Doxuno

Free Employee Privacy Notice Template

An employee privacy notice informs your staff about how their personal data is collected, used, stored and protected during and after employment. Use our free UK template to meet your UK GDPR transparency obligations towards employees.

Free to use · Instant PDF · No account required
EMPLOYEE PRIVACY NOTICE
Apex Solutions Ltd  ·  UK GDPR  ·  Effective: 2026-04-01
Data Controller: Apex Solutions Ltd
DPO: dpo@apex-solutions.co.uk
This Employee Privacy Notice explains how Apex Solutions Ltd ("the Company", "we", "us", or "our") collects, uses, stores, and shares your personal data as your employer. This Notice is provided to you in accordance with Articles 13 and 14 of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. WHO WE ARE (DATA CONTROLLER)
Apex Solutions Ltd is the data controller responsible for your personal data. Company Registration Number: 12345678.

Registered address: 100 Enterprise Way
London
EC2A 4NE

Data Protection Officer / Privacy Contact: Sarah Johnson
Contact email: dpo@apex-solutions.co.uk

If you have any questions about how we use your personal data, please contact us using the details above.
2. PERSONAL DATA WE COLLECT AND USE
We collect and process the following categories of personal data about you:

  • Personal identity (name, date of birth, photograph)
  • Contact details (address, phone number, email address)
  • Financial and payroll data (salary, tax information)
  • Bank account details
  • National Insurance number
  • Employment history and references
3. PURPOSES AND LEGAL BASIS FOR PROCESSING
We process your personal data for the following purposes:

  • Recruitment and selection
  • Administration of the employment contract
  • Payroll, benefits and expense management
  • Performance management and appraisals
  • Health and safety compliance
  • Legal compliance and regulatory obligations


Legal bases for processing: We rely on the following lawful bases under UK GDPR Article 6(1) to process your personal data:

  • Contractual necessity (Article 6(1)(b) UK GDPR)
  • Legal obligation (Article 6(1)(c) UK GDPR)
  • Legitimate interests (Article 6(1)(f) UK GDPR)
4. HOW LONG WE KEEP YOUR DATA AND WHO WE SHARE IT WITH
How long we keep your data: For the duration of employment and for 7 years after the employment relationship ends, in accordance with the Limitation Act 1980.

Who we share your data with: We may share your personal data with the following categories of third parties, who are subject to appropriate data protection obligations:

  • HM Revenue and Customs (HMRC)
  • Pension providers
  • Legal advisers


We may also share your data with: External payroll provider.

International transfers: Your personal data is not transferred outside the United Kingdom.
5. YOUR DATA PROTECTION RIGHTS
Under UK GDPR, you have the following rights in relation to your personal data:

Right of access (Article 15): You have the right to request a copy of the personal data we hold about you.
Right to rectification (Article 16): You have the right to ask us to correct inaccurate or incomplete personal data.
Right to erasure (Article 17): In certain circumstances, you have the right to request deletion of your personal data.
Right to restriction of processing (Article 18): In certain circumstances, you have the right to request that we restrict how we use your personal data.
Right to data portability (Article 20): Where processing is based on consent or contract, you may request your data in a structured, machine-readable format.
Right to object (Article 21): Where processing is based on legitimate interests, you have the right to object to such processing.
Right to withdraw consent: Where we rely on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

How to exercise your rights: Employees may exercise any of the rights described in this Notice by contacting the Data Protection Officer at dpo@apex-solutions.co.uk or in writing to the registered address above.

We will respond to your request within 1 calendar month of receipt of the request (extendable by a further 2 months for complex or numerous requests).

Right to complain: If you are not satisfied with how we handle your data or respond to your request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
6. CHANGES TO THIS NOTICE
We may update this Privacy Notice from time to time to reflect changes in our data processing practices, legal requirements, or organisational structure. We will notify you of any significant changes in an appropriate manner. We recommend that you check this Notice periodically.

This Notice was last updated on: 2026-04-01.

