Employee Privacy Notice — UK GDPR (England & Wales)
UK GDPR Articles 13–14 & Data Protection Act 2018
This Employee Privacy Notice is issued by [Company Name], a company registered in England and Wales with company number [Company Registration Number], whose registered address is [Company Street], [Company City], [Company Postcode] (the "Company", "we", "us", or "our").
This Notice explains how the Company collects, uses, stores, shares, and protects personal data relating to its employees, workers, and job applicants. It is issued in accordance with our transparency obligations under Articles 13 and 14 of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This Notice takes effect on [Policy Effective Date] and was last reviewed on [Last Review Date].
1. WHO IS THE DATA CONTROLLER?
1.1 The Company is the data controller of your personal data for the purposes of the UK GDPR and the Data Protection Act 2018. This means we are responsible for deciding how and why your personal data is processed.
1.2 Our registered address is [Company Street], [Company City], [Company Postcode]. Our Companies House registration number is [Company Registration Number].
2. DATA PROTECTION OFFICER / CONTACT
2.1 We have appointed a Data Protection Officer (or designated data protection contact) who is responsible for overseeing compliance with this Notice and our obligations under data protection law.
2.2 The details of our Data Protection Officer are:
Name: [DPO Name]
Email: [DPO Email]
2.3 If you have any questions about this Notice, or wish to exercise your data protection rights, please contact the Data Protection Officer using the details above.
3. WHAT PERSONAL DATA DO WE COLLECT ABOUT YOU?
3.1 In the course of your employment (or pre-employment process), we collect and process the following categories of personal data:
[Data Categories]
3.2 We collect this data directly from you (for example, through your application form, your employment contract, and forms you complete during employment), from third parties (such as occupational health providers, reference providers, and background screening companies), and automatically through our IT systems.
3.3 Providing certain categories of personal data is a requirement of your employment contract or a legal obligation. Where this is the case, failure to provide the data may affect our ability to fulfil our obligations as your employer — for example, we cannot operate PAYE without your National Insurance number.
4. WHY DO WE PROCESS YOUR PERSONAL DATA?
4.1 We process your personal data for the following purposes:
[Processing Purposes]
4.2 We will only use your personal data for the purposes for which it was collected unless we reasonably consider that we need to use it for another reason that is compatible with the original purpose and is permitted by law.
5. WHAT IS OUR LAWFUL BASIS FOR PROCESSING?
5.1 Under UK GDPR Article 6, we are required to have a lawful basis for processing your personal data. We rely on the following lawful bases:
[Lawful Basis]
5.2 Where we rely on legitimate interests as our lawful basis, we have conducted a Legitimate Interests Assessment (LIA) to ensure our interests are not overridden by your rights and freedoms. You have the right to object to processing on this basis — see Section 10 below.
5.3 Please note that consent is not our primary lawful basis for processing employment-related personal data. Because of the nature of the employment relationship, the ICO and the Employment Practices Code recognise that freely given consent is difficult to establish. Where we do rely on consent, you have the right to withdraw it at any time without suffering a detriment.
6. WHO DO WE SHARE YOUR PERSONAL DATA WITH?
6.1 We may share your personal data with the following categories of third parties:
[Data Sharing Recipients]
6.2 We require all third-party recipients to respect the security of your personal data and to treat it in accordance with the law. Where third parties process data on our behalf as data processors, we have in place written data processing agreements that require them to act only on our instructions and to implement appropriate security measures.
6.3 We may also be required to disclose your personal data to law enforcement agencies, regulatory authorities, or courts in compliance with a legal obligation. We will inform you of any such disclosure unless we are prohibited from doing so by law.
7. HOW LONG DO WE KEEP YOUR PERSONAL DATA?
7.1 We will only retain your personal data for as long as is necessary for the purposes for which it was collected, including for the purposes of satisfying any legal, regulatory, tax, accounting, or reporting requirements. We apply the following retention periods:
[Retention Periods]
7.2 In some circumstances, we may retain your personal data for longer than the standard periods stated above — for example, where we are required to preserve records in connection with an ongoing legal claim, Employment Tribunal proceeding, or regulatory investigation.
7.3 Once your personal data is no longer required, we will securely delete or anonymise it in accordance with our Data Retention Policy. You may request a copy of our Data Retention Policy from the Data Protection Officer.
8. YOUR DATA PROTECTION RIGHTS
8.1 Under the UK GDPR, you have the following rights in relation to your personal data:
- Right of access (Article 15): You have the right to request a copy of the personal data we hold about you. This is known as a Subject Access Request (SAR). We must respond within one calendar month.
