
GDPR in HR: Processing Employee Data

GDPR imposes strict obligations on HR departments regarding the processing of employees' personal data. Discover how to meet these requirements in practice.

Certyneo Team (Writer at Certyneo) · 12 min read

Human resources management generates a considerable volume of personal data daily: employment contracts, payslips, health data, performance evaluations, bank details… Since the General Data Protection Regulation (GDPR) came into force in May 2018, HR departments have become central actors in compliance within organisations. Yet according to the CNIL's 2024 activity report, the human resources sector remains one of the three areas most frequently cited during inspections. This article guides you through the key obligations, best practices and available tools to process your employees' data in full compliance.

What personal data do HR departments process?

Common data categories

HR departments handle a very broad spectrum of personal data. Two main categories can be distinguished:

  • Ordinary data, collected as part of the employment contract: name, surname, address, social security number, bank details, CV, qualifications, employment history, annual appraisals, working hours, attendance and absence records.
  • Sensitive data, subject to enhanced restrictions under Article 9 of the GDPR: health data (sick leave, work accident reports, medical restrictions), union-related data (union membership, representative roles), data relating to criminal convictions in certain recruitment contexts.

The latter can only be processed subject to an explicit exception provided for by the regulation — such as the performance of legal obligations in labour law, or explicit consent from the data subject.

The particular case of recruitment

The recruitment phase generates specific processing that is often poorly controlled in practice. The collection of CVs, cover letters and test results is subject to precise retention periods: according to CNIL recommendations, data on unsuccessful candidates must be deleted or anonymised within a maximum of two years after the last contact. Retaining CVs indefinitely in an unsecured shared folder constitutes a clear violation.

The use of tracking tools in ATS (Applicant Tracking Systems) or behavioural analysis algorithms must be explicitly mentioned in the privacy policy provided to candidates, in accordance with Articles 13 and 14 of the GDPR.

The GDPR requires that any processing of personal data be based on one of the six legal bases defined in Article 6. In an HR context, three bases are primarily used:

  • Performance of an employment contract (art. 6.1.b): justifies the processing of data necessary for payroll management, leave or training.
  • Legal obligation (art. 6.1.c): applies to mandatory social declarations (DSN), personnel registers or workplace accident monitoring.
  • Legitimate interest (art. 6.1.f): may be invoked for processing such as access badge management or video surveillance, subject to a rigorous balancing test.

Consent (art. 6.1.a) is, however, a fragile legal basis in the workplace: the CNIL and the European Data Protection Board (EDPB) remind us that the structural imbalance between employer and employee makes it difficult to prove free consent. It should only be used as a last resort.

The processing register, an unavoidable obligation

Any organisation employing at least 250 people — or processing sensitive data on a smaller scale — must maintain a record of processing activities (art. 30 of the GDPR). In HR, this register must document, for each processing activity: the purpose, data categories, recipients, retention periods, and security measures implemented.

This document, kept at the disposal of the CNIL in the event of an inspection, is also a valuable management tool. Combined with an electronic signature solution dedicated to HR, it allows you to trace and timestamp each stage of the HR document lifecycle, thereby strengthening the auditability of processes.

Employee rights and employer obligations

Informing employees: an immediate obligation

Article 13 of the GDPR requires that data subjects be informed at the time of data collection. In practice, HR departments must provide employees — ideally when the employment contract is signed — with a GDPR information notice detailing: the identity of the data controller, the purposes and legal bases, the retention period, available rights and the contact details of the DPO (Data Protection Officer) if the company has one.

Digitising and securing this exchange is essential. Using electronic signatures in the workplace to deliver this notice provides timestamped and incontestable proof of delivery, in line with the requirements of the eIDAS regulation.

