Quick Answer
Employee payroll CSV files almost always contain GDPR personal data and frequently contain special category data. Consent is generally not a valid legal basis for processing employee data — the power imbalance between employer and employee means consent is not freely given under GDPR. The most common valid bases are legal obligation (processing required by employment law) and legitimate interests. A DPIA is typically required for large-scale employee data processing. Uploading payroll files to cloud tools without a DPA creates direct controller liability.
TL;DR: HR and payroll CSVs are high-risk under GDPR because they contain salary, health, and demographic data that may be special category data. Consent is usually invalid as a legal basis. DPIA is usually required. Controller liability follows if a processor you selected experiences a breach. Process locally or ensure full agreement stack (DPA, transfer mechanism) before any upload.
In 2022, McDonald's Poland was fined €3.9 million by the Polish DPA (UODO) following a breach that exposed employee data through a processor's misconfigured server (UODO decision DKN.5130.2155.2020). The controller — McDonald's — was liable. Not because McDonald's misconfigured the server. Because the controller is responsible for selecting processors that provide sufficient guarantees under GDPR Article 28(1), and for verifying that those guarantees are upheld.
The principle is foundational to GDPR's accountability model: selecting a processor transfers execution, not accountability. If your payroll CSV is uploaded to a tool whose server is misconfigured, the regulatory exposure sits with your organization.
This guide reflects GDPR Articles 6, 9, 28, 35, and 88; EDPB guidance on employee monitoring and consent; and data protection authority enforcement practice, March 2026. It is not legal advice.
Table of Contents
- What HR and Payroll CSVs Contain
- Legal Basis for Employee Data Processing
- Special Category Data in HR Files
- DPIA Requirements for HR Processing
- Controller Liability for Processor Breaches
- Compliance Workflow
- Client-Side Processing for HR Data
- Additional Resources
- FAQ
This guide is for: HR compliance officers, DPOs, payroll administrators, and data analysts responsible for processing employee data under GDPR.
What HR and Payroll CSVs Contain
Understanding what is in a typical HR or payroll CSV export determines which GDPR obligations apply. Most payroll and HR system exports include:
| Field Type | Examples | GDPR Classification |
|---|---|---|
| Basic identifiers | Name, employee ID, email | Personal data — Art. 4(1) |
| Financial data | Salary, bonus, deductions, bank account | Personal data — Art. 4(1) |
| Demographic data | Date of birth, gender, nationality | Personal data — Art. 4(1); may intersect with protected characteristics (e.g. gender identity) depending on context |
| Health-related | Sick leave, disability adjustments, medical deductions | Special category — Art. 9 |
| Union membership | Union dues, union affiliation | Special category — Art. 9 |
| Performance data | Performance ratings, disciplinary actions | Personal data; may require Art. 88 national law |
| Benefits data | Pension contributions, insurance selections | Personal data |
| Location data | Work location, home address | Personal data |
The special category risk: Many payroll files contain implicit health data — sick leave days, disability pay, medical deduction codes. These fields constitute special category data under GDPR Article 9 and carry heightened processing obligations. A payroll export that looks like financial data may contain health data through its benefits and leave codes.
Legal Basis for Employee Data Processing
GDPR Article 6 requires a valid legal basis for processing personal data. For employees, the common candidates and their limitations:
Legal obligation (Article 6(1)(c)): Processing required by employment law, tax law, or statutory HR obligations. This is the most solid basis for core payroll processing — paying employees and making required deductions is legally mandated. It does not cover all HR processing — only what the law specifically requires.
Performance of a contract (Article 6(1)(b)): Processing necessary to perform the employment contract. Calculating and paying salary clearly qualifies. Performance management, training records, and career development also qualify if they are part of the contractual employment relationship.
Legitimate interests (Article 6(1)(f)): Processing necessary for the organization's legitimate interests, provided the employee's interests and rights do not override them. This requires a Legitimate Interests Assessment (LIA). Applicable for some HR analytics, absence management, and workforce planning — but the balance test must be conducted and documented.
