Electronic Signature HR & GDPR: Complete Guide 2026
Between eIDAS, GDPR and management of employee personal data, the electronic signature of your HR documents must comply with strict rules. Discover how to stay compliant.
Certyneo Team
Editor, Certyneo
The digitalisation of human resources has accelerated significantly since 2020: employment contracts, amendments, payslips, IT policies, teleworking agreements, virtually all of these documents now circulate in digital form. Dematerialisation does not, however, mean escaping legal obligations. Quite the opposite: the electronic signature of HR documents sits at the intersection of two regulatory frameworks, eIDAS on the probative value of signatures and GDPR on the protection of personal data. Mishandling either one exposes the company to employment law risk on one side and CNIL sanctions on the other. This guide presents the essential rules, best practices and points of caution you need to know in 2026.
Why does GDPR apply to electronic signatures in HR?
Electronic signature necessarily processes personal data
Signing an employment contract online involves collecting, transmitting and storing personal data within the meaning of Article 4 of Regulation (EU) 2016/679 (GDPR): surname, forename, professional email address, sometimes mobile telephone number, signature timestamp and IP address. None of this is "special category" data under Article 9, but in an HR context it warrants particular care because it directly identifies the employee and is tied to their contractual relationship with the employer.
The signature service provider (a qualified trust service provider, QTSP, when it delivers qualified signatures) acts as a processor within the meaning of Article 28 of GDPR. The employer remains the controller. This distinction is fundamental: the controller carries primary accountability before the CNIL. The processor has its own direct obligations (security, sub-processor management, notifying the controller of breaches) and can itself be sanctioned, but none of that relieves the employer of its responsibility for the processing.
Applicable legal bases in the HR context
For each category of dematerialised HR documents, the employer must identify the most appropriate legal basis for processing:
- Performance of contract (Art. 6.1.b GDPR): signature of employment contract, salary amendment, fixed-days working agreement. This is the most robust legal basis for contractual documents.
- Legal obligation (Art. 6.1.c GDPR): dematerialised delivery of payslips (authorised since the Macron law of 2015 under conditions), personnel registers.
- Legitimate interest (Art. 6.1.f GDPR): IT policies, internal regulations, internal policy documents — subject to passing the balancing test.
Consent as a basis (Art. 6.1.a) should be avoided in the HR context: the CNIL and the EDPB (European Data Protection Board) consider that the relationship of subordination between employer and employee rarely makes consent freely given. An employee who refuses to sign electronically could fear professional consequences, which is exactly the situation in which consent cannot be relied upon.
Concrete obligations for the HR data controller
Update the Records of Processing Activities (ROPA)
Article 30 of GDPR requires organisations to maintain a record of processing activities. The exemption for organisations with fewer than 250 employees (Art. 30.5) does not apply to processing that is not occasional, which is always the case for HR processing, so in practice every employer must keep one. The introduction of an electronic signature tool for HR documents must be entered in it with:
- The purpose of processing (e.g.: dematerialisation and archiving of HR contractual documents)
- The categories of data processed (identity, contact data, authentication data)
- The retention period (for employment contracts, 5 years after the end of the contract is the usual figure; see the retention periods detailed below)
- The coordinates of the processor (the signature platform)
- The security measures implemented
Sign a DPA (Data Processing Agreement) with the service provider
In accordance with Article 28 of GDPR, any recourse to a processor to process personal data must be formalised by a data processing contract (DPA). This contract must specify:
- The subject matter and duration of processing
- The nature and purpose of processing
- The type of personal data and categories of data subjects
- The obligations and rights of the controller
- The location of data (hosting within the EU recommended to avoid transfers outside the EEA)
- Technical and organisational security measures
A serious electronic signature service provider will systematically offer a GDPR-compliant DPA. Its absence constitutes an immediate non-conformity that can be sanctioned.
Inform employees before first signature
Article 13 of GDPR requires prior information of individuals whose data is collected. Before deploying electronic signature for HR documents, the employer must inform employees:
- Of the identity of the controller
- Of the purpose and legal basis
- Of the data retention period
- Of their rights (access, rectification, deletion within the limits of legal retention obligations, portability)
- Of the contact details of the Data Protection Officer if appointed
This information can be integrated into the signature process itself (information banner before signature), into an updated internal regulation, or via a memorandum distributed during deployment.
Level of signature required for HR documents: SES, AES or QES?
The hierarchy of eIDAS signature levels
Regulation eIDAS No 910/2014 defines three levels of electronic signature, each offering increasing probative value:
- SES (Simple Electronic Signature): weak probative value, suitable for low-stakes documents (acknowledgements of receipt, internal forms)
- AES (Advanced Electronic Signature): uniquely linked to the signatory, capable of identifying them, created with data under their sole control, and able to detect any subsequent change to the signed data (the four conditions of Art. 26 eIDAS). Suitable for the majority of common HR documents.
- QES (Qualified Electronic Signature): the highest level, with a legal effect equivalent to a handwritten signature under Art. 25.2 eIDAS. It is an AES created with a qualified signature creation device and backed by a qualified certificate, which requires enhanced identity verification of the signatory (face-to-face or video identification).
Which level for which HR documents?
The recommended mapping in 2026, taking account of positions in French case law and sector-specific recommendations:
| HR document | Recommended level | Justification |
|---|---|---|
| Permanent/fixed-term employment contract | AES minimum, QES recommended | Strong contractual value, employment law risk |
| Contractual amendment | AES minimum, QES recommended | Same logic as the main contract |
| Trial period (renewal) | AES | Short timeframe, limited formality |
| Teleworking/BYOD charter | SES or AES | Collective agreement or internal regulation |
| Fixed-days working agreement | QES strongly advised | Demanding employment law case law |
| Negotiated termination | QES mandatory | Homologated Cerfa form, high stakes |
| Receipt for full and final settlement | AES or QES | Liberatory value, Art. L. 1234-20 Labour Code |
For high-stakes contentious documents (fixed-days agreement, negotiated termination), QES is essentially required to guarantee enforceability before employment courts. The Court of Cassation has progressively tightened its requirements regarding proof of employee agreement.
Storage, archiving and personal rights: pitfalls to avoid
Legal retention periods for electronically signed HR documents
The retention of electronically signed HR documents is governed by imperative legal periods. These periods take precedence over the right to erasure under GDPR (Art. 17.3.b):
- Employment contract: 5 years after the end of the contract is the prudent figure, aligned on the general civil limitation period (Art. 2224 Civil Code). Note that Art. L. 1471-1 of the Labour Code sets shorter limitation periods for employment claims (2 years for claims on the performance of the contract, 12 months for claims on its termination), so 5 years is an upper bound that covers them rather than a statutory minimum.
- Payslips: the employer must keep a duplicate for 5 years (Art. L. 3243-4 Labour Code); where payslips are delivered electronically, they must additionally remain accessible to the employee for 50 years or until the employee turns 75, and retention until settlement of the employee's pension rights is recommended in any case
- Documents relating to occupational accidents: 30 years (long-term litigation risk)
- Vocational training (plans, certificates): 3 years
- Personnel registers: 5 years after the date the employee left the establishment
Long-term electronic archiving with probative value must comply with the requirements of standard NF Z 42-013 and, for the signatures themselves, rely on the long-term (LTA) levels of the ETSI signature formats, which embed the validation material and archive timestamps, packaged where appropriate in ASiC containers (ETSI EN 319 162). Simple server storage is not sufficient: integrity, readability and qualified timestamping of documents must be guaranteed throughout the retention period, including across certificate expiry and algorithm ageing.
Managing employee rights without compromising probative value
An employee can legitimately exercise the right of access (Art. 15 GDPR) to obtain a copy of the signature data concerning them. They may also request rectification of inaccurate data.
However, the right to erasure (Art. 17 GDPR) cannot be exercised on HR documents subject to legal retention obligations. The employer must be able to clearly explain this refusal, citing the applicable legal basis. Documenting these exchanges in a register of rights requests is a best practice recommended by the CNIL.
Portability (Art. 20 GDPR) applies to data provided by the employee on the basis of consent or contract performance. In practical terms, an employee can request their signature data in a structured, commonly used and machine-readable format, an obligation to anticipate when choosing the signature solution.
Technical and organisational security: essential measures
Technical requirements for the signature platform
In accordance with Article 32 of GDPR, security measures must be appropriate to the risk. For an electronic HR signature solution, this translates notably into:
- Encryption of data in transit (TLS 1.2 or higher with modern cipher suites, TLS 1.3 preferred) and at rest (AES-256)
- Multi-factor authentication (MFA) for platform access
- Audit logs (logs) timestamped and tamper-proof, tracing every action on the document
- Hosting within the EU (or EEA) to avoid transfers outside the EEA without adequate safeguards (adequacy decision or standard contractual clauses)
- Annual penetration tests and ISO 27001 certification of the service provider
- Business continuity plan guaranteeing service availability and archive recovery in the event of an incident
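The tamper-evidence property that the audit-log requirement above and the archiving section both rely on is easy to get wrong, so here is an added example written for this guide. It is not Certyneo's code and not an implementation of any ETSI or AFNOR standard: it chains each audit event to the MAC of the previous one, binds every event to the SHA-256 digest of the sealed document, and seals each entry with an HMAC so that an altered document, a rewritten entry or a dropped entry is detected. The key `AUDIT_KEY`, the event fields and the sample contract bytes are all constructed for the example. Two caveats a practitioner should keep in mind: an HMAC key held by the platform proves integrity against outsiders, not against the platform operator itself, which is precisely why probative archiving demands qualified timestamps (RFC 3161) and signatures verifiable with public keys; and in a real deployment the key lives in an HSM or KMS, never in source.

```python
import hashlib
import hmac
import json

# Hypothetical platform-side MAC key, constructed for this example only.
# A real deployment keeps this in an HSM/KMS; it must never live in source.
AUDIT_KEY = b"example-audit-key-not-for-production"

GENESIS = "0" * 64  # link value for the first entry of a chain


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(entry: dict) -> bytes:
    # Deterministic serialisation: the MAC must cover exactly the same bytes
    # at verification time as at append time, whatever the dict ordering.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def append_event(chain: list, key: bytes, document: bytes,
                 actor: str, action: str, ts: str) -> dict:
    """Append one audit event, linked to the previous entry's MAC and to the
    digest of the sealed document the event concerns."""
    prev = chain[-1]["mac"] if chain else GENESIS
    body = {
        "seq": len(chain),
        "ts": ts,  # UTC timestamp; a real platform would bind an RFC 3161 token here
        "actor": actor,
        "action": action,
        "doc_sha256": sha256_hex(document),
        "prev": prev,
    }
    body["mac"] = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    chain.append(body)
    return body


def verify_chain(chain: list, key: bytes, document: bytes) -> tuple:
    """Return (ok, reason). Detects altered document bytes, rewritten entries,
    dropped or reordered entries, a wrong key and an empty trail."""
    if not chain:
        return False, "empty audit trail"
    expected_prev = GENESIS
    doc_digest = sha256_hex(document)
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body.get("seq") != i:
            return False, f"sequence gap at position {i}"
        if body.get("prev") != expected_prev:
            return False, f"broken link at seq {i}"
        mac = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, str(entry.get("mac", ""))):
            return False, f"MAC mismatch at seq {i}"
        if body.get("doc_sha256") != doc_digest:
            return False, f"document digest at seq {i} does not match archived bytes"
        expected_prev = entry["mac"]
    return True, "chain intact"


def demo() -> dict:
    """Constructed scenario: one sealed contract, four events, three tampering attempts."""
    contract = b"%PDF-1.7 constructed sample: employment contract, sealed envelope"
    chain = []
    for actor, action, ts in [
        ("hr@example.test", "sealed", "2026-01-12T09:00:00Z"),
        ("employee@example.test", "viewed", "2026-01-12T09:14:03Z"),
        ("employee@example.test", "signed", "2026-01-12T09:15:41Z"),
        ("platform", "archived", "2026-01-12T09:15:42Z"),
    ]:
        append_event(chain, AUDIT_KEY, contract, actor, action, ts)

    results = {"intact": verify_chain(chain, AUDIT_KEY, contract)[0]}
    # 1. The archived bytes change after signature (a clause edited in the archive).
    results["altered_document"] = verify_chain(chain, AUDIT_KEY, contract + b" amended")[0]
    # 2. An entry is rewritten in place (backdating the signature event).
    forged = [dict(e) for e in chain]
    forged[2]["ts"] = "2026-01-10T09:15:41Z"
    results["edited_entry"] = verify_chain(forged, AUDIT_KEY, contract)[0]
    # 3. The "viewed" event is removed from the trail.
    truncated = [chain[0]] + chain[2:]
    results["dropped_entry"] = verify_chain(truncated, AUDIT_KEY, contract)[0]
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:17s} -> {'valid' if ok else 'TAMPERED'}")
```

`verify_chain` refuses an empty trail on purpose: an archived contract with no events is itself an anomaly worth surfacing. The reason string it returns is what you would carry into an incident ticket or a reply to an employment tribunal request, and is also the kind of check a DPIA should list under "document alteration" as a mitigation that is actually exercised, not just documented.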
Impact Assessment (DPIA): when is it mandatory?
Article 35 of GDPR requires a Data Protection Impact Assessment (DPIA) when the processing is likely to result in high risk. The CNIL has published a list of types of processing requiring a DPIA: large-scale processing of data relating to professional life is mentioned therein.
In practice, a DPIA is strongly recommended when deploying an electronic signature solution for HR that touches all employees, and it becomes mandatory whenever the criteria of Art. 35 or the CNIL list are met, irrespective of company size. It must identify risks (loss of confidentiality, identity spoofing, document alteration), assess their severity and likelihood, and propose mitigation measures. This analysis must be documented and reviewed whenever the processing changes.
Legal framework applicable to electronic signature HR and GDPR
Founding European texts
Regulation eIDAS No 910/2014 (and its revision eIDAS 2.0, Regulation (EU) 2024/1183, currently being deployed): this text defines the three levels of electronic signature (SES, AES, QES) and their legal value across all Member States. Article 25 provides that a QES has a legal effect equivalent to a handwritten signature. Article 26 lists the requirements an advanced signature must meet. Qualified trust service providers are registered on national trust lists (in France, the list is managed by ANSSI).
GDPR No 2016/679: applicable since 25 May 2018, this regulation governs any processing of personal data within the EU. Articles 5 (principles), 6 (legal bases), 13-14 (information), 28 (processors), 30 (records), 32 (security), 35 (DPIA) and 37-39 (DPO) are directly relevant to electronic HR signatures.
French law applicable
Civil Code, Articles 1366-1367: Article 1366 establishes the principle of functional equivalence between electronic and paper writing. Article 1367 recognises electronic signature as a means of proof, provided that it consists of a reliable identification process guaranteeing the link with the act to which it is attached. Reliability is presumed for QES but may be demonstrated for AES.
Labour Code: Article L. 1221-1 does not require any particular form for the employment contract (except exceptions: fixed-term contracts Art. L. 1242-12, apprenticeship contracts, etc.). The 2015 Macron law (law No 2015-990) paved the way for electronic payslips. Article L. 3243-2 governs its procedures.
Data Protection Act as amended (law No 78-17 of 6 January 1978): the French implementation of GDPR, it confers on the CNIL its investigation and sanction powers. Fines can reach 20 million euros or 4% of annual worldwide turnover, whichever is higher, for the most serious violations.
Technical reference standards
- ETSI EN 319 132: XAdES, the advanced electronic signature format for XML documents
- ETSI EN 319 122: CAdES, the advanced electronic signature format built on CMS, usable for any binary document
- ETSI EN 319 142: PAdES, the advanced electronic signature profile for PDF documents, the usual format of HR documents
- ETSI EN 319 162: ASiC, the container format that packages signed documents together with their signatures and validation material; long-term preservation itself relies on the LTA levels of the three formats above
- NF Z 42-013 (AFNOR): functional specifications for a system for archiving probative electronic documents
- ISO/IEC 27001: information security management, certification benchmark expected from service providers
Legal risks in case of non-compliance
The cumulative risks are significant: an employment contract signed with an insufficient signature level can be disputed before the Employment Tribunal, exposing the employer to requalification or nullity. On the GDPR side, the absence of a DPA with the service provider, omission of employee information or hosting outside the EU without adequate safeguards can lead to a CNIL notice, or even a public administrative sanction.
Use scenarios: electronic HR signature compliant with GDPR
Scenario 1: a mid-sized industrial company with 600 employees digitalises its employment contracts
An industrial company of intermediate size, spread over four sites in France, was processing around 180 permanent/fixed-term hirings per year, generating as many paper files to print, sign in duplicate, digitise and archive. The time between job offer and effective contract signature averaged around 8 working days.
After deploying an advanced electronic signature solution (AES) integrated into its HRIS, with a DPA compliant with GDPR signed with the service provider and a documented DPIA, the company reduced this time to less than 24 hours. The rate of incomplete files dropped by 34% (sources: ANDRH sector benchmarks 2024). Data hosting in France was retained as a contractual criterion, eliminating any risk of transfer outside the EEA. Employees are informed of processing via an information banner integrated into the signature path, ensuring compliance with Article 13 of GDPR.
Scenario 2: a retail franchise network deploys QES signature for fixed-days working agreements
A distribution network specialising in retail, with around sixty points of sale and a hundred salaried staff on fixed-days working arrangements, faced an employment law risk identified by its legal team: several fixed-days agreements could only be proven through poor-quality paper copies. The Court of Cassation having tightened its requirements for proof of this type of agreement, the litigation risk was estimated at several hundred thousand euros.
The network deployed a qualified signature solution (QES) for all new agreements and offered existing staff the opportunity to re-sign their existing agreements. Identity verification by video identification was retained. The records of processing activities were updated, and an external Data Protection Officer validated GDPR compliance of the process. Within 6 months, the entire park of fixed-days agreements had been secured. The cost of the approach (around 15 to 25 € per QES signature depending on service providers on the market) was deemed far below the litigation risk covered.
Scenario 3: a local authority dematerialises its amendments and teleworking charters
A local authority with around 1,200 permanent staff wished to dematerialise the management of its teleworking amendments following the national framework agreement of 2021 on teleworking in the civil service. The volume to be processed was around 400 documents per year, with specific constraints: employees are public sector workers whose data is subject to particularly regulated processing.
The authority opted for advanced signatures (AES), with sovereign hosting by a SecNumCloud-qualified service provider (the qualification is granted by ANSSI). The DPIA was submitted to the authority's Data Protection Officer before deployment. Employees were informed via a memorandum published on the intranet and an information banner in the digital process. The HR department estimated a gain of 3 FTE-days per month on the administrative management of amendments, an annual saving equivalent to around €35,000 in direct costs, consistent with the ranges published by the Observatory of Digital Transformation of Local Authorities (2025).
Conclusion
GDPR compliance of electronic signature for HR documents is not optional: it conditions both the legal value of your acts and the protection of your employees' rights. In 2026, companies that have not yet updated their processing records, signed a DPA with their service provider and adapted the signature level to each type of document are exposed to a twofold risk — employment law and administrative — whose financial consequences can be significant.
The good news: a well-chosen and well-configured solution allows you to reconcile operational fluidity, eIDAS compliance and GDPR compliance without friction for HR teams or employees.
Certyneo supports you in this endeavour: eIDAS-compliant platform, DPA available, European hosting and signature processes designed for HR, ready in a few clicks.
Try Certyneo for free
Send your first signature envelope in less than 5 minutes. 5 free envelopes per month, no credit card required.