GDPR in HR: Employee Data Processing
GDPR imposes precise obligations on employers regarding their employees' personal data. Master the legal bases, retention periods and best practices for lasting compliance.
Certyneo Team
Writer — Certyneo · About Certyneo
The processing of employees' personal data is one of the most sensitive GDPR compliance projects for human resources departments. From hiring through to file archival after contract termination, HR services daily handle a variety of information categories — identity data, health data, performance evaluations, bank details — all of which fall within the scope of the General Data Protection Regulation (GDPR Regulation 2016/679). The CNIL has imposed over 100 million euros in cumulative fines in France since 2018; HR breaches regularly feature among the grounds for sanctions. This article guides you through the concrete requirements applicable in 2026, from the legal basis to the processing activity register, through management of employee rights and the role of electronic signature in the HR documentary chain.
Legal bases applicable to HR data processing
GDPR authorizes personal data processing only if it rests on one of the six legal bases of Article 6(1). In the HR context, three of them are used in practice.
Performance of the employment contract
Article 6(1)(b) of GDPR constitutes the reference legal basis for processing strictly necessary to perform the employment contract: salary payment, leave management, social declarations (DSN), contribution calculation. The employer does not need employee consent for these processing activities, as consent would not be freely given in any case within a subordination relationship — the CNIL has emphasized this point in its guidelines since 2019.
Legal obligation
Article 6(1)(c) covers processing imposed by national or European law: personnel register (Labor Code, art. L. 1221-13), occupational risk assessment document, workplace accident file, or data transmitted to tax authorities. Such processing is mandatory and refusal would expose the employer to administrative sanctions independent of GDPR.
Legitimate interest
Article 6(1)(f) may justify certain HR processing not covered by the two preceding bases, such as video surveillance of premises or logging of connection times to professional tools, provided the employer's interest is balanced against employees' rights and freedoms and the outcome of that balancing is documented (a legitimate interest assessment). The processing itself must also appear in the processing activity register, and employees keep the right to object to it (Article 21).
The processing activity register and the DPO
Article 30 of GDPR requires every controller to maintain a record of processing activities. Organizations with fewer than 250 employees are exempt under Article 30(5), but the exemption falls away as soon as the processing is not occasional, is likely to result in a risk to data subjects, or includes special categories of data. HR processing is by nature continuous and usually involves health data, so in practice virtually every employer must keep the register; the CNIL recommends maintaining it from the first employee.
Mandatory content of the HR register
For each HR processing activity (payroll management, recruitment, training, annual appraisal, etc.), the register must mention: the purpose of processing, the categories of data concerned, the categories of persons concerned, the recipients of data (payroll providers, social bodies, etc.), retention periods, and technical and organizational security measures. This register is a living document, to be updated with each organizational or software change.
Appointment of a DPO
The appointment of a Data Protection Officer (DPO) is mandatory under Article 37 of GDPR for public authorities and for organizations whose core activities consist of large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data. For most private employers, processing employee health data is ancillary to the core business rather than part of it, so this criterion alone rarely triggers the obligation; the reasoning should nevertheless be documented. Beyond the legal requirement, appointing a DPO, internal or external, is strongly recommended for any organization of intermediate size. The DPO advises the employer, monitors compliance with the regulation and serves as the point of contact with the CNIL.
Categories of particularly sensitive data in HR
GDPR distinguishes ordinary data from so-called "sensitive" data under Article 9, whose processing is in principle prohibited except for exceptions. HR is directly concerned with several of these categories.
Health data
Sick leave records, medical restrictions, work accident/occupational disease declarations and information transmitted to occupational health constitute health data in the strict sense. Their processing is based on the exception of Article 9(2)(b) — labor law obligations — and must respect enhanced guarantees: limited access, encryption, specific retention periods. The employer cannot access the medical diagnosis; only the fitness-for-work opinion from the occupational physician is communicated to them.
Data relating to trade union membership
Information relating to trade union membership or representation mandates is sensitive data. It can only be processed within the strict scope of legal obligations related to personnel representation (calculation of delegation hours, organization of workplace elections).
Biometric data
Access control or time-tracking systems based on fingerprints or facial recognition process biometric data, a special category under Article 9. Since GDPR, the former CNIL prior-authorization regime no longer applies; instead the employer must carry out a data protection impact assessment (DPIA), which is mandatory for this type of processing, and comply with the CNIL's model regulation on biometric access control in the workplace (adopted in January 2019). That regulation requires the employer to justify why less intrusive means (badge, code) are insufficient and covers access control only; the CNIL regards biometric time-tracking as disproportionate in the general case.
Retention periods and archival of HR files
One of GDPR's fundamental principles is "storage limitation" (Article 5(1)(e)): data must not be retained beyond what is necessary for the purposes for which it was collected. In HR, periods are often determined by specific legal limitation periods.
Table of main retention periods
Duplicates of payslips must be retained for 5 years (Labor Code, art. L. 3243-4); this is distinct from the limitation period for wage claims, which is 3 years (art. L. 3245-1). Recruitment files of unsuccessful candidates may be kept for a maximum of 2 years after the last contact, unless the candidate gives explicit consent to a longer period. Active employee files are retained for the duration of the contract, then 5 years after termination for elements related to contract performance. Mandatory registers follow their own timelines: 5 years after the employee's departure for the personnel register, and much longer for the occupational risk assessment document, whose successive versions must be kept for 40 years since 2022. Electronic signature for HR allows each signed document to be time-stamped and archived with probative value from the moment of signature, which considerably simplifies the management of these retention obligations.
Distinction between current archival and intermediate archival
The CNIL distinguishes three states for personal data: current use (active database), intermediate archival (restricted access, for the duration of the legal limitation period), and final archival or destruction. HR data in intermediate archival should no longer be accessible to day-to-day managers; it is isolated in a dedicated environment with restricted access, ideally encrypted.
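The retention table and the three archival states above are only useful if something enforces them. The following script, added here as an illustration and not part of the original article or of any Certyneo product, classifies HR records as active, intermediate, on legal hold or due for destruction from the event that ends their day-to-day use (contract end, last contact, payslip issue) and the retention periods quoted above. The rule table, the record model, the `legal_hold` and `override_years` fields (for Article 17(3)(e) claims and for candidate consent respectively) and the sample records are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional

# Retention periods in years, counted from the triggering event, as given in the
# article (CNIL guidance and the Labor Code). Constructed for this example.
RETENTION_YEARS: Dict[str, int] = {
    "employee_file": 5,    # 5 years after contract termination
    "candidate_file": 2,   # 2 years after last contact with an unsuccessful candidate
    "payslip": 5,          # duplicate kept 5 years from issue (Labor Code L. 3243-4)
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    # Event that ends day-to-day use: contract end, last contact, payslip issue date.
    # None means the relationship is ongoing (employee still under contract).
    trigger_date: Optional[date]
    # Art. 17(3)(e): record needed for the establishment, exercise or defence of claims.
    legal_hold: bool = False
    # Documented consent to a longer period (candidate files); None = statutory period.
    override_years: Optional[int] = None


def add_years(d: date, years: int) -> date:
    """Calendar-year arithmetic; 29 Feb rolls back to 28 Feb in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def lifecycle_state(rec: Record, today: date) -> str:
    """Return 'active', 'intermediate', 'hold' or 'destroy' for a record on a given day."""
    if rec.category not in RETENTION_YEARS:
        # Refuse unknown categories rather than silently keeping them forever.
        raise ValueError(f"no retention rule for category {rec.category!r}")
    if rec.trigger_date is None or today < rec.trigger_date:
        return "active"
    years = rec.override_years if rec.override_years is not None else RETENTION_YEARS[rec.category]
    deadline = add_years(rec.trigger_date, years)
    if today < deadline:
        return "intermediate"
    # Retention period elapsed: destroy unless a documented legal hold applies.
    return "hold" if rec.legal_hold else "destroy"


def plan(records: Iterable[Record], today: date) -> Dict[str, List[str]]:
    """Group record ids by lifecycle state, e.g. to drive an archival/purge job."""
    out: Dict[str, List[str]] = {"active": [], "intermediate": [], "hold": [], "destroy": []}
    for rec in records:
        out[lifecycle_state(rec, today)].append(rec.record_id)
    return out


# Constructed sample records.
SAMPLE_RECORDS = [
    Record("emp-101", "employee_file", None),                          # still employed
    Record("emp-102", "employee_file", date(2022, 6, 30)),             # left mid-2022
    Record("emp-103", "employee_file", date(2020, 1, 15)),             # left early 2020
    Record("emp-104", "employee_file", date(2020, 1, 15), legal_hold=True),
    Record("cand-201", "candidate_file", date(2024, 9, 10)),
    Record("cand-202", "candidate_file", date(2023, 11, 1)),
    Record("cand-203", "candidate_file", date(2023, 11, 1), override_years=4),
    Record("pay-301", "payslip", date(2024, 2, 29)),                   # leap-day issue date
]

if __name__ == "__main__":
    for state, ids in plan(SAMPLE_RECORDS, date(2026, 3, 1)).items():
        print(f"{state:12s} {ids}")
```

Two design points matter in practice: an unknown category raises instead of defaulting to "keep", because a silent default is how data ends up retained indefinitely, and a legal hold is a separate, explicit state so that the refusal to erase can be documented and communicated as Article 17(3) requires rather than hidden in a blanket exception.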
Employee rights and how to exercise them
Employees benefit, like any other data subject, from all rights recognized by GDPR: right of access (Article 15), right to rectification (Article 16), right to erasure in applicable cases (Article 17), right to restrict processing (Article 18), right to data portability for data provided with consent or within a contractual framework (Article 20), and right to object to processing based on legitimate interest (Article 21).
Procedure for responding to access requests
The employer has one month to respond to an access request, extendable by two further months for complex or numerous requests provided the employee is informed of the extension within the first month (Article 12(3)). The response must include a copy of the data processed, the purposes, the recipients and the retention periods. Where the request was made electronically, the information must be provided in a commonly used electronic form unless the employee asks otherwise, which argues for a dematerialized documentary infrastructure integrating a complete guide to electronic signature to secure exchanges.
Limits to the right to erasure
The right to erasure does not apply when processing is necessary to comply with a legal obligation or for the establishment, exercise or defense of legal claims (Article 17(3)(b) and (e)). An employee therefore cannot demand deletion of their payslips or time records during applicable limitation periods. The employer must, however, document the justified refusal and communicate it to the employee within the prescribed timeframe.
HR data security and notification obligations
Security under GDPR is an obligation of means, reinforced by the accountability principle: Article 32 requires "appropriate technical and organizational measures" in light of the risks, and the employer must be able to demonstrate them. For HR, this translates notably into encryption of files containing sensitive data, management of access authorizations, pseudonymization of data in analytical tools, and business continuity plans (BCP) covering HR systems. In case of a personal data breach (leak, hacking, loss of an unencrypted laptop), the employer must notify the CNIL within 72 hours of becoming aware of it (Article 33), unless the breach is unlikely to result in a risk to individuals, and must in any case record it in an internal breach register; where the breach presents a high risk to individuals' rights, affected employees must be informed directly (Article 34). A lost laptop whose disk was properly encrypted, with a key that was not compromised, generally does not require informing employees (Article 34(3)(a)), which is one concrete reason to encrypt HR workstations. Use of certified solutions, such as those compliant with the eIDAS regulation for electronic signature and archival, helps demonstrate the employer's diligence in implementing security measures.
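Pseudonymization is mentioned above as a measure for analytical tools, and it is often done wrong: replacing the employee number with its plain SHA-256 looks anonymous but is reversible by anyone who can enumerate the identifier space. The script below, added as an illustration and not part of the original article or of any Certyneo product, contrasts that naive scheme with a keyed HMAC-SHA256 pseudonym whose key stays inside the HR perimeter, strips direct identifiers from an export, and shows the enumeration attack succeeding against the naive scheme and failing against the keyed one. The sample rows, the `E` followed by five digits identifier format, and the field names are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional

# Constructed sample rows as they might be exported from an HRIS to an analytics tool.
# Direct identifiers (name, IBAN) must not leave the HR perimeter; employee_id is needed
# as a join key between extracts, so it is replaced by a pseudonym rather than dropped.
SAMPLE_ROWS = [
    {"employee_id": "E00042", "name": "A. Martin", "iban": "FR76 0000 0000 0000 0000 0000 001",
     "site": "Lyon", "absence_days": 3},
    {"employee_id": "E01337", "name": "B. Dupont", "iban": "FR76 0000 0000 0000 0000 0000 002",
     "site": "Lille", "absence_days": 0},
]
DIRECT_IDENTIFIERS = ("name", "iban")


def naive_pseudonym(employee_id: str) -> str:
    """Unkeyed hash: deterministic, so an attacker can rebuild the id -> hash table."""
    return hashlib.sha256(employee_id.encode()).hexdigest()


def keyed_pseudonym(employee_id: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. Without the key the mapping cannot be recomputed,
    which is what makes this pseudonymization in the Art. 4(5) GDPR sense: the
    'additional information' needed to re-identify is the key, kept separately."""
    return hmac.new(key, employee_id.encode(), hashlib.sha256).hexdigest()


def pseudonymize(rows: Iterable[Dict], key: bytes) -> List[Dict]:
    """Drop direct identifiers and replace the employee id by its keyed pseudonym."""
    out = []
    for row in rows:
        cleaned = {k: v for k, v in row.items() if k not in DIRECT_IDENTIFIERS}
        cleaned["employee_id"] = keyed_pseudonym(row["employee_id"], key)
        out.append(cleaned)
    return out


def id_space() -> Iterable[str]:
    """Every plausible identifier in the assumed format 'E' + 5 digits (100,000 values)."""
    return (f"E{n:05d}" for n in range(100_000))


def reverse_by_enumeration(pseudonym: str, candidates: Iterable[str],
                           key: Optional[bytes] = None) -> Optional[str]:
    """Attacker's view: hash every candidate id and compare. Without `key` the attacker
    can only try the unkeyed scheme, which is all they can compute if the key never left HR."""
    for cand in candidates:
        guess = naive_pseudonym(cand) if key is None else keyed_pseudonym(cand, key)
        if hmac.compare_digest(guess, pseudonym):
            return cand
    return None


if __name__ == "__main__":
    # In production the key lives in the HR perimeter (KMS/HSM), never in the analytics tool.
    hr_key = secrets.token_bytes(32)
    export = pseudonymize(SAMPLE_ROWS, hr_key)
    print("export:", export)
    print("naive reversed to:", reverse_by_enumeration(naive_pseudonym("E00042"), id_space()))
    print("keyed reversed to:", reverse_by_enumeration(export[0]["employee_id"], id_space()))
```

A per-purpose key (one for absence analytics, another for training analytics) additionally prevents the two extracts from being joined outside HR, which is the same segmentation the home-care scenario below calls for; rotating the key yields a fresh, unlinkable set of pseudonyms.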
Legal framework applicable to GDPR in HR
The regulatory foundation for processing employee data rests on several interconnected texts.
Regulation (EU) 2016/679 – GDPR: applicable since 25 May 2018 throughout the European Union, it constitutes the reference text. Its Articles 5 (principles), 6 (legal bases), 9 (sensitive data), 13 and 14 (information), 15 to 22 (data subject rights), 24 to 32 (controller obligations) and 33-34 (data breach) are directly applicable in French law without necessary transposition.
Data Protection Act (Law No. 78-17 of 6 January 1978, amended by Law No. 2018-493 of 20 June 2018): it adapts GDPR to national law and provides scope for certain HR processing, particularly regarding health data and trade union representation (Articles 6, 9 and 88 of GDPR allowing national derogations in labor law).
Labor Code: several articles impose data retention or disclosure obligations that constitute "legal obligations" under Article 6(1)(c) of GDPR: article L. 1221-13 (personnel register), article L. 3243-4 (five-year retention of payslip duplicates), article L. 3245-1 (three-year limitation period for wage claims), articles L. 4121-1 et seq. (occupational risk assessment document).
eIDAS Regulation No. 910/2014: employment contracts, amendments, termination letters and HR documents signed electronically must comply with this regulation to have full probative value. Qualified electronic signature (QES level) offers a legal presumption of authenticity and integrity equivalent to handwritten signature. eIDAS Regulation 2.0, in force since 2024, strengthens these requirements.
Civil Code, Articles 1366 and 1367: Article 1366 provides that "electronic writing has the same probative force as writing on paper" subject to the condition that the author's identity is duly identified and the document's integrity is guaranteed. Article 1367 clarifies the conditions for reliable electronic signature. These provisions fully apply to dematerialized HR documents.
ETSI EN 319 122, EN 319 132 and EN 319 142 standards: these technical standards define the CAdES, XAdES and PAdES formats respectively for advanced and qualified electronic signatures. Compliance with them ensures interoperability and longevity of signed documents in HR archival systems.
Non-compliance risks: GDPR administrative fines can reach 20 million euros or 4% of annual worldwide turnover, whichever is higher (Article 83(5)). The CNIL may also issue warnings, injunctions and compliance orders, or make its sanctions public. Breaches of data security may in addition engage the employer's civil and criminal liability (Penal Code Article 226-17: up to 5 years' imprisonment and a 300,000 € fine for processing personal data without implementing the required security measures).
Concrete use scenarios
Scenario 1: An industrial SME of 180 employees dematerializes its HR documents
An SME in the metalworking sector, employing 180 people across three sites, still uses paper processes for employment contracts, amendments and personal data collection forms at hiring. During a routine CNIL inspection, the company is served a formal notice for the absence of a formalized processing activity register, undefined retention periods, and inability to prove that employees actually received the mandatory prior information (Article 13 GDPR). By adopting an electronic signature solution integrated with its HRIS, the SME automatically obtains a certified time-stamp for each signed document, retains proof of signer identity and archives documents according to parameterized retention rules. Within six months, the rate of untraceable HR documents drops to zero and the average contract signing time falls from 4 days to less than 24 hours, an 80% gain in onboarding lead time according to HR sector benchmarks.
Scenario 2: A home care services group manages sensitive data at scale
A home care network employing approximately 1,200 caregivers must process health data (medical restrictions, work accident declarations), information relating to criminal convictions (criminal records for home care workers with vulnerable populations) and banking data for salary payment. Facing the DPIA obligation for these high-risk processing activities, the group appoints an external DPO who identifies three major vulnerabilities: unsegmented access to health files, absence of encryption for payroll files, and payroll subcontractors without DPA (data processing agreement, Article 28 GDPR). Compliance implementation includes integration of an eIDAS-compliant electronic signature solution for medical amendments and SEPA mandates, as well as electronic signature of DPAs with each service provider. Compliance implementation cost represents approximately 0.3% of annual payroll, well below estimated potential fine risk.
Scenario 3: A technology scale-up anticipates rapid headcount growth
A SaaS start-up in its growth phase, moving from 40 to 150 employees in eighteen months, finds that its informal HR processes no longer work. Contracts are signed by email with PDF attachments, without any enhanced probative value. Several internationally recruited employees raise questions about their right of access to the data collected during recruitment. The HR director structures the company's GDPR approach around three axes: a processing activity register from month one, deployment of an advanced electronic signature solution for all contractual documents (linked with an AI-powered contract generator to standardize templates), and a formalized procedure for handling rights requests. Result: average response time for access requests reduced to 12 days (compared to 28 days without a formalized procedure), and zero complaints to the CNIL over the twelve months following compliance implementation.
Conclusion
GDPR in HR is not bureaucratic constraint: it is a framework protecting both employees and the employer. Mastering the applicable legal bases, maintaining an up-to-date processing activity register, respecting retention periods required by labor law, and effectively responding to rights exercise requests are the four pillars of lasting compliance. Dematerialization of HR processes — contracts, amendments, data collection forms — through an eIDAS-compliant electronic signature solution simultaneously strengthens data security and document probative value. Certyneo was designed to respond precisely to these issues: traceability, certified archival and integrated regulatory compliance. Discover how our HR features can transform your GDPR compliance into operational advantage on our dedicated HR page, or estimate your return on investment using our ROI calculator.
Try Certyneo for free
Send your first signature envelope in under 5 minutes. 5 free envelopes per month, no credit card required.
Recommended articles
Deepen your knowledge with these related articles.
Net Salary Calculation: Complete Guide 2026
From payslips to social contributions, master net salary calculation in 2026. An expert, data-driven and actionable guide for employees and employers.
Trial Period: Legal Duration and Termination
The trial period frames the first months of an employment contract, but its rules are often poorly understood. Discover the legal durations, renewal conditions, and termination procedures.