
In the context of data protection in the employment relationship, a company falls within the scope of the General Data Protection Regulation (GDPR) and Organic Law 3/2018 on the Protection of Personal Data and the Guarantee of Digital Rights (LOPDGDD) from the moment it collects a name, an email address, a telephone number or an IP address. This marks the starting point of data protection obligations in the employment relationship. These obligations apply equally to large corporations and SMEs: any organisation that processes personal data relating to employees, job applicants or clients must comply with data protection legislation.

Any company, regardless of its sector, faces the responsibility of handling employee data with rigour and transparency. Managing personal information in the employment context is one of the most common and complex compliance challenges: from recruitment to the termination of the employment relationship, every data set (CVs, performance evaluations, working time records or health information) can generate legal risk if not handled correctly.

In practice, many SMEs have begun to incorporate artificial intelligence (AI) tools into recruitment processes, performance evaluations or incident management. While these technologies increase efficiency, they also give rise to specific legal risks: automated decision-making without human intervention, hidden biases or lack of transparency may lead to sanctions or claims. Decisions of the Spanish Data Protection Authority (AEPD), particularly in relation to sensitive data processing such as biometric data, show that automated systems that fail to comply with the principles of transparency, data minimisation, impact assessment and human oversight may result in significant fines.

Recruitment and hiring: limits and lawful bases

During recruitment processes, SMEs often collect excessive information, such as nationality, health status, beliefs or criminal records. This infringes the principles of data minimisation and purpose limitation (Articles 5 and 6 GDPR).

Common mistakes identified:

  • Collecting full CVs without filtering out sensitive data.

  • Requesting medical certificates before a job offer is formally made.

  • Reviewing candidates’ social media profiles without transparency or documented purpose.

  • Using AI algorithms to rank or prioritise candidates without explaining the applied logic, which may result in indirect discrimination.

Good practices in relation to data protection in the employment relationship: limit requested information to what is strictly necessary, document the lawful basis justifying each data category, and ensure that candidates are informed about how their data will be used, especially where automated systems or AI are involved.

Monitoring employee activity: supervision versus privacy

Working time recording, monitoring of corporate email accounts or video surveillance are common tools in SMEs. The introduction of AI for productivity analysis or anomaly detection significantly increases legal complexity. Many measures are implemented without assessing their impact on employee privacy, leading to internal complaints or inspections.

Common scenarios:

  • Continuous GPS location tracking without consent or proportionality.

  • Video surveillance covering areas not strictly necessary for security purposes.

  • Monitoring corporate email using automated analysis to assess productivity, affecting employee privacy.

Recommendations: establish clear internal protocols, document the purpose of each monitoring measure and apply proportionality, security and data minimisation criteria (Articles 5.1 and 32 GDPR). Where AI is used, it is essential to assess system transparency and ensure human intervention in decisions directly affecting employees.

Performance evaluations, algorithms and automated decisions

An increasing number of SMEs use digital tools, including AI-based solutions, to assess performance, grant promotions or identify high-performing profiles. Where such tools produce significant decisions without human involvement, they may qualify as automated decision-making under Article 22 GDPR.

Common risks:

  • Lack of transparency regarding evaluation criteria (Articles 12 and 13 GDPR).

  • Algorithmic opacity preventing explanation of negative outcomes.

  • Biases leading to indirect discrimination based on age, gender or career background (Article 5.1.a GDPR).

  • Absence of internal review or challenge mechanisms.

Compliance keys: ensure human intervention in relevant decisions, document evaluation criteria, carry out data protection impact assessments where required (Article 35 GDPR), and allow employees to challenge and rectify outcomes. AI systems must be auditable and traceable to comply with the GDPR’s principle of accountability.

Processing of sensitive data: health, harassment and internal reporting

Special category data, such as health data, harassment complaints, internal whistleblowing reports or gender-based violence information, require enhanced safeguards (Article 9 GDPR). The use of AI to analyse risks or patterns in such data requires additional controls, as automated processing of sensitive data increases the likelihood of errors or data breaches.

Common mistakes:

  • Storing medical reports in emails or shared folders without encryption.

  • Access to internal complaints by staff who are not authorised to handle them.

  • Lack of pseudonymisation or encryption (Articles 25 and 32 GDPR).

  • Absence of access and processing traceability.

Claims handling and incident management

The management of complaints and internal whistleblowing systems is critical to preventing disputes and sanctions. Most incidents arise not from serious infringements, but from the absence of procedures and documentation.

Common issues in SMEs:

  • Late responses to data subject rights requests (Articles 12 and 15–21 GDPR).

  • Security breaches not identified or notified (Articles 33 and 34 GDPR).

  • Lack of records of automated or AI-based decisions (Articles 5.2, 22.1 and 22.4 GDPR).

  • Poor management of reporting channels (Article 5.1.f GDPR).

Recommendations: implement an internal incident management protocol covering identification, containment, assessment, notification and follow-up, aligned with data protection by design (Article 25 GDPR). AI systems used to manage incidents must be audited to ensure traceability and prevent biased or unfair decisions.

Preventive strategies for SMEs: compliance and control

The true value of data protection in the employment relationship lies in anticipating risk. The GDPR requires proactive accountability and the ability to demonstrate that appropriate measures have been adopted.

Key elements of a preventive strategy:

  • Clear, proportionate internal policies adapted to each stage of the employment lifecycle (Article 5.1 GDPR).

  • Staff training and awareness, particularly in HR, management and IT, including the correct use of digital and AI tools (Article 32 GDPR).

  • Periodic assessments and internal audits, including reviews of automated systems and AI impact assessments (Article 35 GDPR).

  • Comprehensive documentation and traceability of all processing activities.

  • Preparedness for claims, with fast and coordinated internal response mechanisms (Articles 12, 24 and 25 GDPR).

Conclusions on data protection in the employment relationship

Data protection in the employment relationship is neither optional nor merely a regulatory obligation: it is a strategic tool that protects the SME’s reputation, strengthens employee trust and prevents sanctions.

Our experience shows that the most serious incidents rarely arise from bad faith, but from the lack of adequate procedures, documentation and control. Integrating good practices at every stage of the employment relationship is therefore the best investment any SME can make.

Seeking professional advice and establishing clear protocols today helps avoid future claims, disputes and risks, ensuring a safe, transparent and legally compliant working environment.
