GDPR in HR: Processing Employee Data

The GDPR imposes strict obligations on HR departments regarding the processing of employees' personal data. Discover how to comply concretely.

Certyneo Team · 12 min read

Human resources management generates, every day, a considerable volume of personal data: employment contracts, pay slips, health data, performance evaluations, bank details… Since the entry into force of the General Data Protection Regulation (GDPR) in May 2018, HR departments have become central actors in compliance within organizations. Yet, according to CNIL's 2024 activity report, the human resources sector remains one of the three most frequently cited areas during audits. This article guides you through the key obligations, best practices, and available tools to process your employees' data in full compliance.

What personal data do HR departments process?

Common data categories

HR departments handle a very broad spectrum of personal data. Two main families can be distinguished:

Ordinary data, collected under the employment contract: name, surname, address, social security number, IBAN, CV, diplomas, professional history, annual evaluations, working hours, attendance and absence data.

Sensitive data, subject to stricter restrictions under Article 9 of the GDPR: health data (sick leave, work accident declarations, medical restrictions), union data (union membership, representative mandates), data relating to criminal convictions in certain recruitment contexts.

The latter can only be processed subject to an explicit exception provided by the regulation — such as the performance of legal obligations in labor law, or explicit consent from the data subject.

The special case of recruitment

The recruitment phase generates specific processing, often poorly controlled. The collection of CVs, cover letters, and test results involves precise retention periods: according to CNIL recommendations, data of unsuccessful candidates must be deleted or anonymized within a maximum period of two years after the last contact. Indefinitely retaining CVs in an unsecured shared directory constitutes a clear violation.

The use of tracking tools in ATS (Applicant Tracking Systems) or behavioral analysis algorithms must be explicitly mentioned in the privacy policy provided to candidates, in accordance with Articles 13 and 14 of the GDPR.

The GDPR requires that all processing of personal data be based on one of the six legal bases defined in Article 6. In an HR context, three bases are primarily used:

  • Performance of the employment contract (Art. 6.1.b): justifies the processing of data necessary for payroll management, leave, or training.
  • Legal obligation (Art. 6.1.c): applies to mandatory social declarations (DSN), personnel registers, or workplace accident monitoring.
  • Legitimate interest (Art. 6.1.f): may be invoked for processing such as access badge management or video surveillance, subject to rigorous balancing tests.

Consent (Art. 6.1.a), on the other hand, is a fragile legal basis in a work context: CNIL and the European Data Protection Board (EDPB) recall that the structural imbalance between employer and employee makes it difficult to prove free consent. It should only be used as a last resort.

The processing register, an unavoidable obligation

Any organization employing at least 250 persons — or processing sensitive data on a smaller scale — must maintain a record of processing activities (Art. 30 of the GDPR). In HR, this register must document, for each processing activity: the purpose, data categories, recipients, retention periods, and security measures implemented.

This document, made available to CNIL in the event of an audit, is also a valuable management tool. Combined with an HR-dedicated electronic signature solution, it allows each step of the HR document lifecycle to be tracked and timestamped, thereby strengthening the auditability of processes.

Employee rights and employer obligations

Informing employees: an immediate obligation

Article 13 of the GDPR requires informing data subjects at the time of data collection. In practice, HR departments must provide employees — ideally at the time of signing the employment contract — with a GDPR privacy notice detailing: the identity of the controller, purposes and legal bases, retention period, available rights, and the contact details of the DPO (Data Protection Officer) if the company has one.

Digitizing and securing this exchange is essential. Using enterprise electronic signature to deliver this notice provides timestamped, incontestable proof of delivery, aligned with the requirements of the eIDAS regulation.

Employee rights to be respected imperatively

Employees have extensive rights over their data:

  • Right of access (Art. 15): any employee may request a copy of all data concerning them processed by the employer.
  • Right to rectification (Art. 16): correction of inaccurate data (e.g., postal address, IBAN).
  • Right to erasure (Art. 17): applicable in certain cases, particularly after the end of the contract and the expiration of legal retention periods.
  • Right to object (Art. 21): the employee may oppose processing based on legitimate interest.
  • Right to restrict (Art. 18): temporary suspension of contested processing.

The employer has a period of one month to respond to any request to exercise rights, extendable to three months in case of complexity (Art. 12 of the GDPR).

Security of HR data and management of subprocessors

Technical and organizational measures

Article 32 of the GDPR requires the implementation of security measures "appropriate to the risk." For HR data, best practices include:

  • Encryption of files containing sensitive data (pay slips, medical records).
  • Access control: principle of least privilege — a payroll manager does not have access to disciplinary data.
  • Logging of access to HR systems (HRIS, payroll tools).
  • Incident response plan: in the event of a data breach, the employer has 72 hours to notify CNIL (Art. 33), and potentially affected individuals if the risk is high (Art. 34).

A complete audit via the electronic signature guide can help HR teams identify unsecured processing persisting on paper media and digitalize them in a compliant manner.

Governing HR service providers through DPAs

HR services rely on numerous subprocessors: payroll software, training platforms, time management tools. Each service provider accessing personal data must be subject to a data processing agreement (DPA), in accordance with Article 28 of the GDPR. This contract must specify processing instructions, security guarantees, modes of return or destruction of data, and obligations in the event of a breach.

Selecting service providers whose infrastructure is hosted in the European Union, or governed by standard contractual clauses (SCC) approved by the Commission, remains a fundamental requirement to prevent any unlawful transfer outside the EU.

Retention periods: a structuring issue

The retention period for HR data is governed by a stack of texts: the GDPR (principle of storage limitation, Art. 5.1.e), the Labor Code, and various tax and social provisions. In practice, the main periods to observe are:

| Type of document | Minimum retention period |
|---|---|
| Pay slip | 5 years (social limitation period) |
| Employment contract | 5 years after end of contract |
| Payroll data (DSN) | 3 years (URSSAF inspection) |
| Personnel register | 5 years after employee departure |
| Disciplinary data | Period proportional to the measure |
| Occupational health file (occupational medicine) | 50 years (specific regulation) |

Implementation of an automated archiving and purge policy in the HRIS, combined with electronic signature workflows that timestamp document creation, is today the best practice for demonstrating compliance to CNIL.
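As an added illustration of such an automated purge policy (example code written for this article, not Certyneo's or any HRIS vendor's own), the job below evaluates an inventory of HR records against the minimum periods in the table above and the two-year CV limit mentioned earlier. The record types, the anchor event per type, and the sample inventory are assumptions; disciplinary data is deliberately routed to human review rather than purged automatically.

```python
from dataclasses import dataclass
from datetime import date

# Minimum retention periods (years) from the article's table, plus the two-year limit for
# unsuccessful candidates' CVs. Disciplinary data ("proportional to the measure") is left out.
RETENTION_YEARS = {
    "pay_slip": 5,                   # social limitation period
    "employment_contract": 5,        # anchor: end of contract
    "dsn_payroll": 3,                # anchor: declaration date (URSSAF inspection)
    "personnel_register": 5,         # anchor: employee departure
    "occupational_health_file": 50,  # specific regulation
    "candidate_cv": 2,               # anchor: last contact with the candidate
}

@dataclass(frozen=True)
class HrRecord:
    record_id: str
    doc_type: str
    anchor_date: date  # event that starts the retention clock for this doc_type

def add_years(anchor, years):
    """Anchor date shifted by whole years; a 29 February anchor clamps to 28 February."""
    try:
        return anchor.replace(year=anchor.year + years)
    except ValueError:
        return anchor.replace(year=anchor.year + years, day=28)

def purge_decision(record, today):
    """'purge' once the minimum period has run (storage limitation, Art. 5.1.e),
    'retain' while it is still running, 'review' when no automatic rule applies."""
    years = RETENTION_YEARS.get(record.doc_type)
    if years is None:
        return "review"  # disciplinary or unknown type: never purged silently
    return "purge" if today >= add_years(record.anchor_date, years) else "retain"

def plan_purge(records, today):
    """Group record ids by decision; only the 'purge' list feeds the HRIS deletion job."""
    plan = {"purge": [], "retain": [], "review": []}
    for record in records:
        plan[purge_decision(record, today)].append(record.record_id)
    return plan

# Constructed sample inventory (not real data); evaluate with date(2025, 1, 15).
SAMPLE_RECORDS = [
    HrRecord("PS-2018-03", "pay_slip", date(2018, 3, 31)),
    HrRecord("CT-0042", "employment_contract", date(2021, 6, 30)),
    HrRecord("CV-1187", "candidate_cv", date(2022, 10, 1)),
    HrRecord("DISC-7", "disciplinary", date(2023, 2, 1)),
    HrRecord("OH-1990", "occupational_health_file", date(1990, 5, 2)),
]
```

Running `plan_purge(SAMPLE_RECORDS, date(2025, 1, 15))` flags the 2018 pay slip and the 2022 CV for purge, keeps the contract and the health file, and sends the disciplinary record to review; logging each decision alongside the signed, timestamped documents is what makes the purge demonstrable during an audit.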

Pitfalls to avoid

The most frequent errors observed during CNIL audits regarding HR data are: indefinite retention of CVs of unsuccessful candidates, maintenance of computer access for former employees, absence of encryption of exported payroll files, and failure to delete badge data beyond regulatory periods. To secure these issues, consulting the comparison of electronic signature solutions allows you to identify tools natively integrating probative archiving functions and document lifecycle management.

The processing of employees' personal data is part of a dense regulatory framework, articulating several levels of regulation.

Regulation (EU) 2016/679 — GDPR forms the cornerstone. Its Articles 5 to 11 define the fundamental principles (lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality). Article 9 establishes the strict conditions applicable to special categories of data, including health and union data, particularly frequent in HR. Article 83 provides for fines of up to 20 million euros or 4% of worldwide turnover in the event of serious violation.

The amended French Data Protection Act (Law No. 78-17 of January 6, 1978), in its consolidated version, adapts the GDPR to French law. It grants CNIL its investigation and penalty powers, and notably provides for sectoral exemptions for health data in occupational medicine.

The Labor Code governs processing related to employee surveillance (Art. L. 1121-1 on respect for privacy), consultation of employee representatives on digital tools (Art. L. 2312-38), and mandatory registers.

The eIDAS Regulation (No. 910/2014), supplemented by eIDAS 2.0 (Regulation EU 2024/1183), governs the legal value of electronic signatures affixed to HR documents. A qualified electronic signature (QES), conforming to Annex I of eIDAS and the standards ETSI EN 319 132 and ETSI EN 319 122, provides the presumption of equivalence to handwritten signature under Article 1367 of the French Civil Code.

Article 1366 of the Civil Code provides that "electronic writing has the same probative force as writing on paper, provided that the person from whom it emanates can be duly identified and it is established and preserved under conditions likely to guarantee its integrity." This provision is directly applicable to employment contracts, amendments, confidentiality agreements, and other dematerialized HR documents.

The NIS2 Directive (EU 2022/2555), transposed into French law by the law of February 26, 2025, imposes on essential and important entities (notably large industrial enterprises and digital service operators) reinforced requirements regarding the management of risks related to information security, including protection of sensitive HR data.

CNIL sanctions are on the rise: in 2024, the total amount of fines exceeded 100 million euros, with several decisions directly involving breaches in employee data management. Non-compliance with retention periods, absence of a DPA with HR subprocessors, and insufficient security measures are among the most frequently cited grievances.

Use scenarios: GDPR compliance in HR in practice

Scenario 1 — A mid-sized industrial company with 450 employees digitalizes its onboarding processes

A mid-sized industrial company, spread across three sites in France, was managing employment contracts and amendments on paper. New employee files were not transmitted to the payroll department until an average of 12 working days later, generating payroll errors in approximately 8% of cases. Moreover, no formal GDPR notice was provided to new hires: the information was only included at the bottom of the internal regulations, not signed separately.

After deploying an electronic signature solution integrated with its HRIS, with simultaneous delivery of a GDPR notice co-signed by the employee and the HR Director, the company reduced the documentary onboarding period to 2 working days (an 83% reduction). Payroll errors related to missing data fell to less than 1%. Each signed document is archived with qualified timestamping, providing proof that can be relied on in the event of a CNIL audit or labor court dispute.

Scenario 2 — A distribution group with 1,200 employees brings its retention policy into compliance

A group operating in specialized distribution underwent a CNIL audit following a complaint from a former employee. The inspection revealed that Excel files containing payroll data for employees who had left more than 8 years ago were still accessible on an unsecured shared server, without encryption. A formal warning was issued, together with an order to comply within 3 months.

The group then conducted a complete audit of its HR processing, mapped its 23 processing activities, and implemented an automated purge plan triggered by the HRIS. Electronically signed documents were migrated to a digital safe with retention periods configured according to legal obligations. The DPO produced a complete HR processing register, presented at a second CNIL audit 18 months later, which concluded without further action. The cost of compliance was estimated at less than 60% of the amount of a potential fine.

Scenario 3 — An HR consulting firm with 35 employees secures the data of its own consultants and clients

An HR consulting firm manages both the data of its own consultants and that of candidates and employees of its client companies (as part of assessment or outplacement missions). It thus finds itself in a dual role: controller of processing for its own HR, and subprocessor (or even joint controller) for third-party data.

The firm implemented a differentiated document architecture: simple electronic signatures for routine internal exchanges, advanced signatures for mission contracts with clients, and data processing agreements (DPA) systematically integrated into engagement letters. All consultants received an updated GDPR charter, electronically signed and retained in a dedicated register. This organization allowed the firm to showcase its compliance as a commercial argument with large accounts subject to strict vendor audits, reducing the average contracting period from 7 to 2 weeks.

Conclusion

The GDPR imposes a profound transformation of HR management practices on human resources departments: rigorous identification of legal bases, effective notification of employees, management of rights, contractual governance of subprocessors, data security, and compliance with retention periods. These obligations are not merely administrative formalities — they determine the company's ability to avoid sanctions that could reach several million euros and to maintain the trust of its teams.

The digitalization of HR processes, through eIDAS-compliant electronic signature solutions, is one of the most effective levers for reconciling operational efficiency with regulatory compliance. Certyneo supports HR teams in this transition, from the signing of the employment contract to the secure archiving of employee files.

Discover how Certyneo can secure your HR processes by consulting our HR-dedicated offering or by starting for free to test the solution without commitment.
