Gartner for HR

Practical Privacy — Managing HR Data
Refreshed 8 July 2022, Published 25 January 2021 - ID G00740474 - 22 min read
FOUNDATIONAL This research is reviewed periodically for accuracy.

By Analyst(s): Nader Henein, Helen Poitevin, Bart Willemsen


Initiatives: Cybersecurity and IT Risk; HCM Technology Transformation; Privacy
Program Management

Employee data represents a substantial portion of privacy risk and
the lion’s share when it comes to B2B organizations. Security and
risk management leaders should actively administer human
resources application and associated vendor risk by enforcing
minimal and deliberate processing practices.

Overview
Key Findings
■ Maturity in both capabilities and granularity of data control varies greatly between
HR applications, particularly around reporting, record keeping and subject rights
management. Furthermore, data protection implications are not consistently
considered in the acquisition process.

■ Many organizations have shifted to cloud-based HR providers without sufficient
consideration for privacy and cross-border transfer implications.

■ Complementary services (such as benefits, pensions, payroll and insurance) often
lack the sophistication to scale their capabilities in line with the regulatory
requirements for privacy.

Recommendations
Security and risk management leaders responsible for technology, information and
resilience risk should:

Gartner, Inc. | G00740474 Page 1 of 16


■ Aggressively manage personal information in HR workflows by conducting an
impact assessment and implementing proportional retention policies and data
minimization exercises with the intent of limiting the volume and duration of held
records. Outdated and unused data represents pure risk with no benefit to the
business.

■ Assess, monitor and manage privacy risk in HR applications by requiring vendors to
demonstrate alignment with competitive personal data protection standards and
regulations.

■ Establish and enforce transparency within complementary services by developing
detailed data processing agreements. These contractual addenda provide clear
responsibility matrices to ensure that all parties involved understand where one set
of responsibilities ends and the other begins.

Introduction
In the shadow of a growing list of maturing privacy regulations, including the General
Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and
Lei Geral de Proteção de Dados (LGPD), HR data is regarded as highly sensitive,[1]
requiring proportionally more due care and due diligence. Be it demographic details
regarding gender and identity, salaries or just notes from an assessment or an internal
investigation, human capital management (HCM) applications often represent substantial
privacy risk in any organization where the data is stored for long periods of time and
shared with third-party suppliers.

Security and risk management (SRM) leaders must ensure that HR data is only processed
for deliberate, predefined and documented processing purposes. Mishandled employee
data does not merely carry a regulatory impact, but it also erodes trust, affects morale,
and leaves employees in a compromised and dependent position, conflicted about
whether to take legal action against their employer. Furthermore, the resulting reputational
damage and employee distrust hinder the organization’s capacity to hire and retain the
best and the brightest.

As part of the Gartner Practical Privacy Series, this research pulls
from our larger client community to provide tried and tested
guidance in balancing the utility that comes through the business
value gained from human capital management data and processes
with the risk to individual privacy.

Analysis
Assess and Manage Your HR Workflows
The aim of HCM applications is to help ensure the efficient allocation of staff, support
the talent management life cycle, improve employee engagement and, often, manage
contingent worker data. (For more detail see Market Snapshot — Human Capital
Management, Worldwide, 2020.) They manage HR workflows and track role
assignments of an employee’s tenure within an organization from start to finish.

Regardless of how much of the organization’s human capital management is done
internally and how much is outsourced, accountability sits with the employer. In a lawsuit
raised by 60,000 current and former staff following a security incident, a large university
in the United States was found liable for data breaches caused by improper care.[2]

Furthermore, with a majority of core HR applications residing in, or transitioning to, the
cloud, data residency concerns arise, such as those following the Schrems II ruling (July
2020), and the invalidation of Privacy Shield. (For further detail, see Practical Privacy —
Balancing Data Residency Requirements With Business Needs.)

The three subsections outlined in Figure 1 focus on an organization’s duty to assess the
impact of HR workflows on employee privacy and adequately protect employee data —
past, present and future. The research goes on to address concerns while selecting
service providers (processors) and solutions that are able to handle personal
information appropriately.

