Part 1 of 2
Ten years ago, the European Union adopted the General Data Protection Regulation (GDPR), ushering in a sea-change two years later in how companies operate in and with the European Union. It imposed binding data protection and privacy standards with extraterritorial reach, requiring that the collection of personal data respect, inter alia, the principles of data minimisation, purpose limitation, and storage limitation. The GDPR also embedded the concept of privacy by design into its structure—the principle that data protection should be integrated into systems from inception (referred to as “Data protection by design and by default” in Article 25).
With the adoption of the Omnibus I Directive, another wave of change—albeit much smaller than anticipated—is materialising in the EU: mandatory human rights due diligence (HRDD). Over the past few years, a series of EU instruments have emerged that will require or incentivise companies to identify and account for how they address various adverse human rights and environmental impacts through due diligence, stakeholder engagement, grievance mechanisms, monitoring, and public reporting. These include the Corporate Sustainability Due Diligence Directive (CSDDD), the Batteries Regulation, the Deforestation Regulation, and the Forced Labour Regulation. The first three of these instruments impose obligations on in-scope companies that involve collecting, processing, and retaining the personal data of affected individuals; the Forced Labour Regulation imposes no due diligence obligation as a legal requirement but makes the same processing a practical necessity for companies seeking to show their products are not made with forced labour. Yet these instruments vary markedly in the extent to which they acknowledge, let alone address, the GDPR obligations they trigger. None of these due diligence obligations yet applies, but they will in the coming years: the Deforestation Regulation’s obligations take effect on 30 December 2026 for large operators, the Batteries Regulation’s due diligence obligations in August 2027, the Forced Labour Regulation in December 2027, and the CSDDD in July 2029.
How should companies conduct HRDD in a way that respects the hard-law requirements of the GDPR? Guidance from the European Commission on this question does not appear likely or imminent. What should companies do in the meantime? This two-part series argues that firms should embed privacy by design into their HRDD systems now. Part 1 maps each law’s incorporation of the GDPR and its principles—or lack thereof—revealing a spectrum of engagement and notable gaps that should be filled, and soon, by official guidance. Part 2 then identifies four operational tensions between the GDPR and effective due diligence that make such guidance necessary. It also proposes that firms carry out data protection impact assessments on their HRDD systems as a first step to respecting the GDPR in practice. It concludes by arguing that privacy by design should be integrated into the infrastructure of due diligence.
A Structural Pattern
Conducting HRDD requires gathering personal data. Interviewing workers about labour conditions, consulting Indigenous communities about land rights, operating a grievance mechanism, auditing supplier payrolls, and tracking remediation outcomes each can involve collecting information about identifiable individuals, which is personal data within the meaning of the GDPR. Because the company decides why this data is collected and how it is processed, it is the data controller, the actor that bears GDPR obligations for ensuring that the processing is conducted in line with the regulation (a data processor processes personal data only on behalf of the controller). In many cases, this information will reveal racial or ethnic origin, health status, political opinions, or trade union membership—categories of data that are given heightened protection under Article 9 of the GDPR. Yet the instruments that mandate these activities address data protection to strikingly different degrees.
The Whistleblowing Directive, while not an HRDD regulation itself, provides the most developed model of data protection integration in a due diligence-adjacent instrument. Article 17 requires that all personal data processing under the Directive comply with the GDPR and provides that personal data “manifestly not relevant for the handling of a specific report” shall not be collected. This represents the principle of data minimisation, one of the GDPR’s key principles. Recital 83 explicitly invokes data protection by design and by default under Article 25 of the GDPR (the principle of privacy by design mentioned before). And Recital 76 notes Member States should “ensure that competent authorities have in place adequate protection procedures for the processing of reports and for the protection of the personal data of the persons referred to in the report.”
