You may still be holding data in relation to ex-employees particularly if they’ve left in the last few years and your retention policy, in relation to data, requires you to retain the data for example, for six or seven years, or even longer where you can justify it.

As you should be aware, from the work you will have been doing with your existing employees, we are required under the GDPR to confirm details of the data we hold and have a privacy notice setting out an explanation for a person to explain what data we hold, why we hold it, who we are sharing it with and anything else we might be doing with it, including the legal basis that we’re relying on for holding the different types of data that might be covered by that notice. This notice is supposed to be given to the data subject at the point before relevant processing takes place.

There is no exemption under the legislation in terms of former employees, workers or contractors, technically they should also be provided with a privacy notice. The technicalities of doing that may pose some difficulty as you may not have current contact details. This would be a commercial decision for you to make; you could decide to issue a privacy notice to those who you are able to contact or, provide the privacy notice at the next point of contact you do have with them such as the next time you get a reference request for that individual.