0

If a company wishes to allow access to their system (e.g. a new manager to view HR records, salary, etc.) before their employment start date, does this break any privacy, GDPR laws, etc.?

Let's say they sign off the contract and they are given access but before any background checks are conducted. As long as they are signed off, then is it acceptable? What if they are deemed not hire worthy before they start but have since seen some records? Are there any implications?

User101

1 Answer

2

The GDPR requires data controllers to use appropriate organizational measures to protect the data. It is the controller's job to decide which measures are appropriate, taking into account possible risks.

For an employment context, I'd think the important part is that anyone accessing this data is bound to discretion regarding the data they will see. Whether this is ensured by an employment contract or another legal mechanism is not important.

There is one subtlety though: employees of the controller act on behalf of the controller, and aren't a third party. In contrast, non-employees are third parties. They are either controllers of their own, or they are processors that serve the controller. If a controller takes on a processor, this requires a contract with certain items.

So while I think that a data controller can decide to give an employee access to some data under whatever circumstances the controller deems appropriate, they cannot give a not-yet employee such access. They would rather have to establish a subprocessing relationship with that person.

amon