GDPR doesn't just protect your customers' data — it also protects your employees' data. If you hire staff, contractors, or even interns in the EU, GDPR Article 13 requires you to give them a privacy notice (sometimes called an 'employee privacy notice' or 'staff privacy notice') at the time you collect their personal data.
Most SaaS founders focus entirely on their customer-facing Privacy Policy and overlook their HR obligations. DPAs (data protection authorities) are increasingly focusing enforcement on this gap, particularly as EU employment regulators and DPAs begin to coordinate.
Why Article 13 applies to employees
GDPR Article 13 says: "Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information."
This isn't limited to customers. Any time you collect personal data directly from an identifiable person — including a job applicant filling out a form, a new hire completing onboarding, or an employee submitting an expense claim — you must provide the transparency information required by Art. 13.
Art. 14 covers data that is not collected directly from the data subject (e.g., a reference check, or processing a candidate's LinkedIn profile without contacting them). The required information is largely the same.
What an employee privacy notice must contain
Under GDPR Articles 13 and 12(1), your employee privacy notice must include:
Controller identity and contact details
The legal entity name, address, and contact details of the employer (data controller), plus DPO contact if you have one.
Purposes and legal basis for each processing activity
For each purpose, you must identify the lawful basis. Common HR processing activities and their bases:
- Employment contract administration (payroll, benefits) — Art. 6(1)(b): necessary for the performance of the employment contract
- Legal compliance (tax withholding, mandatory reporting) — Art. 6(1)(c): legal obligation
- Performance management, monitoring — Art. 6(1)(f): legitimate interests (must pass the balancing test)
- Health and safety records — Art. 9(2)(b): necessary for obligations in employment law
- Background checks, criminal records — Art. 10 / Member State law (highly restricted; check local law)
- Marketing / company blog appearances — Art. 6(1)(a): consent (must be freely given; cannot be a condition of employment)
Important: Consent is a very weak lawful basis for employee data because of the power imbalance between employer and employee. Where GDPR requires consent to be freely given, it is often difficult to argue an employee can freely withhold it. Use contract, legal obligation, or legitimate interests wherever possible.
Categories of personal data processed
List the categories: identification data (name, ID number), contact data, financial data (bank account, salary), health data (if applicable), performance data, device/system access logs, communications (if monitored), etc.
Special category data (health, biometrics, trade union membership, religious beliefs, political opinions, racial/ethnic origin, sexual orientation) requires an additional Art. 9 basis — most commonly Art. 9(2)(b) for employment law obligations.
Recipients and categories of recipients
Who you share employee data with: payroll processors, benefits providers, pension administrators, tax authorities, health insurers, background check providers, your HR software (e.g., BambooHR, Personio, HiBob), cloud storage providers, IT management tools.
International transfers
If any recipient is outside the EEA (e.g., a US-based HR SaaS you use), disclose the transfer mechanism: SCCs (Standard Contractual Clauses), the EU-US Data Privacy Framework (DPF), an adequacy decision, or binding corporate rules.
Retention periods
How long you keep each category of employment data. Common EU requirements:
- Payroll records: 7–10 years (varies by Member State)
- Employment contracts: duration of employment + 7 years
- Application/recruitment records for unsuccessful candidates: 6–12 months (varies; check local law)
- Health and safety records: varies (some Member States require very long retention)
- Performance reviews: typically 5 years after end of employment
Employee data subject rights
You must inform employees of their rights: access, rectification, erasure, restriction, data portability, objection, and the right to lodge a complaint with the supervisory authority. Note any restrictions that apply (e.g., erasure requests may be limited during the legally required retention period).
Right to withdraw consent
Where processing is based on consent, state that the employee may withdraw consent at any time and that withdrawal does not affect the lawfulness of processing carried out before it was withdrawn.
Whether provision is statutory or contractual
State whether providing personal data is a statutory/contractual requirement or a condition for entering into a contract, and the consequences of failure to provide it (e.g., cannot process payroll without bank account details).
Automated decision-making
If you use automated tools (AI-based performance scoring, automated shortlisting in recruitment) that make decisions producing legal or similarly significant effects on the employee, this must be disclosed under Art. 22.
When to provide it
Art. 13(1) is clear: at the time personal data is collected. In practice, this means:
- Job applicants: at the point they submit their application (include a link to the notice on the application form or in the job posting)
- New hires: at the point of onboarding, before or when you collect their employment data (include in the employment contract pack)
- Existing employees if you introduce new processing: as soon as possible and before the new processing begins
Employment law interplay by country
GDPR sets the floor; Member States can and do impose additional requirements for employee data. Key examples:
- Germany: Works councils must be consulted before introducing monitoring systems. § 26 BDSG provides a specific basis for employee data processing.
- France: Employee representative bodies (CSE) have information and consultation rights. CNIL guidance on employee monitoring is strict.
- Estonia: Employment Contracts Act § 14 governs employer data collection obligations. AKI (Estonian DPA) has published specific guidance for employers.
- Netherlands: Works councils under the Works Councils Act must be consulted on data processing systems affecting employees.
Always check local employment law alongside GDPR when drafting your employee privacy notice, especially for monitoring (email/device monitoring) and health data.
What not to confuse with the employee privacy notice
- Customer-facing Privacy Policy: completely separate document. Your Privacy Policy covers customers and website visitors, not employees.
- DPA (Data Processing Agreement): a contract with your data processors (e.g., your HR software vendor). Required under GDPR Art. 28, but separate from the transparency notice you give employees.
- Consent forms: only needed where consent is the lawful basis for specific processing activities (rare in employment context, as explained above).
Practical checklist for SaaS founders
- ✅ Draft an employee privacy notice covering all processing activities in your employee lifecycle
- ✅ Include it in your onboarding pack and have employees acknowledge receipt
- ✅ Add a link to the notice on all recruitment application forms
- ✅ Review and update it when you introduce new HR tools or processing activities
- ✅ Ensure your HR SaaS providers have signed DPAs with you
- ✅ Include employment data in your Data Retention Policy
- ✅ If processing special category data, confirm you have an Art. 9 basis and check local employment law
Generate your core compliance documents
While ComplyKit doesn't currently generate employee privacy notices (a jurisdiction-specific, employment-law-dependent document best reviewed by an HR lawyer), you can use ComplyKit to generate the surrounding compliance infrastructure:
- Privacy Policy — customer-facing transparency document
- Data Retention Policy — covers employee data retention schedules
- GDPR DPA — for your HR software vendors
- Sub-Processor List — includes HR tools that process employee data
- Information Security Policy — covers access to employee data systems