Figure 1: Critical Privacy Considerations Across Three Key HR Workflows

Past Employees
Basic mathematical modeling shows that with moderate staff growth of 10% and an
average turnover of 15%,[3] the number of past employees surpasses the current
headcount by year 10. Many organizations are holding more personal data on their past
employees than their current staff. In some countries, such data retention may be required
by law, but holding the data in active storage exposes it to unnecessary risk. This requires
whole teams and multiple outsourced providers to deal with pensions and complementary
services for past staff members.

SRM leaders who do not take steps to minimize these records will find themselves with a
higher privacy risk for unused data than for that held to maintain the active employee
population.

SRM leaders should ensure that HR data on departing employees, held both internally and
with service providers, follows a clear and strict data retirement process that is audited
periodically. This transition (from current to former employee) is a natural opportunity for
risk minimization through a variety of options (see Practical Privacy — Managing Data
Retention and Backups). The core focus at this stage is that the data held provides a
healthy balance between utility to the organization (for example, through talent analytics)
and privacy risk to the departing employee.

Existing Staff
To manage employee HR workflows as well as eligibility for employee benefits, HCM
applications process a large variety and an increasing volume of data. This data is
seldom stored exclusively within the organization’s HCM applications; it’s also frequently
shared through various channels with third-party providers, often crossing borders. This is
common practice in domains such as payroll and benefits management.

HCM applications come with varying degrees of governance capabilities. Issues often
arise as organizations blur the lines between the data they need or are required to hold
and data held due to unclear or unenforced retention policies. (To employ further security
rigor, please review How to Use the Data Security Governance Framework.)

With the move to remote work, employee activity data is increasingly collected and
analyzed as an alternative to in-person mentorship. This is done more and more in non-HR
applications without adequate due diligence. The Microsoft Productivity Score mines
employee behavioral data across the Office 365 ecosystem, which makes it a very strong
tool for digital transformation. This offering was launched in November 2020, and by
December concern over privacy was so great that Microsoft updated the product to
exclude specific employee data and only show aggregate insight.

Note regarding the CCPA: Data collected in the process of employment activities is not
currently covered by the California Consumer Privacy Act. That exemption would have
expired[4] at the end of 2021; but following the approval of the California Privacy Rights
Act (CPRA) on 3 November 2020,[5] that moratorium has been extended by a year to the
end of 2022. This is not to say that the parties involved in the negotiation will not reach an
agreement ahead of that deadline. SRM leaders should put a plan in place to offer the
same rights available to consumers to their employees.

While handling data internally or having it processed by a third party, transparency is
critical. An employee portal, closely integrated with the HCM and other HR services, is
strongly advised to enable staff to administer their own data and self-serve subject rights
requests (SRRs). This should be a key consideration in selecting the organization’s HCM
platform and other HR solutions.

Future Hires

The data associated with each candidate increases substantially as the hiring process
moves forward. For SRM leaders, understanding the steps where data is collected during
this process is crucial so as to best identify the associated systems where that data will
need to be purged at the conclusion of the process. The following three steps outline the
main data collection junctures, where transparency is a crucial aspect:

■ Source/pipeline — Information collected once a candidate has shown interest in the
organization or when recruiters have placed a profile within a talent pool.

■ Post/assess — A position is opened and prospects are added to the process either
actively (through application) or passively (selection from the existing talent pool).
The assessment of the existing candidate data starts, as well as the collection of
complementary information (such as background checks).

■ Select/hire — Once a candidate is hired and their information is integrated as part of
the employee pool, the HR team is left with a fair bit of data collected with the
explicit intention of hiring for a position that is now closed.

SRM leaders must evaluate the systems associated with the steps of the hiring process.
This should ensure that the decision to hold, purge or treat candidate data is conducted
purposefully and with a lawful basis justification. Clear guidelines reflected in technical
controls within the HCM solution maintain valid purposes of processing and remove
guesswork as well as conflicting opinions from the process.

The following two outcome-driven scenarios in the hiring process provide an example of
policy applications.

Negative Outcome

If the applicant is not successful, the organization adopts a structured approach:

■ The HR team sees value in the applicant and the organization holds the resume for
future opportunities, given the appropriate consent. Most organizations hold this
data for a period of six months to a year, though this may vary per country, as some
have applicant data retention requirements to help ensure compliance with
antidiscrimination laws.

