GDPR-Compliant Leave Management: What German Companies Need to Know
Leave management and GDPR: what data protection obligations apply to German companies? EU servers, access controls, deletion deadlines — the essential overview.
Key Takeaways
- Leave management processes personal data (master data, absences, sick notes) — GDPR compliance is non-negotiable.
- Five core GDPR obligations for leave management: legal basis, data minimization, purpose limitation, access controls, and data subject rights.
- EU server location matters for German companies — providers with US servers or a US parent company create elevated legal risk.
- A Data Processing Agreement (DPA) is mandatory when a third-party provider processes employee data.
- Leave data generally must not be retained for more than 3 years after the end of employment.
Leave management sounds like a mundane administrative topic. But look a little closer and it becomes clear: behind every leave request, every sick note, and every absence record lies personal data — and in some cases, especially sensitive health data.
For German companies, this means the choice of leave management software is also a data protection decision. Act carelessly here and you risk fines, legal warnings, and the trust of your employees.
This article explains what GDPR-compliant leave management actually means in practice — and what to look for when choosing software.
What Personal Data Leave Management Processes
At first glance, leave management seems harmless from a data protection perspective. But a closer look reveals that the data involved is varied and sometimes highly sensitive.
Employee Master Data
Name, department, line manager, employment percentage, start date, leave entitlement — all of this is necessary for accurate leave management and is unambiguously personal data under Art. 4 GDPR.
Absence Data
Who was absent, when, and for how long. This may sound trivial, but a closer analysis can reveal patterns: regular Friday sick days, frequent doctor's appointments, care leave. Absence data can be used to draw conclusions about someone's health, family situation, or job satisfaction.
Sick Notes and Medical Certificates
This is the most critical area. Sick notes are health data — and health data falls under Art. 9 GDPR as a "special category of personal data." Processing this data is subject to stricter requirements than ordinary personnel data.
In practice, this means: sick notes must not be visible to everyone by default. The reason for an illness generally must not be stored in the system — only the fact of incapacity for work and its duration.
What GDPR Concretely Requires for Leave Management
Legal Basis for Processing
Every processing of personal data requires a legal basis. For leave management, this is typically Art. 6(1)(b) GDPR (processing necessary for the performance of a contract) or Art. 6(1)(c) (legal obligation, e.g. under the German Federal Leave Act (BUrlG) or the Continued Remuneration Act (EFZG)). A separate consent from employees is generally not required — and in practice, genuine voluntary consent from employees is difficult to obtain.
Data Minimization
Art. 5(1)(c) GDPR requires that only as much data be processed as is necessary for the given purpose. For leave management, this means: do not store diagnoses, medical reports, or reasons for special leave if they are not strictly required for administration.
Purpose Limitation
Data collected for leave management may not be used for other purposes — for example, not for performance evaluations or to identify employees with high rates of sick leave as candidates for dismissal. That would constitute an unlawful change of purpose under Art. 6(4) GDPR.
Access Controls and Role Concepts
Not everyone should be able to view all absence data. GDPR requires that access to personal data be restricted to the minimum necessary (the principles of data minimization and confidentiality). In practice, this means a role-based access model:
- Employees see only their own data
- Team leaders see their team's data
- HR sees all employee data
- No one sees diagnoses or medical details
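As an added illustration (not the page's or TodayOff's own code), a minimal Python access layer for the role model above, with constructed sample data: the viewer's role decides which rows are returned, a field allow-list keeps any illness reason out of every response regardless of role, each read is written to an audit log, and the same layer serves an employee's own machine-readable export.

```python
import json
from datetime import date

# Constructed sample data, not from the page. The 'note' column stands for
# free-text illness reasons (the page says these must not be stored at all);
# it is included only to show that the access layer never exposes it.
EMPLOYEES = {  # employee -> team and line manager
    "anna":  {"team": "sales",   "manager": "bob"},
    "bob":   {"team": "sales",   "manager": "dora"},
    "carla": {"team": "support", "manager": "dora"},
    "dora":  {"team": "board",   "manager": None},
    "hr1":   {"team": "hr",      "manager": "dora"},
}
ROLES = {"anna": "employee", "bob": "team_lead", "carla": "employee",
         "dora": "team_lead", "hr1": "hr"}
ABSENCES = [
    {"id": 1, "employee": "anna",  "kind": "sick",  "start": date(2024, 3, 4), "end": date(2024, 3, 6), "note": "migraine"},
    {"id": 2, "employee": "carla", "kind": "leave", "start": date(2024, 4, 2), "end": date(2024, 4, 5), "note": ""},
    {"id": 3, "employee": "bob",   "kind": "sick",  "start": date(2024, 5, 1), "end": date(2024, 5, 1), "note": "flu"},
]

# Allow-list of fields any role may read: only the fact and duration of an
# absence. Because 'note' is absent here, no role can reach it via this layer.
VISIBLE_FIELDS = ("id", "employee", "kind", "start", "end")
AUDIT_LOG = []  # access logging (Art. 32): who read which records, and when


def may_view(viewer, subject):
    """Role concept from the page: own data, direct reports, or HR sees all."""
    role = ROLES[viewer]
    if viewer == subject or role == "hr":
        return True
    return role == "team_lead" and EMPLOYEES[subject]["manager"] == viewer


def visible_absences(viewer, records=None, now=None):
    """Rows `viewer` may see, minimized to VISIBLE_FIELDS, with an audit entry."""
    rows = [{k: r[k] for k in VISIBLE_FIELDS}
            for r in (ABSENCES if records is None else records)
            if may_view(viewer, r["employee"])]
    AUDIT_LOG.append({"viewer": viewer, "ids": [r["id"] for r in rows],
                      "at": (now or date.today()).isoformat()})
    return rows


def export_own_data(employee):
    """Art. 20 portability: an employee's own rows as machine-readable JSON."""
    own = [r for r in visible_absences(employee) if r["employee"] == employee]
    return json.dumps(own, default=str, sort_keys=True)
```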
Data Subject Rights
Under GDPR, employees have concrete rights regarding their data:
- Right of access (Art. 15): Every employee can ask what data is stored about them.
- Right to rectification (Art. 16): Incorrect data must be corrected.
- Right to erasure (Art. 17): After employment ends and statutory retention periods expire, data must be deleted.
- Data portability (Art. 20): Employees can request their data in a machine-readable format.
These rights must be technically implementable. Software that offers no export function or deletion process is problematic from a data protection standpoint.
EU Server Location: Why This Matters for German Companies
The Schrems II ruling by the Court of Justice of the EU (CJEU) in 2020 significantly complicated the use of US cloud services by European businesses. The Privacy Shield agreement was declared invalid. While the EU-US Data Privacy Framework has since been introduced as a successor, it too remains legally contested and could be overturned again.
For German small businesses, the safest option is to use only providers that store data exclusively on servers within the EU. This is especially true for sensitive HR data such as sick notes and absence histories.
What many don't realize: even a US company that lists a European server location can be problematic — if US authorities can access the data under the CLOUD Act. This is generally possible with US companies regardless of where the servers are located.
Recommendation: look not just at the server location, but also at the provider's company headquarters and corporate structure. European providers with EU infrastructure are the safest choice.
The Data Processing Agreement (DPA)
When you use cloud software for leave management, the provider processes your employees' personal data on your behalf. This creates a data processing relationship under Art. 28 GDPR.
Requirement: conclude a Data Processing Agreement (DPA) with the provider before you put the software into production use. Without a DPA, you are in breach of GDPR — even if the software itself is technically secure.
What to look for in a DPA:
- Processing purposes clearly defined
- Server locations specified (EU)
- Security measures described (encryption, access controls)
- Sub-processors listed
- Deletion deadlines and data return procedures upon contract termination
Reputable providers make a standardized DPA available and are willing to adapt it on request.
Technical and Organizational Measures (TOMs)
GDPR requires that personal data be protected by appropriate technical and organizational measures (Art. 32). For leave management software, this means specifically:
- Transport encryption: All connections, both between browser and server (HTTPS) and between the application and its database, must be encrypted via TLS.
- Encryption at rest: Stored data should be encrypted on the server.
- Access logging: Who accessed which data, and when?
- Two-factor authentication: Especially recommended for administrator accounts.
- Backups: Regular data backups with encrypted transfer and storage.
Ask your software provider directly for documentation of their TOMs. Anyone who cannot or will not provide this is not a trustworthy partner.
Retention Periods: How Long Can Leave Data Be Stored?
A common practical question: how long must (and may) absence data be retained?
GDPR stipulates that data may not be stored longer than necessary for the purpose (Art. 5(1)(e)). At the same time, statutory retention requirements must be observed:
- Payroll tax-relevant documents (including continued remuneration records): 6 years under § 41 of the German Income Tax Act (EStG)
- Social insurance-relevant records: up to 30 years in special cases
- General personnel files: typically 3 years after leaving (corresponding to the statute of limitations)
Once these periods expire, data must be securely deleted. Your software should offer a deletion function that supports this process.
Common Data Protection Mistakes in Leave Management
From experience, these are the typical violations:
- Reasons for illness are noted in the system: Even if employees voluntarily provide the reason, it must not be stored permanently.
- All colleagues can see all absences: A shared calendar without a role concept is not a data protection-compliant system.
- No DPA with the software provider: The most common formal violation.
- US-based tools without an adequate legal basis: Popular, but risky.
- No deletion processes after employees leave: Former employees remain in the system for years.
Conclusion: GDPR-Compliant Leave Management Is Not Optional
Data protection in leave management is not a nice-to-have — it is a legal obligation. The good news: with the right software, GDPR compliance is not extra effort, it is a standard feature. The bad news: many cheap or free tools do not meet these requirements.
If you want to know what else to look for when choosing time tracking software, read our Time Tracking App Comparison 2026. And for an overview of how a complete absence management setup should be structured, see our foundational article on Absence Management for Teams.
GDPR-compliant leave management on EU servers — get started with TodayOff today → https://app.todayoff.de