Privacy by Design in Human Rights Due Diligence: Four Tensions, One Mechanism

Part 2 of 2

Part 1 of this series documented a consistent structural pattern in EU due diligence law: instruments that mandate or induce the collection of personal data from potentially impacted individuals—the CSDDD, the Batteries Regulation, the Forced Labour Regulation, and the Deforestation Regulation—build data protection into their regulatory infrastructure and product data systems while leaving the activities that require collecting and processing personal data from rightsholders poorly addressed, if at all. The Commission guidelines mandated under Article 19 of the CSDDD, as amended by the recently adopted Omnibus I Directive (Directive 2026/470), are not required to fill this gap, though Article 19(2)(e) is broad enough that they could, and should.

This post—Part 2 of the series—identifies four operational tensions between the GDPR’s data protection principles and the requirements of effective HRDD, and proposes data protection impact assessments (DPIAs) as one mechanism for addressing them.

Four Operational Tensions

The legislative gap described in Part 1 leaves unresolved a set of operational tensions between the GDPR’s data protection principles and the processes of effective HRDD. It should be emphasised that these tensions do not concern the lawful basis for processing ordinary (i.e. non-sensitive) personal data under Article 6 (for example, a worker’s name, job title, or contact details, or a supplier representative’s business address), which companies conducting mandatory or voluntary HRDD will generally be able to demonstrate. The lawful basis for processing special category data under Article 9 remains a separate question. The tensions below instead concern the application of Article 5’s principles to the processing itself.

Data minimisation versus comprehensive risk assessment. Article 5(1)(c) requires that personal data be “adequate, relevant and limited to what is necessary” for its stated purpose. Effective HRDD demands the opposite approach: comprehensiveness in identifying all potential impacts across all affected groups. Consider a company conducting a human rights impact assessment of a mining operation near an Indigenous community. Assessing impacts on cultural rights requires understanding the community’s relationship to ancestral lands, spiritual practices, and governance structures. Assessing health impacts requires individual health data. Assessing the risk of reprisals against community leaders requires knowing who those leaders are and what positions they have taken. Each category of information is necessary for a meaningful assessment, but each may also involve collecting sensitive personal data from individuals who may face retaliation if that data is disclosed. The tension is not between good practice and bad practice. It is between two legal obligations that pull in opposite directions when applied to the same population.

Resolving these competing aims is possible, but it requires deliberate design choices. One option is tiered data collection in which assessors draw first on aggregated, facility-level data and public sources, then proceed to individual data collection only where specific risks emerge, with pseudonymisation applied at the point of collection. Rigorous data collection processes can strengthen these protections and contribute to reconciling the two goals. What is important is that assessors document why data is collected at each stage and why it is necessary for the HRDD objective rather than merely useful or potentially relevant. That documentation is, in substance, a Data Protection Impact Assessment (discussed in more detail below).

Purpose limitation versus iterative due diligence. Article 5(1)(b) provides that data collected for one purpose may not be reused for an incompatible purpose. HRDD, however, is iterative by design: the CSDDD contemplates a continuous cycle of risk identification, prevention, remediation, monitoring, and reporting. Data collected at one stage becomes valuable at the next. A worker files a complaint through a CSDDD Article 14 grievance mechanism alleging unsafe conditions. The company investigates, collects testimony, and remediates. Two years later, the company faces a civil liability claim in a Member State court and wants to use the grievance records to demonstrate it responded adequately. The data was collected for one purpose—receiving and addressing complaints—and is now being used for another—legal defence. The worker provided testimony for a grievance process, not for use as evidence in litigation. The company’s interest in demonstrating compliance is legitimate. The worker’s interest in not having testimony repurposed is also legitimate. Article 6(4) provides a compatibility test, but the test requires judgments about consequences for the data subject that the GDPR does not resolve for this context.

The challenge is equally acute at the point of data collection. A grievance mechanism may receive inquiries ranging from simple information requests, which require no personal data, to sensitive allegations of misconduct. If the mechanism’s intake procedure collects personal information from every user before establishing the nature of the inquiry, it systematically gathers data that is unnecessary for a substantial proportion of interactions. Privacy by design thinking would reverse the order: determine the purpose of the inquiry first, then collect only the data that purpose requires.

