
GDPR in HR: Employee Data Processing

GDPR imposes strict rules on employers for collecting and processing employees' personal data. Discover how to ensure your compliance and avoid sanctions.

Certyneo Team · 13 min read


The General Data Protection Regulation (GDPR) applies not only to commercial relationships between a company and its customers: it also governs, very precisely, the processing of personal data of employees. Recruitment, payroll management, access control, performance evaluation, video surveillance… each stage of the employment contract lifecycle generates personal data that the employer must process in strict compliance with European law. With fines reaching up to €20 million or 4% of annual global turnover, the stakes are considerable. This article details the applicable legal bases, the practical obligations of HR departments and best practices for securing your processing — including when dematerializing HR documents.

GDPR lists six legal bases for processing personal data (Article 6). In an HR context, three are used almost systematically:

  • Performance of an employment contract (Art. 6.1.b): constitutes the primary basis for payroll management, time tracking, payslip delivery or leave management.
  • Legal obligation (Art. 6.1.c): justifies processing required by labor law or social legislation, such as the pre-employment declaration (DPAE), the declaration of social data (DSN) or the maintenance of the staff register.
  • Legitimate interest (Art. 6.1.f): may support certain information security or internal fraud prevention processing, provided that this interest is not superseded by employees' fundamental rights.

⚠️ The consent basis must be handled with extreme caution in a salaried context. The CNIL regularly points out that the imbalance inherent in the employer-employee relationship means consent is rarely "freely given" in the sense of Article 7 of GDPR. Relying on consent for processing that could rest on another legal basis exposes the employer to the risk that the basis is recharacterized.

Special categories of data: a reinforced regime

Some data collected by HR fall under the regime of "sensitive data" referred to in Article 9 of GDPR, whose processing is in principle prohibited except for exceptions:

  • Health data: sick leave, unfitness pronouncements by occupational medicine, job adjustments for disability.
  • Trade union data: union membership, representative mandates.
  • Biometric data: access control by fingerprint or facial recognition.
  • Offence-related data: verification of criminal records, only authorized in regulated sectors (security, child protection, etc.).

For these categories, the employer must identify an explicit exception (Art. 9.2), conduct a Data Protection Impact Assessment (DPIA) in most cases, and often consult the CNIL before deployment.

Practical Obligations of HR Departments

The processing activities register

Any organization employing more than 250 employees is required to maintain a processing activities register (Art. 30 of GDPR). Below this threshold, the obligation remains if processing is not occasional or concerns sensitive data — which is almost always the case in HR. This register must document:

  • The purpose of each processing activity (e.g., "payroll management")
  • The categories of data involved
  • The recipients (third parties, processors, authorities)
  • Retention periods
  • The security measures implemented

The CNIL provides a freely downloadable register template. Its rigorous maintenance constitutes the first line of defense in case of inspection.

Retention periods: an often overlooked point

Article 5.1.e of GDPR imposes the principle of storage limitation: data must not be kept beyond what is necessary for the purpose for which it was collected. In HR, the reference legal periods are as follows:

| Type of data | Recommended retention period |
|---|---|
| Payslip | 5 years (civil statute of limitations) |
| Employment contract | 5 years after contract termination |
| Recruitment data (non-selected candidate) | 2 years maximum after last contact |
| Disciplinary file | Varies depending on sanction (max. 3 years for a warning) |
| Video surveillance data | 1 month as a general rule |
| DSN and staff register | 5 years after employee departure |

These periods must be recorded in the register and applied through purging or final archiving procedures.

Employee notification: an often underestimated obligation

Article 13 of GDPR requires that data subjects receive a complete information notice at the time their data is collected. In HR, this notice should ideally be delivered:

  • At application: for data collected during the recruitment process.
  • At hiring: incorporated into the employment contract or attached at the time of signature.
  • During the contractual relationship: with each new processing implemented (e.g., deployment of a biometric time-tracking tool).

Dematerialization of the onboarding process, in particular via electronic signature for HR, facilitates traceability of this information delivery: the date of reading and signing the notice is time-stamped in a reliable manner, which constitutes valuable evidence in case of dispute.

HR Data Security: Technical and Organizational Measures

Encryption, access control and compartmentalization

Article 32 of GDPR requires the implementation of security measures appropriate to the risk. For HR data, which are naturally sensitive and targeted during intrusions, minimum best practices include:

  • Encryption of data at rest and in transit: payroll files, contracts and personal files must be stored encrypted (AES-256 at minimum) and transmitted only over secure protocols (TLS 1.3).
  • Role-Based Access Control (RBAC): only authorized HR managers access payroll data; the team leader only accesses data necessary for management.
  • Access logging: any consultation or modification of an employee file must be traced with the user identifier, date and time.
  • Pseudonymization for analytical processing (HR dashboards, compensation studies).
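The access-control, logging, pseudonymization and retention points above are easier to reason about in code. The block below is an added example written for this article, not Certyneo's product code: a small in-memory HR record store that enforces a role-to-field entitlement table, writes an audit entry (user, role, fields, timestamp, outcome) for every read and update, serves analytics a keyed-hash pseudonym instead of the employee identifier, and purges documents whose retention period (taken from the table in the retention section) has elapsed. The role names, field names, the demo key and the "years as 365 days" approximation are all constructed assumptions.

```python
"""Added example (not Certyneo's code): RBAC, access logging, pseudonymisation and
retention purge for HR records, on constructed sample data."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta

# Constructed policy: which fields each role may read or write. The team lead sees only
# what management needs (no pay, no bank details); the analyst sees a pseudonymised view.
ROLE_FIELDS: dict[str, set[str]] = {
    "payroll": {"employee_id", "name", "iban", "gross_salary", "hire_date"},
    "team_lead": {"employee_id", "name", "hire_date"},
    "analyst": {"pseudonym", "gross_salary", "hire_date"},
}

# Retention periods from the article's table, in days from the document's trigger date
# (payment, contract end, last contact, recording, departure). Years are approximated
# as 365 days here; a production system would use calendar arithmetic.
RETENTION_DAYS: dict[str, int] = {
    "payslip": 5 * 365,
    "employment_contract": 5 * 365,
    "recruitment_file": 2 * 365,
    "video_surveillance": 31,
    "dsn_staff_register": 5 * 365,
}


class AccessDenied(PermissionError):
    """Raised when a role requests fields outside its entitlement."""


@dataclass
class HRStore:
    pseudonym_key: bytes  # secret that must never reach the analytics environment
    records: dict[str, dict] = field(default_factory=dict)
    documents: list[dict] = field(default_factory=list)
    audit_log: list[dict] = field(default_factory=list)

    def pseudonymise(self, employee_id: str) -> str:
        """Keyed hash: stable per employee, not reversible without the key."""
        return hmac.new(self.pseudonym_key, employee_id.encode(), hashlib.sha256).hexdigest()[:16]

    def _log(self, user, role, action, employee_id, fields, outcome, at: datetime) -> None:
        self.audit_log.append({"at": at.isoformat(), "user": user, "role": role, "action": action,
                               "employee_id": employee_id, "fields": sorted(fields), "outcome": outcome})

    def _check(self, user, role, action, employee_id, fields: set[str], at) -> None:
        allowed = ROLE_FIELDS.get(role, set())
        if not fields <= allowed:  # every requested field must be in the role's entitlement
            self._log(user, role, action, employee_id, fields, "denied", at)
            raise AccessDenied(f"{role} may not {action} {sorted(fields - allowed)}")

    def read(self, user, role, employee_id, fields: list[str], at: datetime) -> dict:
        wanted = set(fields)
        self._check(user, role, "read", employee_id, wanted, at)
        rec = self.records[employee_id]
        view = {f: (self.pseudonymise(employee_id) if f == "pseudonym" else rec[f]) for f in fields}
        self._log(user, role, "read", employee_id, wanted, "ok", at)
        return view

    def update(self, user, role, employee_id, changes: dict, at: datetime) -> None:
        self._check(user, role, "update", employee_id, set(changes), at)
        self.records[employee_id].update(changes)
        self._log(user, role, "update", employee_id, set(changes), "ok", at)

    def purge_expired(self, today: date) -> list[str]:
        """Remove documents whose retention period has elapsed and return their ids."""
        expired = [d["id"] for d in self.documents
                   if today - d["trigger_date"] > timedelta(days=RETENTION_DAYS[d["type"]])]
        self.documents = [d for d in self.documents if d["id"] not in expired]
        return expired


def run_demo() -> dict:
    """Runs the scenario on constructed data and returns the observable results."""
    store = HRStore(pseudonym_key=b"constructed-demo-key-rotate-me")
    store.records["E001"] = {"employee_id": "E001", "name": "A. Example", "iban": "FR76 0000 0000",
                             "gross_salary": 3200, "hire_date": "2019-03-01"}
    store.documents += [  # constructed documents with their retention trigger dates
        {"id": "PAY-2019-01", "type": "payslip", "trigger_date": date(2019, 1, 31)},
        {"id": "CTR-E001", "type": "employment_contract", "trigger_date": date(2021, 1, 1)},
        {"id": "CAM-0401", "type": "video_surveillance", "trigger_date": date(2024, 4, 1)},
    ]
    at, out = datetime(2024, 6, 1, 9, 0), {}
    out["payroll_view"] = store.read("hr.alice", "payroll", "E001", ["name", "iban"], at)
    try:
        store.read("lead.bob", "team_lead", "E001", ["name", "iban"], at)
        out["lead_denied"] = False
    except AccessDenied:
        out["lead_denied"] = True
    out["denied_entry"] = store.audit_log[-1]
    out["analyst_view"] = store.read("an.carol", "analyst", "E001", ["pseudonym", "gross_salary"], at)
    store.update("hr.alice", "payroll", "E001", {"iban": "FR76 1111 1111"}, at)
    out["iban_after_update"] = store.records["E001"]["iban"]
    out["purged"] = sorted(store.purge_expired(date(2024, 6, 1)))
    out["remaining"] = [d["id"] for d in store.documents]
    out["audit_entries"] = len(store.audit_log)
    return out
```

Two design points worth noting: a denied request is logged before the exception is raised, so the audit trail records attempts and not only successes; and the pseudonym is an HMAC rather than a plain hash, so an analyst holding the dashboard data cannot rebuild the mapping by hashing the (small, guessable) space of employee identifiers.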

Management of HR subprocessors

HR departments rely on numerous subprocessors: HRIS editors, outsourced payroll providers, training platforms, online recruitment tools. Each of these third parties must be subject to a processing agreement compliant with Article 28 of GDPR, specifying in particular:

  • The nature and purpose of the processing subcontracted
  • The processor's obligations regarding security and confidentiality
  • The prohibition on sub-contracting without prior authorization
  • Modalities for data return or destruction at end of contract

When selecting a provider, it is also advisable to verify whether its servers are located in the European Economic Area (EEA) or whether an adequate transfer mechanism (standard contractual clauses, adequacy decision) is in place for transfers outside the EEA.

Dematerialization of HR documents and GDPR compliance

The growing digitization of HR processes — electronic employment contracts, dematerialized payslips, amendments signed remotely — raises specific GDPR issues. While eIDAS-compliant electronic signature provides undeniable guarantees of integrity and authenticity, the employer must ensure that the platform used:

  • Does not collect unnecessary data during the signature process (minimization principle, Art. 5.1.c)
  • Retains evidence of signature (audit trail) under secure conditions and for an appropriate period
  • Allows signatories to exercise their rights (access, rectification, erasure within legal limits)

For further information on the compliance of signature tools, the comprehensive guide to electronic signature from Certyneo details the technical and legal criteria to verify before any deployment.

Employee Rights and Their Effective Exercise

Overview of Rights Guaranteed by GDPR

Employees benefit from all the rights provided for in Articles 15 to 22 of GDPR. In an HR context, the most frequently exercised rights are:

  • Right of access (Art. 15): the employee can request a copy of all data concerning them held by the employer, including professional email exchanges in certain circumstances.
  • Right to rectification (Art. 16): correction of inaccurate data (error on bank details, degree incorrectly recorded, etc.).
  • Right to erasure (Art. 17): limited in HR by legal retention obligations, but applicable to recruitment data of a non-selected candidate.
  • Right to object (Art. 21): can be exercised against processing based on legitimate interest, such as certain surveillance processing.
  • Right to data portability (Art. 20): applicable to data provided by the employee in the context of contract performance.

Response deadline and internal procedures

The employer has one month to respond to any request to exercise rights, extendable to three months in case of complexity or high volume of requests (Art. 12.3). To organize this processing efficiently, it is recommended to:

  • Designate a single point of contact (DPO or GDPR coordinator) to receive requests
  • Implement a dedicated form accessible to employees
  • Document each request and response in a rights exercise request register
  • Train HR managers to identify an implicit request (an employee asking for "their personnel file" is effectively exercising their right of access)

The role of the DPO in the company

GDPR requires the appointment of a Data Protection Officer (DPO) in three cases (Art. 37): public authority, large-scale processing of sensitive data, or systematic monitoring on a large scale. Many companies whose HR processing is significant fall under this obligation. The DPO may be internal or external; they must have functional independence and be involved in all decisions affecting data protection, including the deployment of new digital HR tools. Their role is advisory and not decision-making: final responsibility remains that of the controller, i.e., the employer.

GDPR: foundational text

The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR) constitutes the regulatory foundation for the processing of personal data in Europe. Directly applicable in all Member States since 25 May 2018, it applies to any employer processing data of employees residing in the EU, regardless of the company's nationality. The main articles applicable in an HR context are:

  • Art. 5: fundamental principles (lawfulness, fairness, transparency, data minimization, accuracy, storage limitation, integrity and confidentiality, accountability)
  • Art. 6: legal bases for processing
  • Art. 9: sensitive data regime
  • Art. 12 to 22: rights of data subjects
  • Art. 24 to 32: obligations of controller and processor
  • Art. 33-34: notification of data breaches (72 hours to the CNIL, and notification to individuals if high risk)
  • Art. 35: impact assessment (DPIA) mandatory for high-risk processing
  • Art. 83: administrative penalties (up to €20 million or 4% of global turnover)

The modified Data Protection Act

Under French law, the Act No. 78-17 of 6 January 1978 on data processing, files and freedoms, modified by Act No. 2018-493 of 20 June 2018 and Order No. 2018-1125 of 12 December 2018, supplements GDPR by opening national margins of discretion ("opening clauses"). Among the most important in HR: the possibility of processing trade union data in the context of management of staff representative bodies (Art. 9 of the Act), or specific rules for processing occupational health data.

Labor Code and social jurisprudence

The Labor Code requires the employer to inform and consult the Social and Economic Committee (CSE) before deploying any device for monitoring or surveilling employees (Art. L. 2312-38). Failure to consult exposes the employer to the inadmissibility of the evidence gathered as well as to criminal penalties.

Court of Cassation case law regularly reiterates that monitoring tools (geolocation, time clocks, activity tracking software) must be proportionate to the objective pursued and cannot be diverted to purposes other than those declared to employees and the CNIL.

Electronic signature of HR documents: eIDAS and Civil Code

When dematerializing employment contracts, amendments or disciplinary documents, the employer must comply with Regulation (EU) No. 910/2014 (eIDAS), which defines three levels of electronic signature. For documents as critical as a permanent employment contract or a severance termination document, an advanced (or even qualified) electronic signature is recommended to guarantee the identity of the signer and the integrity of the document. Articles 1366 and 1367 of the Civil Code affirm the probative value of electronic writing and electronic signatures, subject to reliable identification of the signer and assurance of integrity.

Sanctions issued by the CNIL regarding HR matters

The CNIL has issued several significant penalties for HR data processing: in 2022, a company was fined €400,000 for excessive surveillance of remote work employees via screen capture software. In 2023, a security company was fined €200,000 for excessive collection of biometric data without valid legal basis. These decisions illustrate the regulator's growing vigilance on this scope.

Use Cases: GDPR in HR Practice

Scenario 1 — A mid-sized industrial company of 450 employees brings its recruitment process into compliance

A mid-sized industrial company employing about 450 people across three sites received over 3,000 spontaneous applications each year and posted around sixty job openings. CVs and cover letters were stored without time limit in a shared email box between six department managers. No information notice was provided to candidates about the use of their data.

Following a GDPR audit, the following actions were deployed over six months:

  • Migration to an ATS (Applicant Tracking System) certified GDPR-compliant, with automatic purging of files after 24 months of inactivity
  • Addition of a GDPR information notice to each online application form
  • Electronic signature of offer letters and employment contracts via an eIDAS-compliant platform, reducing the average time for signed contract returns from 8 days to under 48 hours
  • Update of the processing activities register with 12 new HR processing data sheets

Result: no CNIL requests received in the following 18 months; estimated gain of 1.2 FTE on recruitment administrative management thanks to dematerialization.

Scenario 2 — A distribution group of 1,200 employees manages its video surveillance policy

A group specializing in food distribution had deployed a video surveillance system covering 34 retail locations. Images were retained for 45 days at some sites, without information posted for employees. Several cameras continuously covered checkout positions, creating a risk of disproportionate monitoring.

Following an employee complaint to the CNIL, the company undertook compliance improvements including:

  • Reduction of retention period to maximum 30 days across all sites
  • Repositioning cameras to exclude continuous monitoring of individual work stations
  • Consultation and agreement of the central CSE before any new deployment
  • Systematic notification of employees via employment contracts and an internal charter displayed

Result: closure of the CNIL complaint without penalty; improved employee relations measured in the following annual satisfaction survey (+11 points on the "trust in employer" item).

Scenario 3 — An external HR consulting firm secures data transfers with its clients

A firm specializing in outsourced payroll and personnel administration managed employee files for about twenty SME clients, representing approximately 1,800 payslips monthly. Payroll files were transmitted by unencrypted email, without a formal processing agreement under Article 28 of GDPR.

The firm undertook a complete overhaul of its practices:

  • Signing of Data Processing Agreements (DPA) compliant with Article 28 with each of its clients, via an advanced electronic signature platform enabling traceability
  • Deployment of a secure client portal (TLS encryption + two-factor authentication) for deposit and retrieval of payroll files
  • Data hosting on servers located in France, certified HDS for occupational health data
  • Drafting of a subprocessing policy governing recourse to third parties (payroll software editor, archiver)

Result: 100% reduction in HR data transmission by unsecured email; acquisition of two new client contracts that had made GDPR compliance a mandatory selection criterion in their request for proposal.

Conclusion

GDPR in HR is not merely an additional administrative burden: it is a lever of trust between employer and employees, and a competitive factor in a job market where transparency is increasingly valued. Processing activities register kept up to date, controlled retention periods, formalized employee notification, reinforced security of sensitive data and contracted processors: each of these pillars contributes to building an HR policy that is both legal and responsible.

Dematerialization of HR documents — contracts, amendments, payslips, information notices — offers a unique opportunity to combine GDPR compliance and operational efficiency, provided that you rely on certified tools. Certyneo supports you in this approach with an eIDAS-compliant electronic signature solution, designed for HR teams. Discover our pricing and launch your free trial on Certyneo to secure your HR documents starting today.