None of the other aforementioned EU human rights instruments achieves this standard. The Forced Labour Regulation—which itself does not require HRDD but does incentivise companies seeking access to the EU market to ensure their goods are not made with forced labour—notably empowers the Commission to adopt implementing acts specifying “rules on the processing of personal data, confidentiality and controllership” for the regulation’s enforcement information system (Article 7(7)), the infrastructure through which competent authorities investigate and share information. For other activities that are necessary to give effect to the prohibition of products made using forced labour (e.g., investigations, interviews with victims, field inspections), the Regulation notes in Recital 61 that “such processing should be carried out in accordance with Union law on the protection of personal data.” Thus, while the legislature mandated specific, bespoke data processing rules for the regulatory IT systems, it relied on the overarching framework of the GDPR and general confidentiality obligations to protect the highly sensitive data of the vulnerable workers the regulation aims to help.
The Deforestation Regulation follows the same pattern. Article 33(3) empowers the Commission to adopt implementing acts establishing “rules for the protection of personal data and exchange of data with other IT systems” for the EUDR’s information system. Article 33(5) requires that public datasets be “complete anonymised datasets” in machine-readable formats. The Commission’s Guidance Document also reassures users that the Information System is “in line with the applicable data protection provisions” and is equipped with security measures to “ensure the integrity and confidentiality of the information.” These are meaningful data protection provisions but for the regulatory infrastructure. Outside of that, the Commission’s guidance document references data protection only once—in a single sentence at the end of the legality verification section, advising downstream non-SME operators and traders to “respect the applicable data protection rules and competition rules” when collecting information.
The CSDDD—the EU’s flagship mandatory HRDD instrument—occupies a notably weak position for data protection. Recital 96 acknowledges that all personal data processing under the Directive must comply with the GDPR, and specifically names three Article 5 principles: purpose limitation, data minimisation, and storage limitation. The CSDDD also notes in Recital 97 that the European Data Protection Supervisor was consulted during drafting. However, the operative text contains no data protection provision comparable to the Whistleblowing Directive’s Article 17. Its only GDPR references concern the redaction of personal data from published penalty decisions. While the Directive does not require Member States to incorporate data protection procedures into complaints mechanisms or stakeholder engagement, Articles 13(5), 14(3) and 14(5) do require companies to ensure that participants of these systems are not subject to retaliation including by maintaining their confidentiality or anonymity.
The Batteries Regulation presents the starkest illustration, most notably in regards to the battery passport—an electronic record required under the regulation that carries life cycle data including individual use data such as charge and discharge cycles and accident history. The legislature built in the following data protection safeguards for the passport: Article 78(d) imposes a purpose limitation rule on data processors, Article 78(h) requires “a high level of security and privacy,” Article 78(f) restricts access rights, Article 77(8) terminates the passport once the battery is recycled, and Recital 126 confirms that the technical design should carry data “in a secure way which respects privacy rules.” For the supply chain due diligence chapter (Articles 47–53) — whose due diligence obligations on companies were postponed to 18 August 2027 by Regulation (EU) 2025/1561, the same amendment that pushed the Commission’s own deadline for guidelines under Article 48(5) from 18 February 2025 to 26 July 2026 — the Regulation contains no data protection provision at all, despite requiring companies to identify upstream actors by name and address, consult with suppliers and stakeholders concerned, including affected third parties such as local communities, operate a grievance mechanism, retain documentation demonstrating compliance for ten years, and publish findings of significant adverse impacts. The section’s only qualifier is Article 52, which specifies that disclosure should occur “with due regard for business confidentiality and other competitive concerns.”
The pattern is consistent across every instrument examined: data protection provisions cover regulatory infrastructure and product data systems, while the activities that collect personal data from affected individuals—worker interviews, community consultations, grievance mechanisms, stakeholder engagement—are left unaddressed. The legislature demonstrated in each case that it knew how to write data protection provisions. Yet it applied them to systems that process data about companies and products rather than to processes that collect data from the people HRDD is meant to protect.
There is an obvious response to this critique: the GDPR is a horizontal, directly applicable regulation, so sectoral instruments do not need to restate it for private controllers, whereas EU-run information systems require bespoke provisions because controllership of, and access to, those systems must be specified somewhere. However, this reply does not fully address the issue. The Whistleblowing Directive shows that the legislature operationalises data protection in operative text where it judges the stakes to be high, and the GDPR’s general applicability is precisely why companies need guidance on applying its principles to the unusual processing that due diligence entails. The gap, in other words, is not in applicable law but in operational guidance on reconciling the tensions and competing demands of the two regimes.
