Personnel file
If you, as an employer, create a personnel file, use and store it and, if necessary, transfer it, you must comply with privacy legislation.
On this page
Contents personnel file
As an employer, you retain all data in an employee’s personnel file that are necessary to perform the employment contract with this employee. Such as data:
- om beslissingen te onderbouwen (salarisverhoging, ontslag);
- to substantiate decisions (salary increase, dismissal);
- to comply with statutory obligations (paying taxes and premiums);
- that are important for, for example, personnel policy.
You must ensure that:
- the data in the personnel file are correct (correctness);
- you do not record more data in the personnel file than is necessary (data minimisation);
- the data are relevant.
What can be included in the personnel file?
You may include the following data in an employee’s personnel file:
- contact details;
- salary;
- copy of identity document;
- citizen service number (Dutch: BSN);
- reports of assessment and performance reviews that have been signed for approval or seen by the employee;
- complaints;
- warnings;
- rate of absence (how often an employee is absent);
- your personal work notes.
What cannot be included in the personnel file?
You are usually not allowed to include the following in the personnel file:
- health data;
- criminal data;
- data on origin (race/ethnicity).
Health data
In principle, you are not allowed to include any data about an employee’s health in the personnel file. Unless your employee has epilepsy, for example, and colleagues need to know this, so they can help this employee if they suffer an epileptic fit.
Criminal data
If criminal personal data about an employee are available, about a conviction, for example, you are usually not allowed to include this in the personnel file. Unless:
- the processing of these data is necessary to protect your interests, such as security and integrity;
- it concerns criminal offences in the workplace;
- the processing is done in accordance with the Works Councils Act.
Data on origin
Data on origin (race/ethnicity) are a special category of personal data. It is usually prohibited to process special categories of personal data.
You may only include information about origins in an employee’s personnel file:
- if this is necessary to identify the person;
- to apply positive discrimination/preferential treatment.
Identification
The use of data about an employee’s appearance may be unavoidable in order to identify that employee. For example, if you employ many employees and you want to determine their identity before they come to work.
In that case, you can issue access badges with photos to all your employees. For example, because the photo of an employee shows their skin colour, the photo is deemed data on origin (race/ethnicity).
Positive discrimination or preferential treatment
If you want to apply positive discrimination, also known as preferential treatment, by which you grant employees from a certain ethnic or cultural minority group a privileged position, it may be necessary to include information about their country of birth or that of their (grand)parents in their personnel file.
You can only include these data if the employees have not objected in writing. They can object at any time and do not have to give a reason for this. In that case, you must immediately stop processing these data.
Positive discrimination/preferential treatment is only permitted if there is a demonstrable disadvantage. Furthermore, you can only use this temporarily, until it is no longer necessary.
Informing employees
You must inform your employees about what you do with their data. For example, which data you record in the personnel file and for what purposes. Your employees have a right to information.
Securing personnel file
You must secure the personal data in the personnel file properly, so the data are not lost or end up in the wrong hands.
For example, you need to determine who has access to an employee’s personnel file. These may only be persons who need data from this employee to be able to do their work. They include the employee’s direct manager or employees of the human resources department.
Some organisations have specific regulations in place for who has access to personnel files. For example, only persons who have undergone (additional) screening.
Digitising personnel file
You can digitise personnel files. You may only destroy the original paper file if you ensure the proper security of the digital file. For example: firewalls when the personnel information system is linked to the Internet. This applies if employees can view their personnel files online.
Retention personnel file
A personnel file contains different types of data. Some data must be retained longer than other data. The general rule is that you are not allowed to retain personal data longer than necessary.
Statutory retention obligation
You are by law obliged to retain some data from the personnel file for a certain period of time. For example:
- You must retain some payroll administration data for 7 years after the employee has left the company. These data are required by the Tax and Customs Administration.
- Wage tax statements and a copy of the identity document of the employee must be retained for 5 years after the end of their employment.
Retain for a maximum of 2 years
For some data from the personnel file, the law does not specify a retention period. In general, you must retain these data for 2 years after the employee has left the company. If the data are no longer needed before that date, you must remove the data immediately.
Examples of these types of data are:
- reports of performance and assessment interviews;
- employment contracts and changes thereto;
- correspondence regarding appointment, promotion, demotion and dismissal;
- agreements about activities for the works council;
- testimonials;
- rate of absence.
Retain longer
You can retain data of your (former) employee for longer if there is (or has been) an employment dispute with this employee or if a court case is pending.
Privacy rights employees
You must offer your employees the opportunity to exercise their privacy rights. For example, they have the right to access their personnel file.
Transferring personnel file
You can transfer personnel files in the event of the bankruptcy, merger or acquisition of your company or organisation. You do have to adhere to the following conditions:
- You announce the transfer of personnel files, for example via the Intranet.
- You only transfer data that are necessary to perform the employment contract. You clean up the personnel files by removing all old data and data that are no longer relevant.
- You give employees the opportunity to view their personnel file and, if desired, exercise their other privacy rights, such as the right to have certain data changed, or to have data deleted.