GDPR compliance has shifted from an "EU problem" to a core HR discipline for any company with European operations, EEA-based employees, or EU-resident job candidates. The regulation has been enforced at scale since 2018, and the 2026 fine environment shows no signs of easing. The biggest HR-related enforcement actions have involved candidate data retention, cross-border transfers to U.S. vendors without adequate safeguards, and employee monitoring that lacked proper legal basis. For U.S.-headquartered HR teams, compliance is mostly about getting the legal basis, data flow mapping, and vendor contracts right before the first European hire.
When GDPR Applies to U.S. HR Activity

GDPR has extraterritorial reach under Article 3. It applies whenever an organization processes personal data of individuals located in the EEA, regardless of where the organization is headquartered. For HR, the common triggers are hiring EEA-resident candidates, employing EEA workers (including U.S. employees temporarily working in Europe), storing EEA candidate resumes in an ATS, and using EEA-based vendors or contractors whose data flows through the employer's systems.
The definition of personal data is broad: anything that identifies or can identify an individual, including IP addresses, device identifiers, and HR metadata.
What's the Lawful Basis for Processing HR Data?

GDPR requires a lawful basis for processing personal data. For HR, the most common bases are the performance of the employment contract (for core HR activities like payroll, leave tracking, benefits), legitimate interest (for some workforce analytics), and legal obligation (for required government reporting). Consent is rarely a valid basis for employer-employee relationships because the power imbalance makes consent not truly voluntary.
Cross-Border Data Transfers Are the Biggest Risk

Transferring EEA personal data to the U.S. (or anywhere outside the EEA) requires a valid transfer mechanism. The Schrems II decision in 2020 invalidated Privacy Shield. The 2023 EU-US Data Privacy Framework is currently valid but has been challenged in court. Standard Contractual Clauses (SCCs) remain the most widely used mechanism and require detailed data transfer impact assessments.
U.S. SaaS HR vendors (ATS, HRIS, performance tools) that host EEA data in U.S. data centers are the highest-risk touchpoint. Contracts need current SCCs, and the transfer impact assessment needs to be documented.
Data Subject Rights Employees Can Exercise

GDPR gives employees and candidates specific rights: access their personal data, correct inaccuracies, delete data in limited circumstances, restrict processing, port data to another controller, and object to automated decision-making. HR systems need workflows to handle each request type within 30 days (extendable in limited circumstances).
The right to erasure has specific employment carve-outs. Employers can retain data necessary for ongoing legal obligations (tax records, litigation holds, regulatory reporting) even after an employee leaves. The EDPB guidelines are the authoritative source on scope.
Building a GDPR-Ready HR Operation Without Over-Engineering

The practical operating model has four pieces: a data inventory mapping every HR system that touches EEA data; a privacy notice to EEA employees and candidates in clear language covering purpose, legal basis, retention, and rights; SCCs and transfer impact assessments with every U.S. vendor processing EEA data; and a response workflow for data subject requests with a 30-day target. Done well, the program adds meaningful process overhead but doesn't materially slow hiring or HR operations. Done poorly, it creates months-long enforcement cases with seven-figure fines. For broader context, see employee benefits, onboarding, and exit interview data retention rules, which are common touchpoints for data-subject requests.