■ Request on a regular basis if the candidate has any updates, and if they allow the
organization to continue to hold their data for future opportunities. This may be of
particular interest for organizations that have high volumes of seasonal hiring to do,
and that would find value in contacting past employees and others in maintained
candidate pools to quickly fill temporary positions.

■ Mask personal data and maintain only anonymized data to feed into talent-
matching algorithms and models.

■ Delete all information gathered about the applicant within four weeks. Most
organizations view this period to be a reasonable time frame.

Positive Outcome

When the applicant is successful, the HR team will transfer only the relevant information
collected in the hiring process to the active employee record.

For new hires, access to data regarding their previous experience may in fact help them
acclimate better by connecting with new colleagues who have had similar experiences. It
may also help them access new opportunities later in their tenure at their new employer,
leveraging previously acquired skills and knowledge.

Common Considerations
The following considerations represent common concerns raised through analyst
inquiries around the handling of HR data and the thought process involved in tackling
them.

Raw Data Versus Scoring

Some highly regulated data points, such as background checks, may be required by law
(for example, when working with children and vulnerable individuals). However, they are
quite intrusive and must therefore be applied transparently (by informing the applicant in
advance) and with due care (possibly through a specialized vetting agency). Avoid
holding data from background checks. Consider developing a scoring system for your
third-party provider so that, based on its findings, it returns only the final score, upon
which you can base your hiring decision. This ensures that the aforementioned sensitive
data does not change hands and is not subsequently stored unnecessarily.

Consent and Legal Basis of Processing

Should the HR team choose to seek consent from a prospect or an employee to hold or
process their data, bear in mind that one of the requirements for valid consent is that it be
“freely given.” In many cases, if an organization asks a new employee or a prospect to
provide consent to have their recruitment data used for other purposes, they may consider
their employment predicated on approval, which means it is no longer freely given. As
such, consent should be avoided as a lawful basis of processing HR data; if it cannot be
avoided, it should be used sparingly.[6]

Table 1, originally published by the French data protection authority,[7] demonstrates the
mapping organizations should maintain for employee data processing activities against
clear purposes of processing and legal basis.

Table 1: Mapping Purpose and Legal Basis When Processing Employee Data
(Enlarged table in Appendix)

Employee Monitoring

Automated employee monitoring has increased exponentially, tied to the increase in
remote work. Though employers have a legitimate right to protect their assets and their
clients through logging and employee monitoring, these activities should be done
purposefully and under careful scrutiny.

Figure 2: Employee Productivity Monitoring Data Sources and Analysis

This is conducted traditionally through a mix of overt monitoring (such as surveillance
cameras and security guards) and covert monitoring (such as email scanning and
behavioral analysis). Many organizations prefer covert methods as they can be
configured to be less intrusive and there is a measurable impact on productivity
if staff feel overly surveilled.[8]

SRM leaders are advised to be transparent and proportional regarding monitoring
activities as well as the purpose behind them, carefully balancing the legitimate interest
of the organization (see Toolkit: Balance the Organization’s Legitimate Business Interest
With the Individual Privacy Rights) against the privacy rights of their employees. Failure to
do so can result in substantial fines, as a German retailer discovered following an
investigation by the regulator, which resulted in a €10.4 million fine.[9]

Proportionality and due care are especially critical as work from home has been
established as a viable, long-term option for many employees (see A Framework for
Collecting Employee Data, Post-Pandemic). There have been multiple instances where
organizations have taken an aggressive approach to employee monitoring to their
public detriment.[10][11]

Examples of the impact of employee monitoring decisions include:


■ An organization has embraced remote work, with most employees communicating
internally and externally through online meeting solutions. These solutions offer the
capacity to record each session. As employees are working from home, their
surroundings and potentially their personal lives may from time to time slip into
these recordings. Work from home (WFH) should not mandate the surrender of
privacy at home. The organization should consider adapting its data retention
strategy to hold the audio exclusively where necessary, discarding camera feeds.

■ An organization installs biometric readers at all entry and exit points to facilitate
access control, increasing security, reducing the cost of access cards and the
overhead involved when employees misplace them. Six months after deploying the
system, management decided to use the log data to measure employee attendance.
This may seem fairly innocuous, but the organization collected biometric data
(deemed sensitive in most jurisdictions) for the explicit purpose of access control
and later used it for a different purpose (attendance). This is viewed by most
regulators as a violation of the “Use Limitation Principle,” which is quite common in
most privacy regulations.

