Electronic Signature in HR & GDPR: Complete Guide 2026
Between eIDAS, GDPR and personal data management of employees, the electronic signature of your HR documents is subject to strict rules. Discover how to remain compliant.
Certyneo Team
Writer — Certyneo · About Certyneo
The digitalisation of human resources has accelerated considerably since 2020: employment contracts, amendments, pay slips, IT policies, telework agreements, almost all of these documents now circulate in digital form. Yet dematerialising does not mean escaping legal obligations. Quite the contrary: the electronic signature of HR documents sits at the intersection of two regulatory frameworks, eIDAS for the probative value of signatures and the GDPR for the protection of personal data. Mishandling either exposes the company to legal risk and to CNIL sanctions. This guide presents the essential rules, best practices and points of attention to know in 2026.
Why does GDPR apply to electronic signatures in HR?
Electronic signatures necessarily process personal data
Signing an employment contract online involves collecting, transmitting and storing personal data within the meaning of Article 4 of Regulation (EU) 2016/679 (GDPR): surname, first name, professional email address, sometimes mobile phone number, signing timestamp and IP address. In an HR context this data deserves particular care: it directly identifies the employee and is linked to their contractual relationship with the employer.
The trust service provider (TSP) supplying the signature solution acts as a processor under Article 28 of the GDPR; the employer remains the controller. This distinction is fundamental: the company, as controller, answers first to the CNIL for the lawfulness of the processing. The processor is not exempt, however: the GDPR imposes direct obligations on processors (security, sub-processing, breach notification to the controller) and they can be sanctioned in their own right.
Legal bases available in HR context
For each category of dematerialised HR documents, the employer must identify the most appropriate legal basis for processing:
- Performance of a contract (art. 6.1.b GDPR): signing of the employment contract, salary amendment, forfeit-days agreement (convention de forfait en jours). This is the most robust legal basis for contractual documents.
- Legal obligation (art. 6.1.c GDPR): dematerialised pay slip delivery (permitted since the Macron law of 2015 under conditions), personnel records.
- Legitimate interest (art. 6.1.f GDPR): IT policies, internal regulations, internal policy documents — subject to passing the balancing test.
The consent basis (art. 6.1.a) should be avoided in an HR context: the CNIL and the EDPB (European Data Protection Board) consider that the relationship of subordination between employer and employee means consent is rarely freely given. An employee who refuses to sign electronically might fear professional consequences.
Concrete obligations of the HR data controller
Update the processing activity register (PAR)
Article 30 of the GDPR requires organisations to maintain a record of processing activities. The exemption for organisations with fewer than 250 employees (art. 30.5) does not apply when the processing is not occasional, and HR processing is by nature recurring, so in practice every employer must keep the record. The introduction of an electronic signature tool for HR documents must be entered in it with:
- The purpose of processing (e.g.: dematerialisation and archiving of HR contractual documents)
- Categories of data processed (identity, contact data, authentication data)
- Duration of storage (aligned with the legal retention period of each document type; see the retention periods below)
- Details of the processor (the signature platform)
- Security measures in place
Sign a DPA (Data Processing Agreement) with the service provider
In accordance with Article 28 of the GDPR, any use of a processor to process personal data must be formalised by a data processing contract (DPA). This contract must specify:
- Object and duration of processing
- Nature and purpose of processing
- Type of personal data and categories of data subjects
- Obligations and rights of the controller
- Location of data (hosting within EU recommended to avoid transfers outside EEA)
- Technical and organisational security measures
A serious electronic signature provider systematically offers a compliant DPA. Its absence constitutes an immediate non-compliance that can be sanctioned.
Inform employees before the first signature
Article 13 of the GDPR requires prior information of persons whose data is collected. Before deploying electronic signatures for HR documents, the employer must inform employees of:
- The identity of the controller
- The purpose and legal basis
- Duration of data storage
- Their rights (access, rectification, erasure within limits of legal retention obligations, portability)
- Details of the Data Protection Officer (DPO) if appointed
This information can be integrated into the signature process itself (information banner before signing), in the updated internal regulations, or via a service notice distributed during rollout.
Required signature level for HR documents: SES, AES or QES?
The hierarchy of eIDAS levels
Regulation eIDAS No. 910/2014 defines three levels of electronic signatures, each offering increasing probative value:
- SES (Simple Electronic Signature): any electronic data attached to other data and used by the signatory to sign (a scanned signature image, a click-to-sign). Low probative value, suitable for low-stake documents (receipts, internal forms).
- AES (Advanced Electronic Signature): uniquely linked to the signatory, capable of identifying them, created using signature creation data under their sole control, and linked to the signed data so that any subsequent change is detectable (art. 26 eIDAS). Suitable for most common HR documents.
- QES (Qualified Electronic Signature): an AES created with a qualified signature creation device and based on a qualified certificate; its legal effect is equivalent to a handwritten signature under art. 25.2 eIDAS. Issuing the qualified certificate requires verified identity (face-to-face or equivalent remote/video identification).
Which level for which HR documents?
The recommended mapping in 2026, taking into account positions of French case law and sectoral recommendations:
| HR Document | Recommended Level | Justification |
|---|---|---|
| Permanent/fixed-term employment contract | AES minimum, QES recommended | Strong contractual value, labour dispute risk |
| Contractual amendment | AES minimum, QES recommended | Same logic as the main contract |
| Trial period (renewal) | AES | Short timeline, limited formality |
| Telework/BYOD policy | SES or AES | Collective agreement or internal regulation |
| Forfeit-days agreement | QES strongly advised | Demanding employment case law |
| Conventional termination | QES (de facto necessary) | Homologated Cerfa form, high stakes |
| Receipt for full and final settlement | AES or QES | Discharge value, art. L. 1234-20 Labour Code |
For documents with high litigation risk (forfeit-days agreement, conventional termination), QES becomes de facto necessary to guarantee enforceability before labour courts. The Court of Cassation has progressively tightened its requirements on proof of employee agreement.
Storage, archiving and rights of individuals: pitfalls to avoid
Legal retention periods for electronically signed HR documents
The storage of electronically signed HR documents is subject to imperative legal periods. These periods override the GDPR right to erasure (art. 17.3.b):
- Employment contract: 5 years after the end of the contract
- Pay slips: the employer's copy must be kept 5 years (Labour Code, art. L. 3243-4); keeping them until pension rights are settled is recommended
- Documents relating to workplace accidents: 30 years (long-term litigation risk)
- Vocational training (plans, certificates): 3 years
- Personnel records: 5 years after the date the employee left the establishment
Long-term electronic archiving with probative value must meet the requirements of the NF Z 42-013 standard and rely on the ETSI signature formats with long-term validation data (the LTA levels of XAdES, CAdES and PAdES, packaged where needed in ASiC containers per ETSI EN 319 162). Simple server storage is insufficient: integrity, readability and qualified timestamping must be guaranteed over the entire retention period, which in practice means re-timestamping the archive before the signing certificates and earlier timestamp tokens expire.
Managing employees' rights without compromising probative value
An employee can legitimately exercise their right of access (art. 15 GDPR) to obtain a copy of the signature data concerning them. They may also request rectification of inaccurate data.
However, the right to erasure (art. 17 GDPR) cannot be exercised on HR documents subject to legal retention obligations. The employer must be able to clearly explain this refusal, citing the applicable legal basis. Documenting these exchanges in the rights request register is a good practice recommended by the CNIL.
Portability (art. 20 GDPR) applies to data provided by the employee based on consent or contract performance. Concretely, an employee can request their signature data in a structured format — an obligation to anticipate when choosing a signature solution.
Technical and organisational security: essential measures
Technical requirements of the signature platform
In accordance with Article 32 of the GDPR, security measures must be appropriate to the risk. For an electronic signature solution in HR, this translates in particular into:
- Encryption of data in transit (TLS 1.2 or later, TLS 1.3 preferred, weak cipher suites disabled) and at rest (AES-256)
- Multi-factor authentication (MFA) for platform access
- Timestamped, tamper-evident audit logs (hash-chained or signed) tracing every action on the document: creation, sending, viewing, signing, each with actor, timestamp and IP address
- Hosting within the EU (or EEA) to avoid transfers outside EEA without adequate guarantees (adequacy decision or standard contractual clauses)
- Annual penetration testing and ISO 27001 certification of the provider, plus qualified trust service status on the EU trusted list when QES is used
- Business continuity plan guaranteeing service availability and archive recovery in case of incident
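The two requirements above that are purely technical, the tamper-evident audit log and the integrity of the archived document over its whole retention period, can be demonstrated with a hash chain. The following is an added example written for this guide; it is not Certyneo's code nor any provider's implementation. Each audit event is bound to the SHA-256 of the document and to the hash of the previous event, so editing, reordering or inserting an entry, or swapping the archived document, breaks verification. The genesis constant, the event field names and the sample document bytes are assumptions made for the example. Anchoring the chain head in a qualified timestamp token from a TSA, which is what makes truncation of the tail detectable, is left out and noted in the comments.

```python
"""Hash-chained audit trail for an e-signature envelope (added example).

Assumptions made for this example: a fixed genesis hash, the event schema below
and constructed sample document bytes. A production archive would additionally
seal the chain head with a qualified timestamp token (RFC 3161 TSA); without it,
silently dropping the most recent events is not detectable by this check alone.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # assumption: fixed chain anchor for the first event


def document_hash(document_bytes: bytes) -> str:
    """SHA-256 of the archived document, the value every event is bound to."""
    return hashlib.sha256(document_bytes).hexdigest()


def _canonical(obj: dict) -> bytes:
    # Deterministic serialisation (sorted keys, no whitespace) so that the same
    # event always hashes to the same value regardless of dict ordering.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def append_event(chain: List[dict], action: str, actor: str, doc_hash: str,
                 ip: str, ts: Optional[str] = None) -> dict:
    """Append one audit event, chained to the previous one by hash."""
    prev = chain[-1]["event_hash"] if chain else GENESIS
    event = {
        "seq": len(chain),
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "action": action,
        "actor": actor,
        "doc_hash": doc_hash,
        "ip": ip,
        "prev_hash": prev,
    }
    event["event_hash"] = hashlib.sha256(_canonical(event)).hexdigest()
    chain.append(event)
    return event


def verify_chain(chain: List[dict], expected_doc_hash: str) -> Tuple[bool, int]:
    """Return (True, -1) if the trail is intact, else (False, index of first bad event).

    Checks, for each event: sequence number, link to the previous event, binding
    to the archived document, and that the stored event_hash matches the content.
    """
    prev = GENESIS
    for i, ev in enumerate(chain):
        body = {k: v for k, v in ev.items() if k != "event_hash"}
        if ev.get("seq") != i or ev.get("prev_hash") != prev:
            return False, i
        if ev.get("doc_hash") != expected_doc_hash:
            return False, i
        if hashlib.sha256(_canonical(body)).hexdigest() != ev.get("event_hash"):
            return False, i
        prev = ev["event_hash"]
    return True, -1


def build_sample_chain() -> Tuple[List[dict], str]:
    """Constructed sample: an envelope created by HR, viewed and signed by the employee."""
    doc = b"%PDF-1.7 ... employment contract (constructed sample bytes)"
    h = document_hash(doc)
    chain: List[dict] = []
    append_event(chain, "envelope_created", "hr@example.test", h, "10.0.0.5",
                 "2026-01-12T09:00:00+00:00")
    append_event(chain, "document_viewed", "employee@example.test", h, "203.0.113.7",
                 "2026-01-12T09:15:00+00:00")
    append_event(chain, "document_signed", "employee@example.test", h, "203.0.113.7",
                 "2026-01-12T09:17:30+00:00")
    return chain, h


def tampered_chain() -> Tuple[List[dict], str]:
    """Same trail, but the signature event has been backdated after the fact."""
    chain, h = build_sample_chain()
    chain[2]["ts"] = "2026-01-11T09:17:30+00:00"
    return chain, h


if __name__ == "__main__":
    chain, h = build_sample_chain()
    print("intact trail:", verify_chain(chain, h))
    bad, h_bad = tampered_chain()
    print("backdated signature:", verify_chain(bad, h_bad))
    print("document swapped:", verify_chain(chain, document_hash(b"another file")))
```

The check a practitioner should run when assessing a platform is exactly this: export the audit trail for an envelope, change one field of one event, and confirm the provider's verification rejects it and identifies the event. A trail that is merely "logged" in a database with no chaining or signature will pass that edit unnoticed.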
Impact assessment (DPIA): when is it mandatory?
Article 35 of the GDPR requires a Data Protection Impact Assessment (DPIA) when processing is likely to present a high risk. The CNIL has published a list of types of processing requiring a DPIA: large-scale processing of data relating to working life is mentioned there.
Concretely, a DPIA is recommended (even mandatory for large enterprises) when deploying an electronic signature solution for HR affecting all employees. It must identify risks (loss of confidentiality, identity fraud, document alteration), assess their gravity and probability, and propose mitigation measures. This analysis must be documented and reviewed if processing changes.
Legal framework applicable to electronic signature in HR and GDPR
Founding European texts
Regulation eIDAS No. 910/2014 (and its eIDAS 2.0 revision currently being rolled out): this text defines the three levels of electronic signatures (SES, AES, QES) and their legal value throughout Member States. Article 25 provides that QES has a legal effect equivalent to handwritten signature. Article 26 lists the technical requirements for advanced signature. Qualified trust service providers are registered on national trust lists (in France, the list is managed by ANSSI).
GDPR No. 2016/679: applicable since 25 May 2018, this regulation governs any processing of personal data within the EU. Articles 5 (principles), 6 (legal bases), 13-14 (information), 28 (processors), 30 (register), 32 (security), 35 (DPIA) and 37-39 (DPO) are directly relevant for electronic signature in HR.
Applicable French law
Civil Code, articles 1366-1367: Article 1366 lays down the principle of functional equivalence between electronic and paper writing. Article 1367 recognises electronic signature as a method of proof, provided that it consists of a reliable identification process guaranteeing the link with the act to which it attaches. Reliability is presumed for QES, but may be demonstrated for AES.
Labour Code: Article L. 1221-1 does not require any particular form for the employment contract (except exceptions: fixed-term contract art. L. 1242-12, apprenticeship contract, etc.). The Macron law of 2015 (law No. 2015-990) opened the way for electronic pay slip. Article L. 3243-2 governs its terms.
Data Protection Act (law No. 78-17 of 6 January 1978, as amended): it adapts French law to the GDPR (a regulation applies directly and is not transposed) and gives the CNIL its investigative and sanctioning powers. Fines can reach €20 million or 4% of annual global turnover, whichever is higher, for the most serious violations.
Reference technical standards
- ETSI EN 319 132: XAdES, advanced signatures on XML documents
- ETSI EN 319 122: CAdES, CMS-based advanced signatures on arbitrary binary data
- ETSI EN 319 142: PAdES, advanced signatures embedded in PDF documents (the usual format for HR contracts)
- ETSI EN 319 162: ASiC, containers packaging a document together with its detached signatures and timestamps
- NF Z 42-013 (AFNOR): functional specifications of a probative electronic archiving system
- ISO/IEC 27001: information security management, certification framework expected from providers
Legal risks in case of non-compliance
The cumulative risk is significant: an employment contract signed with insufficient signature level can be challenged before the Labour Court, exposing the employer to requalification or nullity. On the GDPR side, absence of DPA with the provider, failure to inform employees or hosting outside EU without adequate safeguards can lead to a CNIL order, or even administrative sanction.
Use scenarios: electronic signature in HR compliant with GDPR
Scenario 1: a mid-size industrial company with 600 employees digitalises its employment contracts
A mid-size industrial company, distributed across four sites in France, processed approximately 180 permanent/fixed-term hires per year, generating that many paper files to print, sign in duplicate, scan and archive. The delays between the hiring promise and effective contract signature averaged 8 working days.
After deploying an advanced electronic signature solution (AES) integrated into its HRIS, with a GDPR-compliant DPA signed with the provider and a documented DPIA, the company reduced this delay to less than 24 hours. The rate of incomplete files fell by 34% (sources: ANDRH sector benchmarks 2024). Hosting data in France was retained as a contractual criterion, eliminating any risk of transfer outside the EEA. Employees are informed of the processing through an information banner integrated into the signing process, ensuring compliance with Article 13 of the GDPR.
Scenario 2: a retail franchise network deploys QES signature for forfeit-days agreements
A distribution network with about sixty retail locations and a hundred salaried staff on forfeit-days agreements faced an identified labour risk: several forfeit-days agreements could only be proven by poor quality paper copies. The Court of Cassation having tightened its requirements for proof of this type of agreement, the litigation risk was estimated at several hundred thousand euros.
The network deployed a qualified signature solution (QES) for all new agreements and offered existing staff to re-sign their existing agreements. Video identification was retained for identity verification. The processing activity register was updated, and an external DPO validated the GDPR compliance of the process. Within 6 months, the entire portfolio of forfeit-days agreements was secured. The cost of the initiative (approximately €15 to €25 per QES signature depending on market providers) was considered far below the litigation risk covered.
Scenario 3: a local authority dematerialises its amendments and telework policies
A local authority with approximately 1,200 permanent employees wished to dematerialise the management of its telework amendments following the 2021 national framework agreement on telework in the public service. The volume to process was approximately 400 documents per year, with a specific constraint: the signatories are public agents, whose data is subject to specifically regulated processing.
The authority opted for advanced signatures (AES), with sovereign hosting by a provider holding ANSSI's SecNumCloud qualification. The DPIA was submitted to the authority's DPO before rollout. Employees were informed via a service notice published on the intranet and an information banner in the digital process. The HR department estimated a gain of 3 FTE-days per month on the administrative management of amendments, equivalent to an annual saving of approximately €35,000 in direct costs, consistent with ranges published by the Observatory for Digital Transformation of Local Authorities (2025).
Conclusion
GDPR compliance for electronic signatures in HR documents is not optional: it conditions both the legal value of your acts and the protection of your employees' rights. In 2026, companies that have not yet updated their processing register, signed a DPA with their provider and adapted the signature level to each document type face double risk — labour and administrative — whose financial consequences can be significant.
The good news: a well-chosen and well-configured solution allows you to reconcile operational fluidity, eIDAS compliance and GDPR compliance without friction for HR teams or employees.
Certyneo supports you in this approach: eIDAS-compliant platform, DPA available, European hosting and signature processes designed for HR.
Try Certyneo for free
Send your first signature envelope in less than 5 minutes. 5 free envelopes per month, no credit card required.