Electronic Signature for HR & GDPR: Complete Guide 2026
Between eIDAS, GDPR and management of employee personal data, the electronic signature of your HR documents is subject to strict rules. Discover how to remain compliant.
Certyneo Team
Writer — Certyneo · About Certyneo
The digitalisation of human resources has accelerated considerably since 2020: employment contracts, amendments, payslips, IT policies, remote working agreements — virtually all of these documents now circulate in digital form. Yet dematerialisation does not mean escaping legal obligations. Quite the opposite: the electronic signature of HR documents under the GDPR is a subject with two regulatory entry points, since it combines the eIDAS framework on the probative value of signatures with the European regulation on the protection of personal data. If poorly managed, this dual constraint exposes the company to legal risks and CNIL sanctions. This guide presents the essential rules, best practices and points of attention you absolutely need to know in 2026.
Why does GDPR apply to electronic signature for HR?
Electronic signature necessarily processes personal data
Signing an employment contract online involves collecting, transmitting and storing personal data as defined in Article 4 of GDPR 2016/679: name, first name, professional e-mail address, sometimes mobile phone number, signature timestamp and IP address. In an HR context, this data is particularly sensitive because it directly identifies the employee and is linked to their contractual relationship with the employer.
The trusted services provider (TSP) that supplies the signature solution is qualified as a data processor under Article 28 of the GDPR. The employer remains the data controller. This distinction is fundamental: it is the company that answers to the CNIL in case of breach, not the software supplier.
Applicable legal bases in HR context
For each category of dematerialised HR documents, the employer must identify the most appropriate legal basis for processing:
- Contract performance (Article 6.1.b GDPR): signature of employment contract, salary amendment, flexible working time agreement. This is the most robust legal basis for contractual documents.
- Legal obligation (Article 6.1.c GDPR): dematerialised provision of payslips (authorised since the Macron Act of 2015 under certain conditions), personnel registers.
- Legitimate interest (Article 6.1.f GDPR): IT policies, internal regulations, internal policy documents — subject to passing the balancing test.
Consent-based processing (Article 6.1.a) should be avoided in HR context: the CNIL and EDPB (European Data Protection Board) consider that the subordination relationship between employer and employee makes consent rarely freely given. An employee who refuses to sign electronically might fear professional consequences.
Concrete obligations of the HR data controller
Update the data processing records (DPR)
Article 30 of the GDPR requires any organisation employing more than 250 employees (and SMEs processing sensitive data on a large scale) to maintain data processing records. The introduction of an electronic signature tool for HR documents must be recorded with:
- The purpose of processing (e.g.: dematerialisation and archiving of contractual HR documents)
- The categories of data processed (identity, contact data, authentication data)
- The retention period (legal retention period of employment contract: 5 years after the end of the contract under the Labour Code, Article L. 1234-20)
- Contact details of the data processor (the signature platform)
- Security measures in place
Sign a DPA (Data Processing Agreement) with the service provider
In accordance with Article 28 of the GDPR, any use of a data processor to process personal data must be formalised by a data processing contract (DPA). This contract must specify:
- The subject matter and duration of processing
- The nature and purpose of processing
- The type of personal data and the categories of data subjects
- The obligations and rights of the data controller
- The location of data (hosting within the EU recommended to avoid transfers outside the EEA)
- Technical and organisational security measures
A reputable electronic signature provider systematically offers a GDPR-compliant DPA. Its absence constitutes a non-compliance that is immediately subject to sanctions.
Inform employees before the first signature
Article 13 of the GDPR requires prior information to people whose data is collected. Before deploying electronic signature for HR documents, the employer must inform employees:
- Of the identity of the data controller
- Of the purpose and legal basis
- Of the retention period for data
- Of their rights (access, rectification, erasure within the limits of legal retention obligations, portability)
- Contact details of the Data Protection Officer (DPO) if appointed
This information can be integrated into the signature process itself (information banner before signature), into the updated internal regulations, or via a notice issued when deploying the solution.
Level of signature required for HR documents: SES, AES or QES?
The hierarchy of eIDAS signature levels
The eIDAS regulation 910/2014 defines three levels of electronic signature, each offering increasing probative value:
- SES (Simple Electronic Signature): low probative value, suitable for documents with low stakes (acknowledgements of receipt, internal forms)
- AES (Advanced Electronic Signature): linked uniquely to the signatory, created from data under their exclusive control. Suitable for the majority of ordinary HR documents.
- QES (Qualified Electronic Signature): highest level, equivalent to handwritten signature under Article 25.2 eIDAS. Requires enhanced identity verification (face-to-face or video identification).
Which level for which HR documents?
The recommended mapping in 2026, taking into account positions from French case law and sectoral recommendations:
| HR Document | Recommended Level | Justification |
|---|---|---|
| Permanent/Fixed-term employment contract | AES minimum, QES recommended | Strong contractual value, employment law dispute risk |
| Contractual amendment | AES minimum, QES recommended | Same logic as main contract |
| Probationary period (renewal) | AES | Short timeframe, limited formality |
| Remote working / BYOD charter | SES or AES | Collective agreement or internal regulation |
| Flexible working time agreement | QES strongly recommended | Demanding case law, employment disputes |
| Severance agreement | QES mandatory | Approved Cerfa form, high stakes |
| Final settlement receipt | AES or QES | Discharge value, Labour Code Article L. 1234-20 |
For documents with high litigation stakes (flexible working time agreement, severance agreement), QES is de facto required to guarantee enforceability before employment courts. The Court of Cassation has progressively tightened its requirements for proving employee agreement.
Retention, archiving and individuals' rights: pitfalls to avoid
Legal retention periods for electronically signed HR documents
The retention of electronically signed HR documents is subject to mandatory legal retention periods. These periods take precedence over the right to erasure under the GDPR (Article 17.3.b):
- Employment contract: 5 years after the end of the contract (employment law prescription, Labour Code Article L. 1471-1)
- Payslips: 5 years (salary prescription), but retention recommended until the employee's pension rights are settled
- Documents relating to workplace accidents: 30 years (long-term litigation risk)
- Professional training (plans, certificates): 3 years
- Personnel registers: 5 years after the date the employee left the establishment
Long-term electronic archiving with probative value must meet the requirements of standard NF Z 42-013 and ideally the ETSI EN 319 162 standard (long-term archiving of electronic signatures). Simple server storage is not sufficient: integrity, readability and qualified timestamping of documents must be guaranteed for the entire retention period.
Managing employees' rights without compromising probative value
An employee can legitimately exercise their right of access (Article 15 GDPR) to obtain a copy of signature data concerning them. They may also request rectification of inaccurate data.
However, the right to erasure (Article 17 GDPR) cannot be exercised for HR documents subject to legal retention obligations. The employer must be able to clearly explain this refusal by citing the applicable legal basis. Documenting these exchanges in a register of rights requests is a good practice recommended by the CNIL.
Portability (Article 20 GDPR) applies to data provided by the employee on the basis of consent or contract performance. In practice, an employee can request their signature data in a structured format — an obligation to anticipate when choosing a signature solution.
Technical and organisational security: essential measures
Technical requirements for the signature platform
In accordance with Article 32 of the GDPR, security measures must be appropriate to the risk. For an electronic signature solution for HR, this translates in particular to:
- Encryption of data in transit (TLS 1.3 minimum) and at rest (AES-256)
- Multi-factor authentication (MFA) for platform access
- Tamper-proof, timestamped audit logs tracing every action on the document
- Hosting in the EU (or EEA) to avoid transfers outside the EEA without adequate safeguards (adequacy decision or standard contractual clauses)
- Annual penetration testing and ISO 27001 certification of the service provider
- Business continuity plan guaranteeing service availability and archive recovery in case of incident
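The tamper-proof audit log in the list above can be implemented as a hash chain, so that altering, back-dating or deleting any past entry is detected at verification time. The following is an added example, not code from the original page or from Certyneo; the envelope id, actors and timestamps are constructed sample data.

```python
"""Tamper-evident, timestamped audit trail for a signature envelope.

Each event is chained to the previous one by a SHA-256 digest over the
previous hash and the canonical JSON of the event, so any change to a past
entry (or its removal) breaks the chain from that point onwards.
"""
import hashlib
import json


def _digest(prev_hash: str, event: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) keeps the digest reproducible.
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append_event(trail: list, envelope_id: str, actor: str, action: str, ts: str) -> dict:
    """Append one audit entry linked to the last entry's hash (genesis: 64 zeros)."""
    prev_hash = trail[-1]["hash"] if trail else "0" * 64
    event = {"envelope_id": envelope_id, "actor": actor, "action": action,
             "timestamp": ts, "prev_hash": prev_hash}
    event["hash"] = _digest(prev_hash, dict(event))
    trail.append(event)
    return event


def verify_trail(trail: list) -> tuple:
    """Return (True, -1) if the chain is intact, else (False, index of first bad entry)."""
    expected_prev = "0" * 64
    for i, event in enumerate(trail):
        body = {k: v for k, v in event.items() if k != "hash"}
        if event["prev_hash"] != expected_prev or _digest(event["prev_hash"], body) != event["hash"]:
            return False, i
        expected_prev = event["hash"]
    return True, -1


def build_sample_trail() -> list:
    # Constructed sample: lifecycle of one employment-contract envelope.
    trail = []
    for actor, action, ts in [
        ("hr.manager@example.com", "envelope_created", "2026-01-12T09:00:00+00:00"),
        ("hr.manager@example.com", "gdpr_notice_displayed", "2026-01-12T09:00:05+00:00"),
        ("employee@example.com", "document_viewed", "2026-01-12T10:15:00+00:00"),
        ("employee@example.com", "signed_aes", "2026-01-12T10:18:30+00:00"),
        ("system", "archived", "2026-01-12T10:18:31+00:00"),
    ]:
        append_event(trail, "ENV-0001", actor, action, ts)
    return trail


def tampered_copy(trail: list) -> list:
    # Simulate a back-dated signature: only the timestamp of entry 3 is edited.
    copy = [dict(e) for e in trail]
    copy[3]["timestamp"] = "2026-01-11T10:18:30+00:00"
    return copy
```

Hash chaining alone proves internal consistency; the page's requirement of qualified timestamping means the head hash should additionally be anchored by a qualified timestamp so the chain cannot be rebuilt wholesale.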
Impact Assessment (DPIA): when is it mandatory?
Article 35 of the GDPR requires a Data Protection Impact Assessment (DPIA) when processing is likely to result in high risk. The CNIL has published a list of types of processing requiring a DPIA: large-scale processing of data relating to professional life is mentioned there.
In practical terms, a DPIA is recommended (or even mandatory for large companies) when deploying an electronic signature solution for HR affecting all employees. It must identify risks (loss of confidentiality, identity theft, document tampering), assess their severity and probability, and propose mitigation measures. This analysis must be documented and reviewed if the processing changes.
Legal framework applicable to electronic signature for HR and GDPR
Foundational European texts
eIDAS regulation 910/2014 (and its eIDAS 2.0 revision currently being rolled out): this text defines the three levels of electronic signature (SES, AES, QES) and their legal value throughout the Member States. Article 25 provides that QES has legal effect equivalent to a handwritten signature. Article 26 lists the technical requirements for advanced signature. Qualified trust service providers are listed on national trust lists (in France, the list is managed by ANSSI).
GDPR 2016/679: applicable since 25 May 2018, this regulation governs any processing of personal data within the EU. Articles 5 (principles), 6 (legal bases), 13-14 (information), 28 (processors), 30 (records), 32 (security), 35 (DPIA) and 37-39 (DPO) are directly relevant to electronic signature for HR.
Applicable French law
Civil Code, Articles 1366-1367: Article 1366 establishes the principle of functional equivalence between electronic and paper documents. Article 1367 recognises electronic signature as a means of proof, provided it consists of a reliable means of identification guaranteeing the link with the act to which it is attached. Reliability is presumed for QES, whereas for AES it must be demonstrated.
Labour Code: Article L. 1221-1 does not impose any particular form for the employment contract (except exceptions: fixed-term contracts Article L. 1242-12, apprenticeship contracts, etc.). The Macron Act of 2015 (Act No. 2015-990) opened the way to electronic payslips. Article L. 3243-2 regulates the procedures.
Data Protection Act modified (Act No. 78-17 of 6 January 1978): French transposition of the GDPR, it gives the CNIL its powers of investigation and sanctions. Fines can reach €20 million or 4% of annual global turnover for the most serious violations.
Reference technical standards
- ETSI EN 319 132: advanced electronic signature format XAdES, applicable to XML documents
- ETSI EN 319 122: CAdES format for electronic signatures of CMS documents
- ETSI EN 319 162: long-term archiving of electronic signatures (ASiC)
- NF Z 42-013 (AFNOR): functional specifications for a reliable electronic archiving system
- ISO/IEC 27001: information security management, certification framework expected from providers
Legal risks in case of non-compliance
The cumulative risks are significant: an employment contract signed with an insufficient signature level can be contested before the Employment Tribunal, exposing the employer to reclassification or nullity. On the GDPR side, the absence of a DPA with the service provider, failure to inform employees or hosting outside the EU without adequate safeguards can lead to a CNIL order to comply, or even a public administrative fine.
Usage scenarios: electronic signature for HR compliant with GDPR
Scenario 1: a mid-sized industrial company with 600 employees digitises its employment contracts
A medium-sized industrial company, spread across four sites in France, processed approximately 180 permanent and fixed-term hirings each year, generating as many paper files to be printed, signed in duplicate, scanned and archived. The delays between the employment offer and the effective signing of the contract averaged 8 working days.
After deploying an advanced electronic signature solution (AES) integrated into its HRIS, with a GDPR-compliant DPA signed with the service provider and a documented DPIA, the company reduced this delay to less than 24 hours. The rate of incomplete files dropped by 34% (sources: ANDRH sector benchmarks 2024). Data hosting in France was chosen as a contractual criterion, eliminating any risk of transfer outside the EEA. Employees are informed of the processing via an information banner integrated into the signature process, ensuring compliance with Article 13 of the GDPR.
Scenario 2: a retail franchise network deploys QES signature for flexible working time agreements
A retail distribution network with approximately sixty points of sale and around a hundred managers on flexible working time faced an identified employment law risk: several flexible working time agreements could only be proved through poor-quality paper copies. The Court of Cassation having tightened its requirements for proof on this type of agreement, the litigation risk was estimated at several hundred thousand euros.
The network deployed a qualified signature solution (QES) for all new agreements and offered current managers the opportunity to re-sign their existing agreements. Video identification was chosen for identity verification. The data processing records were updated, and an external DPO validated the GDPR compliance of the process. Within 6 months, the entire flexible working time agreement portfolio had been secured. The cost of the initiative (approximately €15 to €25 per QES signature depending on market providers) was deemed far less than the litigation risk covered.
Scenario 3: a local authority dematerialises its amendments and remote working charters
A local authority with approximately 1,200 permanent employees wished to dematerialise the management of its remote working amendments following the 2021 national framework agreement on remote working in the public service. The volume to be handled was approximately 400 documents per year, with specific constraints: employees are public employees whose data is subject to particularly strict processing rules.
The authority opted for advanced signatures (AES), with sovereign hosting by a provider holding ANSSI's SecNumCloud qualification. The DPIA was submitted to the authority's DPO before deployment. Employees were informed via a service notice published on the intranet and an information banner in the digital process. The HR department estimated a saving of 3 FTE-days per month on the administrative management of amendments, equivalent to an annual saving of approximately €35,000 in direct costs, consistent with the ranges published by the Observatory of Digital Transformation in Local Authorities (2025).
Conclusion
GDPR compliance for electronic signature for HR documents is not an option: it conditions both the legal value of your acts and the protection of your employees' rights. In 2026, companies that have not yet updated their processing records, signed a DPA with their service provider and adapted the signature level to each type of document are exposed to a dual risk — employment and administrative — whose financial consequences can be significant.
The good news: a well-chosen and well-configured solution makes it possible to reconcile operational fluidity, eIDAS compliance and GDPR compliance without friction for HR teams or employees.
Certyneo supports you in this approach: eIDAS-compliant platform, DPA available, European hosting and signature processes designed for HR. Launch in a few clicks.