GDPR in HR: Employee Data Processing
GDPR and human resources: legal bases, processing register, retention periods and employee rights in 2026.
Certyneo Team
Writer — Certyneo · About Certyneo

Introduction
Since the General Data Protection Regulation (GDPR) came into effect on 25 May 2018, HR departments have been at the forefront of compliance. Human resources functions process sensitive personal data daily: CVs, payslips, health data, performance evaluations, bank details. Poor management exposes the company to penalties of up to 20 million euros or 4% of global turnover (Article 83 of GDPR). This article presents key obligations and best practices for securing the processing of employee data throughout the HR cycle.
Fundamental principles applicable to HR data
GDPR imposes six cardinal principles codified in Article 5: lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation and integrity/confidentiality. In practice, this means that the HR department can only collect data strictly necessary for a determined purpose. For example, requesting a social security number from the application stage is disproportionate: it is only justified after hiring for DSN purposes.
The CNIL, through its deliberation no. 2019-160 bearing a standard relating to personnel management, specifies recommended retention periods: 2 years for unsuccessful applications (except with consent), 5 years after departure for the administrative file, 6 years for payslips in employer version.
Legal basis and information of employees
Contrary to popular belief, consent is rarely the appropriate legal basis in HR, due to the subordination relationship. The relevant bases are rather the performance of the employment contract (Article 6.1.b), legal obligation (Article 6.1.c) or legitimate interest (Article 6.1.f). For sensitive data (health, trade union), Article 9 requires a specific basis such as an obligation under labour law.
The employer must provide clear information through a GDPR notice given at hire, update the processing register (Article 30) and consult the works council before any new processing affecting employees (Article L.2312-38 of the Labour Code).
Security and employee rights
Technical and organisational security (Article 32) requires: encryption of HRIS systems, access control by profile, audit trail of consultations, confidentiality clauses with payroll or recruitment subcontractors (Article 28). In the event of a breach, notification to the CNIL within 72 hours.
Employees have enhanced rights: access, rectification, erasure (limited by legal retention obligations), portability, opposition. An internal procedure must allow responses within a maximum of one month. Refusal to access the disciplinary file must be legally justified.
Practical examples
Example 1 – Recruitment: A small business has retained CVs from all candidates for 5 years in a shared folder. Non-compliant: excessive duration, lack of security. Solution: automatic purge at 2 years, restricted access to recruiters, GDPR mention in the job advertisement.
Example 2 – Video surveillance: A logistics warehouse continuously films work stations. Possible penalty (the CNIL sanctioned Amazon France Logistics 32 M€ in 2024). Solution: limit to sensitive areas, individual information, works council consultation, maximum retention period of one month.
Example 3 – Collaborative tools: The deployment of Microsoft 365 requires an impact assessment (DPIA) if monitoring functions are enabled, as well as a compliant data processing clause with the publisher.
Compliance and penalties
Beyond CNIL fines, the employer is exposed to labour court actions for breach of privacy (Article 9 of the Civil Code, Article L.1121-1 of the Labour Code). The appointment of a DPO is mandatory for entities processing data on a large scale. An annual mapping of HR processing activities, combined with manager training, constitutes the best legal and operational protection.
Conclusion
GDPR compliance in HR is not a one-off project but a continuous improvement process. Between legal obligations, employee rights and operational performance, HR managers must govern data with rigour. Investing in a compliant HRIS system, training teams and documenting each processing transforms regulatory constraints into a lever of employee trust.
Try Certyneo for free
Send your first signature envelope in less than 5 minutes. 5 free envelopes per month, no credit card required.
Dive deeper
Reference articles on this topic.
Dive deeper
Our comprehensive guides to master electronic signatures.
Recommended articles
Deepen your knowledge with these articles related to the topic.
Construction Compliance Certificates: Sign Them Online in 2026
Compliance certificates in the construction sector concentrate major legal and operational challenges. Discover how certified electronic signature transforms their management.
Site handover report: sign electronically on construction site
The site handover report (PV) is a major legal document in construction. Electronic signature secures it, accelerates it and eliminates postal delays.
Digital Site Quotations: Sign with Your Clients in 2026
The dematerialisation of site quotations is transforming client relationships in construction. Discover how electronic signature secures and accelerates every field validation.