Consent (Article 6(1)(a)): Generally not appropriate for employee data under GDPR. The EDPB's guidelines on consent make clear that in an employment context, consent is unlikely to be freely given due to the power imbalance — employees may reasonably feel they must consent or risk negative consequences. The EDPB guidance on consent under Regulation 2016/679 (updated 2020) states this explicitly. Consent is not a reliable primary basis for standard HR processing.
Special category data (Article 9): Special category data requires a basis under both Article 6 AND Article 9. For health data in HR contexts, Article 9(2)(b) (processing for employment law obligations) and Article 9(2)(h) (medical treatment and occupational medicine) are typically applicable. Explicit consent under Article 9(2)(a) is available but carries the same power imbalance concern as Article 6 consent.
Special Category Data in HR Files
GDPR Article 9 defines special categories of personal data that carry heightened protection: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, and data concerning sex life or sexual orientation.
In HR CSV context:
| Data | Special Category Basis | Common Processing Justification |
|---|---|---|
| Sick leave records | Health — Art. 9(2)(b) | Employment law obligation (statutory sick pay, absence management) |
| Disability adjustments | Health — Art. 9(2)(b)/(h) | Employment law; occupational health |
| Union dues/membership | Trade union — Art. 9(2)(b) | Employment law obligation (dues deduction) |
| Medical deduction codes | Health — Art. 9(2)(b) | Payroll compliance |
| Pregnancy/maternity leave | Health — Art. 9(2)(b) | Statutory employment rights |
| Nationality/ethnic origin | Racial/ethnic — Art. 9(2)(b) | Right to work verification in some jurisdictions |
Practical implication: If your payroll CSV contains any of these fields, the data is subject to both the standard Article 6 requirements AND the Article 9 additional requirements. Any processor you use (including a cloud CSV tool) receives special category data the moment the file is uploaded — which means the DPA must specifically address special category data, and your Article 9 basis must be documented.
DPIA Requirements for HR Processing
GDPR Article 35 requires a Data Protection Impact Assessment for processing that is "likely to result in a high risk to the rights and freedoms of natural persons." The EDPB identifies several processing types that require a DPIA — including systematic processing of employees on a large scale, and processing of special category data on a large scale.
HR DPIA triggers:
- Large-scale processing of employee data (no fixed threshold — assess proportionality)
- Processing special category data (health, union membership) systematically
- Automated decision-making that affects employees (performance scoring, absence tracking)
- Monitoring of employees (email monitoring, location tracking, productivity metrics)
- Processing involving new technologies in the employment context
What the DPIA must contain (Article 35(7)):
- Description of the processing and its purposes
- Assessment of necessity and proportionality
- Assessment of risks to data subjects' rights and freedoms
- Measures to address risks, including safeguards and security measures
- Consultation with DPO where designated
Consulting the DPA: If the DPIA shows that residual risks are high after mitigation measures, the organization must consult the competent supervisory authority before beginning the processing (Article 36).
Controller Liability for Processor Breaches
GDPR Article 24 holds the controller responsible for compliance with GDPR. Article 28(1) requires the controller to use only processors that "provide sufficient guarantees to implement appropriate technical and organisational measures." Article 82 establishes joint and several liability between controllers and processors where both contributed to damage.
The McDonald's Poland precedent: The 2022 UODO fine of €3.9 million (UODO decision DKN.5130.2155.2020) was against the controller — McDonald's — for:
- Failing to conduct adequate due diligence on the processor's security controls
- Failing to verify that the processor's guarantees under Article 28(1) were actually implemented
- Not detecting the misconfiguration that exposed employee data
The controller was not accused of the technical failure. The controller was liable for selecting and failing to adequately monitor a processor that did not meet GDPR standards.
