Electronic Signature for HR & GDPR: Complete Guide 2026
Between eIDAS, GDPR and the management of employee personal data, electronic signature of your HR documents is subject to strict rules. Discover how to remain compliant.
Certyneo Team
The digitalisation of human resources has accelerated considerably since 2020: employment contracts, amendments, payslips, IT policies, remote working agreements, virtually all of these documents now pass through digital form. Yet dematerialising does not mean escaping legal obligations. On the contrary: the electronic signature of HR documents sits at a dual regulatory entry point, because it combines the eIDAS framework on the probative value of signatures with the European regulation on the protection of personal data (GDPR). If poorly managed, this dual constraint exposes the company to legal risk and CNIL sanctions. This guide presents the essential rules, best practices and points of caution you must know in 2026.
Why does GDPR apply to electronic signature for HR?
Electronic signature necessarily processes personal data
Signing an employment contract online involves collecting, transmitting and storing personal data within the meaning of Article 4 of GDPR n°2016/679: name, surname, professional email address, sometimes mobile telephone number, signature timestamp and IP address. In an HR context, this data is particularly sensitive as it directly identifies the employee and is linked to his or her contractual relationship with the employer.
The trust service provider (TSP) supplying the signature solution acts as a data processor within the meaning of Article 28 of the GDPR, while the employer remains the data controller. This distinction is fundamental: the company bears primary accountability towards the CNIL for the lawfulness of the processing. The processor is not exempt, however: it has direct obligations of its own (acting only on documented instructions, securing the processing under Article 32, notifying the controller of breaches) and can be sanctioned for breaching them. Choosing a provider therefore does not transfer responsibility; it adds a second party whose obligations must be contractually framed.
Applicable legal bases in HR context
For each category of dematerialised HR documents, the employer must identify the most appropriate legal basis for processing:
- Performance of a contract (Art. 6.1.b GDPR): signature of employment contract, salary amendment, fixed-hours convention. This is the most robust legal basis for contractual documents.
- Legal obligation (Art. 6.1.c GDPR): electronic delivery of payslips (permitted under Article L. 3243-2 of the Labour Code unless the employee objects), personnel registers.
- Legitimate interest (Art. 6.1.f GDPR): IT policies, internal regulations, internal policy documents — subject to passing the balancing test.
The consent basis (Art. 6.1.a) should be avoided in HR context: the CNIL and the EDPB (European Data Protection Board) consider that the relationship of subordination between employer and employee makes consent rarely free. An employee who refuses to sign electronically could fear professional consequences.
Concrete obligations of the HR data controller
Update the Data Processing Record
Article 30 of the GDPR requires organisations to keep a record of processing activities. The exemption for organisations with fewer than 250 employees (Art. 30.5) does not apply when the processing is not occasional or is likely to present a risk to data subjects; since HR processing is by nature routine, virtually every employer must keep the record. The introduction of an electronic signature tool for HR documents must appear there with:
- The purpose of processing (e.g.: dematerialisation and archiving of HR contractual documents)
- Categories of data processed (identity, contact data, authentication data)
- Duration of retention (e.g. employment contract: 5 years after the end of the contract, in line with the general civil limitation period of Article 2224 of the Civil Code)
- Details of the data processor (signature platform)
- Security measures implemented
Sign a DPA (Data Processing Agreement) with the service provider
In accordance with Article 28 of the GDPR, any use of a processor to process personal data must be formalised by a data processing agreement (DPA). This contract must specify:
- The subject matter and duration of processing
- The nature and purpose of processing
- The type of personal data and categories of data subjects
- The obligations and rights of the data controller
- The location of data (storage within the EU recommended to avoid transfers outside the EEA)
- Technical and organisational security measures
A reputable electronic signature provider systematically offers a compliant DPA. Its absence constitutes an immediate non-compliance that can be sanctioned.
Inform employees before the first signature
Article 13 of the GDPR requires prior information of persons whose data is collected. Before deploying electronic signature for HR documents, the employer must inform employees:
- Of the identity of the data controller
- Of the purpose and legal basis
- Of the data retention period
- Of their rights (access, rectification, erasure within the limits of legal retention obligations, portability)
- Of the contact details of the DPO (Data Protection Officer) if designated
This information can be integrated into the signature process itself (information banner before signature), in the updated internal regulations, or via a service note distributed upon deployment.
Level of signature required for HR documents: SES, AES or QES?
The hierarchy of eIDAS signature levels
Regulation eIDAS n°910/2014 defines three levels of electronic signature, each offering increasing probative value:
- SES (Simple Electronic Signature): low probative value, suitable for low-stakes documents (receipts, internal forms)
- AES (Advanced Electronic Signature): linked uniquely to the signatory, created using data under his/her sole control. Suitable for most standard HR documents.
- QES (Qualified Electronic Signature): the highest level, equivalent to handwritten signature under Art. 25.2 eIDAS. Requires enhanced identity verification (in-person or video identification).
Which level for which HR documents?
