employee reference

How do I comply with GDPR when providing an employee reference?

In providing a reference confirming an employee’s name, dates of employment, absence record etc you are processing data. The General Data Protection Regulations therefore apply.

Express consent must therefore be given by the employee unless the data is being processed for one of the following reasons: –

  • the processing is necessary for the employer to comply with their legal obligations;
  • the processing is necessary for an employer to comply with a contractual obligation; or
  • there is a legitimate interest for the employer to provide a reference.

In the vast majority of cases, none of these exclusions will apply. As such, you should ensure that the express consent of the employee is given before providing a reference.
A practical solution would be to ask the new/prospective employer to obtain express consent from the employee and provide you with a copy before you provide the reference.

The consent should be signed by the employee and should refer to the specific details that have been requested.

If you have any queries about this or any other aspect of employment law please do not hesitate to contact me on 01789 336 957 or amanda@pillingerandassociates.co.uk


  1. There is debate around whether consent is the appropriate lawful basis, given it may not be seen as freely given. There’s also often legal/regulatory reasons for performing these kinds of background checks, could be made a condition of the contract, otherwise could be assessed as a legitimate interest of the business. It could be seen as polite to ask for approval (not consent), but as an employer, I would be keen to know if the person had been removed from their previous employment due to serious misconduct and not use data protection law to hide that important information!

Leave a Reply

Your email address will not be published. Required fields are marked *