Certyneo

GDPR in HR: Employee Data Processing

GDPR and human resources: legal bases, processing register, retention periods and employee rights in 2026.

Certyneo Team · 4 min read

Editor — Certyneo · About Certyneo


Introduction

Since the General Data Protection Regulation (GDPR) came into force on 25 May 2018, HR departments have been at the forefront of compliance. Human resources functions process sensitive personal data daily: CVs, payslips, health data, performance reviews, bank details. Non-compliance exposes the company to administrative fines of up to 20 million euros or 4% of worldwide annual turnover, whichever is higher (Article 83(5) of the GDPR). This article presents the key obligations and best practices for securing the processing of employee data throughout the HR cycle.

Fundamental principles applicable to HR data

The GDPR imposes six cardinal principles codified in Article 5(1): lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and integrity and confidentiality. Article 5(2) adds accountability: the controller must be able to demonstrate compliance with all of them. In practice, this means that the HR department can only collect data strictly necessary for a determined purpose. For example, asking for a social security number at the application stage is disproportionate: it is only justified after hiring, for the DSN (the monthly social declaration to the authorities).

The CNIL, via its deliberation no. 2019-160 adopting the personnel management framework, specifies recommended retention periods: 2 years after the last contact for rejected applications (unless the candidate consents to a longer retention), 5 years after departure for the administrative file, 6 years for payslips in the employer version. These periods run from the event that starts the clock (rejection, departure, issue of the payslip), not from the date the record was created.

Contrary to popular belief, consent is rarely the appropriate legal basis in HR, because the imbalance inherent in the employment relationship means it can seldom be considered freely given. The more relevant bases are rather the performance of the employment contract (Article 6(1)(b)), legal obligation (Article 6(1)(c)) or legitimate interest (Article 6(1)(f)). For special categories of data (health, trade union membership), Article 9 additionally requires a specific condition, such as an obligation under employment law (Article 9(2)(b)).

The employer must provide clear information via a GDPR notice given at hiring (Articles 13 and 14), keep the record of processing activities up to date (Article 30) and inform and consult the Works Council (CSE) before introducing any new processing or technique allowing the monitoring of employees (Article L.2312-38 of the Labour Code).

Security and employee rights

Technical and organisational security (Article 32) requires: encryption of the HRIS, access control by profile, traceability of consultations (who looked at which file and when), and written contracts with payroll or recruitment subcontractors containing the confidentiality and security clauses required by Article 28. In case of a personal data breach, the CNIL must be notified within 72 hours of the employer becoming aware of it, unless the breach is unlikely to result in a risk to individuals (Article 33); where the risk is high, the employees concerned must also be informed (Article 34).

Employees have the full set of data subject rights: access, rectification, erasure (limited by legal retention obligations), portability and objection. An internal procedure must allow responses within one month, extendable by two further months for complex or numerous requests provided the employee is told of the extension within the first month (Article 12(3)). Refusal of access to disciplinary files must be legally justified.

Practical examples

Example 1 – Recruitment: A small business has been storing CVs from all candidates in a shared folder for 5 years. Non-compliant: excessive duration, lack of access control. Solution: automated purge 2 years after the last contact with unsuccessful candidates, access restricted to recruiters, GDPR notice in the job advertisement.
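The retention periods from the CNIL framework above and the "automated purge at 2 years" recommended in Example 1 are easy to state and easy to get wrong in practice (clock started from the wrong date, candidates who consented to stay in the talent pool deleted, files under litigation hold purged). The following is an added example, not code from the article or from Certyneo, of a retention-driven purge job that handles those cases and writes an audit trail without re-accumulating personal data. The categories, field names, opaque record identifiers and sample dataset are constructed for illustration; a real HRIS would replace the in-memory dictionary with its own storage backend.

```python
"""Retention-driven purge for HR records.

Added example (not from the article). Retention periods follow the CNIL
personnel-management framework; categories, field names and the SAMPLE
dataset are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date
from enum import Enum


class Category(Enum):
    REJECTED_APPLICATION = "rejected_application"  # 2 years after last contact
    ADMIN_FILE = "admin_file"                      # 5 years after departure
    PAYSLIP = "payslip"                            # 6 years, employer copy


# Retention in years per category. The clock starts at the reference date
# of the record (rejection, departure, payslip issue), never at creation.
RETENTION_YEARS = {
    Category.REJECTED_APPLICATION: 2,
    Category.ADMIN_FILE: 5,
    Category.PAYSLIP: 6,
}


@dataclass(frozen=True)
class Record:
    record_id: str                 # opaque internal id, not a name
    category: Category
    reference_date: date           # rejection / departure / issue date
    consent_to_keep: bool = False  # candidate agreed to stay in the pool
    legal_hold: bool = False       # litigation or audit hold blocks deletion


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years, clamping 29 Feb to 28 Feb."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def expiry_date(rec: Record) -> date:
    return add_years(rec.reference_date, RETENTION_YEARS[rec.category])


def is_purgeable(rec: Record, today: date) -> bool:
    """Past retention, and no consent-based or legal-hold exception."""
    if rec.legal_hold:
        return False
    if rec.category is Category.REJECTED_APPLICATION and rec.consent_to_keep:
        return False
    return today >= expiry_date(rec)


def run_purge(records, today: date, store: dict) -> list:
    """Delete expired records from `store` (keyed by record_id) and return
    an audit trail holding only the opaque id, category and dates, so the
    trail itself does not become a second copy of the personal data."""
    audit = []
    for rec in records:
        if is_purgeable(rec, today):
            store.pop(rec.record_id, None)
            audit.append({
                "id": rec.record_id,
                "category": rec.category.value,
                "expired_on": expiry_date(rec).isoformat(),
                "purged_on": today.isoformat(),
            })
    return audit


# Constructed sample data (assumption: not real records).
SAMPLE = [
    Record("cand-0001", Category.REJECTED_APPLICATION, date(2021, 3, 10)),
    Record("cand-0002", Category.REJECTED_APPLICATION, date(2023, 11, 5)),
    Record("cand-0003", Category.REJECTED_APPLICATION, date(2020, 6, 1),
           consent_to_keep=True),
    Record("emp-0042-file", Category.ADMIN_FILE, date(2019, 12, 31)),
    Record("emp-0099-file", Category.ADMIN_FILE, date(2018, 1, 1),
           legal_hold=True),
    Record("pay-0042-2018-01", Category.PAYSLIP, date(2018, 1, 31)),
    Record("pay-0042-2020-01", Category.PAYSLIP, date(2020, 1, 31)),
    Record("pay-0042-2024-02", Category.PAYSLIP, date(2024, 2, 29)),
]


def demo(today: date = date(2025, 1, 15)):
    """Run the purge over SAMPLE; return (remaining ids, audit trail)."""
    store = {r.record_id: r for r in SAMPLE}
    audit = run_purge(SAMPLE, today, store)
    return sorted(store), audit


if __name__ == "__main__":
    remaining, trail = demo()
    print("kept:", remaining)
    for entry in trail:
        print("purged:", entry)
```

Run as a scheduled job, the script keeps cand-0002 (still within 2 years), cand-0003 (consent to remain in the pool) and emp-0099-file (legal hold) while purging the three records whose period has elapsed. The audit trail is what you show the CNIL to demonstrate the storage limitation principle is actually enforced; note that it deliberately records the opaque identifier and dates only.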

Example 2 – Video surveillance: A logistics warehouse films work stations continuously. This exposes the employer to sanction: in January 2024 the CNIL fined Amazon France Logistique 32 million euros, principally for an excessively intrusive system of monitoring employee activity and productivity, with additional findings on video surveillance. Solution: limit cameras to areas with a genuine security need (never continuous filming of a workstation), individual notification, Works Council consultation, maximum retention period of one month for the footage.

Example 3 – Collaborative tools: The deployment of Microsoft 365 requires a data protection impact assessment (DPIA, Article 35) if monitoring or activity-reporting functions are enabled, as well as a data processing agreement with the publisher that meets the requirements of Article 28.

Compliance and penalties

In addition to CNIL fines, the employer faces labour court claims for invasion of privacy (Article 9 of the Civil Code, Article L.1121-1 of the Labour Code). The appointment of a DPO is mandatory (Article 37) for public bodies and for organisations whose core activities involve regular and systematic monitoring of individuals on a large scale or large-scale processing of special categories of data; many HR departments fall within these criteria. An annual mapping of HR processing, coupled with manager training, constitutes the best legal and operational protection.

Conclusion

GDPR compliance in HR is not a one-off project but an ongoing process of improvement. Between legal obligations, employee rights and operational performance, HR managers must pilot data governance with rigour. Investing in a compliant HRIS, training teams and documenting each processing transforms regulatory constraint into a driver of employee trust.