■ An organization experiences a sudden series of thefts in the employee locker rooms.
After various mitigating measures fail (for example, replacing locks and maintaining
entry logs), the decision is made to install hidden cameras. With board approval, the
monitoring systems are installed, and after only a few weeks the culprit is caught
and disciplined. The thefts cease, yet over a year later the cameras are still in place.
Later, they are discovered by a new employee and a complaint is filed with the
regulator; the organization is found to be in violation. With the original purpose now
concluded, neither the cameras nor any of the footage should have been kept. An
exception may be made for the segment involving the culprit for the purpose of
maintaining evidence and pursuing legal action.

For further detail on this space, please review the Market Guide for Employee-Monitoring
Products and Services.

Talent Analytics

Data gathered through the employee life cycle is used for many types of metrics and
insights that help HR leaders and other executives make more data-driven talent
decisions. For example, it may be used to determine which hiring sources produce the best
candidates, or which candidate characteristics are most predictive of fitness for a role
and subsequent performance (see Technology Options for Talent Analytics).

Many HCM applications have introduced the automated processing of historical data to
provide suggestions to employees, managers and HR staff. Examples of such capabilities
include:

■ Employee flight risk analytics — Examining which employment conditions, behavior
and other independent variables point to an employee being at a higher probability
of leaving the organization.

■ Fitness for a new role or a next career step — Commonly referred to as succession
planning, this allows organizations to identify how performance, peer assessments
and skill development indicate when an employee is ready for advancement.

As HR explores more use cases for predictive analytics and machine learning to mine
historical data, SRM leaders must flag and, in some instances, block significant privacy
risks associated with purpose limitation violations relating to sensitive personal data. In
flight-risk-predictive models, solutions that are used for communication purposes (such as
email) may also be considered to track whether an employee is at risk of leaving the
organization by looking at patterns of slowing responsiveness.

Assess, Monitor and Manage Privacy Risk in HR Applications


HR systems address a wide range of requirements, starting with requisitions for new roles,
throughout the lifetime of an employee and beyond, into retirement. These systems
almost always integrate with third-party business process outsourcing (BPO) providers, as
the breadth of services is rarely, if ever, handled exclusively within the organization.

The first task when tackling privacy concerns in HR systems is to create a risk register
associated with common, employee-facing processing activities. These activities span the
employee life cycle and may include new role requisition, onboarding, ongoing employee
life cycle management and managing worker transitions through offboarding and
postemployment services. The risk assessment is not limited to full-time employees.
Seasonal workers (such as temporary staff, interns and contractors) should see their data
processed with equal care.

The privacy risk register should identify not only the risk given the sensitivity and volume
of personal data in isolation, but also the metadata and capabilities HR solutions provide
concerning:

■ Maintaining records of processing activity (ROPA) centered around the individual.

■ Handling subject rights requests. For further guidance on this subject, see Market
Guide for Subject Rights Request Automation.

■ A data retention register to apply applicable laws and regulations to different classes
of employee records across jurisdictions.

Vendor Responsibility
HCM software comes in all shapes and sizes. A cloud-based deployment will see more of
the stack managed by the vendor, whereas an on-premises deployment will see much of
the responsibility held within the organization. The deployment approach will impact the
organization’s shared responsibility model regarding managed personal data.

Vendors developing HCM solutions and managing HR data should clearly differentiate
themselves along two axes:

■ Solutions should provide the capabilities needed to support clients in their
requirements to comply with privacy regulations. Vendors must provide purpose-
built interfaces so clients can respond to SRRs or disclose a personal data breach in
a timely manner. An HCM solution that does not readily provide for these capabilities
increases operational costs and exposes the client to regulatory fines.

■ Solutions should not expose clients to disproportionate privacy risk owing to the
way they process personal information. Vendors should be able to independently
quantify (through external audit) the privacy risk their solutions represent and how
they mitigate these risks.

SRM leaders must support their HR counterparts when reviewing HCM products by
running a detailed data protection impact assessment (DPIA). This process audits the
vendor’s capacity to provide for the principles of privacy engineering. In turn, this places
the data owner’s (the employee’s) privacy at the heart of the decision-making process.