Additional enforcement examples relevant to HR data:
H&M Germany — €35.3 million fine (Hamburg DPA, 2020): H&M collected and stored extensive personal data about employees' private lives — including family situations, religious beliefs, and health conditions — through detailed notes taken after return-from-leave conversations. Managers maintained records of personal employee circumstances and used them for performance management decisions. The Hamburg DPA found this violated GDPR Article 5 (data minimization, purpose limitation), Article 9 (special category data without valid basis), and Article 6 (no lawful basis for the breadth of processing). This is the largest GDPR fine issued specifically for employee data mishandling.
Clearview AI — multiple DPA actions (2022–2023): While not an employment case, this series of enforcement actions established that bulk data collection about individuals — even using publicly available sources — requires a lawful basis and appropriate technical measures. The principle applies to HR data: collecting more employee data than necessary, or retaining it longer than required, creates regulatory exposure independent of any breach.
What these cases tell HR data teams: The enforcement pattern is consistent — excessive collection, inadequate purpose limitation, and failure to verify processor guarantees are the three most common triggers for HR-related GDPR enforcement. Every payroll CSV export should be the minimum necessary for the stated purpose, processed only through tools with verified security controls.
What this means for HR CSV processing: Every time a payroll file is uploaded to an external tool, you are relying on that tool's security controls to protect the data. If the vendor's security fails, you are jointly liable as the controller. The due diligence required by Article 28(1) — verifying sufficient guarantees — is your responsibility before the first upload.
Compliance Workflow
Work through this checklist sequentially. Each step is mapped to a specific GDPR article to support accountability documentation under Article 5(2).
| Step | Action | Article |
|---|---|---|
| 1 | Document legal basis for each processing purpose in the payroll workflow | Art. 6, Art. 9 |
| 2 | Identify all special category data fields in your CSV exports | Art. 9(1) |
| 3 | Conduct DPIA if processing triggers (large scale, special category, automated decisions) | Art. 35 |
| 4 | Restrict CSV exports to minimum necessary fields for each task | Art. 5(1)(c) |
| 5 | Apply pseudonymization to employee IDs before sharing | Art. 5(1)(e) |
| 6 | Execute DPA with any external tool that receives the CSV | Art. 28 |
| 7 | Verify processor security guarantees — do not rely on marketing claims | Art. 28(1) |
| 8 | Consider client-side processing for analysis tasks to avoid upload exposure | — |
| 9 | Document all steps for Art. 5(2) accountability demonstration | Art. 5(2) |
Client-Side Processing for HR Data
HR and payroll CSVs are among the highest-risk files for upload to cloud-based tools precisely because they combine high sensitivity (special category data) with high regulatory exposure (DPIA obligations, controller liability).
A client-side tool processes the file locally — no upload to any server occurs during the processing step. For HR use cases:
- Cleaning and formatting payroll exports: Remove columns, standardize formats, validate data types — all without the file leaving the local machine.
- Pseudonymization before sharing: Replace employee IDs and names with research IDs locally before exporting a de-identified version for analysts.
- Cross-referencing HR data: Join or compare files containing employee data without either file being uploaded.
Many SaaS tools retain uploaded files temporarily — retention policies vary by vendor. For payroll files containing special category data, each day of vendor retention is additional exposure. Client-side processing eliminates retention risk for the processing step entirely.
See our GDPR Article 28 guide for the full DPA framework and our GDPR compliant CSV processing guide for the broader compliance workflow.
GDPR Article 88: National Employment Law Variations
GDPR Article 88 permits member states to enact more specific rules for processing in the employment context. This means the GDPR baseline is a floor, not a ceiling — national employment law may impose stricter requirements on HR data processing.
