
Published On: August 11, 2025

GDPR Article 5 for HR: 7 Principles of Data Processing

GDPR Article 5 is not a compliance checklist. It is the legal spine of every HR data processing decision your organization makes, from the moment a candidate submits a resume to the day you archive a departing employee's final payroll record. Get it wrong, and the penalties reach €20 million or 4% of global annual turnover, whichever is higher, under Article 83(5). Get it right, and you have a defensible, audit-ready framework that protects both the organization and the workforce it serves.

This satellite article drills into the operational specifics of all seven principles. For the broader HR data security and privacy compliance framework, including AI governance, breach response, and vendor risk, see the parent pillar. What follows is a principle-by-principle breakdown ranked by where HR teams most commonly fail in practice.


1. Accountability — The Principle That Makes All Others Enforceable

Accountability under Article 5(2) shifts the burden of proof entirely onto the employer. You must not only comply with the first six principles — you must be able to demonstrate compliance at any point a supervisory authority asks.

  • Records of Processing Activities (RoPA): Article 30(5) exempts only organizations with fewer than 250 employees, and even then only where the processing is occasional, is unlikely to result in a risk to individuals, and involves no special-category or criminal-conviction data. HR processing is regular by definition and routinely includes special-category data (health, union membership), so in practice the exemption almost never applies to an employer.
  • Data Protection Impact Assessments (DPIAs): Article 35 requires a DPIA before any processing likely to result in a high risk to individuals. AI-driven hiring tools, biometric time tracking, and large-scale employee monitoring all trigger this requirement.
  • Staff training logs: Regulators treat untrained staff as an accountability failure. Training completion records must be retained and producible.
  • Policy version control: Privacy notices, data processing agreements, and internal data governance policies must carry version dates and change logs.
  • Vendor agreements: Data Processing Agreements (DPAs) with every HR software vendor are a baseline accountability requirement — not optional.

Verdict: Accountability is ranked first because a failure here undermines every other principle. Without documented evidence, a regulator treats your compliance as unproven. Gartner research consistently identifies accountability documentation gaps as a top driver of regulatory enforcement exposure.


2. Storage Limitation — The Principle HR Operations Violates Most Often

Personal data must be kept in a form that permits identification of data subjects for no longer than necessary for the processing purpose. There is no GDPR-defined universal retention period — HR must establish its own schedules, anchored to legal obligations and documented in writing.

  • Define retention triggers, not just periods: “Keep for 7 years” is incomplete. The schedule must specify what event starts the clock — date of termination, date of last transaction, date of failed application.
  • Implement technical deletion workflows: A written policy that no system enforces is a violation waiting to be discovered. ATS platforms, HRIS systems, and payroll software must have automated or calendar-triggered deletion workflows.
  • Distinguish data categories: Payroll records may have a 6-year legal retention obligation in some jurisdictions; unsuccessful candidate data typically has no legal obligation beyond 6–12 months from rejection.
  • Anonymization as an alternative: Where aggregated workforce analytics have ongoing value, anonymized data (not pseudonymized — truly anonymous) falls outside GDPR scope. See our comparison of anonymization vs. pseudonymization in HR analytics for the technical distinction.
  • Audit current backlogs: Most HR teams discover, during a first-pass audit, data held years beyond any defensible retention period. APQC benchmarking research confirms that data governance audits routinely surface significant volumes of data with no documented retention justification.
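The retention points above (a trigger event rather than a bare period, technical enforcement, per-category rules, anonymization as an alternative to deletion, and a legal hold that overrides the schedule) can be encoded directly in the sweep job an HRIS or ATS runs. The following is an added example written for this article, not code from the original page or from any HR product; the categories, periods and trigger names are constructed assumptions, not a legal retention schedule.

```python
"""Retention-schedule enforcement for HR records.

Added example, not code from the original article. Categories, periods and
trigger events are illustrative assumptions; real schedules must be anchored
to the statutory obligations of each jurisdiction and documented in writing.
"""
import calendar
from dataclasses import dataclass, field
from datetime import date


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping the day (31 Jan + 1 month -> 28/29 Feb)."""
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass(frozen=True)
class RetentionRule:
    trigger: str            # the event that starts the clock, not just a period
    months: int             # retention period measured from that event
    action: str = "delete"  # "delete" or "anonymize" once the period expires


# Constructed schedule (assumption): one rule per documented data category.
SCHEDULE: dict[str, RetentionRule] = {
    "payroll":                RetentionRule("tax_year_end", 6 * 12),
    "candidate_unsuccessful": RetentionRule("rejection", 6),
    "performance_review":     RetentionRule("termination", 2 * 12, action="anonymize"),
}


@dataclass
class HRRecord:
    record_id: str
    category: str
    events: dict[str, date] = field(default_factory=dict)  # trigger name -> date it occurred
    legal_hold: bool = False  # litigation hold overrides the schedule (and must itself be logged)


def evaluate(record: HRRecord, today: date) -> str:
    """Disposition for one record: 'delete', 'anonymize', or a 'retain:...'/'review:...' reason."""
    rule = SCHEDULE.get(record.category)
    if rule is None:
        # Undocumented category: surface it for review rather than silently keeping it.
        return "review:no_rule"
    if record.legal_hold:
        return "retain:legal_hold"
    start = record.events.get(rule.trigger)
    if start is None:
        # Trigger has not fired yet, e.g. performance data of a current employee.
        return "retain:trigger_pending"
    due = add_months(start, rule.months)
    if today < due:
        return f"retain:until_{due.isoformat()}"
    return rule.action


def sweep(records: list[HRRecord], today: date) -> dict[str, str]:
    """Run the schedule over a batch; the caller wires each action to the system's delete/anonymize API."""
    return {r.record_id: evaluate(r, today) for r in records}


# Constructed sample records for a stand-alone run.
SAMPLE = [
    HRRecord("pay-2018-001", "payroll", {"tax_year_end": date(2018, 4, 5)}),
    HRRecord("perf-e1001", "performance_review", {"hire": date(2021, 9, 1)}),
    HRRecord("perf-e0042", "performance_review", {"termination": date(2023, 1, 31)}),
    HRRecord("cand-042", "candidate_unsuccessful", {"rejection": date(2025, 3, 1)}),
    HRRecord("cand-007", "candidate_unsuccessful", {"rejection": date(2024, 11, 30)}, legal_hold=True),
    HRRecord("exit-e0042", "exit_survey"),
]

if __name__ == "__main__":
    for rid, action in sweep(SAMPLE, date(2025, 8, 11)).items():
        print(f"{rid:<14} {action}")
```

Two design points matter more than the arithmetic. A record whose trigger has not fired is reported as pending rather than silently kept, so the sweep output doubles as evidence for the accountability principle; and a category with no rule is flagged for review, which is usually how the backlog described in the last bullet gets found.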

Verdict: Storage limitation violations accumulate quietly. The fix requires pairing a documented HR data retention policy with technical enforcement in every system that touches employee data.


3. Data Minimisation — The Discipline of Collecting Only What You Can Justify

Data must be adequate, relevant, and limited to what is necessary for the stated processing purpose. In HR, minimisation failures almost never start as intentional overreach — they accumulate through years of unchallenged form additions.

  • Field-level purpose mapping: Every data field on every HR form — application, onboarding, performance review, exit survey — must map to a specific, documented processing purpose. Fields that cannot be justified must be removed.
  • Challenge “nice to have” data: Date of birth is required for age discrimination monitoring in some jurisdictions; in others, it is not. National ID numbers may be required for payroll; they are not required for screening. Each field demands a purpose test, not an assumption.
  • Reduce scope during system migrations: HRIS replacements and ATS upgrades are the best opportunity to eliminate legacy data fields that have never had a documented purpose.
  • Watch for secondary collection creep: Benefits enrollment platforms, learning management systems, and employee assistance program portals each collect their own data sets. HR must audit third-party tools for minimisation compliance, not just the core HRIS.

Verdict: McKinsey Global Institute research on data-driven enterprise transformation consistently identifies data quality and minimisation discipline as foundational prerequisites for reliable analytics. Collecting less, more purposefully, produces better outcomes than maximalist data hoarding.


4. Purpose Limitation — No Repurposing Without a New Legal Basis

Under Article 5(1)(b), data collected for a specific, documented purpose cannot be repurposed for an incompatible use without a new lawful basis and fresh transparency obligations to the data subject.

  • Recruitment data stays in recruitment: A candidate's resume, assessment scores, and interview notes collected for a specific vacancy, whether under legitimate interests or as pre-contractual steps under Article 6(1)(b), cannot be folded into a general talent pool for future roles without explicit consent or a clearly compatible purpose. That compatibility is assessed from the data subject's perspective: what would a reasonable applicant expect to happen to their data?
  • Performance data has limits: Aggregated performance records processed for annual review purposes cannot be redirected to train an internal AI model without a separate legal basis and DPIA.
  • Document purpose at point of collection: The RoPA and privacy notices must capture the specific purpose at the moment data is collected. Retroactive purpose definitions do not satisfy this principle.
  • Compatible purposes are permitted, with conditions: GDPR allows processing for compatible purposes, but HR must apply the compatibility test set out in Article 6(4): the link between the original and new purpose, the context in which the data was collected, the nature of the data (especially special-category data), the possible consequences for the data subject, and the safeguards in place. When in doubt, err toward a new legal basis.

Verdict: Purpose limitation is particularly critical when deploying AI-driven HR tools. Any model trained on employee or candidate data must have its training purpose documented and assessed for compatibility with the original collection purpose. This is an area where ethical AI implementation in HR intersects directly with Article 5 obligations.


5. Integrity and Confidentiality — Security Is a Legal Requirement, Not a Best Practice

The security principle in Article 5(1)(f) requires appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. Article 32 spells out what "appropriate" means: it is assessed against the state of the art, the cost of implementation, the nature, scope, context and purposes of the processing, and the risk to the individuals concerned.

  • Access controls are mandatory: Not every HR staff member needs access to every employee record. Role-based access control (RBAC) that limits data visibility to job necessity, ideally at field level rather than whole-record level, is a baseline requirement, and access should be logged so that misuse can be detected and demonstrated.
  • Encryption at rest and in transit: Employee records transmitted between HR systems or stored in cloud platforms must be encrypted. Sending payroll or health data over unencrypted email is very hard to defend as an appropriate measure, all the more so for health data, which is special-category data under Article 9.
  • Vendor liability flows back to the controller: If your payroll processor or ATS vendor suffers a breach, the employer — as data controller — retains legal responsibility. Data Processing Agreements must specify security obligations, audit rights, and breach notification timelines. See our guide to HR data security practices for vendor due diligence specifics.
  • Incident response plans: GDPR Article 33 requires notification to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals; Article 34 adds notification to the affected employees where the risk is high. HR must have a documented, tested response plan, not a draft policy, before a breach occurs.
  • Insider threat controls: A large share of HR data incidents have internal causes: departing employees, misconfigured permissions, or shared credentials. Technical controls must address internal risk, not just external attack.
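The "job necessity" standard in the access-control bullet, and the misconfigured-permission risk in the insider-threat bullet, come down to two checks: which fields a role may see, and whether the actor actually stands in the claimed relationship to the subject (their own record, their own direct report). The following is an added example written for this article, not code from the original page or from any HRIS product; the roles, field names and permission matrix are constructed assumptions that a real deployment would derive from its RoPA.

```python
"""Field-level RBAC for HR employee records, with relationship checks and an audit trail.

Added example, not code from the original article. Roles, fields and the
permission matrix are illustrative assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Actor:
    employee_id: str
    roles: frozenset[str]          # roles as granted by the identity system


@dataclass
class EmployeeRecord:
    employee_id: str
    manager_id: str
    data: dict[str, object]


# Which roles may read each field. Anything not listed is denied to everyone.
FIELD_PERMISSIONS: dict[str, frozenset[str]] = {
    "employee_id":  frozenset({"hr_generalist", "hr_bp", "payroll", "line_manager", "self"}),
    "name":         frozenset({"hr_generalist", "hr_bp", "payroll", "line_manager", "self"}),
    "job_title":    frozenset({"hr_generalist", "hr_bp", "payroll", "line_manager", "self"}),
    "home_address": frozenset({"hr_generalist", "payroll", "self"}),
    "salary":       frozenset({"payroll", "hr_bp", "self"}),
    "disciplinary": frozenset({"hr_bp", "line_manager"}),
    "health_notes": frozenset({"hr_bp", "self"}),   # special-category data (Article 9)
}

# Roles that describe a relationship to the subject; they are never taken from the
# actor's claimed roles but re-derived per record, so a spoofed "self" buys nothing.
RELATIONSHIP_ROLES = frozenset({"self", "line_manager"})

AUDIT_LOG: list[dict] = []   # in a real system this is an append-only, tamper-evident log


def effective_roles(actor: Actor, record: EmployeeRecord) -> frozenset[str]:
    roles = set(actor.roles) - RELATIONSHIP_ROLES
    if actor.employee_id == record.employee_id:
        roles.add("self")
    # "line_manager" applies only to the manager's own direct reports.
    if "line_manager" in actor.roles and record.manager_id == actor.employee_id:
        roles.add("line_manager")
    return frozenset(roles)


def view_record(actor: Actor, record: EmployeeRecord) -> dict[str, object]:
    """Return only the fields the actor may see, and log both the grant and the denials."""
    roles = effective_roles(actor, record)
    visible: dict[str, object] = {}
    denied: list[str] = []
    for name, value in record.data.items():
        if roles & FIELD_PERMISSIONS.get(name, frozenset()):   # unknown field: deny by default
            visible[name] = value
        else:
            denied.append(name)
    AUDIT_LOG.append({
        "actor": actor.employee_id, "subject": record.employee_id,
        "roles": sorted(roles), "granted": sorted(visible), "denied": sorted(denied),
    })
    return visible


# Constructed sample record; "passport_scan" deliberately has no permission entry.
SAMPLE_RECORD = EmployeeRecord(
    employee_id="e-1001", manager_id="m-0002",
    data={
        "employee_id": "e-1001", "name": "A. Example", "job_title": "Analyst",
        "home_address": "1 Example Street", "salary": 52000,
        "disciplinary": "none on file", "health_notes": "OH referral 2024-05",
        "passport_scan": "<binary blob>",
    },
)

if __name__ == "__main__":
    for who in (Actor("p-0009", frozenset({"payroll"})),
                Actor("m-0002", frozenset({"line_manager"})),
                Actor("m-0003", frozenset({"line_manager"})),
                Actor("e-1001", frozenset())):
        print(who.employee_id, sorted(view_record(who, SAMPLE_RECORD)))
```

The audit entry records the denied fields as well as the granted ones: a request for salary data from a line-manager account is exactly the signal an insider-threat detection should alert on, and the log is the evidence Article 5(2) asks for.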

Verdict: Forrester research on data security consistently identifies under-configured access controls as the most common organizational vulnerability. HR systems hold some of the most sensitive data in any enterprise — salary, health information, performance records, disciplinary history — and must be treated accordingly.


6. Accuracy — Wrong Data Is Non-Compliant Data

Personal data must be factually accurate and, where necessary, kept up to date. Inaccurate data must be erased or corrected without delay. The accuracy principle also underpins the right to rectification under GDPR Article 16.

  • Proactive data quality workflows: HR cannot wait for employees to flag errors. Periodic data verification — confirming contact details, job titles, reporting lines, and salary records — must be built into HR operations as a scheduled process.
  • Right to rectification procedures: Employees have a legal right under Article 16 to have inaccurate personal data corrected. HR must have a documented process for receiving, assessing, and acting on rectification requests without undue delay and at the latest within one month (Article 12(3)), extendable by a further two months only for complex or numerous requests, and only if the employee is told why. For the full procedural breakdown, see our guide to the GDPR right to rectification in HR.
  • System synchronization gaps create accuracy risks: When an employee’s job title is updated in the HRIS but not propagated to the ATS, benefits platform, or directory system, all out-of-sync records create accuracy violations.
  • Third-party data accuracy: Reference check data, background screening results, and credit check outputs sourced from third parties must also meet accuracy standards. If a third party provides incorrect data, the employer is responsible for verifying and correcting it.
  • AI model inputs are subject to accuracy obligations: HR analytics tools and AI-driven performance scoring systems that operate on inaccurate underlying data produce inaccurate outputs — and the employer is accountable for both the input data quality and the resulting decisions.

Verdict: SHRM research on HR data governance consistently identifies data accuracy as a prerequisite for defensible workforce decision-making. Inaccurate records don’t just create GDPR exposure — they drive flawed compensation decisions, discriminatory patterns in promotion data, and payroll errors. The accuracy principle protects both the individual and the organization.


7. Lawfulness, Fairness, and Transparency — The Foundation Every Other Principle Rests On

Article 5(1)(a) establishes that data must be processed lawfully, fairly, and transparently in relation to the data subject. This is foundational — without a lawful basis, no other principle can save a processing activity.

Lawfulness

Processing must rest on one of the six legal bases in Article 6. For HR, the most operationally relevant are:

  • Contract performance (Article 6(1)(b)): Processing necessary to fulfill the employment contract — payroll, benefits administration, performance management.
  • Legal obligation (Article 6(1)(c)): Processing required by employment law, tax law, or health and safety regulation.
  • Legitimate interests (Article 6(1)(f)): Processing where the employer’s interest is proportionate and does not override the employee’s fundamental rights. This basis requires a Legitimate Interests Assessment (LIA) and is not a catch-all.
  • Consent (Article 6(1)(a)): Valid in HR only for genuinely voluntary, non-conditional processing — employee surveys, optional wellness programs. Regulators including the EDPB consistently find that employment-context consent fails the freely given standard due to inherent power imbalance.

Fairness

Fairness prohibits processing that has unjustified, disproportionate, or deceptive impacts on employees. This includes algorithmic decision-making that produces discriminatory outcomes even when no discriminatory intent exists. HR’s obligation to audit AI tools for bias connects directly to the fairness principle — see our strategies for fixing AI bias in HR.

Transparency

Employees and candidates must receive clear, accessible information about what data is collected, why, on what legal basis, how long it is kept, who receives it, and what rights they hold (Articles 13 and 14). This obligation is fulfilled through privacy notices, but only when those notices are genuinely intelligible. A 12-page legal document linked from a career portal footer does not meet the transparency standard in practice, even if it technically exists. Harvard Business Review research on data trust consistently finds that transparency in data practices measurably improves employee trust and cooperation with HR processes.

Verdict: Lawfulness, fairness, and transparency ranked last here not because they matter least — they matter enormously — but because they are the principle most HR teams have at least partially addressed. The real compliance exposure lies in the operational enforcement of the other six principles, particularly accountability and storage limitation.


Putting All Seven Principles Into Practice

GDPR Article 5 compliance is not a one-time project. It is an ongoing operational discipline that requires structural controls at every stage of the employee data lifecycle. The organizations that pass regulatory scrutiny are those that have closed the gap between written policy and system-level enforcement — through documented records of processing activities, automated deletion workflows, role-based access controls, and proactive data quality processes.

For HR teams building or auditing their compliance programs, the recommended sequence mirrors the accountability chain in Article 5(2): document first, then enforce technically, then verify through HR data audits for compliance. Deloitte research on GDPR program maturity consistently identifies this documentation-before-technology sequence as the differentiator between organizations that sustain compliance and those that scramble after enforcement actions.

For HR leaders building the broader culture of privacy that makes these principles stick at the operational level, the strategies in our guide to building a data privacy culture in HR provide the workforce enablement layer that structural controls alone cannot deliver. And when evaluating or replacing HR technology vendors, ensure their technical and contractual commitments satisfy all seven Article 5 principles before signing — our framework for vetting HR software vendors for data security provides the due diligence structure.