GDPR is 8 years old and still widely under-applied in HR. Many companies keep their processing register up to date on the marketing or IT side but forget HR data — health, compensation, contracts, evaluations, applications, expenses — is the most sensitive they handle. Regulator fines on HR-related breaches tripled between 2022 and 2025.
HRIS GDPR compliance rests on 5 pillars: (1) clear legal basis for each processing, (2) signed DPA + sub-processor registry, (3) controlled hosting and framed transfers, (4) retention periods differentiated by data type, (5) data subject rights operationalized. Beyond GDPR, account for Swiss nLPD, Brazilian LGPD, and equivalent laws per country.
01HR data = sensitive data
GDPR distinguishes “regular” data (name, business email) from “special categories” (health, opinions, biometrics). But in practice, nearly all HR data is legally sensitive or risky:
- Civil status + national ID number (highly sensitive identifier).
- Salary and bonuses (financial data, very limited disclosure).
- Sick leave, accidents, medical certificates (health data — special category).
- Performance reviews, ratings (sensitive opinion data).
- Applications and rejected CVs (strict retention limits).
- Expenses with restaurant, hotel, travel details.
A non-compliant HRIS exposes both employer and vendor under shared responsibility (GDPR Art. 28).
02Pick the right legal basis per processing
- Contract performance: payroll, contract, leave, expenses — most common.
- Legal obligation: payroll filings, mandatory declarations, certificates.
- Legitimate interest: company directory, some HR analytics.
- Consent: NEVER use for payroll or contract — the subordination relationship invalidates consent.
03Sub-processing & DPA: the key contract
Your HRIS vendor is a processor under GDPR. You must have:
- A signed DPA (Data Processing Agreement) annexed to the main contract.
- The vendor’s public sub-processor registry (who are hosting providers, sub-contractors, payroll partners?).
- A notification clause for sub-processor changes (30-day minimum).
- Commitments on breach notification within 72 hours.
Illizeo’s sub-processor registry is public and shows what to demand.
Illizeo Security: GDPR + EU hosting
Security policy, hosting, access control, annual audits. All documented publicly.
04Hosting & international transfers
Since Schrems II (2020) and the Data Privacy Framework (2023), US transfers must rely on enhanced SCCs or DPF. Verify:
- Where main servers AND backups are hosted (often forgotten).
- Which countries access the data (support sub-processors in India, Morocco, etc.).
- Which SCCs are in place per transfer outside EU.
- Whether the vendor offers EU-sovereign or Swiss hosting on demand.
05Retention periods differentiated by data type
| Data type | During employment | After separation |
|---|---|---|
| Payslip | For the relationship | 50 years (employer) / unlimited (employee) |
| Employment contract | For the relationship | 5 years after end |
| Expense reports | 10 years (accounting) | 10 years |
| Rejected application | — | 2 years max |
| Annual reviews | Justified duration | 5 years max recommended |
| Sick leave | 1 year after end of leave | Anonymized |
A good HRIS automates these purges and anonymization based on rules you configure.
06Beyond GDPR: nLPD, LGPD, PIPEDA…
GDPR inspires but doesn’t replace local laws:
- Switzerland: nLPD (revised 2023), similar but distinct.
- UK: UK-GDPR post-Brexit, alignment maintained but transfers to frame.
- Brazil: LGPD, modeled on GDPR with ANPD as authority.
- Canada: PIPEDA (federal) + Law 25 (Quebec, hardened 2023).
- Singapore: PDPA with mandatory notification register.
- US: state patchwork (CCPA California, NYDFS New York, etc.).
07Audit readiness
A regulator, client or internal audit may come knocking. Prepare:
- Up-to-date HR processing register (Art. 30).
- Internal policies (acceptable use, retention, data subject rights).
- Signed DPAs with all sub-processors.
- Past incident records and corrective actions.
- HR team GDPR training records.
08HRIS compliance checklist — 12 points
- Signed DPA with vendor, accessible.
- Sub-processor registry consulted and current.
- Hosting location known (headquarters + backups).
- SCCs or DPF in place for extra-EU transfers.
- Security certifications current.
- Retention periods configured per data type and per country.
- Subject access request procedure operational (< 30 days).
- Automatic anonymization of expired data.
- Logs of access to sensitive data traced.
- MFA mandatory for admin profiles.
- Breach notification policy aligned with 72-hour rule.
- Annual HR team GDPR training documented.
Free compliance audit
30 min with a consultant to assess your current HRIS compliance and prioritize corrective actions.
FAQ
Is a US-based HRIS vendor a deal-breaker?
No, but watched. As long as they operate under DPF or with enhanced SCCs and document transfers precisely, it’s compliant. Ask for their data flow map. When in doubt, prefer an EU or Swiss vendor — simplifies risk analysis.
Do we need a DPO to use an HRIS?
Not necessarily. DPOs are mandatory for large-scale processing, public sector, or systematic monitoring. For an SME under 250 employees without special processing, an internal GDPR lead is enough, with occasional external support.
How long to retain sick leave records?
1 year after end of leave, then anonymized. Raw duration (days) can be kept longer for stats, but without medical detail.
What to do in case of HR data breach?
Regulator notification within 72 h if risk to individuals, individual notification if high risk. Document the incident in a dedicated register. The DPA with the vendor must specify who notifies what.
Can an employee demand deletion of all their data?
No. The right to erasure doesn’t apply to data necessary for contract execution (payroll, contract, expenses) or legal obligation. It does apply to non-essential data: profile photo, evaluation data beyond legal limits, rejected applications, etc.