The Gap in International Frameworks
While these laws do not uniformly reference the same standards, the UN Guiding Principles on Business and Human Rights (UNGPs) provide the conceptual architecture for HRDD legislation. However, the UNGPs are largely silent on the question of data protection, with a few minor exceptions. For example, Principle 21(c) requires that public communications about impacts “not pose risks to affected stakeholders,” and the commentary to Principle 31 calls on grievance mechanisms to safeguard the confidentiality of individuals’ identities “where necessary.” Whether this reflects a deliberate scope limitation (the EU Data Protection Directive 95/46/EC was already in force) or an understandable gap given the UNGPs’ focus on establishing broad consensus across diverse legal systems, the result is that the theoretical framework for HRDD provides no guidance on reconciling due diligence with data protection obligations.
Even years later, after the adoption of the GDPR, the OECD’s 2018 Due Diligence Guidance on Responsible Business Conduct, which provides the operational framework on which the CSDDD draws, references privacy only as a limitation on disclosure—a reason not to share certain information with stakeholders—rather than as a principle to be integrated into the due diligence activities that generate personal data. The 2023 revised Multinational Enterprise Guidelines address data protection in their chapters on consumer interests and science and technology, but not in connection with the HRDD obligations set out in Chapter IV.
What little academic literature exists on this topic is thin. Ebert, Wildhaber, and Adams-Prassl proposed a “Privacy Due Diligence” framework in 2021, but their analysis concerns surveillance in the workplace, not HRDD and its data-generating activities. Broader practitioner commentary has begun to identify the tensions between GDPR principles and Environmental Social and Governance (ESG) data practices generally, but this discourse has not examined the specific legislative instruments that create HRDD obligations in relation to privacy by design principles.
The Omnibus I Directive
The recently adopted Omnibus I Directive (Directive 2026/470), published in the Official Journal on 26 February 2026, compounds the problem. Among its provisions, it amends Article 19 of the CSDDD, which requires the European Commission to issue implementation guidelines in two phases. By July 2027, the Commission will issue guidelines on due diligence processes, stakeholder engagement, risk factor assessment, and digital tools. Forthcoming guidance on voluntary model contractual clauses is now located in Article 18, which will also be issued in July 2027. By July 2028, the Commission will issue guidelines on information sharing, trade secret protection, and protection from retaliation, as well as guidance for stakeholders engaging in the due diligence process. While the phrase “data protection” does not appear among the mandated topics in either phase, Article 19(2)(e) requires the Commission to provide “references to data and information sources available for the compliance with the obligations provided for in this Directive” and guidance on digital tools and technologies. The provision is broad enough that it could encompass guidance on how companies should handle the personal data they collect from workers, communities, and other stakeholders in the course of due diligence, and this series argues that it should. But as currently phrased, nothing in Article 19 appears to require the Commission to address the GDPR compliance questions that arise at every stage of the due diligence process.
This omission is significant in light of Recital 96, which is the CSDDD’s acknowledgment that all processing must comply with the GDPR’s purpose limitation, data minimisation, and storage limitation principles. It could be read to create an expectation that operational guidance would follow. The Omnibus I Directive now suggests that no such guidance is likely to arrive. Companies will receive detailed instructions on risk identification, stakeholder engagement, and cascading contracts—activities that generate substantial volumes of personal data—without corresponding instructions on how to handle that data in compliance with the GDPR.
What Follows
The structural pattern discussed above and the potential absence of forthcoming Commission guidance create a set of operational tensions for companies attempting to conduct HRDD in a manner that respects the GDPR’s text and principles. In Part 2 of this series, I identify four tensions stemming from the twin aims of data protection and effective due diligence and argue that data protection impact assessments—which are already required under the GDPR for high-risk processing—provide one mechanism for resolving them. Privacy by design should not be an afterthought for due diligence systems, but included in them from the outset and throughout operations.








Leave a Reply