Legal compliance in employment law: employer obligations
Legal compliance in employment law imposes precise obligations on employers regarding contracts, data protection and document management. Discover how to comply effectively.
Certyneo Team
Writer — Certyneo · About Certyneo
Legal compliance in employment law is one of the most complex challenges facing employers in France and Europe. Between the requirements of the Labour Code, GDPR imperatives, collective agreements and the constant evolution of digital practices, maintaining flawless compliance requires rigorous organisation and appropriate tools. This article provides a comprehensive overview of employer obligations, risks incurred in case of breach, and concrete solutions — notably electronic signature for HR — to secure your document processes.
The fundamentals of employment law compliance
Legal compliance in employment law rests on a foundation of mandatory rules that every employer must master, regardless of the size of their organisation.
Drafting and preserving employment contracts
The employment contract is the founding document of the employer-employee relationship. In France, article L. 1242-12 of the Labour Code requires written form for fixed-term contracts, failing which they will be requalified as permanent contracts. For permanent full-time contracts, written form is not legally required but constitutes a practical requirement in terms of evidence and legal security.
Since the ESSOC law of 2018 and the Macron ordinances of 2017, the dematerialisation of employment contracts is fully recognised. The employer may now use an eIDAS-compliant electronic signature to validate contracts, amendments and HR documents, provided that the signature level is appropriate to the associated legal risk.
The retention period for employment contracts is set at 5 years after the end of the contract by article L. 3243-4 of the Labour Code for payslips, and 30 years for certain documents relating to pensions (career records, proof of occupational exposure). These timeframes require structured and traceable document management.
Mandatory registers and maintenance of employment documents
The employer is required to maintain several mandatory registers and documents:
- The unique personnel register (art. L. 1221-13 of the Labour Code): every employee must be registered on it from their date of hire, in chronological order. Failure to maintain it correctly exposes the employer to a fine of €750 per unregistered employee.
- The single document for assessing occupational risks (DUERP): made mandatory by the decree of 5 November 2001, it must be updated at least once per year and kept for 40 years since the law of 2 August 2021.
- The internal rules: mandatory for companies with at least 50 employees (art. L. 1311-2), they must be filed with the registry of the Labour Court.
- Company agreements and minutes of representative employee bodies (CSE): their retention is essential in case of dispute.
Personal data protection of employees: GDPR obligations
Since the entry into force of the General Data Protection Regulation (GDPR) in May 2018, employers are subject to specific obligations as data controllers for their employees' personal data.
The legal basis for HR processing
The working relationship generates a multitude of data processing activities: payroll management, leave tracking, performance evaluations, access control, tracking of service vehicles, video surveillance... Each processing activity must be based on an identified legal basis among the six provided for in article 6 of the GDPR.
For HR management, the most frequent legal bases are:
- Performance of the employment contract: payroll, leave management, expense reimbursement.
- Legal obligation: social returns, occupational health.
- Legitimate interests of the employer: monitoring use of IT tools, subject to respect for employees' rights.
Employee consent is rarely a valid legal basis in a professional context, given the inherent imbalance in the employment relationship, as the French Data Protection Authority (CNIL) recalled in its guidelines.
The register of processing activities and employee rights
Any employer with at least 250 employees (and often below, where processing presents a high risk) must maintain a register of processing activities (art. 30 GDPR). This register lists each processing activity, its purpose, the data collected, recipients and retention periods.
Employees benefit from all GDPR rights: right of access, right to rectification, right to erasure (within the limits of legal retention obligations), right to restrict processing and right to data portability. The employer generally has one month to respond to any request to exercise rights.
In the event of a data breach (leak, hacking, accidental loss), the employer must notify the CNIL within 72 hours and, if the breach presents a high risk to the rights and freedoms of individuals, inform the affected employees.
Dematerialisation of HR documents: regulatory framework and best practices
The digital transformation of human resources has accelerated considerably. The dematerialised delivery of payslips, the electronic signature of contracts and amendments, and the electronic management of onboarding documents are now common practices. But they are subject to specific rules.
Electronic delivery of payslips
Since the Labour Law of 8 August 2016, electronic delivery of payslips has been permitted without prior employee agreement, provided that the employer guarantees:
- Integrity of the transmitted data.
