GDPR in HR: Processing Employee Data
The GDPR imposes strict obligations on HR departments regarding the processing of employees' personal data. Discover how to meet them concretely.
Certyneo Team
Human resources management generates, day after day, a considerable volume of personal data: employment contracts, pay slips, health data, performance evaluations, bank details… Since the General Data Protection Regulation (GDPR) came into force in May 2018, HR departments have become central players in organisational compliance. Yet, according to CNIL's 2024 activity report, the human resources sector remains one of the three areas most frequently involved in inspections. This article guides you through key obligations, best practices and available tools to process your employees' data in full compliance.
What personal data do HR departments process?
Common data categories
HR departments handle a very broad spectrum of personal data. Two main families can be distinguished:
- Ordinary data, collected as part of the employment contract: name, surname, address, social security number, bank account details, CV, qualifications, professional history, annual assessments, working hours, attendance and absence data.
- Sensitive data, subject to enhanced restrictions under Article 9 of the GDPR: health data (sick leave, work accident declarations, medical restrictions), trade union data (union membership, representative mandates), data relating to criminal convictions in certain recruitment contexts.
The latter can only be processed subject to an explicit exception provided for by the regulation — such as compliance with legal obligations in employment law, or explicit consent from the data subject.
The particular case of recruitment
The recruitment phase generates specific processing, often poorly regulated. The collection of CVs, cover letters and test results involves precise retention periods: according to CNIL recommendations, data on unsuccessful candidates must be deleted or anonymised within a maximum period of two years after the last contact. Indefinitely retaining CVs in an unsecured shared directory constitutes a clear violation.
The use of tracking tools in ATSs (Applicant Tracking Systems) or behavioural analysis algorithms must be explicitly mentioned in the privacy policy communicated to candidates, in accordance with Articles 13 and 14 of the GDPR.
Legal bases for processing in HR contexts
Identifying the correct legal basis
The GDPR requires that any processing of personal data be based on one of the six legal bases defined in Article 6. In HR contexts, three bases are mainly used:
- Performance of an employment contract (Art. 6.1.b): justifies the processing of data necessary for payroll management, leave or training.
- Legal obligation (Art. 6.1.c): applies to mandatory social declarations (DSN), personnel registers or work accident monitoring.
- Legitimate interest (Art. 6.1.f): may be invoked for processing such as access badge management or video surveillance, subject to a rigorous balancing test.
Consent (Art. 6.1.a) is conversely a fragile legal basis in a work context: CNIL and the European Data Protection Board (EDPB) recall that the structural imbalance between employer and employee makes it difficult to prove freely given consent. It should only be used as a last resort.
The processing register, an essential obligation
Any organisation employing at least 250 people — or processing sensitive data on a smaller scale — must maintain a record of processing activities (Art. 30 of the GDPR). In HR, this register must document, for each processing: the purpose, data categories, recipients, retention periods, and security measures implemented.
This document, made available to CNIL in the event of an inspection, is also a valuable management tool. Combined with an HR-dedicated electronic signature solution, it enables tracing and time-stamping each stage of the lifecycle of an HR document, thus strengthening process auditability.
Rights of employees and obligations of the employer
Informing employees: an immediate obligation
Article 13 of the GDPR requires informing data subjects at the time their data is collected. In practice, HR departments must provide employees — ideally when signing the employment contract — with a GDPR privacy notice detailing: the identity of the controller, the purposes and legal bases, retention period, available rights and the contact details of the DPO (Data Protection Officer) if the company has one.
Digitising and securing this exchange is essential. Using an enterprise electronic signature solution to deliver this notice provides time-stamped and incontestable proof of delivery, aligned with the requirements of the eIDAS regulation.
Employee rights to be strictly respected
Employees have extensive rights over their data:
- Right of access (Art. 15): any employee may request a copy of all data concerning them processed by the employer.
- Right to rectification (Art. 16): correction of inaccurate data (e.g. postal address, bank account details).
- Right to erasure (Art. 17): applicable in certain cases, in particular after termination of contract and expiry of legal retention periods.
- Right to object (Art. 21): the employee may object to processing based on legitimate interest.
- Right to restrict processing (Art. 18): temporary freeze of disputed processing.
The employer has one month to respond to any request for exercise of rights, extendable to three months in case of complexity (Art. 12 of the GDPR).
Security of HR data and management of sub-processors
Technical and organisational measures
Article 32 of the GDPR requires the implementation of security measures "appropriate to the risk". For HR data, best practices include:
- Encryption of files containing sensitive data (pay slips, medical records).
- Access controls: principle of least privilege — a payroll manager does not have access to disciplinary data.
- Logging of access to HR systems (HRIS, payroll tools).
- Data breach response plan: in the event of a data leak, the employer has 72 hours to notify CNIL (Art. 33), and potentially affected individuals if the risk is high (Art. 34).
A complete audit via the electronic signature guide can help HR teams identify unsecured processing persisting on paper and digitalise it in a compliant manner.
Managing HR service providers via DPAs
HR departments call on numerous sub-processors: payroll software, training platforms, time management tools. Each service provider accessing personal data must be the subject of a data processing agreement (DPA), in accordance with Article 28 of the GDPR. This contract must specify processing instructions, security guarantees, data return or destruction procedures, and obligations in the event of a breach.
Selecting service providers hosting their infrastructure in the European Union, or governed by standard contractual clauses (SCC) approved by the Commission, remains a fundamental requirement to avoid any unlawful transfer outside the EU.
Retention periods: a structural issue
Legal retention periods applicable to the employee file
The retention period for HR data is governed by an overlapping set of texts: the GDPR (principle of storage limitation, Art. 5.1.e), the Labour Code, and various tax and social provisions. In practice, the main periods to be observed are:
| Document type | Minimum retention period |
|---|---|
| Pay slip | 5 years (social limitation period) |
| Employment contract | 5 years after end of contract |
| Payroll data (DSN) | 3 years (URSSAF inspection) |
| Personnel register | 5 years after employee departure |
| Disciplinary data | Duration proportionate to the measure |
| Medical file (occupational health) | 50 years (specific regulation) |
Implementation of an automated archiving and purging policy in the HRIS, combined with electronic signature workflows that time-stamp document creation, is now the best practice for demonstrating compliance to CNIL.
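As an added illustration, not code from Certyneo or from the original article, the following Python sketches how an HRIS purge job could encode the periods from the table above: each document carries the date its period runs from, fixed periods yield an earliest purge date, and disciplinary data (no fixed period) is routed to manual review rather than deleted automatically. The document type keys, identifiers and dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
# Retention periods from the table above, in years. None = no fixed period:
# disciplinary data is "proportionate to the measure" and needs a human decision.
RETENTION_YEARS = {
    "pay_slip": 5,
    "employment_contract": 5,  # runs from the end of the contract
    "payroll_dsn": 3,
    "personnel_register": 5,   # runs from the employee's departure
    "disciplinary": None,
    "medical_file": 50,
}

@dataclass
class HRDocument:
    doc_id: str
    doc_type: str
    anchor: date  # event the period runs from: issue date, end of contract, departure

def add_years(d: date, years: int) -> date:
    """Add calendar years; 29 February is clamped to 28 February when needed."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def retention_end(doc: HRDocument):
    """Earliest purge date, or None when the rule requires manual review."""
    years = RETENTION_YEARS[doc.doc_type]  # unknown type raises: fail closed, never purge
    return None if years is None else add_years(doc.anchor, years)

def classify(docs, today: date):
    """Split documents into ids due for purge, still retained, and manual review."""
    purge, keep, review = [], [], []
    for doc in docs:
        end = retention_end(doc)
        if end is None:
            review.append(doc.doc_id)
        elif end <= today:
            purge.append(doc.doc_id)
        else:
            keep.append(doc.doc_id)
    return purge, keep, review

# Constructed sample employee file (fictional ids; the employee left on 2016-03-31).
SAMPLE = [
    HRDocument("PS-2016-03", "pay_slip", date(2016, 3, 31)),
    HRDocument("CT-0042", "employment_contract", date(2016, 3, 31)),
    HRDocument("DISC-0007", "disciplinary", date(2015, 6, 1)),
    HRDocument("MED-0042", "medical_file", date(2016, 3, 31)),
]
```

Running `classify(SAMPLE, date(2025, 1, 1))` marks the pay slip and contract as due for purge, keeps the medical file until 2066, and sends the disciplinary record to review; the purge list is the input to the deletion step, which should itself be logged.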
Pitfalls to avoid
The most frequent errors observed during CNIL inspections regarding HR data are: indefinite retention of CVs of unsuccessful candidates, maintenance of IT access for former employees, lack of encryption of exported payroll files, and failure to delete access control data beyond regulatory periods. To secure these points, consulting the comparison of electronic signature solutions helps identify tools that natively integrate proven archiving functions and document lifecycle management.
Legal framework applicable to processing employee data
The processing of employees' personal data is part of a dense regulatory framework, articulating several levels of regulation.
Regulation (EU) 2016/679 — GDPR constitutes the cornerstone. Its Articles 5 to 11 define fundamental principles (lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality). Article 9 establishes strict conditions applicable to special categories of data, including health and trade union data, which are particularly frequent in HR. Article 83 provides for fines of up to 20 million euros or 4% of annual worldwide turnover in case of serious breach.
The amended Data Protection Act (Act No. 78-17 of 6 January 1978), in its consolidated version, adapts the GDPR to French law. It grants CNIL its inspection and enforcement powers, and notably provides for sectoral exemptions for health data in occupational medicine.
The Labour Code governs processing related to employee surveillance (Art. L. 1121-1 on respect for privacy), consultation of staff representatives on digital tools (Art. L. 2312-38), and mandatory registers.
The eIDAS Regulation (No. 910/2014), supplemented by eIDAS 2.0 (EU Regulation 2024/1183), governs the legal value of electronic signatures affixed to HR documents. A qualified electronic signature (QES), compliant with eIDAS Annex I and standards ETSI EN 319 132 and ETSI EN 319 122, offers the presumption of equivalence to a handwritten signature within the meaning of Article 1367 of the French Civil Code.
Article 1366 of the Civil Code states that "electronic writing has the same probative force as writing on paper, provided that the person from whom it emanates can be duly identified and that it is established and kept in conditions such as to guarantee its integrity". This provision is directly applicable to employment contracts, amendments, confidentiality agreements and other dematerialised HR documents.
The NIS2 Directive (EU 2022/2555), transposed into French law by the Act of 26 February 2025, imposes on essential and important entities (notably large industrial companies and digital service operators) enhanced requirements in terms of managing risks related to information security, including the protection of sensitive HR data.
CNIL's penalties are rising sharply: in 2024, the total amount of fines exceeded 100 million euros, with several decisions directly involving breaches in the management of employee data. Non-compliance with retention periods, absence of a DPA with HR sub-processors, and insufficient security measures are among the most frequently cited grievances.
Use cases: GDPR compliance in HR in practice
Scenario 1 — A mid-sized industrial company with 450 employees digitises its onboarding processes
An intermediate-sized industrial company, spread across three sites in France, managed its employment contracts and amendments on paper. New employee files were only transmitted to the payroll department after an average of 12 working days, generating payroll errors in approximately 8% of cases. Furthermore, no formal GDPR privacy notice was given to new hires: information was only found at the bottom of the employee handbook, not signed separately.
After deploying an electronic signature solution integrated into its HRIS, with simultaneous delivery of a GDPR privacy notice co-signed by the employee and the HR director, the company reduced the documentary onboarding period to 2 working days (83% reduction). Payroll errors related to missing data fell to less than 1%. Each signed document is archived with qualified time-stamping, providing evidence that can be invoked in the event of a CNIL inspection or labour court proceedings.
Scenario 2 — A distribution group with 1,200 employees brings its retention policy into compliance
A group operating in specialised distribution was subject to a CNIL inspection following a complaint from a former employee. The inspection revealed that Excel files containing payroll data for employees who had left more than 8 years ago were still accessible on an unsecured shared server, without encryption. A formal warning was issued, accompanied by an instruction to comply within 3 months.
The group then carried out a complete audit of its HR processing, mapped its 23 processing activities, and implemented an automated purge plan triggered by the HRIS. Electronically signed documents were migrated to a digital vault with retention periods configured according to legal obligations. The DPO produced a comprehensive HR processing register, presented at a second CNIL inspection 18 months later, which concluded without further action. The cost of compliance was estimated at less than 60% of the amount of a potential fine.
Scenario 3 — An HR consulting firm of 35 people secures the data of its own consultants and its clients
A firm specialising in human resources manages both the data of its own consultants and that of candidates and employees of its client companies (in the context of assessment or outplacement assignments). It thus finds itself in a dual role: controller for its own HR data, and processor (or even joint controller) for third-party data.
The firm implemented a differentiated documentary architecture: simple electronic signatures for routine internal exchanges, advanced signatures for mission contracts with clients, and data processing agreements (DPA) systematically integrated into engagement letters. All consultants received an updated GDPR charter, electronically signed and kept in a dedicated register. This organisation enabled the firm to demonstrate its compliance as a sales argument to large accounts subject to strict supplier audits, reducing the average time to contract from 7 to 2 weeks.
Conclusion
The GDPR requires HR departments to fundamentally transform their practices: rigorous identification of legal bases, effective notification to employees, management of rights, contractual oversight of sub-processors, data security and compliance with retention periods. These obligations are not mere administrative formalities — they determine the organisation's ability to avoid sanctions that can reach millions of euros and to maintain the confidence of its teams.
Digitisation of HR processes, via eIDAS-compliant electronic signature solutions, is one of the most effective levers for reconciling operational efficiency and regulatory compliance. Certyneo supports HR teams in this transition, from signing the employment contract to secure archiving of employee files.
Discover how Certyneo can secure your HR processes by consulting our dedicated HR offer or by starting for free to test the solution with no commitment.