Certyneo

GDPR in HR: Employee Data Processing

GDPR and human resources: legal bases, processing register, retention periods and employee rights in 2026.

Certyneo Team · 3 min read

Certyneo Team

Writer — Certyneo · About Certyneo


Introduction

Since the General Data Protection Regulation (GDPR) came into force on May 25, 2018, HR departments have been on the front line of compliance. Human resources functions process sensitive personal data daily: CVs, payslips, health data, performance evaluations, and bank details. Mismanagement exposes the company to administrative fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher (Article 83 of the GDPR). This article presents the key obligations and best practices for securing employee data processing throughout the HR cycle.

Fundamental principles applicable to HR data

The GDPR sets out six principles in Article 5(1): lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; and integrity and confidentiality (Article 5(2) adds the controller's accountability for demonstrating compliance with them). In practice, this means the HR department may only collect data strictly necessary for a defined purpose. For example, requesting a social security number at the application stage is disproportionate: it is justified only after hiring, for the social security declarations (DSN) the employer must file.

The CNIL, in its deliberation No. 2019-160 (the reference framework for personnel management processing), recommends the following retention periods: two years after the last contact for rejected applications (longer only with the candidate's consent), five years after departure for the administrative file, and six years for the employer's copy of payslips.

Contrary to common belief, consent is rarely the appropriate legal basis in HR: because of the employee's subordination to the employer, it is hard to show that consent is freely given. The relevant bases are usually performance of the employment contract (Article 6(1)(b)), a legal obligation (Article 6(1)(c)), or legitimate interest (Article 6(1)(f), subject to a balancing test). For special categories of data (health, trade-union membership), Article 9 requires an additional condition, typically that the processing is necessary to meet an obligation under employment law (Article 9(2)(b)).

The employer must inform employees clearly, through a privacy notice provided at hiring (Articles 13 and 14), keep the record of processing activities up to date (Article 30), and inform and consult the CSE (Comité social et économique, the works council) before introducing any new processing that affects employees, in particular any means of monitoring their activity (Article L.2312-38 of the French Labor Code).

Security and employee rights

Article 32 requires technical and organizational measures appropriate to the risk. For HR data that typically means: encryption of the HRIS (at rest and in transit), role-based access control so that each profile sees only the data its function needs, logging of who consulted which file and when, and a written data processing agreement with every processor handling employee data (payroll providers, recruitment agencies, HRIS vendors) that meets the requirements of Article 28. In case of a personal data breach, the CNIL must be notified within 72 hours of becoming aware of it unless the breach is unlikely to result in a risk to employees (Article 33), and the affected employees themselves must be informed when the risk is high (Article 34).

Employees have the full set of data subject rights: access, rectification, erasure (limited by legal retention obligations, Article 17(3)(b)), portability, and objection. An internal procedure must allow a response within one month, extendable by two further months for complex or numerous requests provided the employee is told of the extension (Article 12(3)). Refusing access to disciplinary records must rest on a legal ground, for example the protection of third parties' rights, and the refusal must be explained to the employee.

Practical examples

Example 1 – Recruitment: An SME has kept the CVs of all candidates for five years in a shared folder. Non-compliant: excessive retention and insufficient security. Solution: automatic purge two years after the last contact (unless the candidate has agreed to a longer retention), access restricted to recruiters, and a privacy notice in the job posting.
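The purge described in Example 1 and the retention periods quoted earlier can be enforced mechanically rather than by hand. The following Python is an added example, not Certyneo's code or a CNIL tool: it encodes the three periods from the article (2 years for rejected applications, 5 years after departure for the administrative file, 6 years for the employer's copy of payslips), treats the candidate-consent exception as a manual review rather than a silent deletion, and shows why an erasure request cannot shorten a retention period imposed by law (Article 17(3)(b)). The record model, field names, category labels and sample data are all assumptions constructed for the example.

```python
"""HR retention check (added example; not Certyneo or CNIL code).

Periods come from the article's summary of CNIL deliberation 2019-160.
The Record model and the anchor events chosen for each category are
assumptions: in a real HRIS the anchor is whatever event legally starts
the retention clock (rejection / last contact, departure, payslip issue).
"""
from dataclasses import dataclass
from datetime import date
from enum import Enum

# Retention in years, keyed by an assumed record category label.
RETENTION_YEARS = {
    "rejected_application": 2,   # anchor: rejection or last contact
    "admin_file": 5,             # anchor: employee departure date
    "payslip": 6,                # anchor: payslip issue date (employer copy)
}

# Categories kept under a legal obligation: an erasure request cannot
# cut them short while the period runs (GDPR Art. 17(3)(b)).
LEGAL_OBLIGATION = {"admin_file", "payslip"}


class Action(Enum):
    KEEP = "keep"        # still inside the retention period
    PURGE = "purge"      # expired, delete automatically
    REVIEW = "review"    # expired, but candidate consented to longer keeping


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    anchor_date: date              # event that starts the retention clock
    extended_consent: bool = False # candidate agreed to keep the CV longer


def add_years(d: date, years: int) -> date:
    """Add whole years; a 29 February anchor lands on 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def expiry_date(rec: Record) -> date:
    if rec.category not in RETENTION_YEARS:
        # Fail closed: an unmapped category must be classified first,
        # never purged or kept by accident.
        raise ValueError(f"no retention rule for category {rec.category!r}")
    return add_years(rec.anchor_date, RETENTION_YEARS[rec.category])


def retention_action(rec: Record, today: date) -> Action:
    if today < expiry_date(rec):
        return Action.KEEP
    if rec.category == "rejected_application" and rec.extended_consent:
        return Action.REVIEW
    return Action.PURGE


def purge_candidates(records: list[Record], today: date) -> list[str]:
    """IDs to delete in this purge run, in input order."""
    return [r.record_id for r in records
            if retention_action(r, today) is Action.PURGE]


def can_erase_on_request(rec: Record, today: date) -> tuple[bool, str]:
    """Decide an Article 17 erasure request against legal retention."""
    if rec.category in LEGAL_OBLIGATION and today < expiry_date(rec):
        return False, f"legal retention runs until {expiry_date(rec).isoformat()}"
    return True, "no legal retention obstacle"


# Constructed sample data; the dates are invented for the example.
SAMPLE_RECORDS = [
    Record("cv-001", "rejected_application", date(2023, 3, 15)),
    Record("cv-002", "rejected_application", date(2023, 3, 15), extended_consent=True),
    Record("cv-003", "rejected_application", date(2025, 1, 10)),
    Record("file-101", "admin_file", date(2020, 6, 30)),
    Record("pay-2021-01", "payslip", date(2021, 1, 31)),
]
TODAY = date(2026, 1, 1)

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec.record_id, expiry_date(rec), retention_action(rec, TODAY).value)
    print("purge:", purge_candidates(SAMPLE_RECORDS, TODAY))
    print("erase pay-2021-01?", can_erase_on_request(SAMPLE_RECORDS[4], TODAY))
    print("erase cv-003?", can_erase_on_request(SAMPLE_RECORDS[2], TODAY))
```

Run on 1 January 2026 against the constructed data, the purge list is `cv-001` and `file-101`; `cv-002` is routed to review because of the candidate's consent, and the 2021 payslip cannot be erased on request until early 2027, whereas a rejected applicant's CV can be erased on request at any time because nothing in law obliges the employer to keep it. The deletion itself, and the access restriction to recruiters, still have to be wired into the HRIS or file share; this block only decides what must go.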

Example 2 – Video surveillance: A logistics warehouse films work stations continuously. This exposes the employer to sanctions: in January 2024 the CNIL fined Amazon France Logistique €32 million over an excessively intrusive system for monitoring employee activity. Solution: limit cameras to areas where security genuinely requires them (never a permanent view of an employee's workstation), inform each employee individually, consult the CSE beforehand, and keep footage for no more than one month.

Example 3 – Collaborative tools: Deploying Microsoft 365 requires a data protection impact assessment (DPIA, Article 35) if monitoring or activity-analytics features are enabled, together with a data processing agreement with the vendor that meets Article 28, including its terms on sub-processors and international transfers.

Compliance and penalties

Beyond CNIL fines, the employer faces labor court claims for invasion of privacy (Article 9 of the French Civil Code, Article L.1121-1 of the Labor Code). Designating a DPO is mandatory in the cases listed in Article 37: public bodies, controllers whose core activities involve regular and systematic large-scale monitoring of individuals, or large-scale processing of special categories of data. An annual mapping of HR processing, combined with training for managers, offers the best legal and operational protection.

Conclusion

GDPR compliance in HR is not a one-off project but a continuous improvement process. Between legal obligations, employee rights, and operational performance, HR directors must govern employee data rigorously. Investing in a compliant HRIS, training teams, and documenting every processing activity turns a regulatory constraint into a lever for employee trust.
