AI Regulatory Intelligence, by YRproject

factual analysis · traceable to primary sources

Explainer

GDPR in the workplace: employee data and AI

Adopted 2026-06-21 · ≈ 2 min read · Dirk Baaijen

HR AI runs on employee data, and that sits under the GDPR. Consent is rarely a valid basis given the power imbalance; you often fall back on legitimate interest or a legal obligation. Special-category data, transparency, data minimisation and a DPIA decide whether it is allowed.

Short answer: Every HR AI system processes employee data, so the GDPR applies in full, alongside the AI Act. The hardest point is the lawful basis: consent is rarely valid in an employment relationship, because an employee cannot freely refuse. You then fall back on legitimate interest, performance of the employment contract or a legal obligation, each with its own limits.

The GDPR requires consent to be freely given. The authority relationship between employer and worker almost never allows that: anyone saying "no" to monitoring or an appraisal tool feels the pressure. Regulators therefore generally reject consent in the employment context. Legitimate interest can work, but requires a balancing test in which the worker's interest weighs heavily.

Special-category data: extra strict

AI that processes faces, voices or health touches special-category personal data (Art. 9 GDPR) with a strict prohibition regime. This overlaps with the emotion-recognition ban in the AI Act: what the AI Act prohibits is often already not allowed under the GDPR anyway.

The other core principles

  • Data minimisation: collect only what is needed; "because we can" is not a purpose.
  • Transparency: tell workers clearly which AI processes their data and why.
  • Automated decisions: for decisions with significant effects Article 22 applies, with a right to human intervention.
  • DPIA: for large-scale or intrusive processing a data protection impact assessment is mandatory; combine it with the works-council process.

National room (Art. 88)

The GDPR leaves Member States and collective-agreement parties room for their own rules in the employment context. In the Netherlands this works through the role of the works council and supervision by the data protection authority. So do not rely on the general GDPR text alone; check the national elaboration as well.

What to do

  • Determine the basis per system, and be honest: is consent here really free?
  • Run a DPIA for monitoring, profiling or large-scale processing.
  • Minimise and inform: less data, more explanation.
  • Align with the works council and, where the AI Act requires it, with worker representatives.

AI Act compliance and GDPR compliance are not interchangeable. A system can be neatly set up as high-risk and still founder on a missing lawful basis. The data is the foundation; start there.

Sources

  1. https://eur-lex.europa.eu/eli/reg/2016/679/oj
    Regulation (EU) 2016/679 (GDPR): lawful bases (Art. 6), special-category data (Art. 9), employment context (Art. 88), DPIA (Art. 35).
  2. https://eur-lex.europa.eu/eli/reg/2024/1689/oj
    Regulation (EU) 2024/1689 (AI Act): runs in parallel; AI Act compliance does not release you from GDPR duties.


Read next


GDPR Article 88 and employee data: what does it mean for AI at work?

GDPR Article 88 lets Member States set their own rules for processing in the employment context. The Netherlands has no specific Art. 88 law, so the general GDPR plus the Dutch Implementation Act apply. The article also covers the weak basis of consent, purpose limitation and the role of works councils.


AI sourcing: finding and scraping candidates without breaking the rules

AI tools that find candidates by scraping public profiles mainly engage the GDPR: even public data needs a basis, transparency and data minimisation. Untargeted scraping of facial images is even prohibited, and once the tool ranks candidates the high-risk regime is added.


DPIA for HR AI: when is it mandatory and how do you combine it with the FRIA?

A DPIA (Art. 35 GDPR) is mandatory for large-scale, systematic monitoring and for high-risk AI in HR. This article explains what it must contain and how to combine the DPIA with the FRIA (fundamental rights assessment, Art. 27 AI Act) into one process, with a practical step plan.

Dirk Baaijen

About this knowledge base

Compiled and maintained by YRproject, programme and project direction at the intersection of digital transformation, AI and regulation. Every factual claim is traceable to its primary source. YRproject is led by Dirk Baaijen.