HCM vendors may choose to focus on their core offering, embedding privacy
management capabilities through partnership with specialized vendors (for further
detail see Market Guide for Subject Rights Request Automation).

Some organizations with large workforces find that responding to SRRs from employees
has become a full-time undertaking. These organizations should ensure that the privacy
vendors that support them provide a self-service portal for current and past employees
where they have transparency and control over their personal records.

Common Considerations
Be it fully managed in the cloud or part of an owned on-premises deployment, these
considerations should always be taken into account during the selection, administration
and periodic review of the systems and providers that handle HR data:

■ Data loss — Recruitment systems are developed to connect and integrate with third-
party services such as LinkedIn or Twitter. In many cases, these integrations expose
the organization to risk through misconfiguration, resulting in unintentional data
loss. Exposing personal data to a third party with no lawful basis is a violation of
most privacy regulations.

■ Lateral exposure — Depending on the level of integration, lapses in security within
BPO providers may present a point of ingress to attackers.

■ Cross-border transfers — HCM systems involve moving employee data from
multiple jurisdictions into one or more centralized locations. Ensure that the
organization has transparency (the employees are aware of the move); that there is
a lawful basis to transfer the data (such as legitimate business interest); and a valid
mechanism in place (for example, EU standard contractual clauses when the data is
in scope of the GDPR). Also bear in mind that in certain jurisdictions, employee
groups such as the works councils (Betriebsräte) in Germany should be involved in
any such decisions from the start to avoid painful and expensive u-turns later on.

Enforce Transparency Within HR Complementary Services


Complementary services to HR workflows support the business and the employees by
providing a rich benefits ecosystem that promotes attracting new talent and improves
retention. For this ecosystem to exist and grow, SRM leaders must clearly define and
enforce responsibilities through data processing agreements (DPAs; see Beyond GDPR:
How to Scrutinize a Data Processor Agreement). These documents outline a matrix of
processing activities and controls to ensure that all involved understand where one party’s
responsibilities end and the other’s begin.

Five Steps to a Comprehensive DPA

The moment the processing of personal data is outsourced to a third-party service
provider, the risks of data misuse and regulatory noncompliance expand. SRM leaders
must focus on distinct tasks and the requirements to fulfill them when entering into an
agreement with a third party that will handle HR data. SRM leaders should:

■ Create a clear and concise set of general processing guidelines for personal
information in line with the organization’s policy and the associated regulatory
requirements. This document will be the same for any third-party service provider.

■ Supplement the general processing guidelines with a responsible, accountable,
consulted and informed (RACI) matrix that clearly defines the data records, the valid
processing activities and the responsibility assignments. This appendix will be
customized for every service provider offering based on the service and level of
involvement.

■ Define an oversight structure that encourages a “check first” approach for service
providers. This will foster a transparent relationship in which the organization has
visibility and control over further subprocessing and the overall compliance posture,
allowing it to provide feedback and guidance on an ongoing basis.

■ Include third parties that process personal information in scheduled drills (incident
response and SRR fulfillment), as they now form part of the extended data-
processing chain.

■ Document clear exit terms for the data held by third parties. This should include how
data should be returned (structure and format), as well as data retention guidelines
and subsequent data destruction attestations.

Finally, a close collaboration with legal counsel is necessary for the contract draft to
ensure that the guidelines follow the data and are not limited by geography or the
handling party (see Key Privacy Considerations for Vendor Selection and Control).

Acronym Key and Glossary Terms
BPO: Business process outsourcing
CCPA: California Consumer Privacy Act
CPRA: California Privacy Rights Act
DPA: Data processing agreements/addendum
GDPR: General Data Protection Regulation
HCM: Human capital management
LGPD: Lei Geral de Proteção de Dados
WFH: Work from home

Evidence
[1] Art. 9 GDPR: Processing of Special Categories of Personal Data, Intersoft Consulting.
[2] Workers Can Sue Employer for Failing to Protect Personal Data, Hutchison & Steffen Attorneys.
[3] What Is the Ideal Employee Turnover Rate? Monster.
[4] California Extends Employee and B2B Exemptions under the CCPA, JD Supra.
[5] California Voters Approve CPRA, JD Supra.
[6] Greek Data Protection Authority Fines PwC Over Unlawful Processing of Employee Data, Birketts.
[7] Relatif aux Traitements de Donnees a Caractere Personnel Mis en Oeuvre par des Organismes Prives ou Publics aux Fins de Gestion du Personnel, CNIL.
[8] Why Hiding From Managers Can Increase Worker Productivity, Forbes.
[9] New German Fine: EUR 10.4 Million for Unlawful CCTV, Norton Rose Fulbright.
[10] Barclays Scraps ‘Big Brother’ Staff Tracking System, BBC.
[11] PwC Facial Recognition Tool Criticised for Home Working Privacy Invasion, Personnel Today.

