GDPR Scenario · Pressure Signal: Diligence
You Were Just Being Thorough.
A team member is back from medical leave. The check-in went well — warm, honest. Now there’s a “context notes” field waiting for you to fill in. What do you write down?
Quick Answer
What personal data can a manager record about an employee?
Only what’s necessary for a clear, legitimate work purpose, and no more. Details about someone’s health or religious beliefs are special-category data under GDPR (Article 9): collecting and storing them needs a specific lawful basis and proper handling, not a manager’s informal note in a shared file. A family situation is ordinary personal data, but it still needs a purpose, a lawful basis, and a good reason to be written down at all. Record the work-relevant outcome (for example, an agreed schedule adjustment), keep sensitive personal details out of your notes, and route anything health-related through your confidential HR or occupational health channel. Caring about someone doesn’t mean writing their private life into a file.
The Pressure Signal: Diligence
The pull here isn’t carelessness — it’s the opposite. The instinct to be thorough, supportive, and complete. Write it all down so nothing’s forgotten, so the next manager understands, so the person feels looked after. It feels like good management. It’s also how an organization quietly collects far more sensitive data than it has any basis to hold.
The Situation
Karin manages a team at Velsenhoff Medical. One of her people is just back from several weeks of medical leave, and she has just held the return-to-work check-in that HR rolled out last year. It went well: the employee was open about a health condition that flares under stress, a difficult family situation at home, and a religious observance that affects scheduling.
Now Karin is at the template. There’s a field labeled context notes — “anything that will help us support this employee.” Every other manager fills it in. It feels like the responsible thing to do: capture what she learned so the team can be considerate, so she remembers, so whoever manages this person next isn’t starting blind. Her cursor is in the box. What does she type?
Three Ways Managers Respond
1. Write it all down.
Capture the health condition, the family situation, the religious observance. It’s all useful context, and there’s a field for it. Why it fails: she has just created a record of special-category personal data (health and religious beliefs) alongside other private details, stored where many people can read it, without a lawful basis, without a defined retention period, and likely without the employee knowing it exists. The template inviting it doesn’t make it lawful. “Thorough” became over-collection.
2. Keep her own private notes instead.
Skip the template and jot it in a personal file “just so I remember.” Why it fails: a private note about someone’s health and beliefs is still personal data processing. It is usually less secure, invisible to the organization’s records of processing and retention controls, and just as subject to the rules. Shadow records are worse, not safer.
3. Record only what the work requires.
Note the work-relevant outcome — the agreed schedule adjustment — leave out the sensitive personal details, and route anything health-related through the proper confidential channel. Why it works: see below.
The Right Call
Record the minimum needed for a legitimate work purpose — here, the accommodation the two of them agreed on (“adjusted start times on certain days, reviewed monthly”). That’s it. The health condition, the family details, and the religious specifics don’t belong in a manager’s note in a shared folder. If health information needs to be formally recorded for an accommodation, it goes through the confidential HR or occupational health process, which has a lawful basis for holding it.
And tell the employee. Part of doing this right is transparency: the person should know what’s being recorded and why. Supporting someone well is about what you do with what they shared — the schedule, the check-ins, the discretion — not about writing their private life into a file the team can open.
Why It’s Harder Than It Looks
Every signal points toward writing more, not less. The template invites it. Every other manager does it. It feels caring — like the manager who writes nothing down is the one who doesn’t pay attention. And the employee shared it willingly, in a good conversation, which makes it feel like the information is now simply yours.
It isn’t. Someone telling you something in confidence is not the same as your organization having a basis to store it. The instinct to be thorough is exactly what turns a supportive practice into an unlawful one — one note at a time, across dozens of managers, until it’s a folder no one meant to build.
“I’d never surveil my team. I’m just looking out for them.”
Of course you are — and so was everyone whose well-meaning notes became a regulatory case. From the inside, it never feels like surveillance; it feels like care. That’s what makes it slip past you. The line isn’t your intention. It’s what you collect, where it lives, and who can open it.
Where One Note Leads
One manager’s “context note” is a small thing. Multiply it across dozens of managers and several offices over a couple of years, and it becomes a shared folder full of employees’ health, family, and religious details that no one decided to build and no one is watching.
That’s the moment a data subject access request — or a regulator — turns a caring habit into a crisis. The decision in front of Karin is where it’s actually prevented.
How to Use This in Training
Run it in 10–15 minutes with managers. Before revealing anything, ask them to actually write what they’d put in the “context notes” box. Read a few aloud. Most will include the health and family details — because it feels caring. That’s the lesson landing in real time. Then walk through the data-minimization principle and the proper channel for sensitive information.
Close on the three habits: record only what the work needs; keep special-category details out of informal notes; route health information through the confidential channel. Available as a manager-led Decision Brief™.
Related Scenarios
Go deeper with GDPR training, see how this same practice plays out at the executive level in the Executive Decision Lab™ “The Context Notes,” or browse the full Scenario Library.
Frequently Asked Questions
Can a manager keep notes about an employee’s health?
Health information is special-category data under GDPR and needs a lawful basis and proper handling — not an informal manager’s note in a shared file. Where it must be recorded for an accommodation, route it through the confidential HR or occupational-health channel that’s set up to hold it.
The employee told me willingly — doesn’t that make it okay to record?
No. Someone sharing something in conversation isn’t the same as your organization having a lawful basis to store it. Be supportive in what you do; be minimal in what you write down.
What should I actually write in a return-to-work note?
The minimum the work requires — usually the agreed practical outcome, like a schedule adjustment and a review date. Leave out the underlying health, family, and religious details, and tell the employee what’s being recorded.
Help managers know where care crosses the line
Run this scenario with your team as a 15-minute Decision Brief™, or explore the full Xcelus approach to decision-ready employees.
© 2005–2026 Xcelus LLC. All rights reserved. This content is for training and discussion only and is not legal advice; route specific questions to your DPO or counsel.