GDPR audits in HR departments

Krzysztof Grabowski, Data Protection Officer, Crowe

Human Resources departments are usually where the largest volume of a company's personal data is processed. Which HR documents are subject to GDPR audits?

Personal data is first collected from job applicants during the recruitment process. When an applicant becomes an employee, their data enters the employer's internal records and is passed on to public institutions, clients and service providers. After the employment relationship ends, the former employee becomes one of the company's alumni, and their data is retained for the statutory retention periods before it is deleted.

Recruitment process audit

In the recruitment process, the auditor's main concern is whether personal data is collected in compliance with the GDPR. During the audit, the following documents are checked:

  • Information notice for the recruitment process (the information obligation under Articles 13 and 14 GDPR)
  • Consents to the processing of job applicants' data
  • Questionnaires for job applicants
  • Register of personal data processing activities (Article 30 GDPR)
  • Risk Assessment Report (and a DPIA where one is required)
  • Data processing (entrustment) agreements, if other entities are involved in the process
  • Data security policies and other related documents


What documents are audited in HR and payroll processes?

Human resources and payroll administration form the most extensive part of the audit, both because of how long the data is processed and how regularly it is processed. The number of activities and documents depends on the size of the company and the benefits to which employees are entitled. To verify that data processing complies with the GDPR, the following documents are required:

  • Information notice for HR and payroll processes (the information obligation under Articles 13 and 14 GDPR)
  • Questionnaires for employees
  • Register of personal data processing activities (Article 30 GDPR)
  • Authorisations to process personal data, including authorisations for specific categories of data
  • Risk Assessment Report (and a DPIA where one is required)
  • Data processing (entrustment) agreements, if other entities are involved
  • Documentation of the processing of company social benefits fund data (if such a fund exists)
  • Documentation of the processing of video surveillance data (if surveillance is in place)
  • Employment contract templates
  • Policies, procedures and job instructions for the processing of personal data in the company and the HR department
  • Training on personal data protection, together with certificates confirming that it has been completed

How often should GDPR audits be carried out in HR departments?

Over the last two years, we have observed a significant number of changes implemented in companies in connection with the entry into force of the GDPR. Nevertheless, many areas have still not been adapted to the current legal requirements. This is why an audit is recommended at least once a year. The most effective way to verify that procedures comply with the relevant regulations is to have the audit conducted by an independent company, which gives the organisation greater assurance that all issues have been checked thoroughly.