The recommended mapping in 2026, taking into account positions of French case law and sectoral recommendations:
| HR Document | Recommended Level | Justification |
|---|---|---|
| Permanent/Fixed-term Employment Contract | AES minimum, QES recommended | Strong contractual value, employment dispute risk |
| Contractual Amendment | AES minimum, QES recommended | Same logic as main contract |
| Trial Period (renewal) | AES | Short timeframe, limited formalities |
| Remote Work / BYOD Charter | SES or AES | Collective agreement or internal regulation |
| Fixed-hours Convention | QES strongly advised | Demanding employment law case law |
| Agreed Termination | QES strongly advised | Approved Cerfa form, high stakes |
| Receipt for Final Settlement | AES or QES | Quittance value, Art. L. 1234-20 Labour Code |
For high-stakes contentious documents (fixed-hours convention, agreed termination), QES is de facto necessary to guarantee enforceability before employment tribunals. The Court of Cassation has progressively tightened its requirements on proof of employee agreement.
Storage, archiving and individual rights: pitfalls to avoid
Legal retention periods for signed HR documents
The storage of electronically signed HR documents is subject to mandatory legal periods. These periods take precedence over the GDPR right to erasure (Art. 17.3.b):
- Employment contract: 5 years after the end of the contract (general civil limitation period, Art. 2224 Civil Code). The shorter employment-specific limitation periods of Art. L. 1471-1 Labour Code (2 years for disputes over performance of the contract, 12 months for disputes over its termination) fall within that window.
- Payslips: the employer must keep a copy for 5 years (Art. L. 3243-4 Labour Code); salary claims are time-barred after 3 years (Art. L. 3245-1), but retention until the employee's pension rights are settled is recommended
- Occupational accident documents: 30 years (long-term litigation risk)
- Vocational training (plans, certificates): 3 years
- Personnel registers: 5 years after the date the employee left the establishment
Long-term electronic archiving must meet the requirements of the NF Z 42-013 standard and rely on signature formats that embed long-term validation material: the -LTA levels of XAdES, CAdES and PAdES (ETSI EN 319 132, 319 122 and 319 142), optionally packaged together with the signed document in an ASiC container (ETSI EN 319 162). Simple server storage is insufficient: integrity, readability and timestamping must be guaranteed for the entire retention period, which in practice means re-timestamping archived signatures before the certificates of the earlier timestamps expire, so that the signature remains verifiable even after the signer's certificate has lapsed.
Managing employee rights without compromising probative value
An employee can legitimately exercise the right of access (Art. 15 GDPR) to obtain a copy of the signature data concerning him/her. They can also request the rectification of inaccurate data.
However, the right to erasure (Art. 17 GDPR) cannot be exercised on HR documents subject to legal retention obligations. The employer must be able to clearly explain this refusal by citing the applicable legal basis. Documenting these exchanges in the rights request register is a good practice recommended by the CNIL.
Portability (Art. 20 GDPR) applies to data provided by the employee on the basis of consent or contract performance. Concretely, an employee can request their signature data in a structured format — an obligation to anticipate when choosing the signature solution.
Technical and organisational security: essential measures
Technical requirements of the signature platform
In accordance with Article 32 of the GDPR, security measures must be appropriate to the risk. For an electronic HR signature solution, this translates notably into:
- Encryption of data in transit (TLS 1.3 minimum) and at rest (AES-256)
- Multi-factor authentication (MFA) for platform access
- Timestamped, tamper-evident audit logs tracing each action on the document (envelope creation, signer authentication, signature, download), since the audit trail is what will be produced in court to prove who signed what and when
- Storage within the EU (or EEA) to avoid transfers outside the EEA without adequate guarantees (adequacy decision or standard contractual clauses)
- Annual penetration testing and ISO 27001 certification of the provider
- Business continuity plan guaranteeing service availability and archive recovery in case of incident
Impact Assessment (DPIA): when is it mandatory?
Article 35 of the GDPR requires a Data Protection Impact Assessment (DPIA) when processing is likely to present a high risk. The CNIL has published a list of processing types requiring a DPIA: large-scale processing of data relating to professional life is mentioned there.
Concretely, a DPIA is recommended, and in practice required, when deploying an electronic HR signature solution affecting all employees of a large organisation, since that meets the CNIL's large-scale criterion. It must identify the risks (loss of confidentiality, identity theft, document alteration), assess their severity and likelihood, and propose mitigation measures. This assessment must be documented and reviewed whenever the processing changes.
Legal framework applicable to electronic HR signature and GDPR
Founding European texts
Regulation eIDAS n°910/2014 (and its eIDAS 2.0 revision currently being rolled out): this text defines the three levels of electronic signature (SES, AES, QES) and their legal value across all Member States. Article 25 states that QES has a legal effect equivalent to handwritten signature. Article 26 enumerates the technical requirements of advanced signature. Qualified trust service providers are listed on national trust lists (in France, the list is managed by ANSSI).
GDPR n°2016/679: applicable since 25 May 2018, this regulation governs all processing of personal data within the EU. Articles 5 (principles), 6 (legal bases), 13-14 (information), 28 (processors), 30 (record), 32 (security), 35 (DPIA) and 37-39 (DPO) are directly relevant to electronic HR signature.