Storage limitation versus long-term accountability. Article 5(1)(e) requires that personal data be kept in a form that permits identification “for no longer than is necessary for the purposes for which the personal data are processed.” HRDD pushes in a different direction, towards maintaining longitudinal records that track remediation outcomes, demonstrate compliance over time, and evidence adequate responses to grievances. The Batteries Regulation requires companies to retain documentation demonstrating fulfilment of their due diligence obligations for ten years, a period of time that starts running not from collection, but from the date the last battery manufactured under the relevant due diligence policy is placed on the market (Article 48(3)). For a policy that remains in operation, that date lies in the future and keeps receding, leaving the total retention period for personal data collected today indeterminate. For example, if a company pseudonymises grievance data after remediation but retains the key linking pseudonyms to identities—because it may need to re-identify individuals if remediation fails—the data remains personal data under the GDPR, and storage limitation continues to apply. If a worker requests erasure under Article 17 three years after remediation, Article 17(3)(b) likely permits the company to retain what the Regulation actually mandates, since the erasure right yields to retention required by Union law. But that defence extends only as far as the mandate. The Regulation requires retention of documentation demonstrating compliance, not of every record due diligence generates. Whether raw interview records fall within that scope, or whether findings and summaries suffice, is a judgment each company must make for itself absent Commission guidance.

Progressive anonymisation offers a pathway but not a complete answer. For example, a firm may retain identifiable data during follow-up, pseudonymise after remediation concludes, and aggregate into de-identified data for archival purposes. Even this approach requires clear retention schedules, communicated to participants during the consent process, and a principled framework for determining when re-identification is and is not permissible.

Disclosure versus data subject protection. The CSDDD requires annual reporting on due diligence (Article 16; post-Omnibus, an annual statement published on the company’s website where the company is not already reporting under the CSRD). The Batteries Regulation requires public disclosure of findings of “significant adverse impacts” (Article 52(3)). Norway’s Transparency Act creates a statutory right to information whose grounds for refusing disclosure—including the protection of personal matters—do not apply to actual adverse impacts of which the enterprise is aware (Section 6(3)). These provisions create pressure toward disclosure; the GDPR creates countervailing obligations of minimisation, purpose limitation, and data subject protection.

Consider the following example. A company publishes its annual due diligence report as required by CSDDD Article 16, disclosing that it identified forced overtime at a supplier factory in a specific region based on worker interviews. The report does not name the workers. But the factory employs 40 people, the local community knows who was willing to speak with outside investigators, and the finding itself—forced overtime at that specific facility—narrows the pool of possible sources. In a small-community context, anonymisation may not prevent identification. The company faces a choice between meaningful disclosure (which the CSDDD requires) and effective protection of the individuals whose testimony made that disclosure possible (which the GDPR requires). No guidance addresses how companies should resolve this conflict, and aggregation to a level that eliminates re-identification risk may also eliminate the specificity that makes due diligence reporting meaningful.

Data Protection Impact Assessments

Article 35 of the GDPR requires controllers to conduct a Data Protection Impact Assessment (DPIA) whenever processing is “likely to result in a high risk to the rights and freedoms of natural persons.” Article 35(3)(b) specifies that large-scale processing of special categories of data meets that threshold. For any company conducting HRDD that involves sensitive data about vulnerable communities—ethnicity, health, political opinions, religious beliefs—a DPIA is required as a matter of law.

Less widely appreciated is that the DPIA is also the mechanism through which privacy by design can be operationalised for HRDD. A compliant DPIA must describe the intended processing and its purpose, test its necessity and proportionality, map the risks to data subjects’ rights, and set out the technical and organisational safeguards that will mitigate those risks. These are precisely the questions the legislative gap leaves unanswered. When a company builds its due diligence system, conducting a DPIA at the design stage compels it to confront each of the four tensions identified above at the outset.

