
GDPR in HR: Processing Employee Data

GDPR imposes strict rules on employers for the collection and processing of personal data of their employees. Discover how to ensure your compliance and avoid penalties.

Rédaction Certyneo · 14 min read


The General Data Protection Regulation (GDPR) does not apply solely to commercial relationships between a company and its customers: it also governs, in a very precise manner, the processing of personal data of employees. Recruitment, payroll management, access control, performance evaluation, video surveillance… each stage of the lifecycle of an employment contract generates personal data that the employer must process in strict compliance with European law. With fines reaching up to 20 million euros or 4% of annual worldwide turnover, the stakes are considerable. This article details the applicable legal bases, the practical obligations of HR departments and best practices for securing your processing — including when dematerializing HR documents.

The GDPR lists six legal bases for processing personal data (Article 6). In an HR context, three of them are used almost systematically:

  • Performance of the Employment Contract (Art. 6.1.b): constitutes the main basis for payroll management, time tracking, payslip delivery or leave management.
  • Legal Obligation (Art. 6.1.c): justifies processing required by labor law or social legislation, such as the prior notification of hiring (DPAE), the declarative social statement (DSN) or the maintenance of the unique personnel register.
  • Legitimate Interest (Art. 6.1.f): may support certain IT security or internal fraud prevention processing, provided that this interest is not outweighed by the fundamental rights of employees.

⚠️ The consent basis must be handled with extreme caution in an employment context. The CNIL regularly points out that the inherent imbalance in the employer-employee relationship means consent is rarely "freely given" in the sense of Article 7 of the GDPR. Relying on consent for processing that could rest on another legal basis exposes the employer to a risk of requalification.

Special Categories of Data: a Stricter Regime

Certain data collected by HR falls under the regime of "sensitive data" referred to in Article 9 of the GDPR, the processing of which is in principle prohibited except for exceptions:

  • Health Data: sick leave, fitness determinations by occupational medicine, job adjustments for disability.
  • Trade Union Data: union membership, representative mandates.
  • Biometric Data: access control by fingerprint or facial recognition.
  • Data Relating to Offences: criminal record verification, authorized only in regulated sectors (security, children, etc.).

For these categories, the employer must identify an explicit exception (Art. 9.2), conduct a Data Protection Impact Assessment (DPIA) in most cases, and often consult the CNIL before deployment.

Practical Obligations of HR Departments

The Register of Processing Activities

Any organization employing more than 250 employees is required to maintain a register of processing activities (Art. 30 of the GDPR). Below this threshold, the obligation remains if processing is not occasional or concerns sensitive data — which is almost always the case in HR. This register must document:

  • The purpose of each processing (e.g.: "payroll management")
  • The categories of data involved
  • Recipients (third parties, processors)
  • Retention Periods
  • The security measures implemented

The CNIL provides a freely downloadable template register. Its rigorous maintenance constitutes the first line of defence in the event of an inspection.

Retention Periods: An Often Neglected Point

Article 5.1.e of the GDPR imposes the principle of storage limitation: data must not be kept beyond the period necessary for the purpose for which it was collected. In HR, the reference legal retention periods are as follows:

| Type of Data | Recommended Retention Period |
|---|---|
| Payslip | 5 years (civil limitation period) |
| Employment Contract | 5 years after contract termination |
| Recruitment Data (non-selected candidate) | 2 years maximum after last contact |
| Disciplinary File | Duration varies depending on sanction (max. 3 years for a warning) |
| Video Surveillance Data | 1 month as a general rule |
| DSN and Personnel Register | 5 years after employee departure |

These periods must be recorded in the register and enforced through purge or final archiving procedures.

Informing Employees: An Often Underestimated Obligation

Article 13 of the GDPR requires that a complete information notice be provided to the persons concerned at the time their data is collected. In HR, this notice should ideally be provided:

  • From the Application Stage: for data collected during the recruitment process.
  • At Hiring: integrated into the employment contract or provided as an appendix at signature.
  • During the Contract Relationship: for each new processing implemented (e.g.: deployment of a biometric time tracking tool).

The dematerialization of the onboarding process, in particular via electronic signature for HR, facilitates the traceability of this information delivery: the date of reading and signing of the notice is time-stamped in a probative manner, which constitutes a valuable piece of evidence in case of dispute.

Security of HR Data: Technical and Organizational Measures

Encryption, Access Control and Compartmentalization

Article 32 of the GDPR requires the implementation of security measures adapted to the risk. For HR data, which is sensitive by nature and a frequent target during intrusions, minimum best practices include:

  • Encryption of Data at Rest and in Transit: payroll files, contracts and personal files must be stored encrypted (AES-256 minimum) and transmitted via secure protocols (TLS 1.3).
  • Role-Based Access Control (RBAC): only authorized HR managers access payroll data; the team manager only accesses data necessary for management.
  • Access Logging: any consultation or modification of an employee file must be traced with the user's identifier, date and time.
  • Pseudonymization for analytical processing (HR dashboards, compensation studies).
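An added illustration in Python of the RBAC, access-logging and pseudonymization points above (example code written for this article, not code from Certyneo or any HR product); the roles, field policy, sample employee records and pseudonymization key are constructed assumptions:

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed sample HR records (fictitious employees, not real data).
EMPLOYEES = {
    "E001": {"name": "A. Martin", "team": "sales", "salary": 3200, "iban": "FR76 0000 0000 01", "sick_days": 4},
    "E002": {"name": "B. Durand", "team": "sales", "salary": 2900, "iban": "FR76 0000 0000 02", "sick_days": 0},
    "E003": {"name": "C. Petit", "team": "plant", "salary": 2600, "iban": "FR76 0000 0000 03", "sick_days": 9},
}

# Assumed field-level policy: each role only ever receives the fields it needs
# (HR managers see payroll data, team managers only identity and team).
ROLE_FIELDS = {
    "hr_manager": {"name", "team", "salary", "iban", "sick_days"},
    "team_manager": {"name", "team"},
}

# Assumed secret for pseudonymization; in practice it stays outside the analytics tool.
PSEUDONYM_KEY = b"constructed-demo-key-rotate-me"


def read_employee(user, role, user_team, emp_id, log):
    """Return the subset of an employee record the caller may see, and log the access.
    Team managers are additionally restricted to members of their own team."""
    now = datetime.now(timezone.utc).isoformat(timespec="seconds")
    record = EMPLOYEES[emp_id]
    allowed = ROLE_FIELDS.get(role, set())
    denied = not allowed or (role == "team_manager" and record["team"] != user_team)
    # Every attempt, granted or refused, is traced with identifier, date and time.
    log.append({"ts": now, "user": user, "role": role, "employee": emp_id,
                "outcome": "denied" if denied else "granted",
                "fields": [] if denied else sorted(allowed)})
    if denied:
        raise PermissionError(f"{user} ({role}) may not read {emp_id}")
    return {k: v for k, v in record.items() if k in allowed}


def pseudonymize(emp_id, key=PSEUDONYM_KEY):
    """Keyed, deterministic pseudonym: stable for joins across studies, not reversible without the key."""
    return hmac.new(key, emp_id.encode(), hashlib.sha256).hexdigest()[:16]


def compensation_dataset():
    """Rows for an HR dashboard: pseudonym plus analytic fields only, no direct identifiers."""
    return [{"pid": pseudonymize(eid), "team": r["team"], "salary": r["salary"]}
            for eid, r in EMPLOYEES.items()]


if __name__ == "__main__":
    audit = []
    print(read_employee("hr.dupont", "hr_manager", "hr", "E001", audit))
    print(read_employee("mgr.leroy", "team_manager", "sales", "E002", audit))
    try:
        read_employee("mgr.leroy", "team_manager", "sales", "E003", audit)
    except PermissionError as e:
        print("refused:", e)
    print(compensation_dataset()[0], len(audit), "audit entries")
```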

Management of HR Processors

HR departments rely on many processors: HRIS vendors, outsourced payroll providers, training platforms, online recruitment tools. Each of these third parties must be bound by a processor contract compliant with Article 28 of the GDPR, specifying in particular:

  • The nature and purpose of the outsourced processing
  • The processor's obligations regarding security and confidentiality
  • The prohibition on sub-processing without prior authorization
  • Methods for return or destruction of data at the end of the contract

When selecting a service provider, it is also advisable to verify whether its servers are located within the European Economic Area (EEA) or whether an adequate transfer mechanism (standard contractual clauses, adequacy decision) is in place for transfers outside the EEA.

Dematerialization of HR Documents and GDPR Compliance

The increasing digitization of HR processes — electronic employment contracts, dematerialized payslips, amendments signed remotely — raises specific GDPR issues. While eIDAS-compliant electronic signature provides undeniable guarantees of integrity and authenticity, the employer must ensure that the platform used:

  • Does not collect superfluous data during the signature process (minimization principle, Art. 5.1.c)
  • Preserves signature evidence (audit trail) in secure conditions and for an appropriate duration
  • Enables the exercise of the signatories' rights (access, rectification, erasure within legal limits)

To learn more about the compliance of signature tools, the complete guide to electronic signature from Certyneo details the technical and legal criteria to verify before any deployment.

Rights of Employees and Their Effective Exercise

Overview of Rights Guaranteed by the GDPR

Employees benefit from all the rights provided for in Articles 15 to 22 of the GDPR. In an HR context, the most frequently exercised rights are:

  • Right of Access (Art. 15): the employee can request a copy of all data concerning them held by the employer, including professional email exchanges under certain conditions.
  • Right to Rectification (Art. 16): correction of inaccurate data (error in bank details, diploma incorrectly recorded, etc.).
  • Right to Erasure (Art. 17): limited in HR by legal retention obligations, but applicable to recruitment data for a non-selected candidate.
  • Right to Object (Art. 21): can be exercised against processing based on legitimate interest, such as certain surveillance processing.
  • Right to Data Portability (Art. 20): applicable to data provided by the employee themselves in the context of contract performance.

Response Deadline and Internal Procedures

The employer has one month to respond to any request to exercise rights, a deadline extendable to three months in case of complexity or high volume of requests (Art. 12.3). To organize this processing efficiently, it is recommended to:

  1. Designate a single point of contact (DPO or GDPR representative) to receive requests
  2. Set up a dedicated form accessible to employees
  3. Document each request and its response in a register of rights exercise requests
  4. Train HR managers to identify an implicit request (an employee requesting "their personnel file" is implicitly exercising their right of access)

The Role of the DPO in the Company

The GDPR requires the appointment of a Data Protection Officer (DPO) in three cases (Art. 37): public authority, large-scale processing of sensitive data, or systematic large-scale monitoring. Many companies whose HR processing is significant fall within this obligation. The DPO may be internal or externalized; they must have functional independence and be involved in all decisions affecting data protection, including the deployment of new digital HR tools. Their role is advisory and not decision-making: the final responsibility remains that of the controller, namely the employer.

The GDPR: The Foundational Text

The Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 (GDPR) constitutes the regulatory foundation for personal data processing in Europe. Directly applicable in all Member States since 25 May 2018, it applies to any employer processing data of employees residing in the EU, regardless of the nationality of the company. The main articles applicable in an HR context are:

  • Art. 5: fundamental principles (lawfulness, fairness, transparency, minimization, accuracy, storage limitation, integrity and confidentiality, accountability)
  • Art. 6: legal bases for processing
  • Art. 9: sensitive data regime
  • Art. 12 to 22: rights of the data subjects
  • Art. 24 to 32: obligations of the controller and processor
  • Art. 33-34: notification of data breaches (72 hours to the CNIL, and notification of individuals if high risk)
  • Art. 35: impact assessment (DPIA) mandatory for high-risk processing
  • Art. 83: administrative sanctions (up to 20 M€ or 4% of global turnover)

The Amended French Data Protection Act (Loi Informatique et Libertés)

In French law, Law No. 78-17 of 6 January 1978 on computing, files and freedoms, as amended by Law No. 2018-493 of 20 June 2018 and Ordinance No. 2018-1125 of 12 December 2018, supplements the GDPR by exercising national discretionary margins ("opening clauses"). Among the most important in HR: the possibility of processing union data within the framework of managing staff representative bodies (Art. 9 of the law), and the specific rules for processing occupational health data.

Labour Code and Social Case Law

The Labour Code imposes obligations of information and prior consultation of the Social and Economic Committee (CSE) before any deployment of a surveillance or control device affecting employees (Art. L. 2312-38). Failure to consult exposes the employer to evidence being unenforceable and to criminal penalties.

The case law of the Court of Cassation regularly recalls that control tools (geolocation, time clocks, activity tracking software) must be proportionate to the objective pursued and cannot be diverted to purposes other than those declared to employees and to the CNIL.

Electronic Signature of HR Documents: eIDAS and Civil Code

When dematerializing employment contracts, amendments or disciplinary documents, the employer must comply with the Regulation (EU) No. 910/2014 eIDAS, which defines three levels of electronic signature. For documents as significant as a permanent employment contract or termination document, an advanced electronic signature (or even qualified) is recommended to ensure the identity of the signatory and the integrity of the document. The Civil Code in Articles 1366 and 1367 establishes the probative value of electronic documents and electronic signatures, provided reliable identification of the signatory and assurance of integrity.

Penalties Issued by the CNIL Regarding HR Processing

The CNIL has imposed several significant penalties regarding HR data processing: in 2022, a company was fined 400,000 € for excessive surveillance of remote work employees via screen capture software. In 2023, a security company was penalized 200,000 € for excessive collection of biometric data without valid legal basis. These decisions illustrate the regulator's growing vigilance on this scope.

Use Scenarios: GDPR HR in Practice

Scenario 1 — A Mid-Sized Industrial Company of 450 Employees Brings Its Recruitment Process Into Compliance

A mid-sized industrial company employing approximately 450 people across three sites received more than 3,000 spontaneous applications annually and responded to about sixty job postings. CVs and cover letters were stored indefinitely in a shared email mailbox among six service managers. No information notice was provided to candidates on the use of their data.

Following a GDPR audit, the following actions were deployed over six months:

  • Migration to an ATS (Applicant Tracking System) certified as GDPR compliant, with automatic purging of files after 24 months of inactivity
  • Addition of a GDPR information notice in each online application form
  • Electronic signature of job offer letters and employment contracts via an eIDAS-compliant platform, reducing the average time for contract returns from 8 days to less than 48 hours
  • Update of the register of processing activities with 12 new HR processing sheets

Result: no CNIL requests received in the 18 months that followed; estimated gain of 1.2 FTE on recruitment administrative management thanks to dematerialization.

Scenario 2 — A Distribution Group of 1,200 Employees Frames Its Video Surveillance Policy

A group specializing in food distribution had deployed a video surveillance system covering 34 retail locations. Images were retained for 45 days at certain locations, with no information displayed to employees. Several cameras covered checkout positions on a permanent basis, generating a risk of disproportionate surveillance.

Following a complaint from an employee to the CNIL, the company engaged in compliance work including:

  • Reduction of retention period to 30 days maximum across all locations
  • Repositioning of cameras to exclude continuous surveillance of individual work positions
  • Consultation and approval of the central CSE before any new deployment
  • Systematic information of employees via employment contracts and a posted internal charter

Result: closure of the CNIL complaint without penalty; improvement in social climate measured in the following annual satisfaction survey (+11 points on the "trust in employer" item).

Scenario 3 — An HR Consulting Firm Secures Data Transfers with Its Clients

A firm specializing in externalized payroll and personnel administration managed employee files for about twenty SME clients, representing approximately 1,800 payslips monthly. Payroll files were transmitted by unencrypted email, without a processor contract formalized within the meaning of Article 28 of the GDPR.

The firm undertook a complete overhaul of its practices:

  • Signature of Data Processing Agreements (DPA) compliant with Article 28 with each of its clients, via an advanced electronic signature platform enabling traceability
  • Implementation of a secure client portal (TLS encryption + two-factor authentication) for deposit and retrieval of payroll files
  • Hosting of data on servers located in France, certified HDS for occupational health data
  • Drafting of a processor policy governing recourse to third parties (payroll software vendor, archiving provider)

Result: 100% reduction of unsecured email transmissions of HR data; two new client contracts won whose requests for proposals made GDPR compliance a mandatory selection criterion.

Conclusion

GDPR in HR is not merely an additional administrative burden: it is a lever of trust between the employer and its employees, and a competitive factor in a labor market where transparency is increasingly valued. A maintained register of processing activities, controlled retention periods, formalized employee information, strengthened security of sensitive data and contracted processors: each of these pillars contributes to building an HR policy that is both legal and responsible.

The dematerialization of HR documents — contracts, amendments, payslips, information notices — offers a unique opportunity to combine GDPR compliance and operational efficiency, provided that certified tools are used. Certyneo supports you in this approach with an eIDAS-compliant electronic signature solution, designed for HR teams. Discover our pricing and launch your free trial on Certyneo to secure your HR documents today.
