Electronic Signature in HR & GDPR: Complete Guide 2026
Between eIDAS, GDPR and management of employees' personal data, electronic signature of your HR documents is subject to strict rules. Discover how to remain compliant.
Certyneo Team
Writer, Certyneo
The digitalisation of human resources has accelerated significantly since 2020: employment contracts, amendments, payslips, IT policies, remote work agreements — virtually all these documents now circulate in digital form. Yet dematerialisation does not mean exemption from legal obligations. On the contrary: electronic signature of HR documents under GDPR is a subject with a dual regulatory dimension, as it combines the eIDAS framework on the probative value of signatures with the European regulation on personal data protection. If poorly managed, this dual constraint exposes the company to legal risks and CNIL (French Data Protection Authority) sanctions. This guide presents the essential rules, best practices and points of vigilance that you absolutely need to know in 2026.
Why does GDPR apply to electronic signature in HR?
Electronic signature necessarily processes personal data
Signing an employment contract online involves collecting, transmitting and storing personal data within the meaning of Article 4 of GDPR No. 2016/679: name, first name, professional email address, sometimes mobile phone number, signature timestamp and IP address. In an HR context, this data is particularly sensitive because it directly identifies the employee and relates to their contractual relationship with the employer.
The trust service provider (TSP) that supplies the signature solution is qualified as a processor within the meaning of Article 28 of the GDPR. The employer remains the controller. This distinction is fundamental: it is the company that answers to the CNIL in case of breach, not the software provider.
Legal bases available in HR context
For each category of dematerialised HR documents, the employer must identify the most appropriate legal basis for processing:
- Performance of contract (Art. 6.1.b GDPR): signature of employment contract, salary amendment, fixed-days convention. This is the most robust legal basis for contractual documents.
- Legal obligation (Art. 6.1.c GDPR): dematerialised delivery of payslip (authorised since the Macron law of 2015 under certain conditions), personnel registers.
- Legitimate interest (Art. 6.1.f GDPR): IT policies, internal regulations, internal policy documents — subject to passing the balancing test.
The consent basis (Art. 6.1.a) should be avoided in HR context: the CNIL and the EDPB (European Data Protection Board) consider that the subordination relationship between employer and employee makes consent rarely free. An employee refusing to sign electronically could fear professional consequences.
Concrete obligations of the HR data controller
Update the Records of Processing Activities (RPA)
Article 30 of the GDPR requires any organisation employing more than 250 employees (and SMEs processing sensitive data on a large scale) to maintain a Records of Processing Activities. The introduction of an electronic signature tool for HR documents must be included with:
- The purpose of processing (e.g. dematerialisation and archiving of contractual HR documents)
- Categories of data processed (identity, contact data, authentication data)
- Duration of retention (legal retention period for employment contract: 5 years after termination under Labour Code, Art. L. 1234-20)
- Contact details of the processor (the signature platform)
- Security measures in place
Sign a DPA (Data Processing Agreement) with the service provider
In accordance with Article 28 of the GDPR, any use of a processor to process personal data must be formalised by a Data Processing Agreement (DPA). This agreement must specify:
- The subject matter and duration of processing
- The nature and purpose of processing
- The type of personal data and categories of data subjects
- Obligations and rights of the controller
- Data location (EU hosting recommended to avoid transfers outside EEA)
- Technical and organisational security measures
A reputable electronic signature provider systematically offers a GDPR-compliant DPA. Its absence constitutes an immediate non-compliance that is subject to sanctions.
Inform employees before first signature
Article 13 of the GDPR requires prior information of persons whose data is collected. Before deploying electronic signature for HR documents, the employer must inform employees of:
- The identity of the controller
- The purpose and legal basis
- The duration of data retention
- Their rights (access, rectification, deletion within the limits of legal retention obligations, portability)
- The contact details of the Data Protection Officer (DPO) if appointed
This information can be integrated into the signature process itself (information banner before signature), into the updated internal regulations, or via a service note distributed during deployment.
Signature level required for HR documents: SES, AES or QES?
The hierarchy of eIDAS levels
Regulation eIDAS No. 910/2014 defines three levels of electronic signature, each offering increasing probative value:
- SES (Simple Electronic Signature): low probative value, suitable for documents with low stakes (acknowledgements of receipt, internal forms)
- AES (Advanced Electronic Signature): linked uniquely to the signatory, created from data under their exclusive control. Suitable for most common HR documents.
- QES (Qualified Electronic Signature): the highest level, equivalent to a handwritten signature under Article 25.2 eIDAS. Requires enhanced identity verification (face-to-face or video identification).
Which level for which HR documents?
The recommended mapping in 2026, taking into account French jurisprudence positions and sectoral recommendations:
| HR Document | Recommended Level | Justification |
|---|---|---|
| Permanent/Fixed-term Employment Contract | AES minimum, QES recommended | Strong contractual value, labour litigation risk |
| Contractual Amendment | AES minimum, QES recommended | Same logic as main contract |
| Trial Period (Renewal) | AES | Short timeframe, limited formality |
| Remote Work / BYOD Charter | SES or AES | Collective agreement or internal regulation |
| Fixed-days Convention | QES strongly advised | Demanding employment case law |
| Termination by Agreement | QES mandatory | Certified Cerfa form, high stakes |
| Settlement Receipt | AES or QES | Liberatory value, Labour Code Art. L. 1234-20 |
For documents with high litigation stakes (fixed-days convention, termination by agreement), QES becomes de facto mandatory to guarantee enforceability before employment tribunals. The Court of Cassation has progressively tightened its requirements on proof of employee consent.
Retention, archiving and individual rights: pitfalls to avoid
Legal retention periods for signed HR documents
Retention of electronically signed HR documents is subject to mandatory legal periods. These periods override the right to erasure under the GDPR (Art. 17.3.b):
- Employment contract: 5 years after termination (employment tribunal prescription, Labour Code Art. L. 1471-1)
- Payslips: 5 years (wage prescription), but retention recommended until pension entitlement liquidation
- Work accident documentation: 30 years (long-term litigation risk)
- Vocational training (plans, certificates): 3 years
- Personnel registers: 5 years after the date the employee left the establishment
Long-term electronic archiving with probative value must comply with NF Z 42-013 standard and ideally with ETSI EN 319 162 standard (long-term archiving of electronic signatures). Simple server storage is insufficient: integrity, readability and qualified timestamping of documents must be guaranteed over the entire retention period.
Managing employee rights without compromising probative value
An employee may legitimately exercise their right of access (Art. 15 GDPR) to obtain a copy of signature data concerning them. They can also request rectification of inaccurate data.
By contrast, the right to erasure (Art. 17 GDPR) cannot be exercised for HR documents subject to legal retention obligations. The employer must be able to clearly explain this refusal, citing the applicable legal basis. Documenting these exchanges in the rights request register is a best practice recommended by the CNIL.
Portability (Art. 20 GDPR) applies to data provided by the employee on the basis of consent or performance of contract. Concretely, an employee can request their signature data in a structured format — an obligation to anticipate when choosing the signature solution.
Technical and organisational security: indispensable measures
Technical requirements of the signature platform
In accordance with Article 32 of the GDPR, security measures must be appropriate to the risk. For an HR electronic signature solution, this translates in particular to:
- Encryption of data in transit (TLS 1.3 minimum) and at rest (AES-256)
- Multi-factor authentication (MFA) for platform access
- Timestamped, tamper-evident audit logs tracing each action on the document
- Hosting in the EU (or EEA) to avoid transfers outside EEA without adequate safeguards (adequacy decision or standard contractual clauses)
- Annual penetration tests and ISO 27001 certification of the provider
- Business continuity plan guaranteeing service availability and archive recovery in case of incident
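The integrity requirement of the archiving section and the tamper-evident audit log requirement above share one mechanism: each event on a signature envelope is bound to the document's hash and to the previous event, so any later alteration, deletion or back-dating breaks the chain. The following is an added illustration, not Certyneo's code or any platform's API; the event names, addresses and document bytes are constructed, and a real archive would additionally anchor the chain with a qualified timestamp from a TSP, which this example does not do.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first event in a chain


def canonical(event):
    # Stable serialisation so the same event always hashes identically
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def append_event(chain, action, actor, doc_sha256, ts):
    """Append one audit event, linking it to the previous event and to the document hash."""
    prev = chain[-1]["entry_hash"] if chain else GENESIS
    entry = {"ts": ts, "action": action, "actor": actor,
             "doc_sha256": doc_sha256, "prev_hash": prev}
    entry["entry_hash"] = hashlib.sha256(canonical(entry)).hexdigest()
    chain.append(entry)
    return entry


def verify_chain(chain):
    """Return (True, None) if intact, else (False, index of the first inconsistent event)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev_hash"] != prev:
            return False, i  # an event was removed, reordered or inserted before this one
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if hashlib.sha256(canonical(body)).hexdigest() != entry["entry_hash"]:
            return False, i  # a field of this event (actor, timestamp, ...) was edited
        prev = entry["entry_hash"]
    return True, None


def document_unchanged(chain, archived_bytes):
    """Integrity check usable at any point of the retention period: the archived file
    must still hash to the value every audit event was bound to."""
    digest = hashlib.sha256(archived_bytes).hexdigest()
    return all(e["doc_sha256"] == digest for e in chain)


# Constructed sample: one employment-contract envelope with three events (hypothetical data)
SAMPLE_PDF = b"constructed employment contract PDF bytes"


def build_sample_chain():
    doc = hashlib.sha256(SAMPLE_PDF).hexdigest()
    chain = []
    append_event(chain, "envelope.created", "hr@example.invalid", doc, "2026-01-12T09:00:00Z")
    append_event(chain, "document.viewed", "employee@example.invalid", doc, "2026-01-12T09:14:05Z")
    append_event(chain, "document.signed", "employee@example.invalid", doc, "2026-01-12T09:16:40Z")
    return chain
```

A periodic job that re-runs `verify_chain` and `document_unchanged` over the archive is how the "integrity guaranteed over the entire retention period" requirement becomes checkable rather than declarative.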
Impact Assessment (DPIA): when is it mandatory?
Article 35 of the GDPR requires a Data Protection Impact Assessment (DPIA) when processing is likely to pose a high risk. The CNIL has published a list of types of processing requiring a DPIA: large-scale processing of data relating to professional life is mentioned.
Concretely, a DPIA is recommended (even mandatory for large enterprises) when deploying an HR electronic signature solution affecting all employees. It must identify risks (loss of confidentiality, identity usurpation, document alteration), assess their severity and probability, and propose mitigation measures. This analysis must be documented and reviewed in case of processing changes.
Legal framework applicable to HR electronic signature and GDPR
Founding European texts
Regulation eIDAS No. 910/2014 (and its eIDAS 2.0 revision currently being rolled out): this text defines the three levels of electronic signature (SES, AES, QES) and their legal effect throughout Member States. Article 25 provides that QES has a legal effect equivalent to a handwritten signature. Article 26 lists the technical requirements for advanced signature. Qualified trust service providers are registered on national trust lists (in France, the list is managed by ANSSI).
GDPR No. 2016/679: applicable since 25 May 2018, this regulation governs all processing of personal data within the EU. Articles 5 (principles), 6 (legal bases), 13-14 (information), 28 (processors), 30 (records), 32 (security), 35 (DPIA) and 37-39 (DPO) are directly relevant to HR electronic signature.
French law applicable
Civil Code, Articles 1366-1367: Article 1366 establishes the principle of functional equivalence between electronic and paper writing. Article 1367 recognises electronic signature as a means of proof, provided it consists of a reliable identification procedure guaranteeing the link with the act to which it is attached. Reliability is presumed for QES, but can be demonstrated for AES.
Labour Code: Article L. 1221-1 does not require a particular form for the employment contract (except exceptions: fixed-term contract Art. L. 1242-12, apprenticeship contract, etc.). The 2015 Macron law (Law No. 2015-990) opened the way to electronic payslips. Article L. 3243-2 governs its terms.
Data Protection and Freedom Law (Law No. 78-17 of 6 January 1978): French transposition of the GDPR, it grants the CNIL its investigation and sanction powers. Fines can reach 20 million euros or 4% of annual worldwide turnover for the most serious violations.
Reference technical standards
- ETSI EN 319 132: advanced electronic signature format XAdES, applicable to XML documents
- ETSI EN 319 122: CAdES format for electronic signatures of CMS documents
- ETSI EN 319 162: long-term archiving of electronic signatures (ASiC)
- NF Z 42-013 (AFNOR): functional specifications for an evidential electronic archiving system
- ISO/IEC 27001: information security management, expected certification standard for providers
Legal risks in case of non-compliance
The cumulative risks are significant: an employment contract signed with an insufficient signature level can be contested before the employment tribunal, exposing the employer to requalification or nullity. On the GDPR side, the absence of a DPA with the provider, failure to inform employees or hosting outside the EU without adequate safeguards can lead to a CNIL enforcement notice or even a public administrative sanction.
Use scenarios: HR electronic signature compliant with GDPR
Scenario 1: a mid-sized industrial company with 600 employees digitalises its employment contracts
A mid-sized industrial enterprise, spread across four sites in France, was processing approximately 180 permanent/fixed-term hires annually, generating as many files to print, sign in duplicate, scan and archive. The average delay between the recruitment promise and actual contract signature reached 8 working days.
After deploying an advanced electronic signature solution (AES) integrated into its HRIS, with a GDPR-compliant DPA signed with the provider and a documented DPIA, the company reduced this delay to less than 24 hours. The rate of incomplete files fell by 34% (sources: ANDRH sector benchmarks 2024). French hosting was selected as a contractual criterion, eliminating any risk of transfer outside the EEA. Employees are informed of processing through an information banner integrated into the signature flow, ensuring compliance with GDPR Article 13.
Scenario 2: a retail franchise network deploys QES signature for fixed-days conventions
A distribution network specialising in retail with about sixty points of sale and one hundred fixed-days salaried executives faced an identified employment litigation risk: several fixed-days conventions could only be proven through copies of poor-quality paper. The Court of Cassation having tightened its requirements for proof of this type of convention, the litigation risk was estimated at several hundred thousand euros.
The network deployed a qualified signature solution (QES) for all new conventions and offered existing salaried executives the option to re-sign their existing conventions. Identity verification by video identification was selected. The Records of Processing Activities were updated, and an external DPO validated the GDPR compliance of the process. Within 6 months, the entire fixed-days conventions portfolio was secured. The cost of the initiative (approximately €15-25 per QES signature depending on market providers) was considered far lower than the litigation risk covered.
Scenario 3: a local authority dematerialises its amendments and remote work charters
A local authority with approximately 1,200 permanent staff wished to dematerialise the management of its remote work amendments following the national framework agreement of 2021 on remote work in the public service. The volume to be processed was approximately 400 documents per year, with specific constraints: staff are public-sector employees whose data are subject to particularly regulated processing.
The authority opted for advanced signatures (AES), with sovereign hosting by a provider qualified SecNumCloud by ANSSI. The DPIA was submitted to the authority's DPO before deployment. Staff were informed via a service note published on the intranet and an information banner in the digital process. The HR department estimated a saving of 3 FTE-days per month on administrative management of amendments, equivalent to approximately €35,000 in annual direct costs, consistent with ranges published by the Observatory of Digital Transformation of Local Authorities (2025).
Conclusion
GDPR compliance for electronic signature of HR documents is not optional: it conditions both the legal value of your acts and the protection of your employees' rights. In 2026, companies that have not yet updated their processing records, signed a DPA with their provider and adapted the signature level to each document type are exposed to a dual risk — employment litigation and administrative — whose financial consequences can be significant.
The good news: a well-chosen and well-configured solution allows you to combine operational fluidity, eIDAS compliance and GDPR compliance without friction for HR teams or employees.
Certyneo supports you in this approach: eIDAS-compliant platform, DPA available, European hosting and signature flows designed for HR. Discover our solution dedicated to human resources or calculate the ROI of your transition to full digitalisation in just a few clicks.