Recommended Resources for Gartner Clients
The Distributed Workplace of the Future Is Now
How CIOs Must Lead the Ethical Debate on Remote Employee Monitoring
Client Questions Video: How to Deal With EU-U.S. Personal Data Transfers (With
Privacy Shield Gone)?
Critical Capabilities for Meeting Solutions
The State of Privacy and Personal Data Protection, 2020-2022
Getting Value From Employee Productivity Monitoring Technologies for Remote and
Office-Based Workers

How to Harness Voice of the Employee Insights for Continuous Employee Experience
Improvement

© 2022 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of
Gartner, Inc. and its affiliates. This publication may not be reproduced or distributed in any form
without Gartner's prior written permission. It consists of the opinions of Gartner's research
organization, which should not be construed as statements of fact. While the information contained in
this publication has been obtained from sources believed to be reliable, Gartner disclaims all warranties
as to the accuracy, completeness or adequacy of such information. Although Gartner research may
address legal and financial issues, Gartner does not provide legal or investment advice and its research
should not be construed or used as such. Your access and use of this publication are governed by
Gartner’s Usage Policy. Gartner prides itself on its reputation for independence and objectivity. Its
research is produced independently by its research organization without input or influence from any
third party. For further information, see "Guiding Principles on Independence and Objectivity."

Table 1: Mapping Purpose and Legal Basis When Processing Employee Data

| Stage | Purpose of Processing | Legal Basis |
|---|---|---|
| Recruitment | Processing of applications (CVs and cover letters) and interview management. | Contractual obligation (precontract) |
| Recruitment | Maintaining a library of recent applications and CVs. | Legitimate interest |
| Administrative Management of Employees | Management of employee records, kept in accordance with legal and regulatory requirements. | Contractual obligation |
| Administrative Management of Employees | Development and production of statistical reports or lists of employees to meet administrative needs. | Legitimate interest |
| Administrative Management of Employees | Management of internal employee directories and organization charts. | Legitimate interest |
| Administrative Management of Employees | Management of individual endowments supplies, equipment, expenses, vehicles and payment cards. | Legitimate interest |
| Administrative Management of Employees | Management of internal professional elections of employee representatives. | Legal obligation |
| Administrative Management of Employees | Scheduling and administration of internal meetings. | Legal obligation |
| Remuneration and Taxation | Remuneration and processing payslips. | Contractual obligation |
| Remuneration and Taxation | Taxation. | Legal obligation |
| Provisioning of IT Services | Providing employees with IT supplies and subsequent support. | Legitimate interest |
| Provisioning of IT Services | Employee data management for the purpose of identity and access management. | Legitimate interest |
| Provisioning of IT Services | Deployment of solutions and capabilities to ensure normal functioning and security of IT services. | Legitimate interest |
| Provisioning of IT Services | Email and corporate messaging. | Legitimate interest |
| Provisioning of IT Services | Intranet allowing the collection and dissemination of employee data and services. | Legitimate interest |
| Project Management | Management of internal projects relating to employees. | Legitimate interest |
| Career Management and Onward Mobility | Professional assessment of personnel in accordance with labor laws. | Legitimate interest |
| Career Management and Onward Mobility | Skills and competency management. | Legitimate interest |
| Career Management and Onward Mobility | Forecast management of employment and required skills. | Legitimate interest |
| Career Management and Onward Mobility | Management of professional mobility. | Contractual obligation |
| Training and Awareness | Management of training requests and completed training records. | Contractual obligation |
| Training and Awareness | Scheduling of training sessions and knowledge management. | Legitimate interest |
| Social and Cultural Activities | Management of social and cultural activities directly organized by the employer, excluding activities relating to medical and social service. | Legitimate interest |

Source: Commission Nationale de l’Informatique et des Libertés (CNIL)

