
GDPR in HR: Processing Employee Data

GDPR imposes strict obligations on HR departments regarding the processing of employee personal data. Discover how to comply concretely.

Certyneo Team · 12 min read

Human resource management generates, every day, a considerable volume of personal data: employment contracts, pay slips, health data, performance evaluations, bank details… Since the entry into force of the General Data Protection Regulation (GDPR) in May 2018, HR departments have become key players in compliance within organizations. Yet, according to CNIL's 2024 activity report, the human resources sector remains one of the three areas most frequently cited during inspections. This article guides you through the key obligations, best practices and tools available to process your employees' data in full compliance.

What personal data do HR departments process?

Common data categories

HR departments handle a very broad spectrum of personal data. Two main families can be distinguished:

Ordinary data, collected as part of the employment contract: name, surname, address, social security number, bank details, CV, qualifications, professional history, annual evaluations, working hours, attendance and absence data.

Sensitive data, subject to enhanced restrictions under Article 9 of the GDPR: health data (sick leave, workplace accident declarations, medical restrictions), trade union data (union membership, representative mandates), data relating to criminal convictions in certain recruitment contexts.

The latter can only be processed subject to an explicit exception provided for in the regulation — such as the performance of legal obligations in employment law, or the explicit consent of the data subject.

The special case of recruitment

The recruitment phase generates specific processing activities, often poorly regulated. The collection of CVs, cover letters and test results involves precise retention periods: according to CNIL recommendations, data of unsuccessful candidates must be deleted or anonymised within a maximum of two years after the last contact. Indefinitely retaining CVs in an unsecured shared directory constitutes a clear violation.

The use of tracking tools in ATS (Applicant Tracking Systems) or behavioural analysis algorithms must be expressly mentioned in the privacy policy provided to candidates, in accordance with Articles 13 and 14 of the GDPR.

The GDPR requires that any processing of personal data is based on one of the six legal bases defined in Article 6. In an HR context, three bases are primarily used:

  • Performance of the employment contract (Art. 6.1.b): justifies the processing of data necessary for the management of payroll, leave or training.
  • Legal obligation (Art. 6.1.c): applies to mandatory social declarations (DSN), personnel registers or monitoring of workplace accidents.
  • Legitimate interest (Art. 6.1.f): may be invoked for processing such as access badge management or video surveillance, subject to a rigorous balancing test.

Consent (Art. 6.1.a) is, however, a fragile legal basis in a work context: CNIL and the European Data Protection Board (EDPB) recall that the structural imbalance between the employer and the employee makes it difficult to prove freely given consent. It should only be used as a last resort.

The processing register, an essential obligation

Any organization employing at least 250 people — or processing sensitive data on a smaller scale — must maintain a register of processing activities (Art. 30 of the GDPR). In HR, this register must document, for each processing: the purpose, data categories, recipients, retention periods, and security measures implemented.

This document, kept available to CNIL in case of inspection, is also a valuable management tool. Combined with an electronic signature solution dedicated to HR, it makes it possible to trace and timestamp each stage of the lifecycle of an HR document, thereby strengthening the auditability of processes.

Employee rights and employer obligations

Informing employees: an immediate obligation

Article 13 of the GDPR requires informing data subjects at the time of data collection. In practice, HR departments must provide employees — ideally at the time of signing the employment contract — with a GDPR information notice detailing: the identity of the data controller, the purposes and legal bases, the retention period, available rights and the contact details of the DPO (Data Protection Officer) if the company has one.

Digitising and securing this exchange is essential. The use of electronic signature in business for the delivery of this notice guarantees timestamped and undisputable proof of delivery, aligned with the requirements of the eIDAS regulation.

Employee rights that must be respected

Employees have extensive rights over their data:

  • Right of access (Art. 15): any employee can request a copy of all data concerning them processed by the employer.
  • Right to rectification (Art. 16): correction of inaccurate data (e.g.: postal address, bank details).
  • Right to erasure (Art. 17): applicable in certain cases, in particular after the end of the contract and the expiry of statutory retention periods.
  • Right to object (Art. 21): the employee can object to processing based on legitimate interest.
  • Right to restrict processing (Art. 18): temporary freeze of disputed processing.

The employer has one month to respond to any request to exercise rights, extendable to three months in case of complexity (Art. 12 of the GDPR).

Security of HR data and management of sub-processors

Technical and organisational measures

Article 32 of the GDPR requires the implementation of security measures "appropriate to the risk". For HR data, best practices include:

  • Encryption of files containing sensitive data (pay slips, medical files).
  • Access controls: principle of least privilege — a payroll manager does not have access to disciplinary data.
  • Logging of access to HR systems (HRIS, payroll tools).
  • Data breach response plan: in case of a data leak, the employer has 72 hours to notify CNIL (Art. 33), and potentially the persons concerned if the risk is high (Art. 34).

A complete audit via the electronic signature guide can help HR teams identify unsecured processing persisting on paper and digitise them in a compliant manner.

Overseeing HR service providers through DPAs

HR departments rely on many sub-processors: payroll software, training platforms, time management tools. Each service provider accessing personal data must be the subject of a data processing agreement (DPA), in accordance with Article 28 of the GDPR. This contract must specify the processing instructions, security guarantees, terms of data return or destruction, and obligations in case of breach.

Selecting service providers hosting their infrastructure in the European Union, or governed by standard contractual clauses (SCCs) approved by the Commission, remains a fundamental requirement to prevent any unlawful transfer outside the EU.

Retention periods: a key issue

Statutory retention periods applicable to employee files

The retention period for HR data is governed by a layering of texts: the GDPR (principle of storage limitation, Art. 5.1.e), the Labour Code, and various fiscal and social provisions. In practice, the main periods to be observed are:

| Type of document | Minimum retention period |
|---|---|
| Pay slip | 5 years (social limitation period) |
| Employment contract | 5 years after end of contract |
| Payroll data (DSN) | 3 years (URSSAF audit) |
| Personnel register | 5 years after employee departure |
| Disciplinary data | Duration proportional to the measure |
| Medical file (occupational health) | 50 years (specific regulation) |

Implementation of an automated archiving and purge policy in the HRIS, coupled with electronic signature workflows that timestamp the creation of documents, is today the best practice to demonstrate compliance to CNIL.
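The retention table and the automated purge policy described above can be encoded as a small review step that runs before any deletion. The following Python is an added example, not Certyneo's code nor a CNIL tool: it turns each row of the table into a rule (anchor event plus number of years), computes the earliest purge date for each record, refuses disciplinary records that carry no explicit per-measure period, and separately flags pay slips and medical files that are not encrypted, one of the pitfalls mentioned later in this article. The record layout, the anchor-event names and the sample records are assumptions constructed for the example.

```python
"""Retention-schedule review for HR records (added example, not Certyneo's code).

Encodes the statutory minimum periods from the retention table and reports
which records are past their period (purge candidates), which must be kept,
and which cannot be evaluated yet because the anchor event has not occurred.
Record shape, anchor-event names and sample data are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Document type -> (anchor event, retention years). `None` years means the
# period must be set per record (disciplinary data: "proportional to the measure").
RETENTION_RULES = {
    "pay_slip": ("issued", 5),
    "employment_contract": ("contract_end", 5),
    "payroll_dsn": ("issued", 3),
    "personnel_register": ("employee_departure", 5),
    "disciplinary": ("measure_date", None),
    "medical_file": ("issued", 50),
}

# Types the article treats as requiring encryption at rest.
ENCRYPT_REQUIRED = {"pay_slip", "medical_file"}


@dataclass
class HrRecord:
    record_id: str
    doc_type: str
    anchor_date: Optional[date]        # date of the anchor event; None if it has not occurred yet
    custom_years: Optional[int] = None  # mandatory for disciplinary data
    encrypted: bool = False


def add_years(d: date, years: int) -> date:
    """Add whole years, clamping 29 February to 28 February when needed."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def purge_date(record: HrRecord) -> Optional[date]:
    """Earliest date the record may be purged, or None if the anchor event is pending."""
    _event, years = RETENTION_RULES[record.doc_type]
    if years is None:
        if record.custom_years is None:
            raise ValueError(f"{record.record_id}: disciplinary data needs an explicit retention period")
        years = record.custom_years
    if record.anchor_date is None:   # e.g. contract still running
        return None
    return add_years(record.anchor_date, years)


def review_records(records, today: date) -> dict:
    """Classify records for a purge review; nothing is deleted here."""
    report = {"purge": [], "keep": [], "pending": [], "unencrypted_sensitive": []}
    for r in records:
        due = purge_date(r)
        if due is None:
            report["pending"].append(r.record_id)
        elif due <= today:
            report["purge"].append(r.record_id)
        else:
            report["keep"].append(r.record_id)
        if r.doc_type in ENCRYPT_REQUIRED and not r.encrypted:
            report["unencrypted_sensitive"].append(r.record_id)
    return report


# Constructed sample inventory (not real data).
SAMPLE_RECORDS = [
    HrRecord("PS-2017-03", "pay_slip", date(2017, 3, 31), encrypted=True),
    HrRecord("PS-2023-11", "pay_slip", date(2023, 11, 30), encrypted=False),
    HrRecord("CT-0042", "employment_contract", None),          # contract still running
    HrRecord("CT-0017", "employment_contract", date(2019, 6, 30)),
    HrRecord("DSN-2021-Q1", "payroll_dsn", date(2021, 3, 31)),
    HrRecord("DISC-0003", "disciplinary", date(2022, 1, 15), custom_years=3),
    HrRecord("MED-0099", "medical_file", date(1990, 5, 1), encrypted=False),
]


def demo_report() -> dict:
    """Run the review against the sample inventory as of 1 June 2025."""
    return review_records(SAMPLE_RECORDS, date(2025, 6, 1))


def rejects_missing_period() -> bool:
    """Confirm a disciplinary record without a per-measure period is refused."""
    try:
        purge_date(HrRecord("DISC-BAD", "disciplinary", date(2024, 1, 1)))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for bucket, ids in demo_report().items():
        print(f"{bucket}: {ids}")
```

The output is a review list rather than a delete command on purpose: the periods in the table are statutory minimums, so a record past its period is a candidate for erasure under the storage-limitation principle, but the decision to purge, and the proof that it happened, belong in a reviewed and logged step.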

Pitfalls to avoid

The most common errors observed during CNIL inspections regarding HR data are: indefinite retention of CVs of unsuccessful candidates, maintenance of computer access for former employees, lack of encryption of exported payroll files, and failure to delete badge data beyond regulatory periods. To secure these points, consulting the comparison of electronic signature solutions makes it possible to identify tools natively integrating probative archiving and document lifecycle management functions.
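One of the pitfalls listed above, computer access kept open for former employees, is easy to detect by reconciling the HRIS departure dates against the identity directory's list of enabled accounts. The Python below is an added example, not Certyneo's code: it joins two constructed CSV exports and reports every enabled account whose owner left more than a grace period ago, noting whether the account was used after the departure date. Column names, the grace period and the sample rows are assumptions.

```python
"""Offboarding reconciliation (added example, not Certyneo's code).

Joins an HRIS export of departure dates against a directory export of
accounts and lists enabled accounts belonging to departed employees.
Both exports are constructed inline; field names are assumptions.
"""
import csv
from datetime import date, timedelta
from io import StringIO

# Constructed HRIS export: empty departure_date means still employed.
HRIS_EXPORT = """employee_id,name,departure_date
E001,Alice Martin,
E002,Bruno Leroy,2024-11-30
E003,Chloe Dubois,2025-05-15
E004,David Petit,2023-02-28
"""

# Constructed identity-directory export.
DIRECTORY_EXPORT = """account,employee_id,enabled,last_login
amartin,E001,true,2025-05-30
bleroy,E002,true,2025-01-12
cdubois,E003,false,2025-05-14
dpetit,E004,true,2025-05-29
"""


def parse_date(s: str):
    return date.fromisoformat(s) if s else None


def stale_accounts(hris_csv: str, directory_csv: str, today: date, grace_days: int = 1):
    """Return (account, employee_id, days_since_departure, used_after_departure)
    for every enabled account whose owner left more than grace_days ago."""
    departures = {
        row["employee_id"]: parse_date(row["departure_date"])
        for row in csv.DictReader(StringIO(hris_csv))
    }
    findings = []
    for row in csv.DictReader(StringIO(directory_csv)):
        if row["enabled"].strip().lower() != "true":
            continue                                   # already disabled: fine
        left = departures.get(row["employee_id"])
        if left is None or today - left < timedelta(days=grace_days):
            continue                                   # still employed or within grace period
        last_login = parse_date(row["last_login"])
        used_after = bool(last_login and last_login > left)
        findings.append((row["account"], row["employee_id"], (today - left).days, used_after))
    return findings


def demo_findings():
    """Run the reconciliation on the sample exports as of 1 June 2025."""
    return stale_accounts(HRIS_EXPORT, DIRECTORY_EXPORT, date(2025, 6, 1))


if __name__ == "__main__":
    for account, emp, days, used in demo_findings():
        flag = " (used after departure!)" if used else ""
        print(f"{account} ({emp}) still enabled {days} days after departure{flag}")
```

A login recorded after the departure date is the signal worth escalating: it means the account was not only left enabled but actually used, which is both a security incident and, for the HR data it can reach, a potential breach to assess against the 72-hour notification clock.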

The processing of employees' personal data falls within a dense regulatory framework, articulating several levels of regulation.

Regulation (EU) 2016/679 — GDPR is the cornerstone. Its Articles 5 to 11 define fundamental principles (lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality). Article 9 establishes strict conditions applicable to special categories of data, including health and trade union data, particularly common in HR. Article 83 provides for fines up to €20 million or 4% of global annual turnover in case of serious violation.

The modified Data Protection and Freedoms Act (Law No. 78-17 of 6 January 1978), in its consolidated version, adapts the GDPR to French law. It grants CNIL its powers of inspection and sanction, and provides in particular sectoral exemptions for health data in occupational health.

The Labour Code regulates processing related to employee monitoring (Art. L. 1121-1 on respect for privacy), consultation of staff representatives on digital tools (Art. L. 2312-38), and mandatory registers.

The eIDAS Regulation (No. 910/2014), supplemented by eIDAS 2.0 (Regulation EU 2024/1183), governs the legal value of electronic signatures affixed to HR documents. A qualified electronic signature (QES), compliant with Annex I of eIDAS and standards ETSI EN 319 132 and ETSI EN 319 122, provides the presumption of equivalence to a handwritten signature within the meaning of Article 1367 of the French Civil Code.

Article 1366 of the Civil Code provides that "an electronic document has the same probative force as a document on paper, provided that the person from whom it emanates can be duly identified and it is established and kept in conditions to guarantee its integrity". This provision is directly applicable to employment contracts, amendments, confidentiality agreements and other dematerialised HR documents.

The NIS2 Directive (EU 2022/2555), transposed into French law by the law of 26 February 2025, imposes on essential and important entities (in particular large industrial companies and digital service operators) enhanced requirements for managing risks related to information security, including the protection of sensitive HR data.

Penalties imposed by CNIL are on the rise: in 2024, the total amount of fines exceeded €100 million, with several decisions directly involving failures in the management of employee data. Non-compliance with retention periods, absence of a DPA with HR sub-processors, and insufficient security measures are among the most frequently cited complaints.

Use scenarios: GDPR compliance in HR in practice

Scenario 1 — A mid-sized industrial company with 450 employees digitises its onboarding processes

An industrial company of intermediate size, spread across three sites in France, managed its employment contracts and amendments on paper. New employee files were only transmitted to the payroll department after an average of 12 working days, generating payroll errors in approximately 8% of cases. Moreover, no GDPR notice was formally provided to new employees: information appeared only at the bottom of the staff regulations, not signed separately.

Following deployment of an electronic signature solution integrated with its HRIS, with simultaneous delivery of a GDPR notice co-signed by the employee and the HR manager, the company reduced the documentary onboarding period to 2 working days (an 83% reduction). Payroll errors due to missing data fell to less than 1%. Each signed document is archived with qualified timestamping, providing evidence that can be produced in the event of CNIL inspection or employment tribunal proceedings.

Scenario 2 — A distribution group with 1,200 employees implements its retention policy

A group operating in specialised distribution underwent a CNIL inspection following a complaint from a former employee. The inspection revealed that Excel files containing payroll data for employees who had left more than 8 years ago were still accessible on an unsecured shared server, without encryption. A formal warning was issued, along with an order to comply within 3 months.

The group then undertook a complete audit of its HR processing, mapped its 23 processing activities, and implemented an automated purge plan triggered by the HRIS. Electronically signed documents were migrated to a digital vault with retention periods configured in accordance with legal obligations. The DPO produced a complete HR processing register, presented during a second CNIL inspection 18 months later, which concluded without further action. The cost of compliance was estimated at less than 60% of the amount of a potential fine.

Scenario 3 — An HR consulting firm with 35 people secures the data of its own consultants and its clients

A firm specialising in human resources manages both the data of its own consultants and that of candidates and employees of its client companies (in the context of assessment or outplacement missions). It thus finds itself in a dual role: data controller for its own HR, and processor (or even joint controller) for third-party data.

The firm has implemented a differentiated document architecture: simple electronic signatures for routine internal exchanges, advanced signatures for mission contracts with clients, and data processing agreements (DPAs) systematically integrated into engagement letters. All consultants received an updated GDPR charter, electronically signed and kept in a dedicated register. This organisation allowed the firm to display its compliance as a commercial argument to large accounts subject to strict supplier audits, reducing the average contracting period from 7 to 2 weeks.

Conclusion

The GDPR imposes on human resource departments a profound transformation of their practices: rigorous identification of legal bases, effective information of employees, management of rights, contractual oversight of sub-processors, data security and respect of retention periods. These obligations are not mere administrative formalities — they determine the company's ability to avoid penalties that can reach several million euros and to maintain the trust of its teams.

The digitalisation of HR processes, through eIDAS-compliant electronic signature solutions, is one of the most effective levers for reconciling operational efficiency and regulatory compliance. Certyneo supports HR teams in this transition, from the signing of the employment contract to the secure archiving of employee files.

Discover how Certyneo can secure your HR processes by consulting our offer dedicated to HR teams or by starting for free to test the solution without commitment.
