Every time an employee submits a leave request, your organisation processes personal data. When that request is for sick leave, you may be handling special category data that reveals information about someone’s health. And if you are using cloud-based HR software, you might be transferring that data across borders.
Most HR teams understand GDPR in broad strokes but struggle with the specific implications for leave management. This guide breaks down exactly what GDPR requires when it comes to employee leave data — from lawful bases for processing to retention periods, employee rights, and cross-border transfers. It finishes with a practical compliance checklist you can implement immediately.
Why Leave Data Is Personal Data
Under the GDPR (General Data Protection Regulation — Regulation (EU) 2016/679), personal data is any information relating to an identified or identifiable natural person. Employee leave data clearly falls within this definition.
Leave records typically include:
- The employee’s name and identifier — obviously personal data
- Leave dates and durations — linked to an identifiable individual
- Leave type (annual leave, sick leave, maternity, compassionate leave) — this can reveal sensitive information
- Leave approval status and approver — processing records involving identified individuals
- Leave balances and accruals — derived from personal employment data
- Reasons for leave (where recorded) — potentially highly sensitive
- Medical certificates or fit notes — explicitly health data
This data is personal data regardless of how it is stored — whether in a sophisticated HR system, a shared spreadsheet, a Slack channel, or a paper diary in the office.
Special Category Data: The Sick Leave Problem
This is where leave management intersects with the most sensitive tier of GDPR protection. Article 9 of the GDPR identifies “special categories” of personal data that require additional safeguards. These include data revealing:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data, and biometric data where it is used to uniquely identify a person
- Health data
- Sex life or sexual orientation
How Leave Data Becomes Special Category Data
Sick leave records, even basic ones, can constitute health data. The CJEU has taken a broad interpretation: in Case C-184/20 (Vyriausioji tarnybinės etikos komisija), the court held that personal data liable to reveal a special category indirectly (in that case, sexual orientation inferred from the name of a declarant’s partner) falls within Article 9 even though nothing sensitive is stated explicitly. The same reasoning applies to absence records from which a health condition can be inferred, even where no diagnosis is recorded.
Consider these examples:
- Recording that an employee is on “sick leave” reveals they have a health condition
- Recording “hospital appointment” as a leave reason reveals health-related information
- Patterns of absence (e.g., regular Monday absences) could imply health issues
- Maternity leave reveals pregnancy status — also health data
- Mental health days or stress-related absences are explicitly health data
Processing Special Category Data Lawfully
To process special category leave data, you need both a lawful basis under Article 6 and an additional condition under Article 9. The most relevant Article 9 conditions for HR teams are:
- Article 9(2)(b): Processing is necessary for carrying out obligations or exercising specific rights in the field of employment, social security and social protection law, where authorised by law or a collective agreement (e.g., statutory sick pay administration, health and safety obligations). This is the condition most commonly relied upon for sick leave processing. Under the UK GDPR it must be read with Schedule 1, Part 1, paragraph 1 of the Data Protection Act 2018, which also requires you to have an “appropriate policy document” in place.
- Article 9(2)(h): Processing is necessary for the assessment of the working capacity of the employee (with appropriate safeguards and by or under the responsibility of a professional subject to secrecy obligations).
Explicit consent (Article 9(2)(a)) is generally not appropriate for employee leave data because of the inherent power imbalance in the employment relationship. The UK Information Commissioner’s Office (ICO) and the European Data Protection Board (EDPB) have both warned that employee consent is rarely freely given due to this imbalance.
Lawful Bases for Processing Leave Data
Under Article 6 of the GDPR, every instance of data processing requires a lawful basis. For employee leave data, the relevant bases are:
Article 6(1)(b): Contract Performance
Processing leave data is generally necessary to perform the employment contract. You need to know when employees are on leave to manage rotas, workload, and pay.
Use this for: Recording annual leave requests, calculating leave balances, processing holiday pay, managing leave approval workflows.
Article 6(1)(c): Legal Obligation
Certain leave data processing is required by law — for example, maintaining records for Working Time Regulations compliance, calculating statutory sick pay, or administering statutory maternity pay.
Use this for: SSP calculations, statutory leave record-keeping, reporting obligations.
Article 6(1)(f): Legitimate Interests
Where processing is not strictly necessary for contract performance or legal compliance, legitimate interests may apply. This requires a balancing test between the employer’s interests and the employee’s privacy rights.
Use this for: Absence management analytics, workforce planning, identifying patterns that may indicate wellbeing issues (with appropriate safeguards).
Important: If you rely on legitimate interests, you must conduct and document a Legitimate Interest Assessment (LIA), weighing your business need against the privacy impact on employees. This assessment should be reviewed periodically.
What About Consent?
As noted above, consent is generally not the appropriate lawful basis for processing employee leave data. The ICO’s employment guidance makes clear that because employees cannot freely refuse consent without fear of detriment, consent given in the employment context is unlikely to be considered “freely given” as required by Article 4(11) and Article 7.
Relying on consent also creates a practical problem: if an employee withdraws consent, you may be unable to process their leave data at all — an outcome that is incompatible with running a business.
Data Minimisation: Collecting Only What You Need
Article 5(1)(c) requires that personal data be “adequate, relevant and limited to what is necessary” for the purposes of processing. This principle has direct implications for how you manage leave data.
What You Should Collect
- Leave type (annual leave, sick leave, etc.)
- Start and end dates
- Full day or half day
- Approval status
- Leave balance information
What You Probably Should Not Collect
- Specific medical diagnoses (unless genuinely necessary for occupational health assessment or specific legal requirements)
- Detailed reasons for annual leave (it is none of the employer’s business where someone goes on holiday)
- Information about who the employee is visiting during compassionate leave
- Detailed descriptions of symptoms during sick leave
Practical Application
Many HR systems and leave request forms ask for a “reason” field. Consider whether this is truly necessary:
- For annual leave: No reason should be required. Employees have a right to take their statutory entitlement.
- For sick leave: A general category (e.g., “short-term illness”) is usually sufficient for management purposes. Detailed medical information should only be collected when necessary for SSP, occupational health referrals, or reasonable adjustments.
- For compassionate leave: A general indication (e.g., “bereavement” or “family emergency”) is usually sufficient without requiring details of the specific circumstances.
If your current leave management process collects more information than necessary, you should review and simplify it.
Retention Periods: How Long Can You Keep Leave Data?
Article 5(1)(e) requires that personal data be kept “for no longer than is necessary for the purposes for which the personal data are processed.” The GDPR does not specify exact retention periods — organisations must determine these based on their specific needs and legal obligations.
Recommended Retention Periods for Leave Data
| Data Type | Recommended Retention | Rationale |
|---|---|---|
| Annual leave records | 2 years after the leave year | Matches the two-year record-keeping requirement in the Working Time Regulations 1998 and comfortably covers the three-month time limit for most employment tribunal claims |
| Sick leave records | 3 years after the period of absence | Covers potential personal injury limitation periods |
| Maternity/paternity records | 3 years after the end of the tax year to which they relate | HMRC requirements for statutory payment records |
| Working time records | 2 years from creation | Working Time Regulations requirement |
| Leave records of former employees | 6 years after termination | Covers the limitation period for breach of contract claims |
Important Considerations
- These are guidelines, not absolute rules. Your Data Protection Officer (DPO) or legal adviser should confirm appropriate periods for your organisation.
- Discrimination claims in the UK can be brought within 3 months of the act (extendable by ACAS early conciliation), but patterns of discrimination may be evidenced by historical records. Some organisations retain data longer on this basis.
- Leave records that form part of a dispute or legal claim should be retained until the matter is resolved, regardless of standard retention periods (litigation hold).
- When the retention period expires, data should be securely deleted or anonymised — not just archived.
Employee Rights and Leave Data
The GDPR grants employees (as data subjects) several rights that directly affect leave data management.
Right of Access (Article 15)
Employees have the right to request a copy of all personal data you hold about them, including leave records. You must respond within one calendar month (extendable by two months for complex requests).
In practice, this means you should be able to extract a complete leave history for any employee on request. If your leave data is scattered across spreadsheets, emails, and paper forms, fulfilling a Subject Access Request (SAR) becomes time-consuming and error-prone.
Right to Rectification (Article 16)
If leave records are inaccurate — for example, a sick day recorded as annual leave, or incorrect dates — the employee has the right to have this corrected without undue delay.
Right to Erasure (Article 17)
The right to erasure (“right to be forgotten”) applies when data is no longer necessary for its original purpose, when consent is withdrawn (where consent was the lawful basis), or when data has been unlawfully processed. However, this right does not apply where processing is necessary for:
- Compliance with a legal obligation
- Establishment, exercise, or defence of legal claims
This means you can generally retain leave records for legitimate business and legal purposes even if an employee requests deletion, but you should delete data that is genuinely no longer needed.
Right to Restriction (Article 18)
Employees can request that you stop processing their leave data (while retaining it) in certain circumstances — for example, while the accuracy of the data is being verified.
Data Portability (Article 20)
Where processing is based on consent or contract and carried out by automated means, employees have the right to receive their data in a commonly used, machine-readable format. This is particularly relevant if an employee is moving to a new employer and wants their leave history.
Cross-Border Data Transfers
If you use cloud-based leave management software, there is a good chance your data is stored or processed outside the UK or EU. This engages the GDPR’s rules on international data transfers (Chapter V).
The Key Principle
Personal data can only be transferred outside the UK/EEA to countries that provide an “adequate” level of data protection, or where appropriate safeguards are in place.
UK Adequacy Decisions
The UK (through adequacy regulations made by the Secretary of State under the Data Protection Act 2018) recognises the EEA and several other countries as adequate. In the other direction, the EU’s adequacy decisions for the UK, adopted in 2021, carry a sunset clause and have since been extended; data can therefore flow between the UK and EEA without additional safeguards for now, but check the current status before relying on them.
Transfers to the United States
Following the invalidation of the Privacy Shield in Schrems II (2020), the EU-US Data Privacy Framework was adopted in July 2023, and the UK Extension to the EU-US Data Privacy Framework followed in October 2023. These provide a lawful basis for transfers to US companies that have self-certified under the framework.
If your leave management software provider is based in the US, check whether they are certified under the Data Privacy Framework (and, for UK data, the UK Extension). If not, an appropriate safeguard must be in place: the EU Standard Contractual Clauses (SCCs) for EU transfers, and for UK transfers the ICO’s International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, in each case supported by a documented Transfer Impact Assessment (called a Transfer Risk Assessment by the ICO).
Practical Due Diligence for Cloud Software
When selecting or reviewing leave management software, verify:
- Where data is stored — data centre locations matter
- Whether the provider has sub-processors and where they are located
- What transfer mechanisms are in place (adequacy decisions, SCCs, Data Privacy Framework certification)
- Whether the provider offers EU/UK-only data residency options
- The provider’s data processing agreement (DPA) — this is legally required under Article 28
Practical GDPR Compliance Checklist for Leave Management
Use this checklist to audit your current leave management practices:
Lawful Basis and Documentation
- Identify and document the lawful basis for processing each type of leave data (Article 6)
- For sick leave and other health-related data, identify and document the additional Article 9 condition
- Conduct and document a Legitimate Interest Assessment if relying on Article 6(1)(f)
- Include leave data processing in your Records of Processing Activities (ROPA) — required under Article 30
Privacy Information
- Include leave data processing in your employee privacy notice
- Explain what leave data you collect, why, the lawful basis, retention periods, and employee rights
- Provide the privacy notice to employees before or at the time of data collection (i.e., during onboarding)
Data Minimisation
- Review leave request forms and remove unnecessary fields (e.g., detailed reasons for annual leave)
- Limit collection of medical information to what is genuinely necessary
- Restrict access to leave data to those who need it (HR, direct managers for their reports)
Retention and Deletion
- Define and document retention periods for each type of leave data
- Implement automated deletion or review dates
- Securely delete leave data for former employees once the retention period expires
Security
- Ensure leave data is stored securely (encryption at rest and in transit)
- Implement role-based access controls — not everyone in HR needs to see sick leave details
- Keep sick leave data separate from general annual leave data where possible
- Log access to leave records for audit purposes
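As an added example (not code from this article or from Leave Balance), the following Python sketch turns several checklist items from the Data Minimisation, Retention and Deletion, Security and Employee Rights sections into working code: a store that keeps the health-related category in a table separate from the main leave record, a `view` method that redacts by role and reporting line and writes an audit entry for every read or refusal, a `purge_expired` routine that applies per-type retention periods and honours a litigation hold, and an `export_for_subject` call for Subject Access Requests. The role names, field names, the assumption that the leave year is the calendar year, and the sample records are all hypothetical.

```python
"""Leave-record store with role-based redaction, read audit, retention purge
and SAR export. Added example; roles, fields, the calendar-year leave-year
rule and the sample records are hypothetical."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

HEALTH_LEAVE_TYPES = {"sick", "maternity"}   # Article 9 data: detail kept in a separate table
RETENTION_YEARS = {"annual": 2, "sick": 3, "maternity": 3, "compassionate": 2}


@dataclass
class LeaveRecord:
    record_id: str
    employee_id: str
    manager_id: str
    leave_type: str           # "annual", "sick", "maternity" or "compassionate"
    start: date
    end: date
    approved: bool = False
    legal_hold: bool = False  # litigation hold: never purged while set


@dataclass
class Principal:
    user_id: str
    role: str                 # "employee", "manager", "hr_admin" or "hr_health"


def add_years(d: date, n: int) -> date:
    try:
        return d.replace(year=d.year + n)
    except ValueError:        # 29 February in a non-leap target year
        return d.replace(year=d.year + n, day=28)


class LeaveStore:
    def __init__(self) -> None:
        self.records: dict[str, LeaveRecord] = {}
        self.health_detail: dict[str, str] = {}  # record_id -> coarse category only
        self.audit_log: list[dict] = []

    def add(self, rec: LeaveRecord, category: Optional[str] = None) -> None:
        # Data minimisation: a category is accepted only for health-related leave,
        # so a "reason" for annual leave cannot be stored at all.
        if category is not None and rec.leave_type not in HEALTH_LEAVE_TYPES:
            raise ValueError("category may only be recorded for health-related leave")
        self.records[rec.record_id] = rec
        if category is not None:
            self.health_detail[rec.record_id] = category

    def _log(self, who: Principal, record_id: str, action: str, fields) -> None:
        self.audit_log.append({"user": who.user_id, "role": who.role, "record": record_id,
                               "action": action, "fields": sorted(fields)})

    def view(self, who: Principal, record_id: str) -> Optional[dict]:
        """Return only the fields this principal may see; every attempt is logged."""
        rec = self.records.get(record_id)
        if rec is None:
            return None
        base = {"employee_id": rec.employee_id, "leave_type": rec.leave_type,
                "start": rec.start.isoformat(), "end": rec.end.isoformat(),
                "approved": rec.approved}
        is_self = who.user_id == rec.employee_id
        is_line_manager = who.role == "manager" and who.user_id == rec.manager_id
        if is_self or who.role == "hr_health":
            out = dict(base)
            if record_id in self.health_detail:
                out["category"] = self.health_detail[record_id]
        elif is_line_manager or who.role == "hr_admin":
            out = dict(base)  # dates and type suffice for cover and pay; no category
        else:
            self._log(who, record_id, "denied", [])
            return None
        self._log(who, record_id, "read", out.keys())
        return out

    def export_for_subject(self, employee_id: str) -> list[dict]:
        """Complete history for a Subject Access Request (Article 15)."""
        subject = Principal(employee_id, "employee")
        return [self.view(subject, rid) for rid in sorted(self.records)
                if self.records[rid].employee_id == employee_id]

    def purge_expired(self, today: date) -> list[str]:
        """Delete records past their retention period unless on legal hold."""
        removed = []
        for rid, rec in list(self.records.items()):
            if rec.legal_hold:
                continue
            # Annual leave counts from the end of the leave year (assumed calendar year).
            anchor = date(rec.end.year, 12, 31) if rec.leave_type == "annual" else rec.end
            if today > add_years(anchor, RETENTION_YEARS[rec.leave_type]):
                del self.records[rid]
                self.health_detail.pop(rid, None)  # the health detail goes with it
                removed.append(rid)
        return removed


def build_sample_store() -> LeaveStore:
    """Constructed sample data for the demonstration (hypothetical)."""
    s = LeaveStore()
    s.add(LeaveRecord("r1", "e1", "m1", "annual", date(2021, 8, 2), date(2021, 8, 6), True))
    s.add(LeaveRecord("r2", "e1", "m1", "sick", date(2022, 3, 1), date(2022, 3, 3), True),
          category="short-term illness")
    s.add(LeaveRecord("r3", "e2", "m2", "sick", date(2020, 1, 10), date(2020, 1, 12), True,
                      legal_hold=True), category="short-term illness")
    return s


if __name__ == "__main__":
    store = build_sample_store()
    print(store.view(Principal("m1", "manager"), "r2"))     # line manager: no "category" key
    print(store.view(Principal("oh1", "hr_health"), "r2"))  # occupational health: category shown
    print(store.view(Principal("m2", "manager"), "r2"))     # None: not the line manager
    print(store.export_for_subject("e1"))                   # full history for a SAR
    print(store.purge_expired(date(2024, 6, 1)))            # ['r1']; r2 within 3 years, r3 held
```

The separation of `health_detail` from `records` is the point of the design: ordinary reporting queries and the manager view never touch the health table, so a mis-scoped query cannot leak a category by accident, and the `add` method refuses to store a category against annual leave at all. In a production system the audit log would go to append-only storage rather than an in-memory list, and the purge would run on a schedule with its output retained as evidence of deletion.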
Employee Rights
- Have a process for handling Subject Access Requests that includes leave data
- Ensure you can extract a complete leave history for any employee within one calendar month of the request
- Have a process for correcting inaccurate leave records promptly
Third-Party Software
- Ensure a Data Processing Agreement (DPA) is in place with your leave management software provider
- Verify data residency and transfer mechanisms
- Assess the provider’s security certifications (SOC 2, ISO 27001, etc.)
- Review sub-processors and their locations
Training
- Train HR staff on GDPR requirements specific to leave data
- Train managers on what information they should and should not ask for when employees request leave
- Document training and refresh annually
How Leave Balance Supports Your GDPR Compliance
GDPR compliance is not just about policies — it is about the tools and systems you use to manage data. Leave Balance is built with data protection at its core:
- Data minimisation by design — our leave request forms collect only what is needed, with no mandatory “reason” fields for annual leave
- Role-based access controls — managers see only their team’s leave data; HR admins have configurable access levels
- Secure cloud infrastructure with encryption at rest and in transit
- Data Processing Agreement available for all customers
- Easy data export to support Subject Access Requests — extract a complete leave history in seconds
- Configurable retention — set up automated data lifecycle management aligned with your retention policy
- Slack and Microsoft Teams integration that processes only the minimum data necessary for leave workflows
All of this for a flat $10/month with unlimited employees — because compliance should not be a luxury reserved for enterprise budgets. Start your 14-day free trial today, no credit card required.