
Post: GDPR Article 5 for HR: 7 Data Processing Principles Ranked by Risk in 2026
GDPR Article 5 establishes seven binding principles for HR data processing — from lawful collection through secure storage and final deletion. Violations expose employers to fines up to €20 million or 4% of global annual turnover. This breakdown ranks all seven principles by where HR operations fail most often and what corrective action each requires.
GDPR Article 5 is not a compliance checklist. It is the legal spine of every HR data processing decision your organization makes — from the moment a candidate submits a résumé to the day you archive a departing employee’s final payroll record. Get it wrong, and penalties reach €20 million or 4% of global annual turnover under Article 83(5). Get it right, and you have a defensible, audit-ready framework that protects both the organization and the workforce it serves.
The seven principles below are ranked by where HR teams most commonly fail in practice. If you are also navigating AI-driven hiring tools or automated monitoring systems, the EEOC AI compliance requirements for HR and EU AI Act requirements for HR leaders carry obligations that layer directly on top of Article 5. For broader data governance context, see our analysis of global AI regulations reshaping HR compliance.
| Rank | Principle | Article Reference | Primary HR Failure Mode | Enforcement Priority |
|---|---|---|---|---|
| 1 | Accountability | Art. 5(2) | No documented evidence of compliance | Critical |
| 2 | Storage Limitation | Art. 5(1)(e) | Data held years beyond defensible retention | Critical |
| 3 | Data Minimisation | Art. 5(1)(c) | Legacy form fields with no documented purpose | High |
| 4 | Purpose Limitation | Art. 5(1)(b) | Data repurposed without new legal basis | High |
| 5 | Integrity and Confidentiality | Art. 5(1)(f) | Weak access controls and unencrypted transfers | High |
| 6 | Accuracy | Art. 5(1)(d) | Stale records and no correction workflow | Moderate |
| 7 | Lawfulness, Fairness, Transparency | Art. 5(1)(a) | Outdated or missing privacy notices | Moderate |
1. Accountability — The Principle That Makes All Others Enforceable
Accountability under Article 5(2) shifts the burden of proof entirely onto the employer. You must not only comply with the first six principles — you must demonstrate compliance at any point a supervisory authority asks. This is why it ranks first: a failure here undermines every other principle. Without documented evidence, a regulator treats your compliance as unproven.
What accountability requires in HR
- Records of Processing Activities (RoPA): Article 30 requires documented RoPA for organizations above 250 employees and for any organization processing sensitive data. HR data almost always qualifies as sensitive under GDPR definitions.
- Data Protection Impact Assessments (DPIAs): Required for high-risk processing — AI-driven hiring tools, biometric time tracking, and large-scale employee monitoring all trigger this requirement under Article 35.
- Staff training logs: Regulators treat untrained staff as an accountability failure. Training completion records must be retained and producible on demand.
- Policy version control: Privacy notices, data processing agreements, and internal data governance policies must carry version dates and change logs. A policy without a version date is a policy you cannot defend.
- Vendor agreements: Data Processing Agreements (DPAs) with every HR software vendor — your ATS, HRIS, payroll platform, and benefits portal — are a baseline accountability requirement, not optional extras.
- Designated accountability owner: Even organizations without a mandatory Data Protection Officer benefit from a named internal accountability owner whose role is documented in the RoPA.
Expert Take
Accountability documentation gaps are the most common trigger for regulatory enforcement action in HR. Supervisory authorities across the EU have repeatedly issued findings not because an organization lacked a compliant process, but because it could not produce evidence that the process existed. In HR operations, the documentation discipline required for GDPR accountability maps directly onto the same process clarity that prevents operational failures — broken benefits feeds, payroll errors, and onboarding gaps. The organizations that invest in structured process documentation for compliance reasons almost always discover they are simultaneously fixing operational problems they did not know they had.
2. Storage Limitation — The Principle HR Operations Violates Most Often
Personal data must be kept in a form that permits identification of data subjects for no longer than necessary for the processing purpose. There is no GDPR-defined universal retention period. HR must establish its own schedules, anchored to legal obligations and documented in writing. Storage limitation violations accumulate quietly — discovered only when an audit or subject access request surfaces data that has sat in an ATS or HRIS for years with no defensible justification.
What compliant retention management requires
- Define retention triggers, not just periods: “Keep for seven years” is incomplete. The schedule must specify what event starts the clock — date of termination, date of last transaction, date of failed application, date of contract end.
- Implement technical deletion workflows: A written policy that no system enforces is a violation waiting to be discovered. ATS platforms, HRIS systems, and payroll software must have automated or calendar-triggered deletion workflows, not manual reminders.
- Distinguish data categories: Payroll records carry a six-year legal retention obligation in many jurisdictions. Unsuccessful candidate data has no legal obligation beyond six to twelve months from rejection in most EU member states. Each category needs its own documented schedule.
- Use anonymization strategically: Where aggregated workforce analytics have ongoing value, truly anonymous data — not pseudonymized — falls outside GDPR scope entirely. This distinction matters for workforce planning dashboards and DEI reporting.
- Audit current backlogs first: Most HR teams discover, during a first-pass audit, data held years beyond any defensible retention period. The fix requires pairing a documented HRIS data validation framework with technical enforcement in every system that touches employee data.
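The retention points above (a trigger event that starts the clock, a separate schedule per data category, and a backlog audit that surfaces records held past their date) can be expressed as a small retention checker. The code below is an added example, not code from the original post or from any HRIS vendor; the data categories, trigger event names, retention periods and sample records are constructed placeholders, and real periods must come from the organisation's own documented schedule.

```python
"""Retention-schedule checker for HR records (added example, not from the post).

Each category names the trigger event that starts its clock and how many months
the record may be kept afterwards. Records whose category has no documented
schedule are reported as a finding in their own right.
"""
import calendar
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Constructed schedule: category -> (trigger event, months retained after it).
# The periods are illustrative assumptions, not legal advice.
RETENTION_SCHEDULE = {
    "payroll": ("last_payment", 72),            # e.g. a six-year statutory period
    "unsuccessful_candidate": ("rejection", 6),  # short period after rejection
    "employee_file": ("termination", 72),
    "benefits_enrollment": ("contract_end", 72),
}


@dataclass
class HRRecord:
    record_id: str
    category: str
    # Trigger events actually observed for this record. A missing event means
    # it has not happened yet (e.g. the employee is still active).
    events: Dict[str, date] = field(default_factory=dict)


def add_months(d: date, months: int) -> date:
    """Calendar-aware month arithmetic; clamps the day to the target month."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def deletion_due(record: HRRecord) -> Optional[date]:
    """Date by which the record must be deleted or anonymised, or None if the
    trigger event has not occurred yet. KeyError for an unscheduled category
    is deliberate: an undocumented category is itself a finding."""
    trigger, months = RETENTION_SCHEDULE[record.category]
    start = record.events.get(trigger)
    if start is None:
        return None
    return add_months(start, months)


def audit(records: List[HRRecord], today: date) -> Dict[str, List[str]]:
    """Classify every record for a first-pass backlog audit."""
    findings = {"overdue": [], "clock_not_started": [], "retained": [], "unscheduled": []}
    for r in records:
        if r.category not in RETENTION_SCHEDULE:
            findings["unscheduled"].append(r.record_id)
            continue
        due = deletion_due(r)
        if due is None:
            findings["clock_not_started"].append(r.record_id)
        elif due <= today:
            findings["overdue"].append(r.record_id)
        else:
            findings["retained"].append(r.record_id)
    return findings


# Constructed sample records for a run against a notional audit date.
SAMPLE_RECORDS = [
    HRRecord("C-1001", "unsuccessful_candidate", {"rejection": date(2023, 3, 15)}),
    HRRecord("E-2002", "payroll", {"last_payment": date(2021, 1, 31)}),
    HRRecord("E-2003", "employee_file", {}),                       # still employed
    HRRecord("E-2004", "employee_file", {"termination": date(2019, 6, 30)}),
    HRRecord("X-3001", "wellness_survey", {"collected": date(2022, 5, 1)}),  # no schedule
]

if __name__ == "__main__":
    for bucket, ids in audit(SAMPLE_RECORDS, date(2026, 1, 15)).items():
        print(f"{bucket}: {ids}")
```

The "clock_not_started" bucket is what distinguishes a trigger-based schedule from a plain "keep for N years" rule: an active employee's file is never flagged, but the day a termination date is recorded the clock starts without anyone setting a reminder. The "unscheduled" bucket is the minimisation and accountability gap in one: data being held with no documented schedule at all.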
For teams managing inherited HR operations where historical data practices are unknown, the HR triage risk mapping process provides a structured method for identifying and prioritizing these backlogs before they become enforcement exposure.
3. Data Minimisation — The Discipline of Collecting Only What You Can Justify
Data must be adequate, relevant, and limited to what is necessary for the stated processing purpose. In HR, minimisation failures almost never start as intentional overreach. They accumulate through years of unchallenged form additions — a field added for a one-time project that never gets removed, a vendor integration that pulls more data than the use case requires, an onboarding packet that requests documents no downstream process ever uses.
What data minimisation requires in practice
- Field-level purpose mapping: Every data field on every HR form — application, onboarding, performance review, exit survey — must map to a specific, documented processing purpose. Fields that cannot be justified must be removed, not archived.
- Challenge “nice to have” data: Date of birth is required for age discrimination monitoring in some jurisdictions; in others, it is not. National ID numbers may be required for payroll; they are not required for screening. Each field demands a purpose test, not an assumption.
- Use system migrations as minimisation opportunities: HRIS replacements and ATS upgrades are the best moment to eliminate legacy data fields that have never had a documented purpose. Migrating bad data discipline into a new system compounds the problem.
- Audit third-party tools specifically: Benefits enrollment platforms, learning management systems, and employee assistance program portals each collect their own data sets. HR must audit these tools for minimisation compliance, not only the core HRIS.
- Document the justification for every retained field: The documentation does not need to be complex — a simple field-to-purpose mapping spreadsheet tied to the RoPA is sufficient and producible for a supervisory authority review.
Expert Take
Data minimisation is the principle that forces HR teams to confront a discipline problem that has nothing to do with GDPR: most HR data collection has never been formally justified. When organizations complete a field-level purpose mapping exercise for the first time, they routinely discover that 20 to 40 percent of the data fields they collect have no documented use case. Eliminating those fields reduces compliance risk, improves data quality, and often reduces the system maintenance burden simultaneously. Minimisation is not a constraint on HR operations — it is a forcing function for operational clarity.
4. Purpose Limitation — The Principle That Governs What You Do With Data After Collection
Personal data collected for a specified, explicit, and legitimate purpose must not be processed in a manner incompatible with that purpose. In HR, purpose limitation failures typically occur when data collected for one legitimate reason is repurposed for a secondary use without establishing a new legal basis or conducting a compatibility assessment.
Where purpose limitation breaks down in HR
- Candidate data repurposed for internal analytics: Application data collected under a recruitment lawful basis cannot be fed into a workforce planning algorithm without a compatibility assessment. The original purpose was hiring decisions for a specific role — not workforce trend modeling.
- Performance data used for restructuring: Performance review data collected for development purposes carries a specific processing purpose. Using it as the primary basis for a redundancy selection process requires a documented compatibility assessment and, in many cases, a new legal basis.
- Health data collected for one purpose applied to another: Occupational health data collected for a specific workplace adjustment request cannot be shared with a line manager for general performance management. The original purpose controls the permissible scope.
- Consent obtained for one processing purpose does not extend to others: Where consent is the lawful basis, repurposing requires fresh consent. This is why consent is often the wrong lawful basis for employment data — the power imbalance between employer and employee makes freely given consent difficult to establish.
- Document compatibility assessments: Where a secondary use is arguably compatible with the original purpose, Article 6(4) requires a documented assessment across five factors: link between purposes, context of collection, nature of data, consequences of further processing, and existence of safeguards.
5. Integrity and Confidentiality — The Security Principle
Personal data must be processed in a manner that ensures appropriate security — including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage — using appropriate technical and organizational measures. This is GDPR’s security principle, and it applies to every system, process, and person that handles HR data.
Technical and organizational measures HR must implement
- Role-based access controls: Access to employee data must be limited to those whose role requires it. A recruiter has no legitimate need to access payroll data. A payroll administrator has no legitimate need to access medical records. Access controls must be documented and reviewed periodically.
- Encryption in transit and at rest: Unencrypted email transfers of employee data — including offer letters, salary information, and personal records — violate this principle. All HR data in transit must be encrypted. Storage encryption is a baseline expectation for any system holding personal data.
- Vendor security assessments: The DPA with each HR software vendor must include specific security commitments. A DPA that contains no security specifications is not a compliant DPA.
- Breach detection and response capability: Article 33 requires notification to the supervisory authority within 72 hours of becoming aware of a breach. That timeline is impossible to meet without documented detection and escalation procedures.
- Physical security: Paper-based HR records — I-9 forms, signed offer letters, medical certificates — require locked storage with documented access controls. Physical security is as much a GDPR obligation as technical security.
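The role-based access control point above has two halves: a deny-by-default policy that says which roles may read which HR data categories, and a periodic review that checks the policy against what actually happened. The following added example (not code from the original post; the roles, data categories, sample users and log format are constructed assumptions) encodes such a policy, checks a sample access log against it, and lists granted permissions that were never exercised, which is the input a least-privilege review needs.

```python
"""Role-based access policy for HR data categories and a review of an access
log against it (added example, not from the post; all names are constructed).
"""
from typing import Dict, List, Set

# Deny by default: a role may read only the data categories listed for it.
# Note the separation the post describes: recruiters never see payroll,
# payroll administrators never see medical records.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "recruiter": {"candidate_application"},
    "payroll_admin": {"payroll", "employee_contact"},
    "hr_generalist": {"employee_contact", "employee_file"},
    "occupational_health": {"medical"},
}


def is_permitted(role: str, category: str) -> bool:
    """Unknown roles and unlisted categories are denied."""
    return category in ROLE_PERMISSIONS.get(role, set())


# Constructed sample access log, one event per line:
# <timestamp> <user> <role> <action> <data category> <record id>
SAMPLE_LOG = """\
2026-01-15T09:02:11Z alice recruiter read candidate_application C-1001
2026-01-15T09:05:47Z alice recruiter read payroll E-2002
2026-01-15T09:10:03Z bob payroll_admin read payroll E-2002
2026-01-15T09:12:30Z bob payroll_admin read medical E-2003
2026-01-15T09:15:00Z carol hr_generalist read employee_file E-2004
2026-01-15T09:20:45Z dave contractor read employee_file E-2004
"""


def parse_line(line: str) -> Dict[str, str]:
    ts, user, role, action, category, record = line.split()
    return {"timestamp": ts, "user": user, "role": role, "action": action,
            "category": category, "record": record}


def entries(log_text: str):
    for raw in log_text.splitlines():
        if raw.strip():
            yield parse_line(raw)


def review_access_log(log_text: str) -> List[Dict[str, str]]:
    """Return every logged access the policy does not permit."""
    return [e for e in entries(log_text) if not is_permitted(e["role"], e["category"])]


def unused_permissions(log_text: str) -> Dict[str, List[str]]:
    """Permissions granted in the policy that no logged access used: candidates
    for removal at the periodic access review."""
    used = {(e["role"], e["category"]) for e in entries(log_text)
            if is_permitted(e["role"], e["category"])}
    return {role: sorted(c for c in cats if (role, c) not in used)
            for role, cats in ROLE_PERMISSIONS.items()}


if __name__ == "__main__":
    for v in review_access_log(SAMPLE_LOG):
        print(f"VIOLATION {v['timestamp']} {v['user']} ({v['role']}) read "
              f"{v['category']} {v['record']}")
    for role, cats in unused_permissions(SAMPLE_LOG).items():
        if cats:
            print(f"REVIEW {role}: granted but unused {cats}")
```

Two of the three violations in the sample are a permitted role reaching a category outside its remit (a recruiter reading payroll, a payroll administrator reading medical data); the third is a role the policy does not know at all, which deny-by-default catches without a special case. The unused-permissions output is how the "reviewed periodically" requirement becomes evidence rather than a statement: it shows which grants could be withdrawn before the next review.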
Teams managing automated HR workflows should note that California AI procurement compliance requirements for HR add state-level security obligations that layer on top of GDPR for multinational employers.
6. Accuracy — The Principle That Prevents Operational and Legal Harm Simultaneously
Personal data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that inaccurate data — having regard to the purposes for which it is processed — is erased or rectified without delay. In HR, accuracy failures cause both compliance violations and direct operational harm.
Where accuracy failures cost HR operations most
- Payroll data: The $27K overpayment case illustrates what a single inaccurate salary entry produces — a $103,000 annual salary transcribed as $130,000, an employee who received the overpayment and resigned, and a recovery process that cost more than the error itself. Accuracy in payroll data is simultaneously a GDPR obligation and a direct financial control.
- Benefits eligibility records: Inaccurate benefits eligibility data produces both regulatory exposure and real harm to employees — coverage denied when owed, premiums charged for lapsed coverage, and carrier feeds that compound errors over time. The benefits carrier feed reconciliation process addresses this operationally.
- Employment status records: Inaccurate records of employment status — particularly for terminated employees — create access control failures (former employees retaining system access) and payroll continuation errors.
- Right to rectification requests: Data subjects have the right under Article 16 to have inaccurate data corrected. HR must have a documented process for receiving, verifying, and actioning these requests within one month.
- Self-service update workflows: HRIS systems with employee self-service portals reduce accuracy failures by shifting routine updates — address changes, emergency contacts, bank account details — to the data subject directly, with HR validation as a control step rather than a manual data entry step.
7. Lawfulness, Fairness, and Transparency — The Foundation Everyone Assumes Is Covered
Processing must be lawful (based on one of the six Article 6 lawful bases), fair (not used in ways that are harmful, discriminatory, unexpected, or misleading to data subjects), and transparent (data subjects must be informed about what is collected, why, how long it is kept, and what rights they have). Despite ranking seventh by HR failure frequency, this principle carries the highest reputational risk when it fails visibly.
Lawful basis selection for HR processing
HR processing typically relies on three Article 6 lawful bases:
- Article 6(1)(b) — Contract: Processing necessary for the performance of or entry into an employment contract. Covers payroll, benefits administration, performance management directly tied to contractual obligations.
- Article 6(1)(c) — Legal obligation: Processing required by law — tax reporting, right-to-work verification, health and safety obligations. This is the most defensible basis because the legal obligation is externally defined.
- Article 6(1)(f) — Legitimate interests: Available where the employer’s interests are not overridden by the rights and interests of the data subject. Requires a documented legitimate interests assessment (LIA). Cannot be used for special category data.
Transparency requirements for HR
- Privacy notices at collection: Candidates and employees must receive a privacy notice at the point data is collected — before submitting an application, at the start of onboarding, and when new processing is introduced. A notice buried in an employee handbook delivered months after data collection does not satisfy this requirement.
- Clear language: Privacy notices must be written in plain language accessible to the intended audience. Legal boilerplate that cannot be understood by a non-lawyer does not satisfy the transparency standard.
- Informed employees on monitoring: Any form of employee monitoring — email monitoring, productivity tracking, location tracking — requires advance disclosure. Covert monitoring is a transparency failure regardless of the legitimate interest basis claimed.
- Automated decision-making disclosure: Where HR uses AI tools that make or substantially influence decisions about individuals — screening algorithms, performance scoring systems — Article 22 requires disclosure and, in many cases, the right to human review.
Expert Take
Lawfulness, fairness, and transparency rank seventh by failure frequency not because HR teams ignore them, but because most organizations completed a round of GDPR compliance work in 2018 and have not revisited it since. Privacy notices written for 2018 processing activities do not cover AI-assisted hiring tools, remote monitoring systems, or the third-party integrations added in 2022 and 2023. The risk is not that organizations never addressed this principle — it is that they addressed it once and assumed the work was permanent. Transparency is a living obligation, not a one-time disclosure event.
How These 7 Principles Connect to Operational HR Risk
GDPR Article 5 compliance does not exist in a separate compliance function. Every principle maps to an operational HR risk that exists independently of regulatory exposure:
- Accountability failures are also documentation failures that surface in employment tribunal proceedings.
- Storage limitation failures are also data quality failures that corrupt workforce analytics.
- Data minimisation failures are also system complexity failures that slow HRIS migrations.
- Accuracy failures are also payroll and benefits errors with direct financial consequences — as the $27K overpayment case study demonstrates.
- Integrity failures are also security failures that expose the organization to breach liability under Articles 33 and 34.
For HR teams operating with limited capacity, the HR of One survival FAQ addresses how to prioritize compliance work when resource constraints are real. The 11 warning signs your inherited HR operation is bleeding money also covers data governance failures as a direct financial risk, not only a compliance risk.
Frequently Asked Questions: GDPR Article 5 for HR
What is the most commonly violated GDPR Article 5 principle in HR?
Storage limitation is the most commonly violated principle in HR operations. Most organizations have clear data collection practices but no technical enforcement of deletion schedules. Data accumulated in ATS platforms, HRIS systems, and payroll archives for years beyond any defensible retention period is the dominant finding in HR data audits.
Does GDPR Article 5 apply to job applicants as well as employees?
Yes. GDPR Article 5 applies to all natural persons whose data is processed by the organization. Candidates, contractors, former employees, and current employees are all covered. Unsuccessful candidate data is a specific storage limitation risk — there is no legal basis for retaining application data indefinitely once the recruitment process concludes.
What is the accountability principle under GDPR Article 5(2)?
Article 5(2) requires the data controller — the employer — to be responsible for compliance with all Article 5(1) principles and to be able to demonstrate that compliance. The burden of proof sits with the employer, not the supervisory authority. This makes documentation the foundation of accountability: if you cannot produce evidence of compliance, the regulator treats you as non-compliant.
How often should HR review its GDPR Article 5 compliance?
At minimum, HR should review Article 5 compliance annually and whenever a new processing activity is introduced — including new HR software, new monitoring tools, or new uses of existing data. Privacy notices, RoPA entries, DPIAs, and retention schedules are all living documents that require version-controlled updates, not one-time completion.
Does using AI in HR recruitment trigger additional GDPR obligations beyond Article 5?
Yes. AI-assisted recruitment tools trigger Article 35 DPIA requirements (high-risk processing), Article 22 obligations for automated decision-making, and the EU AI Act’s requirements for high-risk AI systems in employment contexts. GDPR Article 5 compliance is the baseline — AI deployment in HR adds obligations on top of it. See our breakdown of EU AI Act strategic compliance for HR and recruiting automation for the full picture.
What is the difference between data minimisation and purpose limitation?
Data minimisation governs what you collect — only data adequate, relevant, and necessary for the stated purpose. Purpose limitation governs what you do with data after collection — it cannot be used for a purpose incompatible with the purpose for which it was collected. Both principles must be satisfied independently. Collecting only the right data does not permit repurposing that data without a compatible purpose or new legal basis.
Additional Reading
- 9 EEOC AI Compliance Requirements HR Teams Must Meet in 2026
- 11 EU AI Act Requirements Every HR Leader Must Know in 2026
- EU AI Act: Strategic Compliance for HR and Recruiting Automation
- Global AI Regulations: Reshaping HR Compliance & Strategy
- California AI Procurement Compliance: Action Steps for HR and Recruiting
- The $27K Overpayment: How One HRIS Data Entry Mistake Cost a Manufacturer a Year of Salary
- HRIS Required Fields vs Manual Data Validation: Which Is Safer for Small HR Teams?
- How to Reconcile a Broken Benefits Carrier Feed: Step by Step
- What Is HR Triage Risk Mapping? How HR Leaders Prioritize Inherited Messes
- 11 Warning Signs Your Inherited HR Operation Is Bleeding Money
- HR of One Survival FAQ: Inherited Operations Questions Answered
- Drowning in Admin: How Solo and Small HR Teams Can Fix Broken HR Operations Without Burning Out
- 9 HRIS Configuration Defaults Every Small HR Team Should Change
- How to Audit Inherited I-9 Records Without Creating New Violations
- What Is a Minimum Viable HR Process? A Plain-Language Definition