What Is an Employee Privacy Notice?

An employee privacy notice is a document provided to employees that explains how their employer processes their personal data. It covers what data is collected, why it is needed, the legal basis for processing, who it may be shared with and how long it is kept.

Under Articles 13 and 14 of the UK GDPR, data controllers must provide data subjects with specific information about data processing in a concise, transparent and easily accessible form. Employers are data controllers in respect of their employees’ personal data.

A UK employee privacy notice should be provided to all British staff at the start of their employment and updated whenever processing practices change. It covers employees, workers, contractors and job applicants whose data the British organisation processes in England and Wales.

What's Covered in This Template

Our employee privacy notice template covers all information required under UK GDPR transparency obligations.

Data Controller Identity

Name, address and contact details of the employer, including the Data Protection Officer where applicable.

Categories of Data Collected

Types of personal data processed, including contact details, bank details, performance data and health information.

Purposes of Processing

Clear explanation of why each category of data is collected and how it is used in the employment context.

Lawful Basis

The legal basis for each processing activity, including contract, legal obligation, legitimate interest and consent.

Special Category Data

How sensitive data such as health records, diversity monitoring and trade union membership is handled and protected.

Data Sharing

Who employee data may be shared with, including HMRC, pension providers, insurers and regulatory bodies.

International Transfers

Whether employee data is transferred outside the UK and the safeguards in place for such transfers.

Retention Periods

How long different categories of employee data are retained and the criteria for determining retention periods.

Employee Rights

Explanation of data subject rights including access, rectification, erasure, restriction, portability and objection.

Monitoring and Surveillance

Information about any workplace monitoring including email, internet, CCTV and GPS tracking.

How to Create an Employee Privacy Notice

Follow these steps to produce a comprehensive and compliant privacy notice for your workforce.

  1. Map Your Employee Data

    Identify all categories of personal data you collect from employees, where it comes from, how it is used and where it is stored.

  2. Identify Lawful Bases

    Determine the appropriate lawful basis for each processing activity, whether contract performance, legal obligation, legitimate interest or consent.

  3. Document Data Sharing

    List all third parties with whom employee data is shared and the purpose and legal basis for each sharing arrangement.

  4. Set Retention Periods

    Define how long each category of employee data will be retained, referencing statutory requirements and business necessity.

  5. Distribute to Employees

    Provide the notice to all current employees and include it in the onboarding process for new starters. Review and update it annually.

Legal Considerations

Employee data processing involves specific legal requirements beyond standard UK GDPR obligations.

This template is for informational purposes only and does not constitute legal advice. Consult a qualified solicitor for advice specific to your situation.

Reviewed for England & Wales law

Lawful Basis for Employment Processing

Most UK employment data processing relies on contractual necessity (Article 6(1)(b)), legal obligation (Article 6(1)(c)) or legitimate interests (Article 6(1)(f)) under the UK GDPR. Consent is generally inappropriate as the basis for British employment processing because of the power imbalance between employer and employee in England and Wales.

Special Category Data

Processing health data, diversity information or trade union membership in the UK requires a condition under both Article 9 of the UK GDPR and Schedule 1 of the UK Data Protection Act 2018. Common conditions for British employers include employment obligations, health and safety and equality monitoring under English law.

Workplace Monitoring

The UK ICO Employment Practices Code provides guidance on monitoring British employees. UK employers must carry out an impact assessment before introducing monitoring in England and Wales, inform employees of the nature and extent of monitoring and ensure it is proportionate to the aim pursued under English law.

Subject Access Requests

British employees have the right to make subject access requests under Article 15 of the UK GDPR. UK employers must respond within one calendar month and provide a copy of all personal data being processed. Exemptions under the UK Data Protection Act 2018 may apply for legal professional privilege and management forecasting in England and Wales.

Create Your Employee Privacy Notice Now

Meet your transparency obligations and build employee trust. Fill in the details, preview your notice and download it as a PDF in minutes.