- Right to rectification (Article 16): You have the right to request that we correct any inaccurate or incomplete personal data we hold about you.
- Right to erasure (Article 17): You have the right to request the deletion of your personal data in certain circumstances, for example where it is no longer necessary for the purpose for which it was collected. Note that this right is more limited in the employment context where retention is required by law.
- Right to restriction of processing (Article 18): You have the right to ask us to suspend processing of your personal data in certain circumstances, such as while you contest its accuracy.
- Right to data portability (Article 20): Where processing is based on consent or contract and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format.
- Right to object (Article 21): You have the right to object to processing of your personal data where we rely on legitimate interests as our lawful basis. We must stop processing unless we can demonstrate compelling legitimate grounds that override your interests.
8.2 [Employee Rights Description]
8.3 You will not be subjected to any detriment for exercising your data protection rights. If you believe you have been treated unfairly as a result of making a data subject request, please contact the Data Protection Officer in the first instance.
9. CHANGES TO THIS NOTICE
9.1 We may update this Employee Privacy Notice from time to time to reflect changes in our processing activities, applicable law, or ICO guidance. We will notify you of any material changes by providing you with an updated copy of this Notice.
9.2 Where a change significantly affects how we use your personal data, we will draw it to your attention and, where required by law, seek your agreement.
9.3 The current version of this Notice, together with its effective date and review date, is maintained by the Data Protection Officer. You may request the most up-to-date version at any time.
10. GOVERNING LAW
10.1 This Employee Privacy Notice is governed by and construed in accordance with the laws of England and Wales. The Information Commissioner's Office is the competent supervisory authority for the purposes of the UK GDPR and the Data Protection Act 2018.
Issued on behalf of [Company Name]
Authorised Signatory: [Signatory Name], [Signatory Title]
Employee: [Employee Name]
Employer Representative
[Signatory Name]
Signature
Date: ________________
Employee
[Employee Name]
Signature
Date: ________________
What Is an Employee Privacy Notice — UK GDPR (England & Wales)?
An Employee Privacy Notice — UK GDPR in the United Kingdom records an employment particular or request, together with the information the parties need to action it, and takes its legal force from the Data Protection Act 2018.
The UK GDPR is the version of the EU General Data Protection Regulation that was retained in UK domestic law following the United Kingdom's exit from the European Union, by virtue of the European Union (Withdrawal) Act 2018 and subsequently amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. It applies to any organisation established in the UK that processes personal data, and — in the employment context — imposes specific obligations on employers as data controllers. The Data Protection Act 2018 supplements the UK GDPR with additional provisions specific to the United Kingdom, including the Schedule 1 conditions for processing special category data in the employment context.
Article 13 of the UK GDPR applies where personal data is collected directly from the data subject — in the employment context, this means data collected directly from the employee through an application form, onboarding documentation, or information the employee provides during employment. Article 14 applies where personal data is obtained from a third party, such as a previous employer providing a reference, a background screening company, or an occupational health provider. In both cases, the required information must be provided at the time of data collection (Article 13) or within a reasonable period not exceeding one month (Article 14).
The ICO's Employment Practices Code provides supplementary guidance for employers on how to handle personal data lawfully and fairly throughout the employment lifecycle, from recruitment and selection through to termination and beyond. While the Code does not have direct statutory force, it represents the ICO's authoritative view of best practice and is regularly referenced in enforcement decisions and Employment Tribunal proceedings. A well-drafted Employee Privacy Notice that reflects the requirements of the Code, Articles 13 and 14 of the UK GDPR, and the relevant provisions of the Data Protection Act 2018 provides employers with a strong foundation for demonstrating accountability under Article 5(2) of the UK GDPR.
The legal framework governing the Employee Privacy Notice — UK GDPR (England & Wales) in the United Kingdom draws on several key statutes and regulatory bodies. Under the Companies Act 2006, Companies House maintains the register of UK companies. Section 386 of the Companies Act 2006 sets accounting record obligations. The Competition and Markets Authority (CMA) enforces the Consumer Rights Act 2015. The Financial Conduct Authority (FCA) regulates financial services under the Financial Services and Markets Act 2000. The High Court of Justice has jurisdiction under the Senior Courts Act 1981. Parties executing an Employee Privacy Notice — UK GDPR (England & Wales) in the United Kingdom should confirm the document reflects current law, including any amendments enacted since the original drafting date. The Companies Act 2006 sets the foundational requirements.
