How can employers balance employees' right to be forgotten under the GDPR with the need to keep HR records?
Under the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR), employees have the right in certain circumstances to request that their employer erase personal data it holds about them. This is known as the right to be forgotten. However, the employer does not necessarily have to comply with the request by deleting the data in its entirety. Depending on the reasons and legal bases for processing the data, the employer may be required to erase some categories while it may have grounds for retaining others.
If an employee or former employee asks the employer to delete data relating to them, the employer should identify its legal bases for processing the data. The employer should ideally have a record of this from carrying out a data audit and/or from its record of processing activities.
Employers are not required to erase data if they have a legal obligation to retain it. For example, employers have a duty to retain records relating to payment of statutory sick pay and statutory maternity pay for at least three years following the end of the tax year in which they made the payment.
Where the legal basis for processing the data is the employer's legitimate interests, the employer must delete the information if requested by the employee or former employee, unless there are compelling legitimate grounds for the processing that override the employee's interests, or the data is necessary for the defence of legal claims. For example, if an employee requested that the employer delete data relating to disciplinary proceedings against them, the employer could refuse the request on the ground that the data would be required should the employee bring a tribunal claim relating to the disciplinary issue. The employer is likely to have compelling legitimate grounds for retaining much of the employee's data while the employment relationship continues.
The employer should delete any personal data relating to the employee or former employee that is no longer required for the purpose for which it was processed. Employers should do this in any event, as one of the principles of the GDPR is that personal data should be kept for no longer than is necessary.