Different phases of the employment relationship


What data are employers allowed to use? What do they have to do?

Employers in the private sector are required to process a great deal of personal data relating to their employees at various times, from the recruitment process through an employee’s working career to the termination of employment. In doing so, employers must protect and respect the personality rights of their employees.

During the recruitment process (application and interview):

Employers may process data on applicants to determine their suitability for the job in question. 

Application and interview

Employers may only ask an applicant for the information and documents needed to determine whether the applicant meets the requirements for the job and is suited to the business. If the job is as a cashier, for example, an employer may ask applicants if they have ever been convicted of a crime of dishonesty. But systematically asking candidates about convictions that are spent or that have no relevance to the job in question would be going too far.

Questions about education, previous employment experience and professional goals are generally allowed. However, questions about candidates' financial circumstances, possible debts, whether they have any medical conditions or are pregnant are only allowed if there are special reasons for doing so in view of the position to be filled. Questions about family background, membership of any groups or associations (e.g. a trade union), religion, philosophical or political beliefs are only allowed if they are relevant to the company's 'ideology'.

If potential employers want to request information from third parties, for example from current or former employers, they must obtain the consent of the applicant beforehand. Likewise, current or former employers cannot give any information to a new employer without the consent of their employee or former employee. In addition, the information provided must be relevant to the job in question (e.g. details of the employee's performance and conduct at work). Current or former employers are not permitted to grant access to the personal file of the current or former employee, nor should they disclose the terms of the employee's contract, as this type of information could significantly weaken an applicant's position.

The application file may only be accessed by authorised persons, i.e. generally by the personnel department or by the line manager. 

End of the recruitment process

At the end of the recruitment process, documents submitted by unsuccessful candidates must be returned to them and copies, if any, must be destroyed unless there is a legitimate reason not to. Employers can only keep documents that belong to them, e.g. letters of application and references that they have requested, which will then be destroyed. 

If the applicant agrees, documents may be kept for a pre-determined period of time where there is reason to believe that they will need to be re-used in the near future. It may even be possible to retain documents without the consent of the person concerned, if the company has an overriding interest in doing so and the person concerned is informed.

During the employment relationship:

During the employment relationship, a file is kept on each employee. This file should only contain data that are essential for the performance of the employment contract. The main documents and data contained in personnel files include the contact details and address of the employee concerned, the application file, the references requested about the applicant, the results of any tests he/she has undergone as part of the recruitment procedure, the contract of employment, information relating to absences caused by illness and holidays, salary and insurance data, appraisals, training courses and career plans, disciplinary measures (warnings, reprimands, fines), correspondence between the employee and the employer, notes on specific events, register extracts and medical certificates. Personnel files should be sorted regularly to remove unnecessary documents. The data contained in the files must be processed solely by the personnel department and be accessible only to those departments entitled to use them.

Personal data must only be made accessible to those persons who are entitled to have access to them to carry out their duties. Access must be documented by the company in a way that makes it clear who has read the file.

In general, employers may not disclose any personal data to third parties (e.g. provide information on employees' income to landlords or credit institutions) without the consent of the person concerned unless required to do so by law. This also applies if another company in the same group or, if the contract has been terminated, a potential employer wants to obtain information about an employee or ex-employee. Information about employees' illnesses is covered by medical confidentiality; doctors are obliged to treat as confidential any information that comes to their knowledge in the course of their professional activity. Patient data may only be disclosed to third parties if the patient agrees or if the law allows it. This also applies to employers if an employee is ill and a medical examination is carried out by the company doctor.

After the end of the employment relationship: 

Once the employment has been terminated, only essential data can be kept, such as data that must be kept in order to comply with legal requirements (e.g. accounting, social insurance or tax data) or data whose retention is in the interest of the employee (e.g. documents required to issue an employer's reference). Data that the employer needs for an ongoing dispute may also be stored. The retention period in each case depends on the category of data. It is normally between 5 and 10 years depending on what the law prescribes. In other cases, the data must be destroyed as soon as their retention is no longer required. Employees retain the right of access set out in Article 25 FADP even after their employment relationship has ended.


The main provisions

Here you can find out more about changes to the Data Protection Act, which came into force on 1 September 2023.

Last modification 11.05.2023