Applicable French law
Civil Code, Articles 1366-1367: Article 1366 establishes the principle of functional equivalence between electronic and paper writing. Article 1367 recognises electronic signature as a means of proof, provided it consists of a reliable process of identification guaranteeing the link with the act to which it is attached. Reliability is presumed for QES, but can be demonstrated for AES.
Labour Code: Article L. 1221-1 does not require a particular form for the employment contract (with exceptions: fixed-term contracts under Art. L. 1242-12, apprenticeship contracts, etc.). Article L. 3243-2, as amended by the Labour Act of 2016 (Law n°2016-1088), allows the employer to deliver payslips electronically unless the employee objects, under conditions set by decree.
Data Protection Act (Law n°78-17 of 6 January 1978, as amended): the GDPR is a regulation and applies directly, so the Act does not transpose it but adapts French law to it and grants the CNIL its powers of investigation and sanction. Fines can reach 20 million euros or 4% of annual worldwide turnover for the most serious violations.
Reference technical standards
- ETSI EN 319 132: XAdES advanced electronic signature format, applicable to XML documents
- ETSI EN 319 122: CAdES format for CMS electronic signatures
- ETSI EN 319 142: PAdES format for PDF documents, the usual case for HR contracts
- ETSI EN 319 162: ASiC (Associated Signature Containers), packaging one or more documents with their signatures and timestamps for archiving
- NF Z 42-013 (AFNOR): functional specifications of a probative electronic archiving system
- ISO/IEC 27001: information security management, certification framework expected from providers
Legal risks in case of non-compliance
The cumulative risks are significant: an employment contract signed with an insufficient signature level can be challenged before the Employment Tribunal, exposing the employer to reclassification or nullity. On the GDPR side, the absence of a DPA with the provider, failure to inform employees or storage outside the EU without adequate guarantees can lead to a CNIL notice of corrective action, or even administrative sanction.
Use scenarios: GDPR-compliant electronic HR signature
Scenario 1: a mid-sized company of 600 employees digitises its employment contracts
An industrial mid-sized company, distributed across four sites in France, processed approximately 180 permanent/fixed-term hires annually, generating as many paper files to print, sign in duplicate, scan and archive. The delays between the recruitment promise and effective contract signature averaged 8 working days.
After deploying an advanced electronic signature solution (AES) integrated with its HRIS, with a GDPR-compliant DPA signed with the provider and a documented DPIA, the company reduced this delay to less than 24 hours. The rate of incomplete files fell by 34% (sources: ANDRH sectoral benchmarks 2024). Storage of data in France was retained as a contractual criterion, eliminating any risk of transfer outside the EEA. Employees are informed of the processing via an information banner integrated into the signature journey, ensuring compliance with Article 13 of the GDPR.
Scenario 2: a retail franchise network deploys QES signature for fixed-hours conventions
A distribution network specialising in retail with around sixty points of sale and one hundred fixed-hours executives faced an identified employment law risk: several fixed-hours conventions could only be evidenced by poor-quality paper copies. The Court of Cassation having tightened its proof requirements for this type of convention, the litigation risk was estimated at several hundred thousand euros.
The network deployed a qualified signature solution (QES) for all new conventions and offered existing executives to re-sign their current conventions. Video identification was retained for identity verification. The data processing record was updated, and an external DPO validated GDPR compliance of the journey. Within 6 months, the entire portfolio of fixed-hours conventions was secured. The cost of the initiative (approximately 15 to 25 € per QES signature depending on market providers) was deemed far below the litigation risk covered.
Scenario 3: a local authority dematerialises its amendments and remote work charters
A local authority with approximately 1,200 permanent employees wished to dematerialise the management of its remote work amendments following the 2021 national framework agreement on remote work in the public service. The volume to be processed was approximately 400 documents per year, with a specific constraint: the employees are public agents (civil servants and contractual staff) whose data is subject to particularly regulated processing.
The authority opted for advanced signatures (AES), with sovereign storage at a provider qualified SecNumCloud by ANSSI. The DPIA was submitted to the authority's DPO before deployment. Employees were informed via a service note published on the intranet and an information banner in the digital journey. The HR department estimated a gain of 3 FTE-days per month on the administrative management of amendments, representing an annual saving equivalent to approximately 35,000 € in direct costs, consistent with ranges published by the Observatory of Digital Transformation of Local Authorities (2025).
Conclusion
GDPR compliance of electronic signature for HR documents is not optional: it conditions both the legal value of your acts and the protection of your employees' rights. In 2026, companies that have not yet updated their processing record, signed a DPA with their provider and adapted the signature level to each document type face a double risk — employment tribunal and administrative — whose financial consequences can be significant.
The good news: a well-chosen and well-configured solution allows you to reconcile operational fluidity, eIDAS compliance and GDPR respect without friction for HR teams or employees.
Certyneo supports you in this approach: eIDAS-compliant platform, DPA available, European storage and signature journey designed for HR. Discover our dedicated HR solution or calculate the ROI of your transition to full digitalisation in just a few clicks.