Employee Personal Data – What You Can Process and for How Long

Apr 15, 2026 | GDPR and iGDPR guides for practitioners and beginners

Employee personal data is one of the most extensive areas of GDPR in practice — and at the same time one of the most frequently overlooked during implementation. Organisations focus on customer data and forget that the employer-employee relationship generates a broad and sensitive scope of processing: from recruitment, through employment, to years after the termination of the contract.

The scope of data that an employer may request from an employee derives primarily from the Labour Code (Article 22¹), not from the GDPR. The GDPR governs the principles of processing — the Labour Code governs what the employer may collect.

Data that an employer may request from a candidate: name and surname, date of birth, contact details, education, employment history.

Data that an employer may request from an employee (additionally): home address, national identification number (PESEL), other data where a statutory obligation to provide it exists.

Special categories of data — processing of health data, trade union membership or criminal convictions is permitted only where a statutory provision expressly allows it (e.g. occupational health examinations, certificate of no criminal record for specified positions) or where the employee has given voluntary and explicit consent. Employee consent given to an employer, however, rarely meets the voluntariness criterion due to the power imbalance between the parties.

Legal bases for processing employee data:

  • Contract performance (Article 6(1)(b) GDPR) — data necessary for the employment relationship
  • Legal obligation (Article 6(1)(c) GDPR) — data required by the Labour Code, tax regulations, social security
  • Legitimate interest (Article 6(1)(f) GDPR) — e.g. monitoring in justified cases
  • Consent (Article 6(1)(a) GDPR) — only for data beyond the mandatory scope, and only where consent is genuinely voluntary

Personnel Files — Structure and Content

The Regulation of the Minister of Family, Labour and Social Policy of 2018 sets out the structure of an employee’s personnel file. The file consists of four parts:

Part A — documents collected in connection with the recruitment process (CV, questionnaire, references from previous employers, documents confirming qualifications).

Part B — documents relating to the establishment of the employment relationship and the course of employment (employment contract, job description, documents confirming familiarisation with internal rules and health and safety regulations, payroll records, authorisations, documents relating to leave).

Part C — documents relating to termination or expiry of the employment relationship (notice, agreement, employment certificate).

Part D — copies of notices of disciplinary penalties and other documents relating to disciplinary liability.

The employer is required to maintain personnel files in paper or electronic form — both forms are legally equivalent. Since 2023, personnel files include a fifth section — Part E — containing documents related to sobriety checks and tests for psychoactive substances.

How Long to Retain Employee Data

This is one of the most frequently misunderstood areas. The retention period for employment documentation depends on when the employment relationship was established:

Employees hired from 1 January 2019 — personnel files and payroll documentation: 10 years from the end of the calendar year in which the employment relationship ended.

Employees hired between 1999 and 2018 — in principle 50 years, unless the employer submitted a ZUS RIA information report — in which case the period is reduced to 10 years.

Employees hired before 1 January 1999 — 50 years.

The retention period is calculated from the end of the calendar year in which the contract was terminated — not from the date of termination.

Other employment documents:

  • Payroll lists, wage records — same as personnel files (10 or 50 years)
  • ZUS documentation — 5 years
  • Tax documentation (PIT-11) — 5 years
  • Health and safety documentation — 10 years from the end of employment
  • Monitoring recordings — maximum 3 months, unless they constitute evidence in proceedings

What to Do with Data After Contract Termination

This is the area most frequently neglected by organisations. Once the retention period has expired, data must be deleted or anonymised — it cannot be stored indefinitely “just in case”.

The practical problem: many companies have no employee data retention policy in place. Former employees’ files sit in cabinets or on servers for years — because no one monitors the deadlines. This is a violation of the storage limitation principle (Article 5(1)(e) GDPR).

What to do: for each category of employment documentation, define a retention period in the record of processing activities and assign responsibility for enforcing it. Implement a periodic review and deletion schedule — ideally annual, at the beginning of each calendar year.

Employee Monitoring and GDPR

An employer may use monitoring — but only in strictly defined circumstances and subject to rigorous requirements. We cover this in detail in the article on employee monitoring and GDPR. Key principles here:

Monitoring is permissible where it is necessary for a specific purpose (security, work organisation, property protection) and proportionate — meaning the scope of monitoring does not exceed what is necessary. Employees must be informed of the monitoring before it is introduced. Recordings must be stored for a maximum of 3 months.

Email monitoring, computer activity tracking, and GPS in company vehicles — each of these requires a separate analysis of necessity, proportionality, and the appropriate legal basis.

Most Common Mistakes in Processing Employee Data

Collecting excessive data at the recruitment stage. An employer may not request a photograph, information about health status, pregnancy, family plans, or trade union membership from a candidate. Data that is not necessary to assess qualifications should not be collected.

No information notice at the time of hiring. An employee must receive information about the processing of their data (controller, purposes, legal bases, retention periods, rights) — no later than at the time of data collection.

Retaining former employee data without monitoring deadlines. Absence of an implemented retention policy is one of the most frequently identified issues during inspections in the HR sector.

Sharing employee data without a legal basis. Payroll records, HR data, and absence information may not be shared with other departments or external parties without a clear legal basis.

No data processing agreements with the accounting firm and HR system. An accounting firm that processes payroll and the provider of a cloud-based HR system are both processors, and each must have a signed data processing agreement.

Summary

Employee personal data is an extensive area of processing that begins at recruitment and continues for years after the employment relationship ends. Key principles: collect only data that is necessary and required by law; inform employees about the processing of their data; comply with retention periods and implement a deletion schedule; use monitoring only where necessary and proportionate; conclude data processing agreements with accounting firms and HR system providers.

FAQ

Can an employer require a criminal record check from a candidate?

Only where a statutory provision expressly requires it for a particular position — e.g. when working with children, in banking, or in specified regulated professions. In other cases — no.

Is employee consent to data processing valid?

Employee consent is problematic due to the power imbalance in the employment relationship. The UODO takes the position that employee consent is rarely voluntary within the meaning of the GDPR. Contract performance or legal obligation should be preferred as the legal basis wherever possible.

How long should CVs of unsuccessful candidates be retained?

If the candidate has not consented to the processing of their data for future recruitment — the CV should be deleted after the recruitment process ends. If they have given consent — for the period specified in the consent, not longer than is justified.

Does an employee have the right to access their personnel file?

Yes — an employee has the right to inspect their personnel file at any time (Article 94(9a) of the Labour Code), as well as the right to receive a copy.

What to do with the files of a deceased employee?

Employment documentation is retained for the standard period (10 or 50 years) — the right to access the files belongs to heirs or close family members as specified in relevant statutory provisions.