When Do You Need an Employee Privacy Notice — UK GDPR (England & Wales)?
An Employee Privacy Notice is needed at the start of every employment relationship — it should be provided to each new employee on or before their first day of work, alongside their employment contract and other onboarding documentation. Under Article 13 of the UK GDPR, the required transparency information must be provided at the time personal data is collected; since employers collect significant quantities of personal data from the very beginning of the recruitment process, an Employee Privacy Notice should ideally be provided to job applicants at the point of application as well as to successful candidates on commencement of employment.
A new or updated Employee Privacy Notice is also required whenever there is a material change to the employer's data processing activities. Common triggers include the introduction of new monitoring technologies (such as a new CCTV system, a GPS vehicle tracking system, or monitoring software for remote workers), the engagement of new third-party service providers who will process employee data (such as a new payroll provider or HR platform), a change in the employer's retention periods, or a change in the lawful basis relied upon for processing. The ICO recommends that employers review their Employee Privacy Notice at least annually to confirm it remains accurate and up to date.
An updated Employee Privacy Notice should also be provided when employees return from prolonged absences — such as maternity leave, shared parental leave, long-term sick leave, or a career break — because processing activities and policies may have changed during the absence. Similarly, where an employer is acquired by or merges with another organisation, employees should receive a new or updated notice explaining any changes to the data controller and the processing activities.
In practice, many employers incorporate the Employee Privacy Notice into their new starter documentation pack, alongside the employment contract, the Employee Handbook, and any role-specific confidentiality obligations. Including an acknowledgment receipt — confirming that the employee has read and understood the Notice — provides evidence that the employer has fulfilled its Article 13 transparency obligations, which can be important in the context of ICO investigations, Employment Tribunal claims, or data subject access requests.
What to Include in Your Employee Privacy Notice — UK GDPR (England & Wales)
A legally compliant Employee Privacy Notice for England and Wales must contain all of the information specified in UK GDPR Articles 13(1), 13(2), 14(1), and 14(2), as supplemented by the ICO's Employment Practices Code and accompanying guidance.
Identity and Contact Details of the Data Controller — The notice must identify the employer by its full legal name, registered address, and Companies House registration number. Where the employer belongs to a group of companies and personal data is shared between group entities, each entity acting as a controller should ideally be identified, or the group structure should be described clearly.
Data Protection Officer Contact Details — Where the employer has appointed a DPO under Article 37 (mandatory for public authorities and organisations carrying out large-scale systematic monitoring of individuals or large-scale processing of special category data), the DPO's name and contact details must be provided. Even where a DPO is not mandatory, the ICO's Employment Practices Code recommends designating a named data protection contact.
Categories of Personal Data Collected — The notice must specify all categories of employee personal data processed, from basic contact and payroll data to health records, performance information, disciplinary records, CCTV footage, and IT usage logs. The ICO expects employers to be specific rather than generic in describing data categories.
Purposes of Processing — Each processing purpose must be clearly described. Common employment purposes include payroll administration, compliance with PAYE obligations, management of absence and sickness, performance management, health and safety management, IT system security monitoring, and business continuity planning.
Lawful Basis for Processing — The specific UK GDPR Article 6 lawful basis relied upon for each processing activity must be stated. In the employment context, the most common bases are contract (Article 6(1)(b)), legal obligation (Article 6(1)(c)), and legitimate interests (Article 6(1)(f)). Where legitimate interests are relied upon, the specific interests must be identified and a Legitimate Interests Assessment should have been conducted.
Special Category Data — Where the employer processes special category data (most commonly health data, trade union membership, or disability information), the notice must additionally identify the applicable condition under Article 9(2) of the UK GDPR and, where relevant, the applicable condition under Schedule 1 of the Data Protection Act 2018.
Data Sharing and Third-Party Recipients — The notice must identify the categories of third-party recipients of employee personal data, including payroll providers, pension trustees, occupational health providers, IT service providers, HMRC, and any group companies.
International Transfer Safeguards — Where employee data is transferred outside the UK, the applicable transfer mechanism must be stated (UK adequacy regulations, UK International Data Transfer Agreement, or binding corporate rules).
Retention Periods — The notice must state how long different categories of employee data are retained, or the criteria used to determine retention periods. Retention schedules should reflect applicable legal obligations under the Income Tax (Earnings and Pensions) Act 2003, the Limitation Act 1980, and other relevant legislation.