Employee rights that must be respected

Employees have extensive rights over their data:

  • Right of access (art. 15): any employee may request a copy of all data concerning them processed by the employer.
  • Right to rectification (art. 16): correction of inaccurate data (e.g. postal address, bank details).
  • Right to erasure (art. 17): applicable in certain cases, in particular after the end of the employment contract and the expiry of statutory retention periods.
  • Right to object (art. 21): the employee may object to processing based on legitimate interest.
  • Right to restrict processing (art. 18): temporary freezing of disputed processing.

The employer has one month to respond to any request to exercise rights, extendable to three months in cases of complexity (art. 12 of the GDPR).

Security of HR data and management of subprocessors

Technical and organisational measures

Article 32 of the GDPR requires the implementation of security measures "appropriate to the risk". For HR data, best practices include:

  • Encryption of files containing sensitive data (payslips, medical files).
  • Access control: principle of least privilege — a payroll manager does not have access to disciplinary records.
  • Logging of access to HR systems (HRIS, payroll tools).
  • Data breach response plan: in the event of a data leak, the employer has 72 hours to notify the CNIL (art. 33), and potentially the data subjects if the risk is high (art. 34).

A complete audit, following the electronic signature guide, can help HR teams identify non-secure processing that persists on paper and digitise it in a compliant manner.

Managing HR service providers through DPAs

HR departments rely on numerous subprocessors: payroll software, training platforms, time management tools. Each subprocessor accessing personal data must be subject to a data processing agreement (DPA), in accordance with Article 28 of the GDPR. This contract must specify the processing instructions, security guarantees, the methods for data return or destruction, and obligations in the event of a breach.

Selecting subprocessors hosting their infrastructure within the European Union, or governed by standard contractual clauses (SCCs) approved by the Commission, remains a fundamental requirement to prevent any unlawful transfer outside the EU.

Retention periods: a structuring issue

The retention period for HR data is governed by a series of texts: the GDPR (principle of storage limitation, art. 5.1.e), the Labour Code, and various tax and social provisions. In practice, the main periods to be observed are:

| Type of document | Minimum retention period |
|---|---|
| Payslip | 5 years (social limitation period) |
| Employment contract | 5 years after the end of the contract |
| Payroll data (DSN) | 3 years (URSSAF inspection) |
| Personnel register | 5 years after employee departure |
| Disciplinary data | Period proportional to the measure |
| Medical file (occupational health) | 50 years (specific regulations) |

Implementation of an automated archiving and purge policy in the HRIS, combined with electronic signature workflows that timestamp document creation, is now best practice for demonstrating compliance with the CNIL.

Pitfalls to avoid

The most common errors observed during CNIL inspections of HR data are: indefinite retention of CVs of unsuccessful candidates, computer access left open for former employees, lack of encryption of exported payroll files, and failure to delete badge data once the regulatory retention period has expired. To address these points, the comparison of electronic signature solutions helps identify tools that natively integrate probative archiving and document lifecycle management functions.

The processing of employees' personal data falls within a dense normative framework, articulating several levels of regulation.

Regulation (EU) 2016/679 — GDPR is the cornerstone. Its Articles 5 to 11 define the fundamental principles (lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality). Article 9 establishes the strict conditions applicable to special categories of data, including health and union-related data, which are particularly common in HR. Article 83 provides for fines of up to EUR 20 million or 4% of global annual turnover in the event of a serious breach.

The amended Data Protection Act (Law No. 78-17 of 6 January 1978), in its consolidated version, adapts the GDPR to French law. It grants the CNIL its powers of inspection and sanction, and provides in particular sectoral exemptions for health data in occupational medicine.

The Labour Code regulates processing related to employee surveillance (art. L. 1121-1 on respect for privacy), consultation of staff representatives on digital tools (art. L. 2312-38), and mandatory registers.

The eIDAS Regulation (No. 910/2014), supplemented by eIDAS 2.0 (EU Regulation 2024/1183), governs the legal effect of electronic signatures appended to HR documents. A qualified electronic signature (QES), compliant with Annex I of eIDAS and standards ETSI EN 319 132 and ETSI EN 319 122, provides a presumption of equivalence to handwritten signature within the meaning of Article 1367 of the French Civil Code.

