HR Data Breaches and GDPR: 8 Concrete Examples

An HR data breach is defined by Article 4.12 of the GDPR as any security incident leading to the destruction, loss, alteration, or unauthorized disclosure of employees' personal data. The most common examples of HR data breaches under the GDPR involve particularly sensitive information: payslips, the social security number (NIR in France), health data, or disciplinary records. The CNIL actively monitors these failures, and GDPR penalties for companies can reach 4% of global annual turnover. Understanding these concrete cases is the first step toward strengthening your compliance posture.

1. HR Data Breach Examples: Poorly Secured Server Migration

A server migration carried out without first deleting the data constitutes a sanctionable GDPR breach. A 2026 ruling confirmed that accidental access by a colleague to payslips exposed during a poorly secured migration was enough to constitute a breach. This type of incident occurs when IT teams transfer data without verifying that the old servers have been properly wiped and disconnected.

Failing to delete HR data on obsolete servers increases the attack surface and exposes the company to litigation years after the fact. Payslips, contracts, and performance reviews remain accessible long after their active use if no purge procedure is formalized.

Pro tip: Before any migration, draw up a complete inventory of the stored HR data and validate its permanent deletion on each source medium with a formal report signed by the CISO.

2. Unauthorized Access to Employee Files

Unauthorized access occurs when a manager or colleague consults HR data without clearance. This is common in companies where access rights are not compartmentalized by role. HR access management requires that sensitive data be isolated and that unauthorized managers cannot access it.

The risk is heightened when access logs are not retained or analyzed. Without traceability, the company can neither detect the incident nor prove its good faith to the CNIL.

3. Sending Payslips to the Wrong Recipient

Sending a payslip by unsecured email to the wrong recipient is one of the most common human resources GDPR violations. This type of human error directly exposes the social security number, gross salary, and bank details of the employee concerned. Unsecured email transmission is a documented risk: simple password encryption is often still insufficient.

Using a compliant digital safe is the recommended method for transmitting paperless payslips. This solution ensures that only the relevant employee can access their document, via personal authentication.

4. Excessive Retention of Former Employees' Data

Indefinite or excessive retention of former employees' data is the most common pitfall in GDPR non-compliance. According to the CNIL, retention periods are strictly regulated: badge logs must be deleted after 3 months, while payslips may be kept for 50 years. Other data, such as unsuccessful applications or performance reviews, must be erased once the applicable legal time limits have passed.

Many companies retain all HR files by default, with no automated purge procedure. This inertia constitutes an ongoing breach, exposed to any CNIL inspection.
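To make the purge procedure this section calls for concrete, here is an added example (not code from the original article or from Safe-doc) that applies the two CNIL periods quoted above to a constructed set of HR records. The reference date each period runs from (event date for badge logs, pay date for payslips) and the record categories are assumptions of the example; categories with no documented limit are flagged for review rather than silently kept, which is the "retain by default" pitfall the text describes.

```python
from dataclasses import dataclass
from datetime import date

# Retention limits cited in the article (CNIL periods); the reference date
# each limit runs from is an assumption of this example.
RETENTION_MONTHS = {
    "badge_log": 3,      # 3 months from the badge event
    "payslip": 50 * 12,  # 50 years from the pay date
}


@dataclass(frozen=True)
class HrRecord:
    record_id: str
    category: str
    created: date  # event date (badge log) or pay date (payslip)


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic without third-party libraries.
    Clamps the day to the target month (31 Jan + 1 month -> 28 Feb)."""
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    next_month_start = date(year + (month == 12), month % 12 + 1, 1)
    last_day = (next_month_start - date(year, month, 1)).days
    return date(year, month, min(d.day, last_day))


def purge_plan(records, today: date):
    """Split records into (purge, keep, review) lists of record ids.
    'review' holds categories with no documented limit: they must be
    assessed explicitly, never retained by default."""
    purge, keep, review = [], [], []
    for r in records:
        months = RETENTION_MONTHS.get(r.category)
        if months is None:
            review.append(r.record_id)
        elif add_months(r.created, months) <= today:
            purge.append(r.record_id)
        else:
            keep.append(r.record_id)
    return purge, keep, review


# Constructed sample inventory, as a migration pre-check would produce it.
SAMPLE_RECORDS = [
    HrRecord("badge-1", "badge_log", date(2025, 12, 1)),
    HrRecord("badge-2", "badge_log", date(2026, 1, 20)),
    HrRecord("pay-1", "payslip", date(1975, 6, 30)),
    HrRecord("pay-2", "payslip", date(2010, 1, 31)),
    HrRecord("review-1", "performance_review", date(2015, 3, 1)),
]

if __name__ == "__main__":
    print(purge_plan(SAMPLE_RECORDS, date(2026, 3, 15)))
```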

5. Processing Without a Valid Legal Basis

Processing HR data without a valid legal basis is a direct violation of the GDPR. Employee consent is often deemed invalid by the CNIL, because the inherent imbalance between employer and employee taints the consent. The correct legal basis in HR is generally the performance of the employment contract or compliance with a legal obligation.

This pitfall applies in particular to processing related to employee monitoring, internal investigations, or the collection of health data. Basing such processing on consent exposes the company to immediate reclassification during an inspection.

6. Failure to Respond After Detecting a Vulnerability

The absence of corrective measures after detecting a vulnerability significantly aggravates potential penalties. The CNIL made this principle a central message in 2026: failing to respond to a known vulnerability is considered a fault distinct from the initial breach. This stance means that a company that detects an incident and fails to act exposes itself to a double penalty.

The legal procedure requires notification to the CNIL within a maximum of 72 hours. If the data concerned is sensitive, such as the social security number or health data, the affected employees must also be informed directly.

7. Exposure of Sensitive Data: Health, Disability, Social Security Number

Health data, disability data, and the social security number belong to the special categories under Article 9 of the GDPR. Their exposure constitutes a personal data breach of heightened severity, triggering a reinforced notification obligation under Article 34 of the GDPR. Breaches involving health data require direct communication to the affected employees, in addition to notifying the CNIL.

Such data frequently appears in HR files: sick leave, disability declarations, and benefits certificates. Processing it requires a specific legal basis and reinforced security measures, such as GDPR pseudonymization.

8. What Are the GDPR Penalties for Companies?

Financial penalties tied to GDPR breaches can reach 4% of global annual turnover. The average cost of a breach is estimated at 4.4 million euros in 2025, with average fines of 2.1 million euros for security failures. These figures show that HR non-compliance is not a theoretical risk.

Beyond fines, companies are exposed to labor court litigation. An employee whose data has been exposed can take the matter to an employment tribunal to obtain compensation for the harm suffered. Reputational risks round out the picture: a public sanction from the CNIL has a lasting impact on the employer brand.

"When a vulnerability is known, the absence of immediate corrective measures significantly aggravates potential penalties." — CNIL, 2026


Key Takeaways

HR data breaches expose companies to fines of up to 4% of global annual turnover and to employee litigation, making GDPR compliance non-negotiable for any HR department.

Point | Details
Server migration | Permanently delete HR data before any migration to avoid residual access.
Retention periods | Apply CNIL time limits: 3 months for badge logs, 50 years for payslips.
Legal basis in HR | Use contract performance or legal obligation, never employee consent.
Notification within 72 hours | Notify the CNIL within 72 hours and inform employees directly if the data is sensitive.
Pseudonymization | Apply pseudonymization to sensitive data to reduce the impact of a potential leak.

What I See in the Field in 2026

Most of the HR data breaches I see are not the result of sophisticated attacks. They stem from a botched migration, an email sent too quickly, or a file forgotten on a decommissioned server. This observation should radically change how HR teams approach compliance.

Human risk is trivialized. HR managers know their employees' data is sensitive, but they underestimate the likelihood of an ordinary incident. A colleague accidentally accessing a payslip during a migration: that is enough to trigger a CNIL procedure and labor court litigation.

What worries me even more is the acceleration of Shadow AI within HR departments. Employees use unsecured artificial intelligence tools to process employee files, performance reviews, or health data. These practices create silent breaches, invisible in the logs, yet very real. Protecting HR data with AI is a topic DPOs must put on the agenda right now, not in six months.

My concrete recommendation: organize a quarterly audit of access to sensitive HR data and formalize a response procedure of under 24 hours. The CNIL does not only penalize the breach. It penalizes inaction.

— Jacques


Safe-doc for HR Compliance

HR teams that process employee files with AI tools expose themselves to silent breaches if no protective layer is in place. Safe-doc addresses this risk precisely by pseudonymizing sensitive documents before any AI processing, without ever storing the files.

https://safe-doc.ai

Safe-doc integrates with existing workflows and allows HR professionals to keep using their usual tools while remaining GDPR-compliant. The platform guarantees real-time processing with no data retention, eliminating the residual risk tied to Shadow AI. The audit and pseudonymization solutions offered by Safe-doc are designed for DPOs and HR managers seeking operational compliance, not just documentary compliance.


Frequently Asked Questions

What is an HR data breach under the GDPR?

An HR data breach is any security incident exposing employees' personal data, whether accidental or malicious, as defined by Article 4.12 of the GDPR.

Which HR data is most exposed to breaches?

Payslips, the social security number, health data, disciplinary records, and badge logs are the HR data most frequently involved in breach cases.

What is the deadline to notify the CNIL of an HR breach?

The employer must notify the CNIL within a maximum of 72 hours after becoming aware of the breach. If the exposed sensitive data presents a high risk, the affected employees must also be informed directly.

What penalties does a company face for a GDPR breach in HR?

Fines can reach 4% of global annual turnover, with an average cost estimated at 4.4 million euros per incident in 2025. Labor court litigation and reputational damage add to this.

How can AI-related HR data breaches be prevented?

Pseudonymizing documents before any AI processing is the recommended method. It reduces the exposure of personal data without changing HR teams' tools or work habits.