Skip to content
Playbook
IntermediateHRPeopleOps

GDPR for HR: the 12 obligations that actually touch your week

Forget the 99 articles. There are 12 GDPR obligations that show up in normal HR work — DSARs, lawful basis, retention, transfers, breach reporting — and most…

12 min read
On this page
60-Second Summary
  • Lawful basis for employee data is almost never 'consent' — it's contract, legal obligation, or legitimate interest.
  • DSAR clock is one month, extendable by two. The clock starts the day the request arrives, not the day you log it.
  • Retention schedules per data class — and you must be able to prove deletion, not just claim it.
  • Cross-border transfers post-Schrems II require SCCs plus a transfer impact assessment.

The DPO sees GDPR as architecture. HR sees it as a series of weekly choices: should I keep this CV, can I move payroll to a US vendor, what do I send the ex-employee who asked for 'everything you have on me'. These are the 12 that matter.

The 12 obligations

#ObligationWhat HR does about it
1Lawful basis per processing activityMaintain ROPA — record of processing activities — by data class
2Privacy notice to candidates + employeesRefresh on hire, on system change, annually
3Data minimisationDon't collect what you can't justify; review every form field
4Purpose limitationDon't reuse employee data for new purposes without notice
5Retention schedulePer data class; auto-deletion where possible
6DSAR response (1 month)Documented intake + redaction process
7Right to rectificationUser-editable profile + audit log
8Right to erasure (limited for employees)Carve-outs for legal + tax retention
9Breach notification (72h)Defined trigger + escalation tree
10DPIA for high-risk processingTrigger list: monitoring, profiling, large-scale special category
11Cross-border transfersSCCs + TIA for every non-adequate jurisdiction
12Vendor contracts (Art. 28)DPA on every HR system, sub-processor approval

Handling a DSAR

  1. Day 0: request arrives. Log it. Acknowledge in writing within 5 days.
  2. Day 0-7: identity verification (proportionate, not invasive).
  3. Day 7-21: collect from every system — HRIS, payroll, ATS, performance tool, email mentions, manager notes.
  4. Day 21-28: redact third-party data, legal-privileged content, ongoing investigation material.
  5. Day 28-30: deliver in a portable format. Log what was disclosed and what was withheld and why.

Retention you can defend

The defensible answer to 'how long do you keep CVs' is never 'forever'. Map every data type to a retention basis (tax: 7 years; unsuccessful candidate: 6-12 months; employee file: per local law plus statute of limitations). Auto-delete where possible — manual processes drift.

Breach: the 72-hour clock

Trigger

The 72 hours start when HR becomes aware of the breach — not when the security team finishes investigating. The clock for notifying the supervisory authority cannot be paused to make the report look better.

Written by Pawan Joshi.Sources cited inline.
First published 16 Jun 2026See site changelog →