Klibio

06 Jun 2026

GDPR and Employees: What to Delete (and What to Keep) When Someone Leaves

A practical guide for small businesses on GDPR obligations when an employee leaves: what data to delete, what to keep, for how long, and how to document it.

Why an employee's departure is a critical GDPR moment

When an employee leaves your company, your first instinct is to sort out the paperwork, the final pay, and the handover. What most small business owners don't ask — until it's too late — is: what happens to their data?

The GDPR sets out specific obligations when an employment relationship ends. And failing to meet them isn't just a theoretical risk: fines from data protection authorities can reach €20 million or 4% of global annual turnover.

This guide explains, without legal jargon, what you need to delete, what you need to keep, for how long, and how to document it.

During employment, you process the employee's data under a clear legal basis: the performance of a contract (Art. 6.1.b GDPR). When that contract ends, that legal basis disappears. From that point on, you can only keep data you're legally required to retain, or that you genuinely need to defend against potential claims.

Everything else must be deleted — not eventually, but within a reasonable, documented timeframe.

What you need to delete (and when)

Access to tools and digital platforms

This is the area most businesses overlook, and the one that creates the most real-world risk.

When an employee leaves, they should immediately lose access to:

  1. Corporate email (Gmail, Outlook, Zoho…)
  2. Work tools (Slack, Notion, Trello, Asana, GitHub, Figma…)
  3. Internal systems (ERP, CRM, POS, website admin…)
  4. Shared accounts (company social media, supplier accounts…)
  5. Messaging groups (WhatsApp Business, team Telegram channels…)

The GDPR doesn't regulate digital access directly, but it does require that personal data not be accessible to unauthorised people. A former employee who still has access to customer data, colleague information, or internal company data is a documentable security breach.

When: on the day the departure is confirmed, or at the very latest on their last working day.

The employee's personal data in your systems

Once the employment relationship ends, the personal data you collected to manage the contract — name, national ID, personal email, phone number, bank account, address — must be deleted from active systems.

There is, however, an important exception: you cannot delete everything immediately if you have a legal obligation to retain certain records.

What you need to keep (and for how long)

Deleting everything immediately is also a mistake. The law requires you to retain specific data for defined periods:

Data type | Retention period | Legal basis
Payroll records, social security contributions | 4–6 years | Employment and social security law (varies by country)
Employment contract and amendments | 4–6 years | Employment law
Tax records (income tax, withholdings) | 4–7 years | Tax law
Sick leave records and medical documentation | 5 years | Employment regulations
Working time records | 4 years | Working time regulations
Access logs and system activity history | Variable (2 years recommended) | Legitimate interest / evidence for claims

The key principle: you retain because the law requires it, not because you want to. When the retention period expires, you delete.

A concept many businesses confuse: anonymisation is not deletion

The GDPR allows an alternative to deletion: anonymisation. This means transforming data so that it's impossible to identify the individual, even when combined with other information.

An audit record stating "user 4821 revoked access to Notion on 15 March 2025" contains no personal data if ID 4821 can no longer be linked to any real person. That record can be kept indefinitely for compliance and traceability purposes.

This is especially relevant for:

  1. Access audit logs: you need to know what happened, but you don't need to know the full name of who did it once any potential claim has expired.
  2. Internal statistics: number of employees who completed onboarding within X weeks, without identifying anyone.

Proper anonymisation is permanent and irreversible. If you can reverse it, it's pseudonymisation — and the data remains personal data under the GDPR.
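To make the distinction concrete, here is an added illustration (not part of the original article and not Klibio's code) that takes an offboarding audit trail like the "user 4821" record above, shows a pseudonymised version that stays personal data because the key holder can re-link it, and an anonymised version where the link is destroyed; it also carries out the retention-expiry step, anonymising only records older than the two-year period and producing a dated receipt. The employee key, the records and the two-year figure are constructed for the example.

```python
import hashlib
import hmac
import secrets
from datetime import date

# Constructed sample data (not from a real system): the departing employee's HR key
# and the offboarding audit trail that references it. Only the HR system maps the
# key to a person; the log holds the key, the action, the system and the date.
AUDIT_LOG = [
    {"employee": "E-0042", "action": "access revoked", "system": "Notion", "date": "2025-03-15"},
    {"employee": "E-0042", "action": "access revoked", "system": "Slack", "date": "2025-03-15"},
    {"employee": "E-0042", "action": "device returned", "system": "laptop", "date": "2025-03-17"},
]
RETENTION_DAYS = 2 * 365  # the article's "2 years recommended" for activity logs


def pseudonymise(log, key):
    """Swap the HR key for a keyed hash (HMAC-SHA256). Anyone holding `key` can
    recompute the token from the HR key and re-link the record, so the result is
    still personal data under the GDPR: reversible means pseudonymised."""
    def token(emp):
        return hmac.new(key, emp.encode(), hashlib.sha256).hexdigest()[:12]
    return [{**rec, "employee": token(rec["employee"])} for rec in log]


def anonymise(log):
    """Swap the HR key for a random token that exists only inside this call. The
    key-to-token mapping is discarded on return and never persisted, so nothing can
    link the token back to a person; action, system and date survive for traceability."""
    mapping = {}
    out = []
    for rec in log:
        tok = mapping.setdefault(rec["employee"], "anon-" + secrets.token_hex(4))
        out.append({**rec, "employee": tok})
    return out  # `mapping` is dropped here; re-linking is no longer possible


def apply_retention(log, today_iso):
    """Retention-expiry step: anonymise records older than RETENTION_DAYS, leave the
    rest untouched, and return a dated receipt documenting that the step was carried
    out (the accountability record the article asks you to keep)."""
    today = date.fromisoformat(today_iso)

    def expired(rec):
        return (today - date.fromisoformat(rec["date"])).days > RETENTION_DAYS

    live = [rec for rec in log if not expired(rec)]
    old = [rec for rec in log if expired(rec)]
    receipt = {"date": today_iso, "anonymised": len(old), "retained": len(live)}
    return live + anonymise(old), receipt
```

Run `apply_retention(AUDIT_LOG, "2027-03-16")` to see the two 15 March records anonymised while the 17 March record, still inside the two-year window, keeps its HR key.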

How to document the offboarding process (and why it's essential)

The GDPR doesn't just require you to comply — it requires you to demonstrate that you comply (accountability principle, Art. 5.2). This means you need a record of what you did and when.

For every employee who leaves, you should be able to show:

  1. What access they had at the time of departure
  2. When each access was revoked and who did it
  3. What data is being retained and under which legal basis
  4. When it's scheduled for deletion

A message saying "I've removed them from everything" is not enough. You need a structured, dated, traceable record.

The most common mistake: the informal offboarding

In small businesses, the departure process usually goes like this: someone announces they're leaving, there's a handshake, and the contract is closed out. Digital access is forgotten.

Two weeks later, the former employee is still receiving CRM notifications. Or they're still in the WhatsApp group with customer data. Or their Google Workspace account is still active and sending emails in the company's name.

This isn't just a security problem. It's a documentable GDPR violation that any customer or employee could report to your national data protection authority.

The solution doesn't require an HR department. It requires a process.

GDPR offboarding checklist

Save this list and run through it every time someone leaves:

On the day of departure (or before):

  1. ☐ Revoke access to corporate email
  2. ☐ Revoke access to all digital tools and platforms
  3. ☐ Remove from company messaging groups
  4. ☐ Change passwords on shared accounts
  5. ☐ Recover any corporate devices

Within 7 days:

  1. ☐ Verify no active access remains (check Google Workspace admin, Slack, etc.)
  2. ☐ Archive or reassign their conversations and documents
  3. ☐ Document what access they had and when each was revoked

Retain with a set expiry date:

  1. ☐ Payroll and employment records (4–6 years depending on your country)
  2. ☐ Tax documentation (4–7 years)
  3. ☐ Internal system activity logs (2 years recommended)

When the retention period expires:

  1. ☐ Delete or anonymise the retained data
  2. ☐ Record that the deletion was carried out

Tools that can help

If you're managing this process manually (spreadsheets, emails, calendar reminders), the risk of something slipping through is high, especially if you have frequent turnover, as is common in hospitality, retail, or cleaning.

Klibio automates exactly this process: it generates the access revocation checklist for each departing employee, assigns each step to the right person, records who did what and when, and exports the full audit trail as a PDF if you need to demonstrate compliance in an audit or dispute.


Questions about GDPR compliance for your business? Write to us at privacy@klibio.com and we'll help you figure it out.
