Data Protection for Personnel Files 2026: Retention Periods, Digital Payroll Records, and NIS2 Obligations
Last updated: March 2026 | Originally published: 2021
As of January 2027, digital payroll records become mandatory. At the same time, German data protection authorities are imposing record-breaking fines – €900,000 alone for retaining data beyond legally permitted periods. Companies still managing personnel files using 2020-era practices risk not only non-compliance but also personal liability for managing directors under NIS2.
TL;DR
- As of 1 January 2027, all employers must maintain payroll documentation digitally – the option to apply for exemptions expires at the end of 2026 (7th Amendment Act to the Social Code Book IV).
- In 2024, German data protection authorities issued a total of 266 fines amounting to €2.5 million; the highest single fine was €900,000 for excessive data retention (dsgvo-portal.de).
- 37% of all data stolen in cyberattacks in Germany are personnel data – more frequent than financial data (KPMG Cyber Study 2024).
- The proposed Employee Data Act failed following the coalition breakdown in November 2024 – § 26 of the German Federal Data Protection Act (BDSG) remains the sole fallback provision.
- NIS2 entered into force in December 2025: Security incidents involving HR systems now trigger both an NIS2 reporting obligation and a GDPR personal data breach notification under Articles 33/34.
Why Personnel Files Are a Strategic Security Issue in 2026
Personnel files were long considered purely an HR matter. That has fundamentally changed. Three developments compel companies to rethink how they handle employee data: the upcoming digital payroll record mandate in 2027, intensified enforcement by data protection authorities, and the NIS2 reporting obligations, which – for the first time – bring HR systems squarely within the scope of cybersecurity regulation.
The reason? Personnel files constitute one of the most valuable data collections within any organization. They contain bank account details, tax identification numbers, health data, and performance evaluations – more than enough material to fuel identity theft, extortion, or highly targeted social engineering attacks against executives.
Legal Framework in 2026: What Applies – and What Failed
Hopes for a dedicated Employee Data Act have been dashed. In October 2024, the German Federal Ministry of Labour and Social Affairs published a draft bill intended to define clear rules for applicant data, workplace health monitoring, and AI-supported personnel decisions. Following the coalition collapse on 6 November 2024, the draft never reached Parliament. The current CDU/CSU-SPD coalition agreement makes no mention of the topic.
Practically speaking, this means § 26 BDSG remains the sole national opening clause under the GDPR governing employee data protection, a provision even data protection lawyers describe as “thin,” since it essentially permits processing employee data only to the extent necessary for the employment relationship.
In contrast, GDPR enforcement in Germany has noticeably tightened. The DLA Piper study from January 2025 documents €1.2 billion in fines across Europe for 2024. Within Germany itself, 266 proceedings resulted in a total of €2.5 million in fines. The highest individual fine stood at €900,000 – imposed on a service provider that stored data five years beyond its legal retention period without any lawful basis.
“The Hamburg data protection authority launched twice as many fine proceedings in 2024 as it did in the entire previous year. Saxony’s authority reached the full-year 2023 level already in the first half of 2024.”
– Summary of enforcement trends (security-insider.de, 2024)
Two Cases Every Company Should Know
Case One: A cultural institution systematically documented employees’ health status and their interest in forming a works council – intending to ease probationary dismissals. The data protection authority imposed a €215,000 fine for violating Article 9 GDPR (processing of special categories of data) and § 26 BDSG.
Case Two: Covert video surveillance of three interns via cameras hidden inside power sockets – without the subjects’ knowledge or any legal basis. Fine: €4,000. While the direct financial damage was minor, the reputational harm to the company was substantial.
Both cases demonstrate: Authorities examine not only technical safeguards but also the intent behind data processing. Companies misusing personnel files as instruments against employees pay multiple times over.
Retention Periods: The Table Every HR Department Needs
There is no uniform statutory retention period for “the personnel file.” Different documents fall under different retention requirements – and this is one of the most common compliance errors. A €900,000 fine for excessive storage illustrates where blanket “we keep everything for ten years” policies lead.
| Document Type | Retention Period | Legal Basis |
|---|---|---|
| Income tax records, ELStAM certificates | 6 years | § 41 para. 1 Income Tax Act (EStG), § 147 Fiscal Code (AO) |
| Payroll lists, accounting vouchers | 10 years | § 257 Commercial Code (HGB), § 147 AO |
| Social insurance documentation | 5 years | Social Code Book IV (SGB IV) |
| Minimum wage documentation | 2 years | Minimum Wage Act (MiLoG) |
| Occupational pension schemes | Up to 30 years | Occupational Pensions Act (BetrAVG, statute of limitations) |
| Sick leave notifications (<6 weeks/year) | 12 months | GDPR data minimisation principle |
| General employment-related claims | 3 years | §§ 195, 199 German Civil Code (BGB) |
Core rule: Statutory retention obligations supersede the GDPR’s right to erasure. But once all applicable deadlines have expired, Article 17 GDPR applies – and active deletion becomes mandatory. Without automated deletion processes, unlawful storage is inevitable.
Digital Payroll Records: What Becomes Mandatory in 2027
The 7th Amendment Act to the Social Code Book IV mandates, effective 1 January 2027, that all employers maintain payroll documentation digitally. The existing option to submit exemption requests expires at the end of 2026. Affected documents include those relevant to remuneration and social insurance:
- Health insurance enrolment confirmations and membership certificates
- Working hours records and payroll statements
- Remuneration-related certificates and social insurance reports
Important: This obligation covers the core payroll documentation – not the entire personnel file. Performance appraisals, formal warnings, or training records may continue to be maintained in paper form – though this raises the question of whether maintaining parallel digital and analog systems remains practical.
Requirements go well beyond simple PDF archiving: audit-proof logging, structured organisation, and unambiguous assignment to each employee. Systems failing to meet these criteria will be non-compliant as of 2027.
Retention of Non-Digital Personnel Files
Even as digitisation advances, paper-based personnel files remain reality for many companies. The BDSG explicitly affirms the paper format in § 32 para. 2 and imposes stringent physical security requirements.
Filing cabinets and safes must comply with defined EU standards: EN 1143-1 for certified burglary resistance and EN 1047-1 for fire and heat resistance. Sensitive personnel files can be securely stored in accordance with these standards using safes or document security cabinets from Kaiser+Kraft.
Regarding access to personnel files: Only authorised individuals may inspect them. Even supervisors do not enjoy unrestricted access – a landmark ruling by the German Federal Labour Court (Case No. 5 AZR 215/86) limits the circle of authorised persons to the absolute minimum. Access is permitted only in connection with a specific personnel matter or for personnel administration purposes.
NIS2 and HR: When Personnel Files Become a Cybersecurity Issue
Since 6 December 2025, the NIS2 Implementation Act has been in force. Approximately 29,500 companies in Germany are affected – all with more than 50 employees or €10 million in annual turnover across the 18 designated sectors. Relevance for HR data is indirect – but real:
- Risk management obligation: NIS2-bound companies must demonstrate systematic IT risk management. This includes HR systems holding personnel files.
- Dual reporting obligation: A security incident involving HR data triggers both an NIS2 reporting requirement and a GDPR personal data breach notification under Articles 33/34. Two authorities, two deadlines, two procedures.
- Managing director liability: § 30 of the German Federal Office for Information Security Act (BSIG) renders managing directors personally liable for culpable breaches of risk management obligations.
- Sanctions: Up to €10 million or 2% of global annual turnover.
Practical Checklist: 7 Steps Toward Compliant Personnel File Management
- Introduce a deletion concept: Automated deletion schedules per document type (see table above). No blanket “10 years for everything.”
- Conduct a Data Protection Impact Assessment (DPIA): Article 35 GDPR requires a DPIA before deploying any new HR software. Existing systems lacking a DPIA must be retrofitted.
- Review access controls: Role-based, least-privilege principle. HR admins see everything; team leads see only their direct reports; payroll sees only remuneration data. Every access is logged.
- Involve the works council: § 87 para. 1 no. 6 of the Works Constitution Act (BetrVG): Introducing technical systems for monitoring employees requires co-determination. A digital personnel file implemented without a works agreement is legally vulnerable.
- Segregate special categories: Store health data, trade union membership, and religious beliefs (Article 9 GDPR) separately from general personnel data – with distinct access rights and deletion schedules.
- Prepare for digital payroll records: By end-2026, implement an audit-proof system. Requirements: structured organisation, unambiguous employee assignment, and comprehensive logging.
- Define an incident response plan for HR data: Who reports to which authority – and within what timeframe? GDPR: 72 hours to the data protection authority. NIS2: 24-hour initial report to the BSI (for NIS2-covered entities).
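As an added example that is not part of the article, the retention table above and checklist step 1 (a deletion concept per document type, no blanket ten years) expressed as a small schedule check in Python. The document-type keys, the sample records and the choice to start every period at the end of the calendar year of creation are assumptions made for this illustration.

```python
from dataclasses import dataclass
from datetime import date
# Retention schedule per document type, taken from the article's table
# (periods in whole years; the 12-month sick-note period counts as 1 year).
RETENTION_YEARS = {
    "income_tax_record": 6,        # § 41(1) EStG, § 147 AO
    "payroll_list": 10,            # § 257 HGB, § 147 AO
    "accounting_voucher": 10,      # § 257 HGB, § 147 AO
    "social_insurance_doc": 5,     # SGB IV
    "minimum_wage_doc": 2,         # MiLoG
    "occupational_pension": 30,    # BetrAVG limitation period
    "sick_leave_notification": 1,  # GDPR data minimisation
    "general_claim_document": 3,   # §§ 195, 199 BGB
}

@dataclass(frozen=True)
class Record:
    record_id: str
    doc_type: str
    created: date  # creation date / date of last entry

def deletion_due(rec: Record) -> date:
    """Last day the record may lawfully be kept.

    Assumption: the period runs from the end of the calendar year of creation
    (the § 147(4) AO rule), applied to every type here for simplicity.
    Unknown types are rejected instead of getting a default: every document
    class needs an explicit schedule, never a blanket "10 years for everything".
    """
    if rec.doc_type not in RETENTION_YEARS:
        raise ValueError(f"no retention schedule defined for {rec.doc_type!r}")
    return date(rec.created.year + RETENTION_YEARS[rec.doc_type], 12, 31)

def classify(rec: Record, today: date) -> tuple[str, int]:
    """Return (status, days until the due date; negative once it has passed)."""
    days = (deletion_due(rec) - today).days
    return ("RETAIN" if days >= 0 else "DELETE_OVERDUE"), days

def audit(records, today: date) -> dict[str, str]:
    """Status per record id; DELETE_OVERDUE means Art. 17 GDPR erasure is due."""
    return {r.record_id: classify(r, today)[0] for r in records}

# Constructed sample records, not real personnel data.
SAMPLE = [
    Record("PL-2015-001", "payroll_list", date(2015, 6, 1)),
    Record("LST-2020-007", "income_tax_record", date(2020, 3, 1)),
    Record("AU-2024-113", "sick_leave_notification", date(2024, 11, 10)),
    Record("MLG-2024-042", "minimum_wage_doc", date(2024, 5, 1)),
]
```

Running `audit(SAMPLE, date(2026, 3, 15))` flags the 2015 payroll list and the 2024 sick note as overdue while the tax record and minimum wage documentation are still within their periods; a record of a type without a schedule is refused rather than silently kept.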
Conclusion: Personnel Files Are No Longer Just an HR Matter
Between the 2027 digital payroll record mandate, stricter GDPR enforcement, and NIS2 reporting obligations, personnel file management has evolved into a cross-functional issue demanding joint action by HR, IT security, legal, and executive leadership. Companies still relying on Excel spreadsheets and paper folders have little margin left.
The first step costs nothing: Print out the retention periods table, compare it against your current deletion process, and document where gaps exist. If you discover you lack a deletion process altogether – you now know exactly where to begin.
Frequently Asked Questions
How long may personnel files be retained after termination of employment?
There is no uniform retention period. Income tax records must be kept for six years, accounting vouchers for ten years (§ 147 AO). General employment-related claims expire after three years (§§ 195, 199 BGB). Once all applicable deadlines have passed, Article 17 GDPR mandates deletion. The widespread practice of retaining files for ten years across the board lacks legal justification unless a specific retention obligation applies to each document type.
Who may access personnel files?
Only a narrowly defined group: the HR department for personnel administration purposes, the employee themselves (Article 15 GDPR right of access), and supervisors only in connection with a concrete personnel matter. The German Federal Labour Court (Case No. 5 AZR 215/86) clarified that the circle of authorised persons must be kept as small as possible. Every access must be logged.
Must personnel files be fully digital as of 2027?
No – only payroll documentation (pay slips, social insurance records, working hours records). The 7th Amendment Act to the Social Code Book IV mandates a digital payroll record as of January 2027. Other components – such as performance appraisals or formal warnings – may still be maintained on paper. However, digital requirements go beyond simple PDF storage: audit-proof logging and structured organisation are mandatory.
What happens in case of a data breach involving personnel files?
Up to two parallel reporting obligations apply: Article 33 GDPR requires notification to the competent data protection authority within 72 hours. If the company falls under NIS2 (50+ employees in regulated sectors), an initial report to the BSI must be submitted within 24 hours. Where there is a high risk to affected individuals, Article 34 GDPR additionally requires individual notification.
Is a Data Protection Impact Assessment required for HR software?
In most cases, yes. Article 35 GDPR mandates a DPIA when data processing is likely to result in a high risk to the rights of data subjects. For HR systems that systematically process employee data – including special categories such as health data – this is regularly the case. German data protection authorities explicitly list personnel management systems in their positive lists of processing activities requiring a DPIA.