In our last blog we gave an introduction to GDPR. In this blog we will look at the GDPR principles and new rights of data subjects.


GDPR sets out the principles which data controllers (the Company) and data processors (whoever processes HR data; this could include processing in-house and/or externally, e.g. an external payroll company) must comply with when processing personal data (Article 5). These principles form the core of the data controller's obligations and will usually form the basis of any complaint that a data controller has not complied with its statutory duties.

In addition to these principles, GDPR confers new rights on data subjects (in HR terms these are your employees).

So let’s look at the principles:

Lawfulness, fairness and transparency. Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject (Article 5(1)(a)).

Purpose limitation. Personal data must be collected only for specified, explicit and legitimate purposes. It must not be further processed in any manner incompatible with those purposes (Article 5(1)(b)).

Data minimisation. Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (Article 5(1)(c)).

Accuracy. Personal data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that data which is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay (Article 5(1)(d)).

Storage limitation. Personal data must not be kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the data is processed (Article 5(1)(e)).

Integrity and confidentiality. Personal data must be processed in a manner that ensures its appropriate security (Article 5(1)(f)).

It is the data controller who is responsible for, and must be able to demonstrate, compliance with these principles (Article 5(2)).

The GDPR also confers new rights on data subjects…

The GDPR provides the following rights for individuals; in HR terms, these relate to your employees.

  • The right to be informed – an employee has the right to know what personal data the company processes about them, how, and on what basis.
  • The right of access – an employee has the right to access data held on them by way of a subject access request.
  • The right to rectification – an employee can ask you to rectify any incorrect data.
  • The right to erasure – an employee can ask you to erase personal data where the company is not entitled under the law to process it or it is no longer necessary to process it.
  • The right to restrict processing – this will generally happen when an employee has made a request to rectify or erase data.
  • The right to data portability – this would allow an employee to transfer their personal data to another data controller.
  • The right to object – employees can object to processing where, for example, data is used for direct marketing.
  • Rights in relation to automated decision making and profiling – employees have the right not to be subject to automated decisions e.g. if profiling is used in recruitment or other areas of the business.

Employees can also withdraw their consent where consent is used as the lawful ground for processing data (we will look at this in more detail when we discuss the lawful basis / justification for keeping data).

In our next blog we will look at how you establish what data you currently have and how you can manage this.

If we can be of assistance please do not hesitate to contact us on 01702 216573 or email me at

Useful links

The Information Commissioner – Telephone number: 0303 123 1113

GDPR (Regulation 2016/679/EU)