Electronic Signature HR & GDPR: Complete Guide 2026
Between eIDAS, GDPR and management of employees' personal data, electronic signature of your HR documents is subject to strict rules. Discover how to remain compliant.
Certyneo Team
Editor — Certyneo
The digitalisation of human resources has accelerated considerably since 2020: employment contracts, amendments, pay slips, IT policies, remote work agreements — virtually all of these documents are now produced and circulated in digital form. Yet dematerialisation does not mean escaping legal obligations. Quite the opposite: electronic signature of HR documents is governed by two regulatory regimes at once, the eIDAS framework on the evidential value of the signature and the European regulation on the protection of personal data. If poorly managed, this double constraint exposes the business to legal risks and CNIL sanctions. This guide presents the essential rules, best practices and key points of caution you absolutely need to know in 2026.
Why does GDPR apply to electronic signature in HR?
Electronic signature necessarily processes personal data
Signing an employment contract online involves collecting, transmitting and storing personal data within the meaning of Article 4 of Regulation (EU) 2016/679 (GDPR): surname, first name, professional e-mail address, sometimes mobile phone number, signature timestamp and IP address. In an HR context, this data is particularly sensitive as it directly identifies the employee and is linked to their contractual relationship with the employer.
The qualified trust service provider (TSP) that supplies the signature solution is classified as a data processor under Article 28 of the GDPR. The employer remains the data controller. This distinction is fundamental: it is the business that is accountable to the CNIL in case of breach, not the software provider.
Legal bases available in HR context
For each category of dematerialised HR documents, the employer must identify the legal basis for processing that is most appropriate:
- Contract performance (Art. 6.1.b GDPR): signature of employment contract, salary amendment, working time forfeit convention. This is the most robust legal basis for contractual documents.
- Legal obligation (Art. 6.1.c GDPR): dematerialised delivery of pay slip (authorised since the Macron Law of 2015 under conditions), staff registers.
- Legitimate interest (Art. 6.1.f GDPR): IT policies, internal regulations, internal policy documents — provided the balancing test is passed.
The consent basis (Art. 6.1.a) should be avoided in HR context: the CNIL and the EDPB (European Data Protection Board) consider that the subordination relationship between employer and employee makes consent rarely free. An employee who refuses to sign electronically could fear professional repercussions.
Concrete obligations of the HR data controller
Update the Records of Processing Activities (RPA)
Article 30 of the GDPR requires any organisation employing more than 250 employees (and SMEs processing sensitive data on a large scale) to maintain a Records of Processing Activities. The introduction of an electronic signature tool for HR documents must be recorded with:
- The purpose of processing (e.g.: dematerialisation and archiving of contractual HR documents)
- The categories of data processed (identity, contact data, authentication data)
- The retention period (statutory retention period for employment contract: 5 years after the end of the contract under Labour Code, Art. L. 1234-20)
- The data processor's contact details (the signature platform)
- The security measures in place
Sign a DPA (Data Processing Agreement) with the service provider
Pursuant to Article 28 of the GDPR, any recourse to a processor for processing personal data must be formalised by a Data Processing Agreement (DPA). This contract must specify:
- The subject matter and duration of processing
- The nature and purpose of processing
- The type of personal data and categories of data subjects
- The obligations and rights of the data controller
- The location of data (hosting within the EU recommended to avoid transfers outside the EEA)
- Technical and organisational security measures
A serious electronic signature service provider systematically offers a GDPR-compliant DPA. Its absence is in itself a sanctionable non-compliance.
Inform employees before the first signature
Article 13 of the GDPR requires prior information of persons whose data is collected. Before deploying electronic signature for HR documents, the employer must inform employees:
- Of the identity of the data controller
- Of the purpose and legal basis
- Of the data retention period
- Of their rights (access, rectification, erasure within the limits of statutory retention obligations, portability)
- Of the Data Protection Officer's (DPO) contact details if appointed
This information may be integrated into the signature process itself (information banner before signature), into the updated internal regulations, or via a service note distributed during deployment.
Signature level required for HR documents: SES, AES or QES?
The hierarchy of eIDAS signature levels
Regulation eIDAS No 910/2014 defines three levels of electronic signature, each offering increasing evidential value:
- SES (Simple Electronic Signature): low evidential value, suitable for low-stakes documents (acknowledgements of receipt, internal forms)
- AES (Advanced Electronic Signature): uniquely linked to the signatory, created using data under their exclusive control. Suitable for most standard HR documents.
- QES (Qualified Electronic Signature): the highest level, equivalent to handwritten signature under Art. 25.2 eIDAS. Requires reinforced identity verification (face-to-face or video identification).
Which level for which HR documents?
The recommended mapping in 2026, taking into account French case law positions and sector recommendations:
| HR Document | Recommended Level | Justification |
|---|---|---|
| Permanent/Fixed-term employment contract | AES minimum, QES recommended | Strong contractual value, employment dispute risk |
| Contractual amendment | AES minimum, QES recommended | Same logic as main contract |
| Probation period (renewal) | AES | Short timeframe, limited formality |
| Remote work/BYOD charter | SES or AES | Collective agreement or internal regulation |
| Working time forfeit convention | QES strongly advised | Demanding employment case law |
| Mutual termination agreement | QES mandatory | Approved Cerfa form, high stakes |
| Final settlement receipt | AES or QES | Discharging effect, Labour Code Art. L. 1234-20 |
For high-stakes documents (working time forfeit, mutual termination), QES is de facto mandatory to guarantee enforceability before employment courts. The Court of Cassation has gradually increased its requirements on proof of employee agreement.
Conservation, archiving and rights of individuals: pitfalls to avoid
Statutory retention periods for signed HR documents
The retention of electronically signed HR documents is subject to imperative statutory periods. These periods take precedence over the GDPR right to erasure (Art. 17.3.b):
- Employment contract: 5 years after end of contract (employment disputes prescription, Labour Code Art. L. 1471-1)
- Pay slips: 5 years (wage prescription), but retention recommended until retirement entitlements liquidation
- Documents relating to workplace accidents: 30 years (long-term dispute risk)
- Professional training (plans, certificates): 3 years
- Staff registers: 5 years after the date the employee left the establishment
Long-term electronic archiving must comply with the NF Z 42-013 standard and ideally ETSI EN 319 162 (long-term archiving of electronic signatures). Simple server storage is not sufficient: you must guarantee the integrity, readability and qualified timestamping of documents for the entire retention period.
Managing employee rights without compromising evidential value
An employee can legitimately exercise their right of access (Art. 15 GDPR) to obtain a copy of signature data concerning them. They may also request rectification of inaccurate data.
Conversely, the right to erasure (Art. 17 GDPR) cannot be exercised over HR documents subject to statutory retention obligations. The employer must be able to clearly explain this refusal, citing the applicable legal basis. Documenting these exchanges in the rights requests register is a good practice recommended by the CNIL.
Portability (Art. 20 GDPR) applies to data provided by the employee on the basis of consent or contract performance. In practical terms, an employee can request their signature data in a structured format — an obligation to anticipate when selecting the signature solution.
Technical and organisational security: essential measures
Technical requirements of the signature platform
Pursuant to Article 32 of the GDPR, security measures must be appropriate to the risk. For an electronic HR signature solution, this translates notably into:
- Data encryption in transit (TLS 1.3 minimum) and at rest (AES-256)
- Multi-factor authentication (MFA) for platform access
- Timestamped and tamper-proof audit logs, tracing every action on the document
- Hosting within the EU (or EEA) to avoid transfers outside the EEA without adequate safeguards (adequacy decision or standard contractual clauses)
- Annual penetration testing and ISO 27001 certification of the service provider
- Business continuity plan guaranteeing service availability and archive recovery in case of incident
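One way to make the "timestamped and tamper-proof audit logs" requirement above concrete, as an added example that is not Certyneo's code or part of the original article: every action on a signature envelope is hashed together with the previous entry, so altering, back-dating or deleting any entry breaks every later link and is detected on verification. The envelope, actor and document identifiers are constructed sample values.

```python
import hashlib
import json
from datetime import datetime, timezone

# Hash of the (non-existent) entry before the first one.
GENESIS_HASH = "0" * 64


def _entry_hash(prev_hash: str, entry: dict) -> str:
    """Hash an entry together with its predecessor's hash.

    Canonical JSON (sorted keys, no whitespace) keeps the hash stable
    regardless of how the entry was serialised or stored.
    """
    payload = json.dumps({"prev": prev_hash, **entry},
                         sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def append_event(log: list, envelope_id: str, actor: str, action: str,
                 document_sha256: str, at: str = "") -> dict:
    """Append one action on a signature envelope to the chained log."""
    prev_hash = log[-1]["hash"] if log else GENESIS_HASH
    entry = {
        "envelope_id": envelope_id,
        "actor": actor,  # internal identifier, not the employee's name
        "action": action,  # e.g. "sent", "viewed", "signed"
        "document_sha256": document_sha256,  # ties the event to the exact file
        "at": at or datetime.now(timezone.utc).isoformat(),
    }
    entry["hash"] = _entry_hash(prev_hash, entry)
    log.append(entry)
    return entry


def verify_chain(log: list) -> tuple:
    """Recompute every link; return (ok, index of first broken entry)."""
    prev_hash = GENESIS_HASH
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if _entry_hash(prev_hash, body) != entry["hash"]:
            return False, i
        prev_hash = entry["hash"]
    return True, None


def sample_log() -> list:
    """Constructed sample: one employment contract envelope, three events."""
    doc = hashlib.sha256(b"constructed contract PDF bytes").hexdigest()
    log = []
    append_event(log, "env-0001", "hr-0042", "sent", doc, "2026-01-15T09:00:00+00:00")
    append_event(log, "env-0001", "emp-0117", "viewed", doc, "2026-01-15T09:12:31+00:00")
    append_event(log, "env-0001", "emp-0117", "signed", doc, "2026-01-15T09:14:02+00:00")
    return log
```

In production the chain head would additionally be anchored by a qualified timestamp (ETSI EN 319 162 archiving), since an attacker with write access to the whole log could otherwise rebuild it from scratch.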
Impact assessment (DPIA): when is it mandatory?
Article 35 of the GDPR requires a Data Protection Impact Assessment (DPIA) when processing is likely to result in high risk. The CNIL has published a list of processing types requiring a DPIA: large-scale processing of data relating to professional life is mentioned.
In practice, a DPIA is recommended (or even mandatory for large enterprises) when deploying an electronic HR signature solution affecting all employees. It must identify risks (loss of confidentiality, identity fraud, document alteration), assess their severity and probability, and propose mitigation measures. This analysis must be documented and reviewed if the processing changes.
Applicable legal framework for electronic signature in HR and GDPR
Founding European texts
Regulation eIDAS No 910/2014 (and its eIDAS 2.0 revision currently being rolled out): this text defines the three levels of electronic signature (SES, AES, QES) and their legal value throughout the EU Member States. Article 25 provides that QES has a legal effect equivalent to a handwritten signature. Article 26 lists the technical requirements of advanced signature. Qualified trust service providers are registered on national trusted lists (in France, the list is managed by ANSSI).
GDPR No 2016/679: applicable since 25 May 2018, this regulation governs any processing of personal data within the EU. Articles 5 (principles), 6 (legal bases), 13-14 (information), 28 (processors), 30 (records), 32 (security), 35 (DPIA) and 37-39 (DPO) are directly relevant to electronic HR signature.
Applicable French law
Civil Code, Articles 1366-1367: Article 1366 establishes the principle of functional equivalence between electronic and paper writing. Article 1367 recognises electronic signature as a means of proof, provided it consists of a reliable identification process guaranteeing the link with the act to which it attaches. Reliability is presumed for QES; for AES it is not presumed and must instead be demonstrated.
Labour Code: Article L. 1221-1 does not require any particular form for the employment contract (except exceptions: fixed-term contract Art. L. 1242-12, apprenticeship contract, etc.). The Macron Law of 2015 (Law No 2015-990) opened the way to electronic pay slip. Article L. 3243-2 governs its modalities.
Data Protection Act as amended (Law No 78-17 of 6 January 1978): French transposition of the GDPR, it gives CNIL its investigative and penalty powers. Fines can reach €20 million or 4% of annual worldwide turnover for the most serious violations.
Reference technical standards
- ETSI EN 319 132: advanced electronic signature format XAdES, applicable to XML documents
- ETSI EN 319 122: CAdES format for CMS electronic document signatures
- ETSI EN 319 162: long-term archiving of electronic signatures (ASiC)
- NF Z 42-013 (AFNOR): functional specifications of a reliable electronic archiving system
- ISO/IEC 27001: information security management, certification reference expected from service providers
Legal risks in case of non-compliance
The cumulative risks are significant: an employment contract signed with an insufficient signature level can be challenged before the Employment Tribunal, exposing the employer to reclassification or nullity. On the GDPR side, the absence of a DPA with the service provider, failure to inform employees or hosting outside the EU without adequate safeguards may lead to a CNIL order to remedy, or even an administrative sanction.
Usage scenarios: GDPR-compliant HR electronic signature
Scenario 1: a mid-cap industrial company of 600 employees digitalises its employment contracts
An industrial company of intermediate size, spread across four sites in France, processed approximately 180 permanent/fixed-term hires each year, generating as many paper files to print, sign in duplicate, scan and archive. Delays between the job offer and effective contract signature averaged 8 working days.
After deploying an advanced electronic signature solution (AES) integrated into its HRIS, with a GDPR-compliant DPA signed with the service provider and a documented DPIA, the company reduced this delay to less than 24 hours. The rate of incomplete files fell by 34% (sources: ANDRH sector benchmarks 2024). Data hosting in France was selected as a contractual criterion, eliminating any risk of transfer outside the EEA. Employees are informed of processing via an information notice integrated into the signature journey, ensuring compliance with GDPR Article 13.
Scenario 2: a retail franchise network deploys QES signature for working time forfeit conventions
A distribution network with approximately sixty retail outlets and one hundred managers on working time forfeits faced an employment dispute risk identified by its legal team: several working time forfeit conventions could only be proved using poor-quality paper copies. The Court of Cassation having increased its proof requirements on this type of convention, the litigation risk was estimated at several hundred thousand euros.
The network deployed a qualified signature solution (QES) for all new conventions and offered existing managers the option to re-sign their conventions. Identity verification by video identification was selected. The Records of Processing Activities was updated, and an external DPO validated the GDPR compliance of the journey. Within 6 months, the entire working time forfeit convention portfolio was secured. The cost of the approach (approximately €15 to €25 per QES signature depending on market providers) was considered far less than the litigation risk it covered.
Scenario 3: a local authority dematerialises its amendments and remote work policies
A local authority of approximately 1,200 permanent staff wished to dematerialise the management of its remote work amendments following the national framework agreement of 2021 on remote work in the civil service. The volume to process was approximately 400 documents per year, with specific constraints: staff are public persons whose data is subject to particularly regulated processing.
The authority opted for advanced signatures (AES), with sovereign hosting from a provider holding ANSSI's SecNumCloud qualification. The DPIA was submitted to the authority's DPO before deployment. Staff were informed via a service notice published on the intranet and an information notice in the digital journey. The HR service estimated a gain of 3 FTE-days per month on the administrative management of amendments, equivalent to an annual saving of approximately €35,000 in direct costs, consistent with ranges published by the Observatory for the Digital Transformation of Local Authorities (2025).
Conclusion
GDPR compliance of electronic signature for HR documents is not optional: it conditions both the legal value of your acts and the protection of your employees' rights. In 2026, businesses that have not yet updated their processing records, signed a DPA with their service provider and adapted the signature level to each document type risk a double exposure — employment and administrative — whose financial consequences can be significant.
The good news: a well-chosen and well-configured solution makes it possible to reconcile operational fluidity, eIDAS compliance and GDPR respect without friction for HR teams or employees.
Certyneo supports you in this approach: eIDAS-compliant platform, DPA available, European hosting and signature journey designed for HR. Discover our dedicated HR solution or calculate the ROI of your move to full digitalisation in just a few clicks.