Employee Rights — The notice must set out all applicable data subject rights under UK GDPR Articles 15 to 22, including the right of access (Subject Access Request), rectification, erasure, restriction, portability, objection, and rights in relation to automated decision-making. The mechanism for exercising rights and the applicable response timeframe (one calendar month under Article 12) must be specified.
Right to Lodge a Complaint with the ICO — Under Article 13(2)(d), the notice must inform employees of their right to complain to the ICO if they believe their data has been processed unlawfully. The forms-legal.com Employee Privacy Notice — UK GDPR (England & Wales) template covers the mandatory elements under Companies Act 2006.
Sources & Citations
Statutory citations link to official government sources.
- GDPR Article 6 (EU GDPR)
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Employee Privacy Notice — UK GDPR (England & Wales) (United Kingdom) [Legal document template]. Forms Legal. https://forms-legal.com/uk/business/policies/employee-privacy-notice-uk-gdpr
"Employee Privacy Notice — UK GDPR (England & Wales) (United Kingdom)." Forms Legal, 2026, https://forms-legal.com/uk/business/policies/employee-privacy-notice-uk-gdpr.
@misc{formslegal-employee-privacy-notice-uk-gdpr,
author = {{Forms Legal}},
title = {Employee Privacy Notice — UK GDPR (England & Wales) (United Kingdom)},
year = {2026},
howpublished = {\url{https://forms-legal.com/uk/business/policies/employee-privacy-notice-uk-gdpr}},
note = {Free legal document template. Based on Companies Act 2006}
}
Frequently Asked Questions
Yes. Under UK GDPR Articles 13 and 14 — which form part of UK domestic law by virtue of the European Union (Withdrawal) Act 2018 — employers are required to provide employees with specific information about how their personal data is processed. Article 13 applies where personal data is collected directly from the employee (for example, through a job application or onboarding form), and Article 14 applies where data is obtained from a third party (such as a reference provider or background screening company). The information must be provided at the time of data collection (Article 13) or within a reasonable period not exceeding one month (Article 14). The ICO's Employment Practices Code reinforces this requirement and provides practical guidance on what a compliant Employee Privacy Notice must contain. Failure to provide adequate transparency information is a breach of UK GDPR, and the ICO has the power to issue enforcement notices and fines of up to £17.5 million or 4% of global annual turnover under section 157 of the Data Protection Act 2018.
In most cases, no. The ICO's Employment Practices Code and the Article 29 Working Party (now the European Data Protection Board, whose guidance continues to influence UK practice) have consistently held that consent is not a valid lawful basis for most employment data processing. This is because of the inherent imbalance of power in the employment relationship: an employee who refuses to consent to processing may fear negative consequences, which means consent cannot be truly freely given as required by UK GDPR Article 7. The appropriate lawful bases for most employment data processing are performance of the contract of employment under Article 6(1)(b), compliance with a legal obligation (such as PAYE reporting to HMRC) under Article 6(1)(c), and the employer's legitimate interests (such as performance management, IT security monitoring, and fraud prevention) under Article 6(1)(f). Where consent is the only available basis — for example, for certain optional wellness programmes — it should be clearly separated from employment-related decisions and employees must be able to withdraw it without detriment.
Employers commonly process several types of special category data as defined by UK GDPR Article 9. Health data is processed routinely for managing sickness absence, occupational health referrals, and making reasonable adjustments under the Equality Act 2010. Trade union membership data is processed by employers who deduct union subscriptions from payroll. Disability information (which falls within health data) is processed to comply with reasonable adjustment duties. Employers processing health data typically rely on Article 9(2)(b) — processing necessary for employment law obligations — together with Schedule 1, paragraph 1 of the Data Protection Act 2018, which permits processing of special category data for employment purposes where it is necessary for the controller to perform or exercise employment law obligations or rights. Criminal conviction and offence data (which is not special category data but is separately regulated under UK GDPR Article 10 and the DPA 2018) may be processed for DBS checks in regulated activities involving children or vulnerable adults.
UK law imposes specific retention obligations for different categories of employment records. Under section 49 of the Income Tax (Earnings and Pensions) Act 2003 and HMRC guidance, PAYE records must be kept for 3 years after the end of the tax year to which they relate, though most employment lawyers recommend retaining payroll records for 6 years in line with the general limitation period under the Limitation Act 1980. The Working Time Regulations 1998 (regulation 9) require working time records to be kept for 2 years. Under the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013, accident records must be kept for at least 3 years. Pension records must be kept for 6 years after the last relevant event. The general principle under UK GDPR Article 5(1)(e) is that data should not be kept longer than necessary. Employers should maintain a Data Retention Policy that specifies retention periods by category, cross-referenced to the applicable legal requirements.