Five-country Article 88 summary for HR data teams:
| Country | Key Art. 88 Provisions | Implications for HR CSV Processing |
|---|---|---|
| Germany | Bundesdatenschutzgesetz (BDSG) §26 — processing for employment purposes requires necessity for hiring, execution, or termination of contract; works council co-determination rights on monitoring | Works council must be consulted before implementing new HR data processing systems; data for monitoring productivity or attendance faces elevated scrutiny |
| France | Loi Informatique et Libertés — CNIL requires data protection notice to employees; union representative consultation for certain monitoring; strict limits on biometric data | Any CSV-based attendance or performance tracking may require CNIL notification; biometric identifiers in any HR CSV face near-prohibition |
| Spain | LOPDGDD Art. 87–91 — specific protections for device monitoring, GPS, and whistleblowing; employee right to privacy on company devices | Spain's AEPD has issued significant fines for excessive employee monitoring; HR exports from monitoring tools require documented necessity assessment |
| Netherlands | Implementation via Uitvoeringswet AVG — works council approval required for most employee monitoring; Data Protection Impact Assessment mandatory for systematic attendance monitoring | Dutch DPA (AP) prioritises employment context enforcement; any automated performance scoring in HR CSV is high-risk |
| Ireland | Data Protection Act 2018 — employment purposes narrowly defined; no additional explicit Art. 88 provisions beyond GDPR | Irish DPC applies GDPR baseline strictly; consent issues particularly acute given tech sector workforce expectations |
Practical implication: If your organization has employees in Germany, France, Spain, or the Netherlands, verify with local counsel whether your HR CSV processing workflows comply with national Art. 88 implementations before any system changes.
DPIA Mini-Template for HR CSV Workflows
Use this as a starting framework. A full DPIA requires DPO sign-off and may require supervisory authority consultation. This template covers the data team's contribution.
HR DATA DPIA WORKSHEET — CSV PROCESSING WORKFLOWS
Organization: _______________ Date: _______________
DPO Review: _______________ Status: Draft / Final
1. PROCESSING DESCRIPTION
Processing activity: [e.g., payroll export cleaning, performance data analysis]
CSV data categories: [fields present — salary, leave, health codes, etc.]
Special categories present? Yes / No
If yes, categories: [health / union membership / other]
Volume: [approx. number of employee records]
Frequency: [daily / weekly / monthly / ad hoc]
Processing tool: [tool name + client-side or server-side?]
2. NECESSITY AND PROPORTIONALITY
Legal basis (Art. 6): [legal obligation / legitimate interests / contract]
If special category (Art. 9): [employment law obligation / other basis]
Data minimized to minimum necessary? Yes / No
Retention period: [specify]
Is there a less privacy-invasive way to achieve the same purpose? [yes/no + reason]
3. RISK ASSESSMENT
Risk 1: [e.g., unauthorized access to salary data]
Likelihood: Low / Medium / High
Severity: Low / Medium / High
Mitigation: [e.g., access restricted to payroll team, pseudonymization applied]
Residual risk: Low / Medium / High
Risk 2: [e.g., processor breach if server-side tool used]
Likelihood: Low / Medium / High
Severity: Low / Medium / High
Mitigation: [e.g., use client-side tool; no upload required]
Residual risk: Low / Medium / High
4. MEASURES IN PLACE
☐ DPA signed with all processors receiving HR data
☐ Special category basis documented
☐ Employee notice provided (Art. 13/14)
☐ Minimum necessary principle applied to CSV exports
☐ Pseudonymization applied before any sharing
☐ Access controls limiting who can export HR CSVs
5. CONCLUSION
Residual risk acceptable? Yes / No
DPO recommendation: [proceed / modify / consult supervisory authority]
Supervisory authority consultation required? Yes / No
Additional Resources
GDPR Official Text:
- GDPR Article 9 — Special Categories — Special category processing requirements
- GDPR Article 35 — DPIA — When a DPIA is required
- GDPR Article 88 — Employment Context — National law provisions for employee data
EDPB Guidance:
- EDPB Guidelines on Consent in Employment — Why employee consent is problematic
- EDPB Guidelines on DPIAs — When a DPIA is required
National Authority Guidance:
- ICO Employee Monitoring Guidance — UK DPA on employment consent
- CNIL Employee Data Guidance — French DPA on HR data processing