- Availability of the payslip for at least 50 years or until the employee reaches 75 years of age.
- Confidentiality: only the concerned employee can access their payslip.
The employee may at any time object to electronic delivery and request a paper version.
Electronic signature of employment contracts and HR documents
The use of electronic signature in the workplace has become widespread for employment contracts, amendments, engagement letters and onboarding documents. The eIDAS regulation distinguishes three levels of electronic signature:
- Simple electronic signature (SES): sufficient for low-risk documents (acknowledgments of receipt, internal forms).
- Advanced electronic signature (AES): recommended for standard employment contracts, fixed-term contracts, amendments.
- Qualified electronic signature (QES): equivalent to handwritten signature, required for the most sensitive acts.
For employment contracts, advanced or qualified signature provides optimal legal security. A compliant electronic signature solution not only accelerates recruitment processes but also guarantees traceability and integrity of signed documents, elements that are decisive in case of labour law disputes.
Electronic document management (EDM) and probative archiving
Electronic archiving with probative value is based on several technical requirements: qualified timestamping, document sealing, traceability of access and guaranteed integrity over time. These requirements are defined by standard NF Z 42-020 and ANSSI recommendations.
An employer who cannot produce before the Labour Court a properly signed employment contract or amendment faces the risk of having their arguments weakened. Probative archiving is therefore an investment in legal security, not just a technical cost.
Health and safety, harassment and discrimination: proactive obligations
Compliance in employment law is not limited to document management. It encompasses substantive obligations in terms of risk prevention and employee protection.
The obligation of safety, revised
Since the Asbestos rulings of 2002, the Court of Cassation had established an obligation of safety as a matter of result on the employer. Since 2015, case law has evolved towards a strengthened obligation of safety as a matter of means: an employer who proves that they have taken all necessary measures provided for in articles L. 4121-1 et seq. of the Labour Code may exonerate themselves from liability.
In practical terms, this implies:
- Regular and documented assessment of risks (DUERP).
- Implementation of prevention and training actions.
- Organisation of emergency procedures and designation of a competent employee or prevention service.
Prevention of moral and sexual harassment
Since the law of 5 September 2018, any employer with at least 250 employees must appoint a sexual harassment representative within the employee representative body (CSE). Furthermore, the employer is required to take preventive measures (information, training) and corrective measures (internal investigation, disciplinary sanctions) as soon as they become aware of facts that could constitute harassment.
Article L. 1153-5 of the Labour Code requires the employer to take all necessary measures to prevent sexual harassment. The absence of internal procedures or training may engage the employer's civil and criminal liability, regardless of their good faith.
Non-discrimination and professional equality
Article L. 1132-1 of the Labour Code lists 25 prohibited discrimination criteria (origin, gender, age, disability, union affiliations, etc.). The employer must ensure that their recruitment, evaluation and promotion processes are free from any discriminatory bias, including in selection algorithms if AI tools are used.
The professional equality index between men and women, established by the Professional Future law of 5 September 2018, is mandatory for companies with at least 50 employees since 2020. Its calculation, publication and any corrective measures must be documented and traceable.
Legal framework applicable to employment law compliance
Employer compliance falls within a dense and hierarchical set of norms, combining national and European law.
French Labour Code: articles L. 1221-1 et seq. govern the formation and performance of the employment contract. Article L. 1242-12 requires written form for fixed-term contracts. Articles L. 4121-1 to L. 4121-5 define the general obligation to prevent occupational risks. Article L. 3243-4 sets retention periods for payslips.
Civil Code: articles 1366 and 1367 of the Civil Code, resulting from the ordinance of 10 February 2016, recognise the legal value of electronic writings and electronic signatures. Article 1366 provides that "an electronic writing has the same probative force as writing on paper, provided that the person from whom it emanates can be duly identified and that it is established and preserved in such a way as to guarantee its integrity". Article 1367 specifies that "the signature necessary for the perfection of a legal act identifies its author" and that "when it is electronic, it consists of the use of a reliable identification procedure guaranteeing its link to the act to which it is attached".
eIDAS Regulation No 910/2014/EU: this European regulation, directly applicable in all Member States since 1 July 2016, defines the three levels of electronic signature (simple, advanced, qualified) and their legal value. Qualified signature benefits from a legal presumption of reliability equivalent to handwritten signature. The eIDAS 2.0 Regulation, which entered into force in May 2024, strengthens the framework with the introduction of the European digital identity wallet (EUDIW).
