Payroll and contracts in HR: what the GDPR expects
HR handles payslips, contracts, sick notes and bank details. Here's what the GDPR asks of whoever processes them, and why doing it on your own device helps.
An HR desk is one of the most data-heavy places in any company. On a normal Tuesday, one person might open a payslip, a signed contract, a sick note, a bank certificate and a copy of someone’s ID. Each of those is a PDF, and each of those PDFs is about a real person who never gets to see how it’s handled.
That’s the job. The question is what the GDPR expects you to do with all of it, and where the everyday PDF work fits into the rules.
The data HR touches is the sensitive kind
Not all personal data is equal under the GDPR. A work email address is personal data. So is a salary figure, but it carries more weight, and HR sits on a pile of it.
Payslips show what people earn. Contracts show terms, sometimes clauses about health or family situations. Sick notes can reveal a medical condition, which is a special category of data with extra protection. Bank details open the door to fraud. National ID and social security numbers are exactly what identity thieves want. Put all of that in one department and you have a target.
The GDPR cares more about this material because the damage from a leak is bigger. A leaked marketing list is annoying. A leaked stack of payslips and ID scans can wreck someone’s finances and their peace of mind.
What the rules actually ask of you
You don’t need to memorise the regulation to follow it. A few duties cover most of what HR does with these files.
Keep the data secure. Article 32 asks for appropriate technical and organisational measures. In plain terms, the files should be protected in a way that matches how sensitive they are. A payslip deserves more care than a lunch menu.
Use only what you need, for as long as you need it. You collect a contract to manage employment, not to keep forever on a shared drive that half the office can read. When the reason is gone, the file should go too.
Know where the data travels. Every time a file leaves your control, you’re meant to know who receives it and why. If you hand personal data to an outside service that processes it for you, that service is a processor, and there’s supposed to be a contract covering what they can do with it.
Be ready to explain yourself. If something goes wrong, you need to show you took reasonable steps. “I uploaded it to a free website I found in search results” is not a step you’ll want to defend.
Where the file goes is part of the job
Here’s the gap that catches good people. HR staff think hard about who can open the shared folder, and then merge two payslips on the first PDF website they find. The careful access control on the folder means nothing if the file gets uploaded somewhere else thirty seconds later.
Most online PDF tools work by sending your file to their server, running the operation there, and sending the result back. The file lands on a machine you don’t own, run by a company you’ve never vetted, in a location you can’t name. Maybe they delete it on schedule. Maybe a backup keeps a copy. Maybe the whole thing runs on rented infrastructure that passes your file through storage you’ll never hear about. You can’t check, and neither can the person whose sick note you just sent across the internet.
For a sick note or a bank certificate, that uploaded copy is the weak point. A file that never leaves the HR laptop can’t be exposed in a breach that happens on someone else’s server.
Doing the work on your own device
There’s a kind of PDF tool that never uploads anything. The whole operation runs inside the browser, on the same computer you’re already using. The code loads once, your PDF opens in the browser’s memory, you do the work, and the finished file saves straight back to your machine. Nothing is sent out, because there’s no server step to send it to.
This is how reader.me works, and it’s why it suits HR documents. Combine a set of payslips, pull a few pages out of a contract, shrink a scan so it fits an email, all of it happens on your computer. Close the tab and the working memory is gone with it.
You don’t have to trust me on that. Open the browser’s DevTools, go to the Network tab, run an operation, and look. No request carries your file out. If the file isn’t in any request body, it wasn’t sent anywhere. That’s the kind of check Article 32 likes, because you can actually demonstrate it.
Two things worth doing today
Protect the files that leave the building. When you send a payslip or a contract by email, the email itself is rarely secure end to end. Put a password on the PDF first, so the document is useless to anyone who intercepts it or gets the wrong recipient. You can do that on your own device with protect PDF, no upload involved, and share the password through a separate channel like a phone call.
Sign without printing and rescanning. Contracts and approvals need a signature, and the old routine of print, sign, scan, throw the paper away leaves loose copies everywhere. Adding the signature to the PDF directly keeps one clean file and skips the paper trail. The sign PDF tool does it in the browser, so the contract never leaves your computer to get signed.
The everyday PDF work in HR looks boring, and that’s the trap. Merging two files or signing a contract takes seconds, and those seconds are where sensitive data either stays put or quietly leaves. If you want the longer version of how this plays out when documents pass through a payroll office or accountant, this piece on payslips and privacy covers it. Keep the work on the device and the GDPR side gets a lot simpler.