Security

GDPR in HR: Processing of Employee Data

Certyneo · 4 min read

Editor — Certyneo · About Certyneo

Digitalisation of administrative processes — team in a working meeting

Introduction

Since the entry into force of the General Data Protection Regulation (GDPR) on May 25, 2018, HR departments have been on the front line of compliance. Human resources functions process sensitive personal data on a daily basis: CVs, pay slips, health data, evaluations, bank details. Poor management exposes the company to sanctions of up to 20 million euros or 4% of global turnover (article 83 of the GDPR). This article presents the key obligations and best practices for securing the processing of employee data throughout the HR cycle.

The fundamental principles applicable to HR data

The GDPR imposes six cardinal principles codified in Article 5: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and integrity and confidentiality. In practice, this means that the HR department may only collect the data strictly necessary for a specific purpose. For example, asking for a social security number at the application stage is disproportionate: it is only justified after hiring, for the DSN (the monthly social declaration to the authorities).

The CNIL, in its deliberation no. 2019-160 on personnel management, specifies the recommended retention periods: 2 years for unsuccessful applications (unless the candidate consents to a longer period), 5 years after departure for the administrative file, and 6 years for the employer's copy of pay slips.

Contrary to popular belief, consent is rarely the appropriate legal basis in HR, because of the relationship of subordination between employer and employee. The relevant bases are rather performance of the employment contract (article 6.1.b), a legal obligation (article 6.1.c) or legitimate interest (article 6.1.f). For sensitive data (health, union membership), Article 9 requires a specific basis, such as the employer's obligations under employment law.

The employer must provide clear information via a GDPR notice given on hiring, keep the record of processing activities up to date (article 30), and consult the CSE (the works council) before any new processing affecting employees (article L.2312-38 of the Labour Code).

Security and rights of employees

Technical and organisational security (article 32) requires: encryption of the HRIS (HR information system), access control by profile, traceability of consultations, and confidentiality clauses with payroll or recruitment processors (article 28). In the event of a personal data breach, the CNIL must be notified within 72 hours (article 33).

Employees have reinforced rights: access, rectification, erasure (limited by legal retention obligations), portability and objection. An internal procedure must allow a response within a maximum of one month. Any refusal to give access to the disciplinary file must be legally justified.

Practical examples

Example 1 – Recruitment: An SME has kept the CVs of all candidates in a shared folder for 5 years. Non-compliant: excessive retention period, lack of security. Solution: automated purge after 2 years, access restricted to recruiters, GDPR notice in the job offer.
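The retention periods quoted above from CNIL deliberation 2019-160, together with the "automated purge after 2 years, access restricted to recruiters" remedy of Example 1, are easy to get wrong when they live only in a policy document. The following script is an added example, not part of the original article and not Certyneo's code: it encodes the three retention periods the article cites, computes the deadline for each record (honouring the candidate-consent exception for CVs and the 29 February edge case), lists the records a purge job should delete, and answers access requests with an audit line for traceability (article 32). The record ids, dates and role names are constructed for the example.

```python
"""Retention deadlines and role-based access for HR records (constructed example)."""
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Category(Enum):
    UNSUCCESSFUL_APPLICATION = "unsuccessful_application"  # CVs of rejected candidates
    ADMINISTRATIVE_FILE = "administrative_file"            # personnel file after departure
    PAYSLIP_EMPLOYER_COPY = "payslip_employer_copy"        # employer's copy of pay slips


# Retention periods in years, as quoted in the article from CNIL deliberation 2019-160.
RETENTION_YEARS = {
    Category.UNSUCCESSFUL_APPLICATION: 2,  # counted from the rejection date
    Category.ADMINISTRATIVE_FILE: 5,       # counted from the employee's departure
    Category.PAYSLIP_EMPLOYER_COPY: 6,     # counted from the pay slip's issue date
}

# Access control by profile: only the listed roles may open a record of that category.
# The role names are assumptions made for this example.
ALLOWED_ROLES = {
    Category.UNSUCCESSFUL_APPLICATION: {"recruiter"},
    Category.ADMINISTRATIVE_FILE: {"hr_admin"},
    Category.PAYSLIP_EMPLOYER_COPY: {"payroll", "hr_admin"},
}


@dataclass(frozen=True)
class HrRecord:
    record_id: str
    category: Category
    trigger_date: date                    # rejection, departure or issue date
    consent_until: Optional[date] = None  # candidate's explicit consent to keep the CV longer


def add_years(d: date, years: int) -> date:
    """Add whole years; a 29 February start date lands on 28 February in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_deadline(record: HrRecord) -> date:
    """Last day the record may be kept under the periods the article cites."""
    deadline = add_years(record.trigger_date, RETENTION_YEARS[record.category])
    # The 2-year CV rule has one exception: the candidate may consent to a longer period.
    if record.category is Category.UNSUCCESSFUL_APPLICATION and record.consent_until:
        deadline = max(deadline, record.consent_until)
    return deadline


def expired_record_ids(records: List[HrRecord], today: date) -> List[str]:
    """Ids whose retention deadline has passed; this list feeds the automated purge."""
    return [r.record_id for r in records if retention_deadline(r) < today]


def can_access(role: str, category: Category) -> bool:
    return role in ALLOWED_ROLES[category]


def request_access(role: str, record: HrRecord, today: date) -> Tuple[bool, str]:
    """Decide an access request and return an audit line recording the consultation."""
    # A record past its deadline should already be purged, so it is not served either.
    granted = can_access(role, record.category) and retention_deadline(record) >= today
    verdict = "GRANTED" if granted else "DENIED"
    audit = (f"{today.isoformat()} {verdict} role={role} "
             f"record={record.record_id} category={record.category.value}")
    return granted, audit


# Constructed sample data set; dates are chosen to exercise each rule.
SAMPLE_RECORDS = [
    HrRecord("cv-001", Category.UNSUCCESSFUL_APPLICATION, date(2022, 3, 15)),
    HrRecord("cv-002", Category.UNSUCCESSFUL_APPLICATION, date(2022, 3, 15),
             consent_until=date(2026, 1, 1)),
    HrRecord("file-100", Category.ADMINISTRATIVE_FILE, date(2019, 6, 30)),
    HrRecord("pay-2020-01", Category.PAYSLIP_EMPLOYER_COPY, date(2020, 1, 31)),
    HrRecord("pay-2020-02", Category.PAYSLIP_EMPLOYER_COPY, date(2020, 2, 29)),
]


def run_demo() -> Dict[str, object]:
    """Run the checks over the sample set with a fixed 'today' so results are reproducible."""
    today = date(2025, 1, 10)
    expired = expired_record_ids(SAMPLE_RECORDS, today)
    cv_granted, cv_audit = request_access("recruiter", SAMPLE_RECORDS[1], today)
    pay_granted, pay_audit = request_access("recruiter", SAMPLE_RECORDS[3], today)
    return {"expired": expired, "recruiter_cv": cv_granted,
            "recruiter_payslip": pay_granted, "audit": [cv_audit, pay_audit]}


if __name__ == "__main__":
    result = run_demo()
    print("to purge:", result["expired"])
    for line in result["audit"]:
        print(line)
```

Running it lists cv-001 and file-100 for purge (the consented CV and the pay slips are still within their periods), grants the recruiter the CV and denies the recruiter the pay slip, with an audit line for each decision. In a real HRIS the purge list would drive a job that deletes both the file and its index entry, and the audit lines would go to a log that HR does not itself administer.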

Example 2 – Video surveillance: A logistics warehouse films workstations continuously. Sanction possible (in 2024 the CNIL fined Amazon France Logistique €32 million). Solution: limit filming to sensitive areas, inform each employee individually, consult the CSE, and retain footage for one month at most.

Example 3 – Collaborative tools: Deploying Microsoft 365 requires a data protection impact assessment (DPIA, or AIPD in French) if monitoring functions are activated, as well as a compliant data-processing agreement with the software vendor.

Compliance and sanctions

In addition to CNIL fines, the employer is exposed to employment tribunal (conseil de prud'hommes) actions for invasion of privacy (article 9 of the Civil Code, article L.1121-1 of the Labour Code). Designating a DPO is mandatory for entities processing data on a large scale. An annual mapping of HR processing operations, combined with manager training, is the best legal and operational protection.

Conclusion

GDPR compliance in HR is not a one-off project but a continuous process of improvement. Between legal obligations, employee rights and operational performance, HR managers must rigorously manage data governance. Investing in a compliant HRIS, training teams and documenting each processing transforms regulatory constraints into a lever of employee trust.
