Finance | Project Operations, Human Resources, ...

GDPR - After employee leaving the company what should be deleted/hide

(1) Share

Report

Posted on by Ali J

In response to GDPR, what are the required measures that need to be taken when an employment contract is terminated?

Is disabling the user and terminating the worker enough?

I tested deleting the user and the worker connected to the user in UAT, the system allows me to do it, is this the correct measure?

However in the transaction, the username is still there and it is including the name, can this be updated/hidden? what do you think ?

I have the same question (0)

All responses (6)

Answers (0)

Suggested answer

André Arnaud de Cal... 300,915 Super User 2025 Season 2 on at

Like (1)

Report

Hi Ali,

I'm not an expert in GDPR, but as long as you are able to provide information what personal data is stored and ensure only relevant people will have access to it, disabling the user and terminating the employment in HRM is sufficient.

A person in the EU does have the right to be forgotten. He can then request your company to delete all personal data. This is often done by obfuscating name, address and contact details as historical records would prevent you deleting the worker record.

Was this reply helpful? Yes No
Deepak Agarwal 8,598 on at

Like (0)

Report

Hi Andre,

I am wondering if transactional data like PR which may have name of employee, will is consider as personal data at all? As you correctly said we can not delete/modify historical data. Curious to lean what can be done in this case.

Was this reply helpful? Yes No
Ali J 52 on at

Like (0)

Report

Thanks for your reply.

Can you describe the process of obfuscating the name?

If you have a transaction in the system with the username = firstname.lastname this means that all transactions need to be updated, right?

Was this reply helpful? Yes No
Suggested answer

CU25102042-0 2 on at

Like (0)

Report

My line manager retired from the company I work for, several years ago. I am in dispute with the company regarding an issue, which requires confirmation or denial by my retired line manager.

The company maintain under gdpr, they are unable to release the contact address of the retiree, who I wish to contact to provide evidence.

Under what GDPR Exemption or Arrangement can the retiree be approached or contacted.

I live in Ireland, am employed in Ireland & my employer is in Ireland.

Any advise would be greatly appreciated.

Thank you.

Was this reply helpful? Yes No
Suggested answer

Alireza Eshaghzadeh 14,672 Super User 2025 Season 2 on at

Like (1)

Report

Hi,
To be concrete, you only need to sign off (deactivate) the employee. Once transactions are posted, you cannot modify or remove transactions due to accounting and audit rules.

From a GDPR perspective, you should consult a GDPR specialist to confirm the correct approach. In some cases, data obfuscation (masking personal data) can be an acceptable solution.

Keep in mind that deleting an inactive employee—either from Users or Employees—does not remove their information from database tables that store “Created by” or “Modified by” fields. Since these are system-stamped audit fields, you won’t have direct access to them.
If your GDPR consultant concludes that the data must be anonymized, you may need to work with a developer to obfuscate the relevant fields, as long as it complies with legal and system requirements.

Was this reply helpful? Yes No
BillurSamdancioglu 19,703 Most Valuable Professional on at

Like (0)

Report

I am not an expert of GDPR. But if there is a lawsuit or audit, isn't it a problem to delete these kind of data?

Was this reply helpful? Yes No