GDPR in HR: Employee Data Processing
GDPR and human resources: legal bases, processing register, retention periods and employee rights in 2026.
Certyneo Team

Introduction
Since the General Data Protection Regulation (GDPR) came into effect on 25 May 2018, HR departments have been at the forefront of compliance. Human resources functions process sensitive personal data daily: CVs, payslips, health data, performance evaluations, bank details. Poor management exposes the company to penalties of up to 20 million euros or 4% of global turnover (Article 83 of GDPR). This article presents key obligations and best practices for securing the processing of employee data throughout the HR cycle.
Fundamental principles applicable to HR data
GDPR imposes six cardinal principles codified in Article 5: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and integrity and confidentiality. In practice, this means that the HR department may only collect data strictly necessary for a determined purpose. For example, requesting a social security number at the application stage is disproportionate: it is only justified after hiring, for the purposes of the DSN (déclaration sociale nominative, the French monthly social declaration).
The CNIL, through its deliberation no. 2019-160 adopting a reference framework on personnel management, specifies recommended retention periods: 2 years for unsuccessful applications (unless the candidate consents to longer retention), 5 years after departure for the administrative file, and 6 years for the employer's copy of payslips.
Legal basis and information of employees
Contrary to popular belief, consent is rarely the appropriate legal basis in HR, because the subordination relationship prevents it from being freely given. The relevant bases are instead the performance of the employment contract (Article 6.1.b), a legal obligation (Article 6.1.c) or legitimate interest (Article 6.1.f). For special categories of data (health, trade union membership), Article 9 requires a specific basis, such as an obligation under labour law.
The employer must provide clear information through a GDPR notice given at hire, update the processing register (Article 30) and consult the works council before any new processing affecting employees (Article L.2312-38 of the Labour Code).
Security and employee rights
Technical and organisational security (Article 32) requires: encryption of HRIS systems, access control by profile, an audit trail of who consulted which record, and contractual confidentiality and processing clauses with payroll or recruitment processors (Article 28). In the event of a personal data breach, the CNIL must be notified within 72 hours (Article 33).
Employees have enhanced rights: access, rectification, erasure (limited by legal retention obligations), portability and objection. An internal procedure must allow responses within a maximum of one month. Any refusal of access to the disciplinary file must be legally justified.
Practical examples
Example 1 – Recruitment: A small business has kept the CVs of all candidates for 5 years in a shared folder. Non-compliant: excessive retention period and lack of security. Solution: automatic purge after 2 years, access restricted to recruiters, and a GDPR notice in the job advertisement.
Example 2 – Video surveillance: A logistics warehouse continuously films work stations. Possible penalty (the CNIL sanctioned Amazon France Logistics 32 M€ in 2024). Solution: limit filming to sensitive areas, inform each employee individually, consult the works council, and cap retention at one month.
Example 3 – Collaborative tools: Deploying Microsoft 365 requires a data protection impact assessment (DPIA) if monitoring functions are enabled, as well as a compliant data processing clause with the vendor.
Compliance and penalties
Beyond CNIL fines, the employer is exposed to labour court actions for breach of privacy (Article 9 of the Civil Code, Article L.1121-1 of the Labour Code). The appointment of a DPO is mandatory for entities processing data on a large scale. An annual mapping of HR processing activities, combined with manager training, constitutes the best legal and operational protection.
Conclusion
GDPR compliance in HR is not a one-off project but a continuous improvement process. Between legal obligations, employee rights and operational performance, HR managers must govern data with rigour. Investing in a compliant HRIS system, training teams and documenting each processing transforms regulatory constraints into a lever of employee trust.