In practice, a two-level approach would be appropriate. An enterprise-level DPIA would address the company’s overall HRDD system: data flows across the due diligence cycle, the allocation of controller and processor roles, systemic safeguards such as encryption and pseudonymisation policies, retention schedules, permissible data reuse cases under Article 6(4), cross-border transfer mechanisms, and procedures for fulfilling data subject rights. This assessment would be conducted once and reviewed annually. Activity-specific DPIAs would then supplement it for high-risk processing: worker interviews in conflict or authoritarian contexts, community consultations with Indigenous peoples, grievance mechanisms handling sensitive allegations, or any processing of special category data at scale. The enterprise-level DPIA provides the institutional structure; the activity-specific DPIA addresses the particular vulnerabilities of each engagement, such as a human rights impact assessment.

At present and to the author’s knowledge, no European Data Protection Board guidance, national data protection authority publication, or industry standard provides a DPIA template or framework adapted to the specific data protection risks arising from HRDD processing under the CSDDD or related instruments. The Commission guidelines mandated under Article 19 of the CSDDD are not required to address this, though Article 19(2)(e)’s reference to data and information sources available for compliance, and to digital tools and technologies, is broad enough to serve as a vehicle for such guidance. It should be used as one.

Recommendations

For regulators. The European Data Protection Board should issue guidance on how companies can reconcile the GDPR with effective human rights due diligence under the CSDDD and related instruments, addressing the four tensions identified above: satisfying data minimisation while conducting the comprehensive impact identification that due diligence requires; applying the Article 6(4) compatibility test when data gathered for due diligence is reused at a later date for a separate purpose; giving effect to storage limitation where sectoral law mandates long or open-ended retention, such as the Batteries Regulation’s ten-year period; and approaching disclosure obligations that risk re-identifying the individuals whose testimony underlies a reported impact, particularly in small-community settings. The guidance should discuss how and to what extent DPIAs can address these and other tensions. The question of lawful basis for the collection of personal data as part of HRDD should also be addressed in this guidance. In particular, the Board should clarify the availability of the Article 9(2)(g) substantial public interest exception for due diligence.

For industry bodies. The OECD should develop a data protection module for its Due Diligence Guidance for Responsible Business Conduct. Sector-specific bodies, including the Responsible Business Alliance and the Initiative for Responsible Mining Assurance, should integrate DPIA requirements into their audit and certification protocols.

For companies and consultancies. Companies should consider taking the following actions in the short term. First, conduct an enterprise-level DPIA of existing HRDD data flows; map all personal data processing activities across the due diligence cycle; and implement foundational safeguards, including pseudonymisation at the point of collection, encrypted storage, and defined retention schedules. Over the medium term, develop activity-specific DPIAs for high-risk engagements, such as human rights impact assessments; redesign grievance mechanisms so that intake procedures align with data minimisation principles, collecting personal information only to the extent the complaint requires; and establish cross-functional coordination between HRDD, legal, and data protection teams.

Conclusion

Privacy by design is not an impediment to effective HRDD but an asset that strengthens it and protects its intended beneficiaries. The DPIA framework the GDPR already provides can address the operational tensions identified in this series while ensuring that the individuals whose data are collected are protected by the same regulation that governs every other form of personal data processing in the European Union. But DPIAs should not bear that weight alone. The structural pattern documented in Part 1 reflects a legislative gap that regulatory guidance should fill. Article 19(2)(e) of the CSDDD provides a vehicle for doing so. Until it does, companies risk breaching individuals’ privacy rights in the very course of attempting to respect their human rights.

Author

  • Jacob Bogart is Counsel at Perseus Strategies. Prior to joining the firm, Jacob served as Senior Associate at The Remedy Project, where he advised companies, international organizations, and governments on business and human rights issues. In his career, Jacob has worked for the United Nations peacekeeping mission in the Central African Republic, ASEAN Parliamentarians for Human Rights, Global Labor Justice, the World Food Programme, and Fortify Rights. He graduated from Columbia Law School in 2018 where he received a Commendation in Human Rights, and was a Public Interest Fellow, James Kent Scholar, and Global Public Interest Fellow. Jacob graduated summa cum laude with a B.A. in International Studies and French from The Ohio State University in 2014. Following university, he worked for the National Human Rights Commission of Thailand as a Luce Scholar. Jacob is a member of the New York State and Washington, D.C. bars, and he is a term member of the Council on Foreign Relations.

    View all posts

Leave a Reply

Discover more from BHRJ Blog

Subscribe now to keep reading and get access to the full archive.

Continue reading