the employer should rely on legitimate interests (route optimisation, asset security) with a balancing test, switch off tracking outside working hours, give clear notice under Articles 13-14, and check whether national law or a works council imposes extra limits. Disabling tracking during breaks is a textbook proportionality measure the exam rewards.
Special Category Employee Data
Much HR data is special category data under Article 9(1) — health records, sick-leave diagnoses, trade union membership, biometric data used for identification (such as fingerprint clocking-in), or data revealing racial or ethnic origin, religion, or sexual orientation. Processing is prohibited unless an Article 9(2) condition applies.
In employment the key gateway is Article 9(2)(b), which permits processing necessary to carry out obligations and exercise rights in the field of employment, social security, and social protection law, but only so far as authorised by Union or Member State law providing for appropriate safeguards. This is why occupational-health processing, statutory sick pay, and disability-accommodation records must be tied to a specific national legal provision, never justified on consent alone.
Other workplace-relevant conditions include 9(2)(c) vital interests, 9(2)(f) legal claims, and 9(2)(h) for occupational medicine carried out by or under a health professional bound by confidentiality.
| Special category data at work | Usual Article 9(2) condition |
|---|---|
| Sick-leave / fitness-to-work | 9(2)(b) + Member State law; 9(2)(h) occupational medicine |
| Trade union membership (payroll deduction) | 9(2)(b) + national labour law |
| Disability accommodation | 9(2)(b) employment law |
| Biometric clock-in | 9(2)(b) only if national law allows; often disproportionate |
| Defending an employment tribunal claim | 9(2)(f) legal claims |
Note the distinction the exam loves: criminal conviction data is not Article 9 special category data — it is governed separately by Article 10, which requires the processing to be under the control of official authority or authorised by Union/Member State law. Background criminal checks on staff therefore turn on Article 10 plus national law, not Article 9.
Monitoring at Work and Proportionality
Workplace monitoring — email review, internet logging, GPS tracking, keystroke or productivity surveillance, CCTV of staff areas — must satisfy the Article 5(1) principles (lawfulness, fairness, transparency, purpose limitation, data minimisation, storage limitation) and clear a proportionality test drawn from EDPB guidance and the European Court of Human Rights. The leading case is Barbulescu v Romania (ECtHR, Grand Chamber, 2017), which set factors for assessing monitoring of an employee's communications.
The Barbulescu Proportionality Factors
- Was the employee notified in advance of monitoring and its nature?
- What was the extent of monitoring and degree of intrusion?
- Did the employer give legitimate reasons to justify it?
- Could a less intrusive method achieve the same aim?
- What were the consequences for the employee, and were safeguards in place?
Applied to GDPR, proportionate monitoring should: identify a legitimate aim and confirm less intrusive means cannot achieve it; give clear, advance transparency under Articles 13 and 14 (covert monitoring is lawful only in narrow, suspected-serious-wrongdoing situations); limit scope, retention, and access to what the aim requires; and run a Data Protection Impact Assessment (DPIA) under Article 35 for systematic large-scale monitoring.
Common trap: continuous, blanket surveillance of all staff almost always fails proportionality even where a real business interest exists. The exam often presents a "we monitor every keystroke to boost productivity" scenario — the correct answer flags disproportionality, a missing DPIA, and inadequate transparency, not merely the wrong lawful basis.
Article 88 and Works Councils
Article 88 GDPR expressly allows Member States to adopt more specific rules to ensure protection of rights in the employment context, including by law or by collective agreement, covering recruitment, contract performance, management, monitoring, equality, and termination. Such rules must include suitable measures to safeguard human dignity, legitimate interests, and fundamental rights. As a result, identical HR processing can be lawful in one country and unlawful in another, and the exam frequently tests this divergence with cross-border employer scenarios.
The Works Council Layer
In several Member States — Germany being the classic example through its Works Constitution Act (Betriebsverfassungsgesetz) — a works council (Betriebsrat) holds co-determination rights. Employers may need to consult, or obtain the agreement of, the works council before introducing employee monitoring, time-tracking, or new HR/IT systems capable of monitoring staff behaviour or performance. A correct answer to a German-monitoring scenario therefore involves the works council step, not just a GDPR lawful basis.
| Country | Distinctive employment-data feature |
|---|---|
| Germany | Works council co-determination on monitoring/IT systems |
| France | Strong limits on workplace surveillance; CNIL guidance; CSE consultation |
| Netherlands | Works council (OR) consent for monitoring under the WOR |
| EU-wide baseline | Article 88 permits but does not require national rules |
Exam shortcut: if a fact pattern names a specific EU country and asks what an employer "must do first" before rolling out monitoring, look for the national/works-council step, then the GDPR basis, then proportionality and a DPIA. Choosing only the GDPR lawful basis while ignoring the national consultation requirement is the designed wrong answer.
A French employer wants to roll out a system that continuously logs every website each employee visits, and plans to justify it by asking staff to sign a consent form. Why is this approach most likely non-compliant?
Which provision most directly explains why employee-data rules can differ between EU Member States?