GDPR No 2016/679/EU: articles 5 to 11 define the principles of lawfulness, fairness, transparency and purpose limitation applicable to all employee data processing. Article 83 provides for fines of up to €20 million or 4% of global annual turnover in case of serious breach. In France, the Data Protection and Computing Freedom Act of 6 January 1978, as amended in 2018, completes this framework.
ETSI standards: the ETSI EN 319 132 standard defines the advanced electronic signature formats XAdES, PAdES and CAdES used in eIDAS-compliant solutions. The ETSI EN 319 401 standard sets general policies applicable to trust service providers.
Labour Law of 8 August 2016: it legalised electronic delivery of payslips and paved the way for dematerialisation of HR documents within a secure framework.
Legal risks in case of non-compliance: the employer faces criminal penalties (obstruction offences, breaches of health and safety rules), civil liability (damages to employees), administrative sanctions (CNIL fines, social contribution authority adjustments) and requalification of precarious contracts as permanent contracts. The personal liability of company leaders may be engaged in case of serious fault or proven criminal offence.
Concrete usage scenarios
Scenario 1: an SME in digital services in rapid growth
An SME providing digital services with around 80 employees, in a strong recruitment phase, was previously signing its employment contracts and amendments by post. The average time between sending the contract and receiving it signed exceeded 12 working days, considerably extending the onboarding process and creating legal risks (employees beginning work before a signed contract had been returned).
By deploying an advanced electronic signature solution compliant with eIDAS for all its HR flows (permanent/fixed-term contracts, amendments, IT charters, DUERP documents), this SME reduced this timeframe to less than 24 hours in 90% of cases. Complete traceability of signatures — timestamping, audit trail, secure storage — strengthened its legal position in case of labour law dispute. The estimated time saving represents approximately 40% reduction in time devoted to HR document management.
Scenario 2: a multi-site industrial group subject to complex GDPR obligations
A mid-sized industrial group (mid-cap), operating several production sites with around 600 employees, faced complex GDPR obligations: sensitive data processing related to occupational health, vehicle tracking, access video surveillance, management of mandatory certifications and training.
Following a compliance audit, the group's Data Protection Officer identified more than 35 HR data processing activities that were undocumented or poorly documented in the register of processing activities. By structuring its dematerialisation processes and adopting a probative electronic document management tool, the group was able to:
- Document all processing activities and their legal bases.
- Automate response procedures to employees' access rights requests.
- Reduce by 60% the time to process internal GDPR requests.
- Secure contract archiving with a contractually guaranteed retention period.
Scenario 3: a restaurant franchise network
A quick-service restaurant franchise network, comprising around fifty outlets and approximately 900 employees in total, had to manage a very high volume of seasonal fixed-term contracts and temporary workers, with contracts sometimes concluded urgently. The failure to formalise them in writing beforehand exposed the network head and franchisees to a systemic risk of requalification as permanent contracts.
By standardising the use of pre-filled contract templates signed electronically via mobile — the employee being able to sign from their smartphone in less than 5 minutes — the network lowered its requalification risks and cut its rate of contracts returned unsigned by a factor of three. The use of compliant contract templates combined with traceable electronic signature was a decisive advantage during a labour inspection audit.
Conclusion
Legal compliance in employment law is a non-negotiable requirement for any employer, regardless of organisation size. It covers multiple and interdependent obligations: drafting and retention of contracts, protection of employee personal data, prevention of occupational risks, professional equality and non-discrimination. Failures expose employers to financial, criminal and reputational sanctions whose impact can be considerable.
Dematerialisation of HR processes, and in particular the use of qualified or advanced electronic signature, represents today one of the most effective ways to secure document compliance whilst gaining operational efficiency. Certyneo supports you in this transformation with an eIDAS-compliant solution, designed for the needs of HR and legal teams.