4 December 2017
Retention of personal data has a 'lawful basis' where it is necessary for compliance with a legal obligation or for the exercise or defence of legal claims. For payroll and HR reasons, employers must hold and retain personal information about their employees and former employees to meet these legal requirements.
In the United Kingdom, HM Revenue & Customs (HMRC) requires employers to record and retain certain current and historic personal information. These legal requirements supersede an individual's request for deletion or change where that information is being processed and kept for those legal reasons.
HMRC law requires employers to record aspects of personal information such as name, address, date of birth, gender and national insurance number, and to report them to HMRC using Real Time Information (RTI) under PAYE Regulation 67B or 67D. The report must contain the information specified in Schedule A1 of the PAYE Regulations.
An individual cannot prevent their employer from informing HMRC, which then informs the Department for Work & Pensions, of their employment-related earnings and personal information.
Equally, immigration law often requires 'Right to Work' identification documents for all new employees to be retained for potential inspection, and as an excuse and/or defence in showing that the employer has not employed an illegal worker. Such retention would have a 'lawful basis', and in the UK the documents must be kept for a minimum of 2 years after the employee has finished employment with you.
Working Time Directive and Minimum Wage law would require employers to retain records of time worked and payments to employees to enable appropriate audit to take place. This would also be a 'lawful basis'. The following is a list of a few of the 'lawful basis' examples within the UK:
Sometimes the law gives no definitive retention period for some records, and it is therefore up to the employer to decide appropriately and justify their basis of retention. These judgement-based time limits may be associated with the claims limits allowed within GDPR. A common general position in the UK is to retain personal information and records for 6 years plus current, based on the Limitation Act 1980 period within which legal proceedings would have to have commenced.
Similar requirements will exist throughout the European Union. Don't implement data deletion or change policies as a result of new GDPR processes if they would breach the 'lawful basis' requirements. You could find yourselves in trouble with national tax collectors and immigration departments if you don't retain records required by law.