GDPR in HR: Processing Employee Data
GDPR and human resources: legal bases, processing register, retention periods and employee rights in 2026.
Certyneo Team, Writer at Certyneo

Introduction
Since the General Data Protection Regulation (GDPR) came into force on 25 May 2018, HR departments have been at the forefront of compliance. HR functions process sensitive personal data daily: CVs, payslips, health data, evaluations, bank details. Poor management exposes the company to sanctions of up to 20 million euros or 4% of global turnover (Article 83 of the GDPR). This article presents key obligations and best practices for securing the processing of employee data throughout the HR cycle.
Fundamental principles applicable to HR data
The GDPR imposes six cardinal principles codified in Article 5: lawfulness, fairness and transparency (counted as one principle), purpose limitation, data minimisation, accuracy, storage limitation, and integrity and confidentiality. In practice, this means that the HR department may only collect the data strictly necessary for a determined purpose. For example, requesting a social security number at the application stage is disproportionate: it is only justified after hiring, for the DSN (the French monthly social declaration).
The CNIL, through its deliberation no. 2019-160 adopting a reference framework on personnel management, specifies the recommended retention periods: 2 years for rejected applications (unless the candidate consents to a longer period), 5 years after departure for the administrative file, and 6 years for the employer's copy of payslips.
Legal basis and informing employees
Contrary to popular belief, consent is rarely the appropriate legal basis in HR, due to the relationship of subordination. The relevant bases are rather the performance of the employment contract (Article 6.1.b), legal obligation (Article 6.1.c) or legitimate interest (Article 6.1.f). For sensitive data (health, union membership), Article 9 requires a specific basis such as labour law obligations.
The employer must provide clear information via a GDPR notice delivered at recruitment, update the processing register (Article 30) and consult the Works Council before any new processing affecting employees (Article L.2312-38 of the Labour Code).
Security and employee rights
Technical and organisational security (Article 32) requires: encryption of the HRIS, access control by profile, traceability of consultations, and confidentiality clauses with payroll or recruitment sub-processors (Article 28). In the event of a breach, the CNIL must be notified within 72 hours.
Employees have enhanced rights: access, rectification, erasure (limited by legal retention obligations), portability and objection. An internal procedure must allow responses within a maximum of one month. Any refusal of access to the disciplinary file must be legally justified.
Practical examples
Example 1 – Recruitment: An SME has been keeping the CVs of all candidates in a shared folder for 5 years. This is non-compliant: the retention period is excessive and the folder lacks access security. Solution: automatic deletion after 2 years, access restricted to recruiters, and a GDPR notice in the job advertisement.
Example 2 – Video surveillance: A logistics warehouse continuously records work stations. This exposes it to sanctions (the CNIL fined Amazon France Logistique 32 million euros in 2024). Solution: limit recording to sensitive areas, notify each employee individually, consult the Works Council, and retain footage for a maximum of one month.
Example 3 – Collaborative tools: Deploying Microsoft 365 requires a data protection impact assessment (DPIA) if monitoring functions are activated, as well as a compliant processor clause (Article 28) with the software publisher.
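The retention periods cited above and the "automatic deletion after 2 years" control in Example 1 can be enforced as code rather than left to manual housekeeping. The following is an added example written for this article, not code from Certyneo or from the CNIL: it models the three retention categories with their triggering events, applies the consent exception for rejected candidates, treats a legal hold as overriding the retention clock, escalates unknown categories to human review instead of deleting them, and emits an audit line per decision so consultations and deletions remain traceable (Article 32). The record categories, the `consent_until` and `legal_hold` fields and the sample records are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Retention periods as summarised in the article (CNIL deliberation 2019-160):
# category -> years counted from the record's triggering event.
RETENTION_YEARS = {
    "rejected_application": 2,    # from the rejection date
    "administrative_file": 5,     # from the employee's departure date
    "payslip_employer_copy": 6,   # from the payslip issue date
}


@dataclass
class HrRecord:
    record_id: str
    category: str
    trigger_date: date                      # rejection, departure or payslip date
    consent_until: Optional[date] = None    # rejected candidate agreed to a longer keep (assumed field)
    legal_hold: bool = False                # pending litigation suspends deletion (assumed field)


def add_years(d: date, years: int) -> date:
    """Add calendar years; 29 February rolls back to 28 February in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def expiry_date(record: HrRecord) -> date:
    """Date from which the record may be deleted under the retention table."""
    base = add_years(record.trigger_date, RETENTION_YEARS[record.category])
    # Consent is the only exception the article mentions, and only for rejected candidates.
    if record.category == "rejected_application" and record.consent_until is not None:
        return max(base, record.consent_until)
    return base


def retention_action(record: HrRecord, today: date) -> str:
    """Decide what the job should do with one record: keep, delete, hold or review."""
    if record.category not in RETENTION_YEARS:
        return "review"          # unknown category: never delete silently, escalate to the DPO
    if record.legal_hold:
        return "hold"            # litigation or audit freeze overrides the retention clock
    if today >= expiry_date(record):
        return "delete"
    return "keep"


def run_retention_job(records, today: date):
    """Group records by action and produce a traceability log of every decision."""
    report = {"keep": [], "delete": [], "hold": [], "review": []}
    audit_log = []
    for rec in records:
        action = retention_action(rec, today)
        report[action].append(rec.record_id)
        expiry = expiry_date(rec).isoformat() if rec.category in RETENTION_YEARS else "n/a"
        audit_log.append(
            f"{today.isoformat()} {rec.record_id} {rec.category} expiry={expiry} action={action}"
        )
    return report, audit_log


# Constructed sample records (not real data); the run date is fixed so the outcome is reproducible.
SAMPLE_RECORDS = [
    HrRecord("cv-1001", "rejected_application", date(2023, 6, 1)),
    HrRecord("cv-1002", "rejected_application", date(2023, 6, 1), consent_until=date(2026, 12, 31)),
    HrRecord("emp-2001", "administrative_file", date(2021, 3, 31)),
    HrRecord("pay-3001", "payslip_employer_copy", date(2019, 12, 31)),
    HrRecord("emp-2002", "administrative_file", date(2020, 1, 1), legal_hold=True),
    HrRecord("misc-4001", "training_certificate", date(2015, 1, 1)),
]
RUN_DATE = date(2026, 1, 15)

if __name__ == "__main__":
    summary, log = run_retention_job(SAMPLE_RECORDS, RUN_DATE)
    for action, ids in summary.items():
        print(f"{action}: {ids}")
    print("\n".join(log))
```

In a real HRIS the job would read records from the database and the "delete" bucket would feed an actual purge (with the audit log kept in a separate, append-only store), but the decision logic stays the same: the retention clock starts at the triggering event, consent can only extend it, and a hold or an unrecognised category blocks deletion until a human decides.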
Compliance and sanctions
In addition to CNIL fines, the employer faces the risk of employment tribunal claims for infringement of privacy (Article 9 of the Civil Code, Article L.1121-1 of the Labour Code). The designation of a DPO is mandatory for entities processing data on a large scale. An annual mapping of HR processing, combined with manager training, constitutes the best legal and operational protection.
Conclusion
GDPR compliance in HR is not a one-off project but a continuous process of improvement. Between legal obligations, employee rights and operational performance, HR directors must steer data governance with rigour. Investing in a compliant HRIS, training teams and documenting each processing transforms regulatory constraint into a driver of employee trust.