
GDPR in HR: Processing Employee Data

GDPR imposes strict rules on employers regarding the collection and processing of employees' personal data. Discover how to ensure your compliance and avoid penalties.

Certyneo Team · 13 min read


The General Data Protection Regulation (GDPR) does not apply solely to commercial relationships between a business and its customers: it also governs, with great precision, the processing of employees' personal data. Recruitment, payroll management, access control, performance evaluation, video surveillance… each stage of the employment contract lifecycle generates personal data that the employer must process in strict compliance with European law. With fines reaching up to €20 million or 4% of annual global turnover, the stakes are considerable. This article details the applicable legal bases, the practical obligations of HR departments and best practices for securing your processing — including when digitalising HR documents.

GDPR lists six legal bases for processing personal data (Article 6). In an HR context, three of these are mobilised almost systematically:

  • Fulfilment of the employment contract (Art. 6.1.b): constitutes the primary basis for payroll management, working time monitoring, delivery of payslips or management of leave.
  • Legal obligation (Art. 6.1.c): justifies processing required by employment law or social legislation, such as the prior declaration of employment (DPAE), the personal social declaration (DSN) or maintenance of the personnel register.
  • Legitimate interest (Art. 6.1.f): can support certain IT security or internal fraud prevention processing, provided that this interest is not outweighed by employees' fundamental rights.

⚠️ The consent basis must be handled with extreme caution in an employment context. The CNIL regularly reminds us that the inherent imbalance in the employer-employee relationship makes consent rarely "free" within the meaning of Article 7 of GDPR. Relying on consent for processing that could be based on another legal basis exposes the employer to a risk of requalification.

Special categories of data: a reinforced regime

Certain data collected by HR departments fall under the "sensitive data" regime set out in Article 9 of GDPR, the processing of which is in principle prohibited except for exceptions:

  • Health data: sickness absences, declarations of unfitness by occupational health services, workplace adjustments for disability.
  • Trade union data: membership of a trade union, representative mandates.
  • Biometric data: access control via fingerprint or facial recognition.
  • Data relating to criminal offences: verification of criminal records, authorised only in regulated sectors (security, childcare, etc.).

For these categories, the employer must identify an explicit exception (Art. 9.2), conduct a data protection impact assessment (DPIA) in most cases, and often consult the CNIL before deployment.

Practical obligations of HR departments

The processing activities register

Any organisation employing more than 250 employees is required to maintain a processing activities register (Art. 30 of GDPR). Below this threshold, the obligation still applies if the processing is not occasional or involves sensitive data — which is almost always the case in HR. This register must document:

  • The purpose of each processing activity (e.g. "payslip management")
  • The categories of data involved
  • The recipients (third parties, sub-processors)
  • The retention periods
  • The security measures implemented

The CNIL provides a freely downloadable template register. Its rigorous maintenance constitutes the first line of defence in the event of inspection.

Retention periods: often overlooked

Article 5.1.e of GDPR imposes the principle of storage limitation: data must not be kept for longer than necessary for the purpose for which it was collected. In HR, the reference legal retention periods are as follows:

| Type of data | Recommended retention period |
|---|---|
| Payslip | 5 years (civil statute of limitations) |
| Employment contract | 5 years after contract termination |
| Recruitment data (unsuccessful candidate) | 2 years maximum after last contact |
| Disciplinary file | Variable duration depending on the sanction (max. 3 years for a warning) |
| Video surveillance data | 1 month as a general rule |
| DSN and personnel register | 5 years after employee departure |

These periods must be recorded in the register and applied through deletion or permanent archiving procedures.

Informing employees: an obligation often underestimated

Article 13 of GDPR requires providing a complete information notice to individuals at the time their data is collected. In HR, this notice should ideally be provided:

  • At the application stage: for data collected during the recruitment process.
  • At employment: incorporated into the employment contract or provided as an annex upon signature.
  • During the employment relationship: for each new processing activity introduced (e.g. deployment of a biometric time-tracking system).

Digitalising the onboarding process, particularly via electronic signature for HR, facilitates proof of this information: the date of reading and signing the notice is timestamped in a probative manner, which constitutes valuable evidence in the event of dispute.

Securing HR data: technical and organisational measures

Encryption, access control and compartmentalisation

Article 32 of GDPR requires security measures appropriate to the risk. For HR data, which is by nature sensitive and targeted during breaches, minimum best practices include:

  • Encryption of data at rest and in transit: payroll files, contracts and personal files must be stored encrypted (AES-256 minimum) and transmitted via secure protocols (TLS 1.3).
  • Role-based access control (RBAC): only authorised HR managers access payroll data; line managers access only the data necessary for management.
  • Access logging: any consultation or modification of an employee file must be traced with the user's identifier, date and time.
  • Pseudonymisation for analytical processing (HR dashboards, compensation studies).
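The following Python block is an added illustration, not Certyneo's code, of three of the controls just listed: a role-based check on which fields of an employee file a caller may read, an append-only access log that records the user identifier, role, fields and timestamp of every granted or refused consultation, and HMAC-based pseudonymisation so that an HR dashboard can be built without exposing employee identifiers. The roles, field names, employee record and secret key are constructed for the example; a real deployment would load them from the HRIS and a key store.

```python
"""
Added example (not part of the original article): minimal Article 32 controls
for HR data -- RBAC on employee-file fields, an access log with user id and
timestamp, and HMAC pseudonymisation for analytical processing.
All roles, field names, records and keys below are constructed for illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed role model: the only fields each role is allowed to read.
# Payroll staff see bank details and salary; line managers see only what
# they need to manage leave (data minimisation, Art. 5.1.c).
ROLE_FIELDS = {
    "hr_payroll": {"employee_id", "name", "iban", "gross_salary", "leave_balance"},
    "line_manager": {"employee_id", "name", "leave_balance"},
}

# Constructed, fictitious employee file.
EMPLOYEE_FILES = {
    "E-1042": {
        "employee_id": "E-1042",
        "name": "A. Example",
        "iban": "FR76 0000 0000 0000 0000 0000 000",  # fictitious
        "gross_salary": 3200,
        "leave_balance": 12,
    },
}


class AccessDenied(PermissionError):
    """Raised when a role requests fields outside its permitted set."""


@dataclass
class AccessLog:
    """Append-only trace of every consultation attempt (who, what, when, outcome)."""
    entries: list = field(default_factory=list)

    def record(self, user, role, employee_id, fields, outcome):
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "role": role,
            "employee_id": employee_id,
            "fields": sorted(fields),
            "outcome": outcome,
        })


def read_employee_file(user, role, employee_id, requested_fields, log):
    """Return only the requested fields if the role permits all of them.

    Both refused and granted attempts are logged before any data is returned,
    so the trail is complete even when the caller is denied.
    """
    allowed = ROLE_FIELDS.get(role, set())  # unknown role -> nothing allowed
    requested = set(requested_fields)
    if not requested <= allowed:
        log.record(user, role, employee_id, requested, "denied")
        raise AccessDenied(f"{role!r} may not read {sorted(requested - allowed)}")
    record = EMPLOYEE_FILES[employee_id]
    log.record(user, role, employee_id, requested, "granted")
    return {f: record[f] for f in requested}


def try_read(user, role, employee_id, requested_fields, log):
    """Convenience wrapper returning (outcome, data) instead of raising."""
    try:
        return "granted", read_employee_file(user, role, employee_id, requested_fields, log)
    except AccessDenied:
        return "denied", None


def pseudonymise(employee_id, secret):
    """Keyed pseudonym: stable for joins across datasets, but not reversible
    without the secret, which stays outside the analytics environment."""
    return hmac.new(secret, employee_id.encode(), hashlib.sha256).hexdigest()[:16]


def build_dashboard_rows(secret):
    """Rows for a compensation dashboard: pseudonym plus the analytical value,
    with no name or raw employee identifier."""
    return [
        {"pseudo_id": pseudonymise(emp["employee_id"], secret), "gross_salary": emp["gross_salary"]}
        for emp in EMPLOYEE_FILES.values()
    ]


if __name__ == "__main__":
    log = AccessLog()
    print(try_read("m.manager", "line_manager", "E-1042", ["name", "iban"], log))
    print(try_read("p.payroll", "hr_payroll", "E-1042", ["iban", "gross_salary"], log))
    print(build_dashboard_rows(b"constructed-demo-key"))
    for entry in log.entries:
        print(entry)
```

Two design points matter in practice. The log entry is written before the data leaves the function, so a denied request leaves the same kind of trace as a granted one; reviewing the "denied" entries is how excessive access attempts are detected. The pseudonym is an HMAC rather than a plain hash: a bare SHA-256 of a short, guessable employee number could be reversed by simply hashing every possible number, whereas the keyed version only links back to a person for whoever holds the key.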

Managing HR sub-processors

HR departments use numerous sub-processors: HRIS editors, outsourced payroll providers, training platforms, online recruitment tools. Each of these third parties must be subject to a sub-processing contract compliant with Article 28 of GDPR, specifying in particular:

  • The nature and purpose of sub-processed activities
  • The sub-processor's obligations regarding security and confidentiality
  • Prohibition on further sub-contracting without prior authorisation
  • Procedures for data return or destruction at end of contract

When selecting a service provider, it is also advisable to check whether its servers are located within the European Economic Area (EEA) or whether an appropriate transfer mechanism (standard contractual clauses, adequacy decision) is in place for transfers outside the EEA.

Digitalising HR documents and GDPR compliance

The increasing digitalisation of HR processes — electronic employment contracts, dematerialised payslips, amendments signed remotely — raises specific GDPR issues. Whilst eIDAS-compliant electronic signature provides undeniable integrity and authenticity guarantees, the employer must ensure that the platform used:

  • Does not collect superfluous data during the signature process (minimisation principle, Art. 5.1.c)
  • Maintains signature evidence (audit trail) in secure conditions and for an appropriate period
  • Enables signatories to exercise their rights (access, rectification, erasure within legal limits)

For further information on signature tool compliance, Certyneo's comprehensive guide to electronic signature details the technical and legal criteria to verify before any deployment.

Employee rights and their effective exercise

Overview of rights guaranteed by GDPR

Employees benefit from all rights provided in Articles 15 to 22 of GDPR. In an HR context, the most frequently exercised rights are:

  • Right of access (Art. 15): an employee may request a copy of all data concerning them held by the employer, including professional email exchanges in certain circumstances.
  • Right to rectification (Art. 16): correction of inaccurate data (error in bank details, qualification entered incorrectly, etc.).
  • Right to erasure (Art. 17): limited in HR by legal retention obligations, but applicable to recruitment data for an unsuccessful candidate.
  • Right to object (Art. 21): may be exercised against processing based on legitimate interest, such as certain monitoring processing.
  • Right to data portability (Art. 20): applicable to data provided by the employee in the course of contract fulfilment.

Response timeframe and internal procedures

The employer has one month to respond to any request to exercise rights, extendable to three months in case of complexity or high volume of requests (Art. 12.3). To organise this processing effectively, it is recommended to:

  • Designate a single point of contact (DPO or GDPR contact) to receive requests
  • Set up a dedicated form accessible to employees
  • Document each request and its response in a register of requests to exercise rights
  • Train HR managers to identify an implicit request (an employee asking for "their personnel file" is effectively exercising their right of access)

The role of the DPO in business

GDPR requires the appointment of a Data Protection Officer (DPO) in three cases (Art. 37): public authority, large-scale processing of sensitive data, or systematic large-scale monitoring. Many companies whose HR processing is significant fall within this obligation. The DPO may be internal or external; they must have functional independence and be involved in all decisions affecting data protection, including the deployment of new digital HR tools. Their role is advisory and not decision-making: final responsibility remains that of the controller, i.e. the employer.

GDPR: foundational text

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR) constitutes the regulatory foundation for personal data processing in Europe. Directly applicable in all member states since 25 May 2018, it applies to any employer processing data of employees resident in the EU, regardless of the company's nationality. The main articles applicable in an HR context are:

  • Art. 5: fundamental principles (lawfulness, fairness, transparency, minimisation, accuracy, storage limitation, integrity and confidentiality, accountability)
  • Art. 6: legal bases for processing
  • Art. 9: sensitive data regime
  • Art. 12 to 22: rights of data subjects
  • Art. 24 to 32: obligations of controllers and processors
  • Art. 33-34: notification of data breaches (72 hours to the CNIL, and notification of individuals if high risk)
  • Art. 35: impact assessment (DPIA) mandatory for high-risk processing
  • Art. 83: administrative penalties (up to €20 million or 4% of global turnover)

The amended Data Protection Act

Under French law, Act no. 78-17 of 6 January 1978 on data protection, amended by Act no. 2018-493 of 20 June 2018 and Ordinance no. 2018-1125 of 12 December 2018, complements GDPR by exercising the national margins of manoeuvre that GDPR leaves to member states ("opening clauses"). Among the most important in HR: the possibility of processing trade union data in the context of managing staff representation bodies (Art. 9 of the Act), and specific rules for processing occupational health data.

Employment Code and social case law

The Employment Code requires information and prior consultation of the Social and Economic Committee (CSE) before any deployment of employee monitoring or control measures (Art. L. 2312-38). Failure to consult exposes the employer to exclusion of evidence collected and criminal penalties.

The Court of Cassation regularly reminds us that monitoring tools (geolocation, badge systems, activity tracking software) must be proportionate to the objective pursued and cannot be repurposed for uses other than those declared to employees and the CNIL.

Electronic signature of HR documents: eIDAS and Civil Code

When digitalising employment contracts, amendments or disciplinary documents, the employer must comply with Regulation (EU) no. 910/2014 eIDAS, which defines three levels of electronic signature. For documents as significant as a permanent employment contract or severance agreement, an advanced electronic signature (or even qualified) is recommended to guarantee the identity of the signatory and document integrity. The Civil Code at Articles 1366 and 1367 establishes the probative value of electronic records and electronic signatures, subject to reliable identification of the signatory and assurance of integrity.

CNIL sanctions in HR matters

The CNIL has imposed several significant sanctions regarding HR data processing: in 2022, a company was fined €400,000 for excessive monitoring of remote working employees through screen capture software. In 2023, a security company was penalised €200,000 for excessive collection of biometric data without a valid legal basis. These decisions illustrate the regulator's growing vigilance in this area.

Usage scenarios: GDPR HR in practice

Scenario 1 — A mid-sized industrial company employing 450 people brings its recruitment process into compliance

A mid-sized industrial company employing approximately 450 people across three sites received over 3,000 unsolicited applications per year and responded to around sixty job postings. CVs and cover letters were stored indefinitely in a shared email mailbox between six department managers. No information notice was provided to candidates on the use of their data.

Following a GDPR audit, the following actions were deployed over six months:

  • Migration to an ATS (Applicant Tracking System) certified GDPR-compliant, with automatic purge of files after 24 months of inactivity
  • Addition of a GDPR information notice in each online application form
  • Electronic signature of employment letters and employment contracts via an eIDAS-compliant platform, reducing the average time for returned signed contracts from 8 days to less than 48 hours
  • Update of the processing activities register with 12 new HR processing records

Result: no CNIL requests received in the following 18 months; estimated saving of 1.2 FTE on recruitment administration management thanks to digitalisation.

Scenario 2 — A retail group with 1,200 employees regulates its video surveillance policy

A group specialised in food retail had deployed a video surveillance system covering 34 stores. Images were retained for 45 days on some sites, with no notice displayed for employees. Several cameras covered till positions continuously, creating a risk of disproportionate monitoring.

Following a complaint from an employee to the CNIL, the company initiated a compliance process including:

  • Reduction of retention period to 30 days maximum across all sites
  • Repositioning of cameras to exclude continuous monitoring of individual work positions
  • Consultation and agreement of the central CSE before any new deployment
  • Systematic information of employees through employment contracts and an internal notice displayed on-site

Result: closure of the CNIL complaint without penalty; improvement in workplace climate measured in the following annual satisfaction survey (+11 points on the "trust in employer" item).

Scenario 3 — An outsourced HR consultancy secures data transfers with its clients

A consultancy specialising in payroll and personnel administration outsourcing managed employee files for twenty SME clients, representing approximately 1,800 payslips monthly. Payroll files were transmitted by unencrypted email, without a sub-processing contract formalised under Article 28 of GDPR.

The consultancy undertook a complete overhaul of its practices:

  • Signature of Data Processing Agreements (DPA) compliant with Article 28 with each client, via an advanced electronic signature platform enabling traceability
  • Implementation of a secure client portal (TLS encryption + two-factor authentication) for deposit and retrieval of payroll files
  • Data hosting on servers located in France, certified HDS for occupational health data
  • Drafting of a sub-processing policy governing recourse to third parties (payroll software editor, data archiver)

Result: 100% reduction in HR data transmissions via unsecured email; acquisition of two new client contracts that made GDPR compliance a mandatory selection criterion in their tender process.

Conclusion

GDPR in HR is not merely an additional administrative burden: it is a lever of trust between employer and employees, and a competitive factor in a labour market where transparency is increasingly valued. An up-to-date processing activities register, controlled retention periods, formalised employee information, enhanced security of sensitive data and contracted sub-processors: each of these pillars contributes to building an HR policy that is both lawful and responsible.

Digitalising HR documents — contracts, amendments, payslips, information notices — offers a unique opportunity to combine GDPR compliance and operational efficiency, provided you rely on certified tools. Certyneo supports you in this approach with an eIDAS-compliant electronic signature solution, designed for HR teams. Discover our pricing and start your free trial on Certyneo to secure your HR documents today.