Under the UK GDPR, employees have the same data subject rights as any other individual. The right of access under Article 15 allows employees to request a copy of all personal data held about them — this is commonly known as a Subject Access Request (SAR). Employers must respond within one calendar month (extendable by two months for complex requests). The right to rectification under Article 16 allows employees to correct inaccurate data, such as an incorrect job title or date of birth in their personnel file. The right to erasure under Article 17 is more limited in the employment context because many records must be retained to comply with legal obligations; however, it may apply to data processed on the basis of consent. The right to object under Article 21 is particularly relevant where processing is based on legitimate interests — for example, an employee may object to monitoring of their internet usage. The right to data portability under Article 20 may allow employees to obtain their data in a machine-readable format where processing is automated and based on consent or contract.
The ICO Employment Practices Code (originally published under the Data Protection Act 1998 and now updated to reflect the UK GDPR) provides detailed guidance on how employers should handle personal data throughout the employment lifecycle. Key areas covered by the Code include recruitment and selection (where the Code recommends minimising data collection, not retaining unsuccessful applicants' data for more than six months without consent, and conducting pre-employment checks proportionately), employment records (where the Code emphasises the need for a documented retention schedule), monitoring at work (where the Code requires a privacy impact assessment before implementing monitoring measures such as CCTV, email monitoring, or GPS tracking, and recommends informing employees of monitoring arrangements in the privacy notice), and health information (where the Code sets out strict limitations on the medical information employers may seek and the conditions under which it may be processed). The Code does not have statutory force, but ICO enforcement decisions and Employment Tribunal judgments regularly reference it as a guide to good practice.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.
Related Documents
You may also find these documents useful:
Data Retention Policy (UK)
Create a detailed Data Retention Policy for England and Wales that supports compliance with the UK GDPR storage limitation principle (Article 5(1)(e)) and the Data Protection Act 2018. This template covers all essential elements: organisation identification, policy scope, a detailed retention schedule by data category (employee records, payroll and PAYE, recruitment, health and safety, CCTV, customer records, contracts, and financial records), legal retention requirements under the Companies Act 2006, Income Tax (Earnings and Pensions) Act 2003, HMRC guidance, Limitation Act 1980, RIDDOR 2013, and COSHH Regulations 2002. Includes secure destruction procedures, legal hold provisions, review and audit obligations, responsibilities, and breach consequences. Download as PDF or Word.
Employment Contract (England & Wales)
Hiring someone in England or Wales? You are legally required to give them a written statement of employment particulars on or before their first day of work. Our UK Employment Contract template meets all requirements of the Employment Rights Act 1996 and covers working hours, salary, holiday entitlement, notice periods, pension auto-enrolment, confidentiality, and optional restrictive covenants. Download as PDF or Word in minutes.
Privacy Policy (UK)
Create a detailed UK Privacy Policy compliant with the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018. This template covers data controller identification, ICO registration, lawful bases for processing, data subject rights, cookies under PECR, international data transfers, data retention, and breach notification. Suitable for websites, apps, and online services operating in England and Wales. Fill in your organisation's details, preview in real time, and download as PDF or Word.
Data Processing Agreement — UK GDPR (England & Wales)
Create a Data Processing Agreement (DPA) fully compliant with UK GDPR Article 28 and the Data Protection Act 2018 for England and Wales. This template covers all mandatory Article 28(3) processor obligations, ICO registration, sub-processor authorisation with prior notice, UK IDTA provisions for international transfers outside the UK, technical and organisational security measures under Article 32, personal data breach notification timelines, data subject rights assistance, DPIA support, audit rights with advance notice, and data deletion or return obligations. Includes controller ICO registration details, special category data provisions, and automatic termination with the principal services agreement. Governing law: England and Wales. Download as PDF or Word.
Employee Non-Disclosure Agreement (England & Wales)
Protect your business's confidential information and trade secrets with an Employee NDA drafted for England and Wales. Unlike a general commercial NDA, an employee-specific confidentiality agreement addresses the unique legal obligations that arise in the employment relationship — including mandatory whistleblowing carve-outs under the Public Interest Disclosure Act 1998, compliance with the Victims and Prisoners Act 2024, and alignment with the Trade Secrets (Enforcement, etc.) Regulations 2018. Our template ensures your confidential information is protected both during and after employment while fully respecting the employee's statutory rights.