GDPR in HR: Employee Data Processing

GDPR imposes strict rules on employers for collecting and processing personal data of employees. Discover how to ensure your compliance and avoid penalties.

Certyneo Team · 13 min read


The General Data Protection Regulation (GDPR) does not apply solely to the commercial relationship between a business and its customers: it also regulates, in precise terms, the processing of employees' personal data. Recruitment, payroll, access control, performance evaluation, video surveillance: each stage of the employment relationship generates personal data that the employer must process in strict compliance with European law. With fines of up to 20 million euros or 4% of annual worldwide turnover, whichever is higher, the stakes are considerable. This article details the applicable legal bases, the practical obligations of HR departments and the good practices that secure such processing, including when HR documents are digitised.

Legal bases for processing employee data

GDPR lists six legal bases for processing personal data (Article 6). In an HR context, three of them are relied on almost systematically:

  • Performance of the employment contract (art. 6.1.b): the main basis for running payroll, monitoring working time, issuing payslips and managing leave.
  • Legal obligation (art. 6.1.c): justifies processing required by employment law or social security legislation, such as the pre-employment declaration (DPAE), the nominative social declaration (DSN) or keeping the single personnel register.
  • Legitimate interest (art. 6.1.f): may support certain information security or internal fraud prevention processing, provided that the employer has weighed and documented this interest against the interests and fundamental rights of employees and the latter do not prevail.

⚠️ Consent must be handled with extreme caution in an HR context. The CNIL regularly points out that the inherent imbalance of the employer-employee relationship means consent is rarely "freely given" within the meaning of Articles 4(11) and 7 of the GDPR. Relying on consent for processing that could rest on another legal basis exposes the employer to the processing being requalified, and to the consent being invalid if the employee could not refuse without consequence.

Special categories of data: a reinforced regime

Some data collected by HR falls under the "sensitive data" regime of Article 9 of the GDPR, the processing of which is prohibited in principle, subject to exhaustive exceptions:

  • Health data: sick leave, unfitness declared by occupational health, workplace adjustments for disability.
  • Trade union data: trade union membership, representative mandates.
  • Biometric data: access control by fingerprint or facial recognition.
  • Data relating to criminal convictions and offences: governed by Article 10 rather than Article 9, but subject to a comparably restrictive regime; criminal record checks are authorised only in regulated sectors (security, child protection, etc.).

For these categories, the employer must identify an explicit exception (art. 9.2, or the national rules implementing art. 10), conduct a data protection impact assessment (DPIA) in most cases and, where the DPIA shows a residual high risk, consult the CNIL before deployment (art. 36).

Practical obligations for HR departments

The processing activity register

Any organisation employing 250 or more people must maintain a record of processing activities (art. 30 of GDPR). Below that threshold the obligation still applies where processing is not occasional, is likely to result in a risk, or concerns special categories of data, which is almost always the case in HR. For each processing activity the register must document:

  • The purpose of the processing (e.g. "payslip management")
  • The categories of data subjects and of data concerned
  • The recipients (third parties, processors, authorities) and any transfers outside the EEA
  • The retention periods
  • A general description of the security measures implemented

The CNIL provides a freely downloadable model register. Keeping it rigorously up to date is the first line of defence in case of inspection.

Retention periods: often overlooked

Article 5.1.e of GDPR lays down the principle of storage limitation: data must not be kept beyond the period necessary for the purpose for which it was collected. In HR, the reference retention periods under French law are as follows:

| Type of data | Reference retention period |
|---|---|
| Payslip | 5 years (civil limitation period) |
| Employment contract | 5 years after contract termination |
| Recruitment data (unsuccessful candidate) | 2 years maximum after last contact |
| Disciplinary file | Variable depending on the sanction (max. 3 years for a warning) |
| Video surveillance data | 1 month as a rule |
| DSN and personnel register | 5 years after the employee's departure |

These periods must be recorded in the register and enforced through deletion or intermediate-archiving procedures, with archived data placed under restricted access.

Information of employees: an often underestimated obligation

Article 13 of GDPR requires a complete information notice to be given to data subjects at the time their data is collected (Article 14 applies where the data comes from a third party, for instance a reference check). In HR, this notice should be provided:

  • From the application stage: for data collected during the recruitment process.
  • Upon hiring: incorporated into the employment contract or provided as an annex at signature.
  • During the contractual relationship: each time new processing is implemented (e.g.: deployment of a biometric time-tracking tool).

Digitising the onboarding process, in particular through electronic signature of HR documents, makes this information step traceable: the date and time at which the notice was read and signed are reliably time-stamped, which is valuable evidence in case of dispute.

Security of HR data: technical and organisational measures

Encryption, access control and segregation

Article 32 of GDPR requires security measures appropriate to the risk. HR data is sensitive by nature and a frequent target in breaches (payroll and identity data are directly monetisable), so the minimum good practices include:

  • Encryption of data at rest and in transit: payroll files, contracts and personnel files must be stored encrypted with a current standard algorithm (e.g. AES-256) and transmitted over secure protocols (TLS 1.2 or 1.3, with older protocol versions disabled). Encryption keys must be held separately from the data they protect, ideally in a key management service or HSM, with a defined rotation policy.
  • Role-Based Access Control (RBAC) applying least privilege: only authorised HR staff access payroll data; a team manager accesses only the fields needed to manage their team, and nothing is granted by default.
  • Access logging: every consultation or modification of an employee file must be traced with the user identifier, date and time, and the operation performed. The logs themselves must be protected against alteration, reviewed, and kept for a bounded period (the CNIL recommends six months to a year) since they are personal data too.
  • Pseudonymisation for analytical processing (HR dashboards, remuneration studies), with the mapping key held separately from the dataset; pseudonymised data remains personal data and stays within GDPR's scope.
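To make the last three measures concrete, here is an added illustration (written for this article, not Certyneo's product code and not a standard library API) of field-level RBAC over an employee record, a tamper-evident access log, and keyed pseudonymisation for analytics. The employee record, the role names and their field grants are constructed assumptions; encryption at rest and TLS are left to the database and transport layers and are not shown.

```python
"""Field-level RBAC, tamper-evident access log and keyed pseudonymisation
for HR records. Illustrative code; roles, fields and data are invented."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample record; every value is made up for the example.
EMPLOYEE_RECORD = {
    "employee_id": "E-1042",
    "name": "Alice Martin",
    "team": "Logistics",
    "leave_balance_days": 12,
    "iban": "FR7630006000011234567890189",  # payroll data
    "gross_salary": 3200,                   # payroll data
    "sick_leave_days": 4,                   # health data (art. 9)
}

# Explicit allow-list of fields per role (assumed roles); nothing is granted
# by default, so an unknown role sees no field at all.
ROLE_FIELDS = {
    "payroll": {"employee_id", "name", "iban", "gross_salary"},
    "team_manager": {"employee_id", "name", "team", "leave_balance_days"},
    "occupational_health": {"employee_id", "name", "sick_leave_days"},
}


class AccessDenied(PermissionError):
    """Raised when the role has no grant on the requested record."""


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def _entry_hash(entry: dict) -> str:
    """Hash of an entry with stable key order, used to chain log entries."""
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


def append_log(audit_log: list, **fields) -> dict:
    """Append an entry whose hash covers the previous entry's hash, so that
    editing or deleting any earlier entry invalidates the chain."""
    prev = audit_log[-1]["hash"] if audit_log else "0" * 64
    entry = {"ts": _now(), "prev": prev, **fields}
    entry["hash"] = _entry_hash({k: v for k, v in entry.items() if k != "hash"})
    audit_log.append(entry)
    return entry


def verify_log(audit_log: list) -> bool:
    """Recompute the chain from the start; False if any entry was altered."""
    prev = "0" * 64
    for entry in audit_log:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body["prev"] != prev or _entry_hash(body) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


def read_record(record: dict, user_id: str, role: str, purpose: str,
                audit_log: list) -> dict:
    """Return only the fields the role may see; log who read what and why,
    including refused attempts."""
    allowed = ROLE_FIELDS.get(role, set())
    view = {k: v for k, v in record.items() if k in allowed}
    append_log(audit_log, user=user_id, role=role, subject=record["employee_id"],
               purpose=purpose, fields=sorted(view),
               outcome="ok" if view else "denied")
    if not view:
        raise AccessDenied(f"role {role!r} has no grant on employee records")
    return view


def pseudonymise(record: dict, key: bytes) -> dict:
    """Keyed pseudonym for analytics: the same employee always maps to the
    same token, but without `key` the token cannot be linked back to them
    (a plain hash of a short identifier could be brute-forced)."""
    token = hmac.new(key, record["employee_id"].encode(), hashlib.sha256).hexdigest()[:16]
    return {"pseudo_id": token, "team": record["team"],
            "gross_salary": record["gross_salary"]}


if __name__ == "__main__":
    log: list = []
    print(read_record(EMPLOYEE_RECORD, "hr.dupont", "payroll", "monthly payroll run", log))
    print(read_record(EMPLOYEE_RECORD, "mgr.leroy", "team_manager", "leave planning", log))
    try:
        read_record(EMPLOYEE_RECORD, "intern.x", "intern", "curiosity", log)
    except AccessDenied as exc:
        print("denied:", exc)
    # The HMAC key must live in a KMS/HSM, not in the analytics dataset.
    print(pseudonymise(EMPLOYEE_RECORD, key=b"example-key-kept-in-a-kms"))
    print("log intact:", verify_log(log))
```

The hash chain only makes tampering detectable, not impossible: in production the log should also be written to storage the HR application cannot rewrite (append-only table, separate log collector), and the last hash periodically recorded out of band. The pseudonymisation key is a secret in its own right: whoever holds it can re-identify the analytics dataset, so it belongs with the encryption keys, not with the data.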

Management of HR processors

HR departments rely on many processors: HRIS vendors, outsourced payroll providers, training platforms, online recruitment tools. Each of these third parties must be bound by a data processing agreement compliant with Article 28 of GDPR, specifying in particular:

  • The nature and purpose of sub-contracted processing
  • The processor's obligations regarding security and confidentiality
  • The prohibition on sub-processing without prior authorisation
  • Procedures for return or destruction of data at end of contract

When selecting a provider, also check where its servers (and those of its own sub-processors, including support and backup locations) are situated: inside the European Economic Area (EEA), or outside it with an adequate transfer mechanism in place (adequacy decision, or standard contractual clauses backed by a transfer impact assessment).

Digitisation of HR documents and GDPR compliance

The growing digitisation of HR processes (electronic employment contracts, dematerialised payslips, amendments signed remotely) raises specific GDPR issues. While an eIDAS-compliant electronic signature provides strong guarantees of integrity and authenticity, the employer must ensure that the platform used:

  • Does not collect superfluous data during the signature process (minimisation principle, art. 5.1.c)
  • Preserves proof of signature (audit trail) under secure conditions and for an appropriate period
  • Enables the exercise of signatories' rights (access, rectification, deletion within legal limits)

For further information on signature tool compliance, Certyneo's complete electronic signature guide details the technical and legal criteria to verify before any deployment.

Employee rights and their effective exercise

Overview of rights guaranteed by GDPR

Employees benefit from all rights provided for in Articles 15 to 22 of GDPR. In an HR context, the most frequently exercised rights are:

  • Right of access (art. 15): the employee may request a copy of all data the employer holds about them, which can include work-related emails in certain circumstances.
  • Right to rectification (art. 16): correction of inaccurate data (error in bank details, diploma incorrectly entered, etc.).
  • Right to erasure (art. 17): limited in HR by legal retention obligations, but applicable for instance to the recruitment data of an unsuccessful candidate.
  • Right to object (art. 21): may be exercised against processing based on legitimate interest, such as certain monitoring processing.
  • Right to data portability (art. 20): applies to data the employee provided themselves and that is processed by automated means on the basis of the contract.

Response timeframe and internal procedures

The employer has one month to respond to any request to exercise a right, extendable by two further months (three in total) where requests are complex or numerous, provided the employee is informed of the extension within the first month (art. 12.3). To handle these requests effectively, it is recommended to:

  • Designate a single point of contact (DPO or GDPR officer) to receive requests
  • Set up a dedicated form accessible to employees
  • Document each request and its response in a register of requests to exercise rights
  • Train HR managers to identify an implicit request (an employee requesting "their personnel file" is exercising their right of access)

The role of the DPO in the organisation

GDPR requires the appointment of a Data Protection Officer (DPO) in three cases (art. 37): public authorities, large-scale processing of special categories of data, and regular and systematic large-scale monitoring of individuals. Many organisations with significant HR processing fall within this obligation. The DPO may be internal or outsourced; they must have functional independence and be involved in all decisions affecting data protection, including the deployment of new digital HR tools. Their role is advisory, not decision-making: final responsibility remains with the controller, i.e. the employer.

GDPR: the founding text

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR) is the regulatory foundation for personal data processing in Europe. Directly applicable in all Member States since 25 May 2018, it covers any employer established in the EU and, under Article 3, any employer outside the EU that processes the data of employees located in the EU in the situations that article describes. The main articles applicable in an HR context are:

  • Art. 5: fundamental principles (lawfulness, fairness, transparency, minimisation, accuracy, storage limitation, integrity and confidentiality, accountability)
  • Art. 6: legal bases for processing
  • Art. 9: regime for sensitive data
  • Art. 12 to 22: rights of data subjects
  • Art. 24 to 32: obligations of the controller and processor
  • Art. 33-34: notification of personal data breaches (to the CNIL within 72 hours of becoming aware of the breach, and to the individuals concerned where the risk to them is high)
  • Art. 35: impact assessment (DPIA), mandatory for high-risk processing
  • Art. 83: administrative fines (up to 20 M€ or 4% of worldwide turnover, whichever is higher)

The modified French Data Protection Act

Under French law, Law no. 78-17 of 6 January 1978 on data processing, data files and freedoms, as amended by Law no. 2018-493 of 20 June 2018 and Ordinance no. 2018-1125 of 12 December 2018, supplements GDPR by using the national margins of manoeuvre the regulation leaves open ("opening clauses"). Among the most important for HR: the possibility of processing trade union data in the context of managing staff representative bodies, and specific rules for processing occupational health data.

Employment Code and labour case law

The French Labour Code (Code du travail) requires the Social and Economic Committee (CSE) to be informed and consulted before any device for monitoring or controlling employees is deployed (art. L. 2312-38). Failing to consult exposes the employer to the evidence gathered being held unenforceable against employees, and to criminal penalties.

The Court of Cassation's case law regularly reiterates that monitoring tools (geolocation, time clocks, activity monitoring software) must be proportionate to the objective pursued and cannot be diverted to purposes other than those declared to employees and the CNIL.

Electronic signature of HR documents: eIDAS and Civil Code

When digitising employment contracts, amendments or disciplinary documents, the employer must comply with Regulation (EU) no. 910/2014 (eIDAS), which defines three levels of electronic signature: simple, advanced and qualified. For documents as foundational as a permanent employment contract or a termination letter, an advanced (or even qualified) electronic signature is recommended to guarantee the signatory's identity and the document's integrity. Articles 1366 and 1367 of the Civil Code establish the evidentiary value of electronic documents and electronic signatures, provided the signatory is reliably identified and the document's integrity is assured.

Penalties issued by the CNIL in HR matters

The CNIL has issued several significant penalties for HR data processing: in 2022, a company was fined 400,000 euros for excessive monitoring of remote workers via screen capture software. In 2023, a security company received a 200,000 euro penalty for excessive collection of biometric data without valid legal basis. These decisions illustrate the regulator's growing vigilance in this area.

Usage scenarios: GDPR HR in practice

Scenario 1 — A mid-sized industrial company with 450 employees brings its recruitment process into compliance

A mid-sized industrial company employing approximately 450 people across three sites received over 3,000 unsolicited applications and responded to around sixty job postings each year. CVs and cover letters were stored indefinitely in a shared email inbox managed by six department managers. No information notice was provided to candidates on the use of their data.

Following a GDPR audit, the following actions were deployed over six months:

  • Migration to an ATS (Applicant Tracking System) configured to GDPR requirements, with automatic deletion of files after 24 months of inactivity
  • Addition of a GDPR information notice to each online application form
  • Electronic signature of offer letters and employment contracts via an eIDAS-compliant platform, reducing the average return time of signed contracts from 8 days to under 48 hours
  • Update of the record of processing activities with 12 new HR processing sheets

Result: no CNIL requests received in the following 18 months; estimated gain of 1.2 FTE in recruitment administrative management thanks to digitisation.

Scenario 2 — A retail group with 1,200 employees regulates its video surveillance policy

A group specialising in food retail had deployed a video surveillance system covering 34 stores. Images were retained for 45 days at some locations, with no notice posted for employees. Several cameras continuously covered individual cashier positions, generating a risk of disproportionate surveillance.

Following an employee complaint to the CNIL, the company engaged in compliance work including:

  • Reduction of the retention period to 30 days maximum across all locations
  • Repositioning of cameras to exclude continuous surveillance of individual workstations
  • Consultation and approval by the central CSE before any new deployment
  • Systematic information of employees via employment contracts and an internal charter displayed on-site

Result: closure of the CNIL complaint without penalty; improvement in staff morale as measured by the following year's satisfaction survey (+11 points on the "trust in employer" item).

Scenario 3 — An outsourced HR consulting firm secures data transfers with its clients

A firm specialising in payroll and personnel administration outsourcing managed employee files for around twenty SME clients, representing approximately 1,800 payslips per month. Payroll files were exchanged by unencrypted email, without any formalised processing agreement under Article 28 of GDPR.

The firm engaged in a complete overhaul of its practices:

  • Signature of Data Processing Agreements (DPA) compliant with Article 28 with each of its clients, via an advanced electronic signature platform providing traceability
  • Implementation of a secure client portal (TLS encryption plus two-factor authentication) for uploading and retrieving payroll files
  • Hosting of data on servers located in France, HDS-certified for the occupational health data handled
  • Drafting of a sub-processing policy governing the use of third parties (payroll software editor, archiver)

Result: unencrypted email transmission of HR data was eliminated entirely, and the firm won two new client contracts whose calls for tender made GDPR compliance a mandatory selection criterion.

Conclusion

GDPR in HR is not simply an additional administrative constraint: it is a lever for building trust between employer and employees, and a competitive factor in a labour market where transparency is increasingly valued. A processing activity register kept up to date, controlled retention periods, formalised employee information, enhanced security of sensitive data and contractualised processors: each of these pillars contributes to building an HR policy that is both legal and responsible.

Digitisation of HR documents — contracts, amendments, payslips, information notices — offers a unique opportunity to combine GDPR compliance and operational efficiency, provided you rely on certified tools. Certyneo supports you in this journey with an eIDAS-compliant electronic signature solution designed for HR teams. Discover our pricing and start your free trial on Certyneo to secure your HR documents today.
