← Back to Resources

COMPLIANCE · 14 MIN

GDPR for HR: exits and deletions.

GDPR for HR isn't about cookies. It's about what happens to Pedro's data when Pedro leaves the company. Do you delete everything? Keep the payslip? The email? The photo on the website? Each decision has a different legal basis and a different retention period. This guide is the map.

BY DANIEL GARCÍA · CO-FOUNDER · CTO @ ORQUIVA UPDATED 12 MARCH 2026 10 MIN READ
DÍA 0 — EXIT · TRATAMIENTO DE DATOS EMP. 042 CONSERVAR Contrato10 AÑOS Nómina10 AÑOS Fichaje4 AÑOS BORRAR · 30D Email · Foto · LinkedIn

The 4 legal bases you must know

  1. Performance of contract (art. 6.1.b GDPR): payslips, withholding, contracts. While the relationship lasts + statutory periods.
  2. Legal obligation (art. 6.1.c): social-security filings, tax forms. Periods set by labour law and tax authority.
  3. Legitimate interest (art. 6.1.f): performance history, exit-interview notes. Until limitation runs out.
  4. Consent (art. 6.1.a): photo on intranet, optional extra data. Revocable at any time.

Real retention periods (Spain)

  • Employment contracts: 10 years from termination (civil limitation, art. 1964 CC).
  • Payslips and social-security filings: 10 years (Law 30/2015).
  • Tax form 145: 4 years (tax limitation, Law 58/2003).
  • Time-recording: 4 years (RDL 8/2019).
  • CVs of non-hired candidates: max 2 years (Spanish DPA guidance).
  • Performance reviews: until civil limitation (4 years from the last).
  • Corporate email: closed on exit day; backup retained 6 months per internal policy.
  • Photo on web/LinkedIn: removed within 30 days (consent revoked on exit).

What must happen the day someone leaves

  1. Immediate access lockdown (SSO, tools, buildings).
  2. Corporate email closure, 30-day forward to manager.
  3. Backup of project data to new owner.
  4. Personnel file flagged "employee terminated" with date.
  5. Auto-retention triggered: system flags every datum with its period.
  6. Photo and data removed from internal/external publications within 30 days.
  7. Former employee notified of what data is retained and why.

Former-employee rights

  • Access: they have the right to know what you have. Deadline: 1 month.
  • Rectification: if something's wrong, you fix it. Deadline: 1 month.
  • Erasure: only if the legal basis no longer applies. Last year's payslip is not deleted.
  • Restriction: during a dispute, the data is frozen.
  • Portability: only for data they provided themselves.

Real Spanish DPA fines 2024–2025

€48,000

Average fine to <100-person companies for GDPR breaches in HR processing.

Published case (PS/00342/2024): 60-person company fined €32,000 for keeping 14 former employees' emails accessible for 18 months after exit. Case PS/00518/2024: consultancy fined €60,000 for missing the deadline on an access request.

Start free with Orquiva →

KEEP READING

ART. 34.9 ET · MAYO 2026 REGISTRO_MAYO.XLSX 13/05 09:00–18:00 M.Sánchez 13/05 09:00–18:00 M.Sánchez 13/05 09:00–18:00 M.Sánchez 13/05 09:00–18:00 M.Sánchez 13/05 09:00–18:00 M.Sánchez NO VÁLIDO ORQUIVA · FICHAJE 09:01 ENTRADA sha256· 13:34 PAUSA sha256· 14:30 VUELTA sha256· 18:02 SALIDA sha256· SELLO RDL 8/19

COMPLIANCE · DEFINITIVE GUIDE · 22 MIN

The time-record law nobody is enforcing properly.

Read guide →
28 PREGUNTAS · 5 CATEGORÍAS VENDOR A €8.40 /persona/mes Fichaje SSO API pública Vacaciones RECOMENDADO ORQUIVA PRO €5.00 /persona/mes Fichaje SSO API pública Vacaciones VENDOR C €12.00 /persona/mes Fichaje SSO API pública Vacaciones

HR · DEFINITIVE GUIDE · 16 MIN

How to pick an HRIS without losing your mind

Read →
PLAN 30 / 60 / 90 · NUEVA INCORPORACIÓN DAY 1 — KICKOFF RM Rocío DG Diego CM Carla MS Marta · NUEVA PLAN DE MARTA DÍA 1 Setup + buddy SEMANA 1 1:1 diario · 1ª tarea DÍA 30 eNPS · feedback DÍA 60 Entrega media DÍA 90 Probation review

PRODUCT · 8 MIN

Remote onboarding: 7 common mistakes.

Read →