Article 1366 of the French Civil Code provides that "electronic writing has the same probative force as writing on paper, provided that the person from whom it emanates can be duly identified and that it is established and retained under conditions such as to guarantee its integrity". This provision is directly applicable to employment contracts, amendments, confidentiality agreements and other digitised HR documents.

Directive NIS2 (EU 2022/2555), transposed into French law by the law of 26 February 2025, imposes enhanced requirements on essential and important entities (in particular large industrial companies and digital service operators) in terms of managing risks related to information security, including the protection of sensitive HR data.

The CNIL's sanctions are increasing sharply: in 2024, the total amount of fines exceeded EUR 100 million, with several decisions directly involving breaches in the management of employee data. Non-compliance with retention periods, absence of a DPA with HR subprocessors, and insufficient security measures are among the most frequently cited grievances.

Use scenarios: GDPR compliance in HR in practice

Scenario 1 — An SME of 450 employees digitises its onboarding processes

A mid-sized industrial company, spread across three sites in France, managed its employment contracts and amendments on paper. New employee files were only passed to the payroll department after an average delay of 12 working days, generating payroll errors in approximately 8% of cases. Moreover, no formal GDPR notice was given to new employees: information only appeared at the bottom of the staff handbook, which was not signed separately.

After implementing an electronic signature solution integrated into its HRIS, with simultaneous delivery of a GDPR notice co-signed by the employee and the HR director, the company reduced the documentary onboarding period to 2 working days (83% reduction). Payroll errors due to missing data dropped to less than 1%. Each signed document is archived with qualified timestamping, providing proof that can be cited in the event of a CNIL inspection or employment tribunal dispute.

Scenario 2 — A distribution group of 1,200 employees brings its retention policy into compliance

A group operating in specialised distribution underwent a CNIL inspection following a complaint from a former employee. The inspection revealed that Excel files containing payroll data for employees who had left more than 8 years ago were still accessible on an unsecured shared server, without encryption. A formal warning was issued, together with an order for compliance within 3 months.

The group then undertook a complete audit of its HR processing, mapped its 23 processing activities, and implemented an automated purge plan triggered by the HRIS. Electronically signed documents were migrated to a digital vault with retention periods configured according to legal obligations. The DPO produced a complete HR processing register, presented during a follow-up CNIL inspection 18 months later, which concluded without further action. The cost of bringing into compliance was estimated at less than 60% of the amount of a potential fine.

Scenario 3 — An HR consulting firm of 35 people secures the data of its own consultants and clients

An HR consulting firm manages both the data of its own consultants and that of candidates and employees of its client companies (as part of assessment or outplacement missions). It thus finds itself in a dual role: data controller for its own HR, and subprocessor (or even joint controller) for third-party data.

The firm has implemented a differentiated documentary architecture: simple electronic signatures for routine internal exchanges, advanced signatures for mission contracts with clients, and data processing agreements (DPAs) systematically integrated into engagement letters. All consultants received an updated GDPR charter, signed electronically and kept in a dedicated register. This organisation allowed the firm to advertise its compliance as a sales argument to large accounts subject to strict supplier audits, reducing the average contracting period from 7 to 2 weeks.

Conclusion

The GDPR imposes a profound transformation of HR departments' practices: rigorous identification of legal bases, effective information of employees, management of rights, contractual governance of subprocessors, data security and compliance with retention periods. These obligations are not mere administrative formalities — they determine the company's ability to avoid sanctions that could reach several million euros and to maintain the trust of its teams.

The digitalisation of HR processes, via eIDAS-compliant electronic signature solutions, is one of the most effective levers for reconciling operational efficiency and regulatory compliance. Certyneo supports HR teams through this transition, from the signing of the employment contract to the secure archiving of employee files.

Discover how Certyneo can secure your HR processes by consulting our dedicated HR offering or by starting for free to test the solution without commitment.
