
GDPR in HR: Employee Data Processing

GDPR imposes strict obligations on HR departments regarding the processing of employee personal data. Discover how to comply concretely.

Certyneo Team · 11 min read


Human resource management generates a considerable volume of personal data every day: employment contracts, pay slips, health data, performance evaluations, bank details… Since the General Data Protection Regulation (GDPR) came into force in May 2018, HR departments have become central actors in compliance within organizations. Yet, according to CNIL's 2024 activity report, the human resources sector remains one of the three fields most frequently cited during audits. This article walks through the key obligations, best practices and available tools for processing your employees' data in full compliance.

What personal data do HR departments process?

Common data categories

HR departments handle a very wide spectrum of personal data. Two main families can be distinguished:

Ordinary data, collected as part of the employment contract: name, first name, address, social security number, bank details, CV, qualifications, professional history, annual evaluations, work schedules, attendance and absence data.

Sensitive data, subject to enhanced restrictions under article 9 of GDPR: health data (sick leave, workplace accident declarations, medical restrictions) and union data (union membership, representative mandates). Data relating to criminal convictions, which may arise in certain recruitment contexts, is governed separately by article 10 and is subject to comparable restrictions.

Special-category data can only be processed under an explicit exception provided by the regulation (article 9.2), such as the employer's obligations under employment law (art. 9.2.b) or the explicit consent of the person concerned (art. 9.2.a); the latter is fragile in an employment relationship, as discussed below.

The particular case of recruitment

The recruitment phase generates specific processing that is often poorly regulated. The collection of CVs, cover letters and test results comes with precise retention periods: according to CNIL's recommendations, data on rejected candidates must be deleted or anonymized within a maximum period of two years after the last contact. Retaining CVs indefinitely in an unsecured shared directory constitutes a clear violation.

The use of tracking tools in ATS (Applicant Tracking Systems) or behavioral analysis algorithms must be explicitly mentioned in the privacy notice transmitted to candidates, in accordance with articles 13 and 14 of GDPR. Where such tools produce decisions with significant effects on a candidate without human involvement, article 22 (automated individual decision-making) also applies.

Legal bases for HR processing

GDPR requires that all processing of personal data rest on one of the six legal bases defined in article 6. In the HR context, three bases are mainly used:

  • Performance of the employment contract (art. 6.1.b): justifies the processing of data necessary for managing payroll, leave or training.
  • Legal obligation (art. 6.1.c): applies to mandatory social declarations (DSN), personnel registers or workplace accident monitoring.
  • Legitimate interest (art. 6.1.f): can be invoked for processing such as access badge management or video surveillance, subject to a rigorous balancing test.

Consent (art. 6.1.a) is, by contrast, a fragile legal basis in the employment context: CNIL and the European Data Protection Board (EDPB) recall that the structural imbalance between employer and employee makes it difficult to demonstrate that consent was freely given. It should only be used as a last resort.

The processing register, an unavoidable obligation

Article 30 of GDPR requires organizations to maintain a record of processing activities. The exemption for organizations with fewer than 250 employees (art. 30.5) does not apply when processing is not occasional, is likely to result in a risk to individuals, or involves special categories of data; since HR processing is by nature recurring and routinely touches health or union data, in practice virtually every employer must keep the register. For each HR processing activity the register must document: the purpose, the categories of data subjects and data, the recipients, any transfers outside the EU, the retention periods, and the security measures implemented.

This document, available to CNIL in the event of an audit, is also a valuable management tool. Combined with a HR-dedicated electronic signature solution, it makes it possible to trace and timestamp each stage of the lifecycle of an HR document, thus strengthening the auditability of processes.

Employee rights and employer obligations

Informing employees: an immediate obligation

Article 13 of GDPR requires informing individuals at the time of data collection. In practice, HR departments must provide employees — ideally at the time of signing the employment contract — with a GDPR information notice detailing: the identity of the data controller, purposes and legal bases, retention period, available rights and contact details of the DPO (Data Protection Officer) if the company has one.

Digitizing and securing this exchange is essential. Delivering the notice through an enterprise electronic signature workflow produces timestamped, verifiable evidence that it was provided, aligned with the requirements of the eIDAS regulation.

Employee rights to respect imperatively

Employees have extensive rights over their data:

  • Right of access (art. 15): any employee can request a copy of all data concerning them processed by the employer.
  • Right to rectification (art. 16): correction of inaccurate data (e.g., postal address, bank details).
  • Right to erasure (art. 17): applicable in certain cases, particularly after termination of employment and expiration of legal retention periods.
  • Right to object (art. 21): the employee can object to processing based on legitimate interest.
  • Right to restrict processing (art. 18): temporary freeze of contested processing.

The employer has one month from receipt to respond to any request to exercise these rights, extendable by a further two months where requests are complex or numerous, provided the individual is informed of the extension within the first month (art. 12 of GDPR).

Security of HR data and subcontractor management

Technical and organizational measures

Article 32 of GDPR requires the implementation of security measures "appropriate to the risk". For HR data, best practices include:

  • Encryption of files containing sensitive data (pay slips, medical files), at rest and in transit, including any payroll exports leaving the HRIS.
  • Access control on the principle of least privilege: a payroll manager does not have access to disciplinary data, and accounts are disabled on the day an employee leaves.
  • Logging of access to HR systems (HRIS, payroll tools), with periodic review of who accessed which categories of data.
  • Breach response plan: in the event of a personal data breach, the employer must notify CNIL within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals (art. 33), and must inform the individuals concerned without undue delay when the risk is high (art. 34).
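The access-control and logging points above are only useful if someone actually reviews the logs. The following is an added example (not Certyneo's code and not from any HRIS vendor) of such a review: it checks constructed HR access-log lines against a least-privilege matrix and the HR departure list, flagging a role reading a data category it is not entitled to, any access by an account whose owner's contract has already ended, and unknown accounts. The log format, role names, data categories and the sample directory are all assumptions made for the illustration.

```python
"""Review HR system access logs against a least-privilege matrix and departure dates.

Added example for illustration; the log format, roles, categories and
directory below are assumptions, not a real HRIS schema.
"""
from dataclasses import dataclass
from datetime import date, datetime

# Assumed least-privilege matrix: role -> data categories it may read.
ENTITLEMENTS = {
    "payroll": {"identity", "bank_details", "payslip", "absence"},
    "hr_manager": {"identity", "contract", "evaluation", "disciplinary", "absence"},
    "occupational_health": {"identity", "medical"},
    "line_manager": {"identity", "evaluation", "absence"},
}

# Assumed HR directory: user -> (role, contract end date or None if still employed).
DIRECTORY = {
    "alice": ("payroll", None),
    "bob": ("hr_manager", None),
    "carol": ("line_manager", date(2024, 3, 31)),  # left the company, account never disabled
    "dave": ("occupational_health", None),
}


@dataclass(frozen=True)
class Finding:
    when: datetime
    user: str
    category: str
    reason: str


def parse_line(line):
    """Parse one constructed log line: '<ISO timestamp> <user> <action> <category> <record id>'."""
    ts, user, action, category, record = line.split()
    return datetime.fromisoformat(ts), user, action, category, record


def review_access_log(lines, entitlements=ENTITLEMENTS, directory=DIRECTORY):
    """Return one Finding per least-privilege or offboarding violation, in log order."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, user, action, category, record = parse_line(line)
        if user not in directory:
            findings.append(Finding(ts, user, category, "account not in HR directory"))
            continue
        role, contract_end = directory[user]
        # Offboarding gap: the contract ended but the account still reads HR data.
        if contract_end is not None and ts.date() > contract_end:
            findings.append(Finding(ts, user, category, f"access after contract end {contract_end}"))
        # Least-privilege breach: the role is not entitled to this data category.
        if category not in entitlements.get(role, set()):
            findings.append(Finding(ts, user, category, f"role '{role}' not entitled to '{category}'"))
    return findings


# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
2024-05-02T09:12:07 alice READ payslip EMP-0042
2024-05-02T09:15:30 alice READ disciplinary EMP-0042
2024-05-02T10:01:11 carol READ evaluation EMP-0017
2024-05-02T10:04:45 dave READ medical EMP-0017
2024-05-02T11:30:00 mallory READ bank_details EMP-0042
"""

if __name__ == "__main__":
    for f in review_access_log(SAMPLE_LOG.splitlines()):
        print(f"{f.when.isoformat()}  {f.user:<8} {f.category:<13} {f.reason}")
```

Run against the sample, the review reports three findings: the payroll account reading disciplinary data, a former employee's account still reading evaluations five weeks after the contract ended, and an account that does not exist in the HR directory at all. The directory lookup is what makes the offboarding check possible, so the review is only as good as the HRIS departure data feeding it.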

A complete audit, following the electronic signature guide, can help HR teams identify unsecured processing that persists on paper and digitize it in a compliant manner.

Regulate HR service providers through DPA

HR departments use many subcontractors: payroll software, training platforms, time management tools. Each service provider accessing personal data must be subject to a data processing agreement (DPA), in accordance with article 28 of GDPR. This contract must specify processing instructions, security guarantees, data return or destruction terms, and obligations in case of a breach.

Choosing service providers that host their infrastructure in the European Economic Area, or that rely on an adequacy decision or on the standard contractual clauses (SCCs) adopted by the Commission for any transfer outside it, remains a fundamental requirement to avoid unlawful transfers. Check the provider's sub-processor chain as well: article 28 requires the same obligations to flow down to any sub-processor the provider engages.

Retention periods: a structuring issue

The retention period of HR data is governed by a layering of texts: GDPR (principle of storage limitation, art. 5.1.e), Labor Code, and various tax and social provisions. In practice, the main deadlines to observe are:

| Document type | Minimum retention period |
|---|---|
| Pay slip | 5 years (social limitation period) |
| Employment contract | 5 years after end of contract |
| Payroll data (DSN) | 3 years (URSSAF audit) |
| Personnel register | 5 years after employee departure |
| Disciplinary data | Duration proportionate to the measure |
| Medical file (occupational medicine) | 50 years (specific regulation) |

Implementing an automated archiving and deletion policy in the HRIS, combined with electronic signature workflows that timestamp document creation, is today the best practice for demonstrating compliance to CNIL: the timestamp fixes the anchor date from which the retention period runs, and the automated purge removes the document once that period has elapsed.
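As an added example (not Certyneo's code and not any HRIS product's logic), here is the core of such a purge policy: each archived document gets the retention floor from the table above applied to its anchor date, and a purge run splits the archive into documents that may be deleted, documents past their floor but frozen by a legal hold (for instance pending employment litigation), and documents still within their period. The anchor event per document type, the legal-hold flag and the sample records are assumptions for the illustration; a document type with no rule in the table, such as disciplinary data whose period is "proportionate to the measure", is refused rather than silently purged.

```python
"""Compute earliest deletion dates for HR documents and plan a purge run.

Added example for illustration. Retention floors follow the table in the
article; the anchor events, the legal-hold flag and the sample records are
assumptions.
"""
from dataclasses import dataclass
from datetime import date

# Retention floor in years after the anchor event, per document type.
RETENTION_YEARS = {
    "payslip": 5,               # social limitation period
    "employment_contract": 5,   # anchor = end of contract
    "dsn_payroll": 3,           # URSSAF audit window
    "personnel_register": 5,    # anchor = employee departure
    "medical_file": 50,         # occupational medicine, specific regulation
}


@dataclass(frozen=True)
class HRDocument:
    doc_id: str
    doc_type: str
    anchor: date            # issue date, or end of contract / departure where the rule says so
    legal_hold: bool = False  # assumed flag: e.g. pending employment litigation


def add_years(d, years):
    """Shift a date by whole years, clamping 29 February to 28 February in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def earliest_deletion(doc):
    """Earliest date on which the document may be deleted; fail closed on unknown types."""
    if doc.doc_type not in RETENTION_YEARS:
        raise ValueError(f"no retention rule for {doc.doc_type!r}; refusing to purge")
    return add_years(doc.anchor, RETENTION_YEARS[doc.doc_type])


def plan_purge(documents, today):
    """Split documents into (to_delete, held, retained) for a purge run on `today`."""
    to_delete, held, retained = [], [], []
    for doc in documents:
        if earliest_deletion(doc) > today:
            retained.append(doc)          # still within the retention period
        elif doc.legal_hold:
            held.append(doc)              # period elapsed, but frozen by a legal hold
        else:
            to_delete.append(doc)         # period elapsed and nothing blocks deletion
    return to_delete, held, retained


# Constructed sample records (not real data).
SAMPLE = [
    HRDocument("PS-1", "payslip", date(2016, 1, 31)),
    HRDocument("PS-2", "payslip", date(2022, 1, 31)),
    HRDocument("CT-7", "employment_contract", date(2015, 6, 30)),
    HRDocument("CT-8", "employment_contract", date(2018, 2, 28), legal_hold=True),
    HRDocument("MF-3", "medical_file", date(1990, 9, 1)),
]

if __name__ == "__main__":
    to_delete, held, retained = plan_purge(SAMPLE, date(2025, 6, 1))
    for label, docs in (("delete", to_delete), ("hold", held), ("retain", retained)):
        for doc in docs:
            print(f"{label:<7} {doc.doc_id:<5} {doc.doc_type:<20} until {earliest_deletion(doc)}")
```

For a purge run on 1 June 2025 the sample yields two deletions (a 2016 pay slip and a contract that ended in 2015), one document on hold (a contract past its five-year floor but flagged for litigation) and two retained (a 2022 pay slip and a medical file that runs to 2040). Logging each decision with the computed deadline is what turns the purge into evidence you can show during an audit.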

Pitfalls to avoid

The most frequent errors observed during CNIL audits regarding HR data are: indefinite retention of CVs from rejected candidates, IT access left open for former employees, unencrypted payroll exports, and badge data kept beyond the regulatory deadlines. To secure these points, the comparison of electronic signature solutions helps identify tools that natively integrate proven archiving and document lifecycle management functions.

Regulatory framework

The processing of employee personal data sits within a dense regulatory framework that combines several levels of regulation.

Regulation (EU) 2016/679 (GDPR) constitutes the cornerstone. Its articles 5 to 11 define the fundamental principles (lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality). Article 9 establishes strict conditions applicable to special categories of data, including health and union data, which are particularly frequent in HR. Article 83 provides for fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher, for the most serious violations.

The amended Data Protection Act (Law n° 78-17 of January 6, 1978), in its consolidated version, adapts GDPR to French law. It grants CNIL its supervisory and enforcement powers, and notably provides for sectoral exemptions for health data in occupational medicine.

The Labor Code governs processing related to employee surveillance (art. L. 1121-1 on respect for privacy), consultation of employee representatives on digital tools (art. L. 2312-38), and mandatory registers.

The eIDAS Regulation (n° 910/2014), supplemented by eIDAS 2.0 (EU Regulation 2024/1183), governs the legal value of electronic signatures appended to HR documents. A qualified electronic signature (QES), based on a qualified certificate meeting Annex I of eIDAS and produced in the formats defined by ETSI EN 319 132 (XAdES) and ETSI EN 319 122 (CAdES), has the equivalent legal effect of a handwritten signature under article 25 of eIDAS and benefits from the presumption of reliability under article 1367 of the French Civil Code.

Article 1366 of the Civil Code states that "electronic writing has the same probative force as writing on paper, provided that the person from whom it emanates can be duly identified and that it is established and kept in conditions to guarantee its integrity". This provision is directly applicable to employment contracts, amendments, confidentiality agreements and other dematerialized HR documents.

The NIS2 Directive (EU 2022/2555), transposed into French law by the Law of February 26, 2025, imposes on essential and important entities (notably large industrial companies and digital service operators) enhanced requirements for managing information security risks; in practice these cover the HRIS and payroll systems that hold sensitive HR data.

CNIL penalties are on the rise: in 2024 the total amount of fines exceeded €100 million, with several decisions directly concerning failures in employee data management. Non-compliance with retention periods, absence of a DPA with HR subcontractors, and insufficient security measures are among the most frequently cited grievances.

Use cases: GDPR compliance in HR in practice

Scenario 1 — A mid-sized industrial company with 450 employees digitalizes its onboarding processes

A mid-sized industrial company, spread over three sites in France, managed its employment contracts and amendments on paper. Files for new hires were transferred to the payroll department only after an average delay of 12 business days, generating payroll errors in approximately 8% of cases. Furthermore, no formal GDPR notice was provided to new hires: information only appeared at the bottom of the internal regulations, not signed separately.

After deploying an electronic signature solution integrated into its HRIS, with simultaneous delivery of a GDPR notice co-signed by the employee and the HR director, the company reduced the documentary onboarding time to 2 business days (an 83% reduction). Payroll errors related to missing data dropped to less than 1%. Each signed document is archived with a qualified timestamp, providing evidence in the event of a CNIL audit or employment litigation.

Scenario 2 — A distribution group of 1,200 employees brings its retention policy into compliance

A group operating in specialized distribution underwent a CNIL audit following a complaint from a former employee. The inspection revealed that Excel files containing payroll data for employees who had left over 8 years ago were still accessible on an unsecured shared server, without encryption. A formal warning was issued, accompanied by an injunction to comply within 3 months.

The group then undertook a complete audit of its HR processing, mapped its 23 processing activities, and implemented an automated purge plan triggered by the HRIS. Electronically signed documents were migrated to a digital safe with retention periods configured according to legal obligations. The DPO produced a complete HR processing register, presented during a second CNIL audit 18 months later, which concluded without further action. The cost of bringing into compliance was estimated at less than 60% of the amount of a potential fine.

Scenario 3 — An HR consulting firm of 35 people secures the data of its own consultants and its clients

A consulting firm specializing in human resources manages both the data of its own consultants and that of candidates and employees of its client companies (as part of assessment or outplacement missions). It thus finds itself in a dual role: controller for its own HR data, and processor (or, depending on the mission, joint controller) for third-party data.

The firm implemented a differentiated documentary architecture: simple electronic signatures for routine internal exchanges, advanced signatures for mission contracts with clients, and data processing agreements (DPA) systematically integrated into engagement letters. All consultants received an updated GDPR charter, signed electronically and kept in a dedicated register. This organization allowed the firm to display its compliance as a commercial argument with large accounts subject to strict vendor audits, reducing the average contracting time from 7 to 2 weeks.

Conclusion

GDPR imposes a profound transformation of HR practices: rigorous identification of legal bases, effective information of employees, management of rights, contractual regulation of subcontractors, data security and compliance with retention periods. These obligations are not merely administrative formalities — they determine the company's ability to avoid penalties potentially reaching several million euros and to maintain the trust of its teams.

The digitization of HR processes, through eIDAS-compliant electronic signature solutions, is one of the most effective levers for reconciling operational efficiency and regulatory compliance. Certyneo supports HR teams in this transition, from signing the employment contract to secure archiving of employee files.

Discover how Certyneo can secure your HR processes by consulting our HR-dedicated offering or by starting free to test the solution without commitment.
