Why a separate employee privacy policy?
Most businesses have a privacy policy on their website, aimed at customers and visitors. But as an employer you also process a large amount of personal data about your own staff, and the GDPR (Articles 13 and 14) requires you to inform them just as thoroughly about what you do with it.
It is worth recognising that the personal data you gather on staff is often far more detailed and sensitive than what you collect on customers. Think of salary information, family composition, pension details, performance reviews, medical absences, disciplinary records, and biometric data like fingerprints for access control. Some of these (health data, and biometric data used to identify a person) are special categories of data under Article 9 GDPR, which may only be processed under strict conditions. This makes the employee privacy policy not just a compliance formality, but a genuinely important document for your team.
The employee privacy policy (also called an internal privacy policy) is the document that provides this information. It is entirely separate from your website privacy policy and focuses specifically on processing related to the employment relationship.
When to hand it over
The right moment is at the start of employment, and in any case before you begin processing the employee's data. Include the employee privacy policy as an appendix to the employment contract. This way the employee knows from day one which data you process, why, and what rights they have.
If you update the policy later, for example because you introduce CCTV or start using a new HR system, you must inform all employees of the change before the new processing begins.
What must it include?
An employee privacy policy contains broadly the same sections as a website privacy policy, but tailored to the employment relationship.
1. Who is the data controller?
Your company name, address, and contact details. If you have a Data Protection Officer (DPO), include their contact information as well.
2. What data do you process?
Be specific. As an employer you typically process:
- Identification data: name, address, date of birth, national ID number
- Payroll: bank details, pay slips, tax information
- HR files: employment contract, evaluations, training records, warnings
- Sick leave: absence reports, duration of absence (note: you may record the fact and duration of an absence, but not the diagnosis or other medical details)
- Access control and badges: who enters or leaves the building and when
- CCTV: if you have cameras in the workplace
- GPS tracking: if you track the location of company vehicles
- IT usage: log data, email usage, internet usage (only if you actually monitor this, and then only to the extent described in the policy)
3. Why do you process the data?
State the purpose per data category. Examples:
- Payroll: performance of the employment contract and legal obligations
- CCTV: security of property and employee safety
- GPS tracking: route planning and efficiency management
- Badges: access control and compliance with working time regulations
4. What is the legal basis?
The most common legal bases for employee data:
- Performance of the employment contract (payroll, contract management)
- Legal obligation (tax filings, social security)
- Legitimate interest (CCTV, IT security): this requires a documented balancing test showing that your interest is not overridden by the employees' interests and fundamental rights
Consent is almost never a suitable legal basis in an employment context: because of the imbalance of power between employer and employee, the employee can rarely refuse freely, so the consent would not be valid.
5. With whom do you share the data?
List all parties with access:
- Payroll provider or social secretariat
- Occupational health service
- Insurer
- IT vendors with access to HR systems
- Government authorities (tax authority, social security)
6. Retention periods
Describe per data type how long you keep it. The figures below are typical examples; the exact periods follow from the national law that applies to you, so check them for your own jurisdiction:
- Payroll data: legal retention obligation, typically 7 years
- Employee file: up to 5 years after end of employment
- CCTV footage: maximum 1 month (longer only if an incident occurred and the footage is needed as evidence)
- GPS data: a few weeks, depending on the purpose
7. Employee rights
Employees have the same rights as other data subjects: access, rectification, erasure, restriction, portability, and objection. Note that some rights are limited in practice: for example, a request for erasure does not override a legal retention obligation for payroll data. State how employees can exercise these rights and who to contact, and mention their right to lodge a complaint with the supervisory authority.
How GDPRWise handles this for you
When you work through the employee dossier in GDPRWise, you are asked targeted questions about your HR processes, CCTV, GPS tracking, and IT policies. Based on your answers, GDPRWise automatically generates an employee privacy policy, ready to include as an appendix to the employment contract.
Does your situation change? Update your answers and the document is automatically refreshed.