Electronic signature HR & GDPR: complete guide 2026

Between eIDAS, GDPR and management of employee personal data, the electronic signature of your HR documents is subject to strict rules. Discover how to remain compliant.

Writer: Certyneo

The digitalization of human resources has accelerated considerably since 2020: employment contracts, amendments, pay slips, IT charters, remote work agreements — virtually all of these documents now transit in digital form. Yet dematerializing does not mean escaping legal obligations. Quite the contrary: electronic signature of HR documents under GDPR is a subject with dual regulatory entry points, as it combines the eIDAS framework on the probative value of signatures and the European regulation on the protection of personal data. If poorly managed, this dual constraint exposes the company to legal risks and CNIL sanctions. This guide presents the essential rules, best practices and points of vigilance you must know in 2026.

Why does GDPR apply to electronic signature for HR?

Electronic signature necessarily processes personal data

Signing an employment contract online involves collecting, transmitting and storing personal data within the meaning of Article 4 of GDPR n°2016/679: name, first name, professional email address, sometimes mobile phone number, timestamp and IP address of signature. In an HR context, this data is particularly sensitive because it directly identifies the employee and is linked to their contractual relationship with the employer.

The trust service provider (TSP) that provides the signature solution is qualified as a data processor within the meaning of Article 28 of the GDPR. The employer remains the data controller. This distinction is fundamental: it is the company that answers to the CNIL in case of breach, not the software provider.

For each category of dematerialized HR documents, the employer must identify the most appropriate legal basis for processing:

  • Contract performance (art. 6.1.b GDPR): signing of employment contract, salary amendment, full-time day rate convention. This is the most robust legal basis for contractual documents.
  • Legal obligation (art. 6.1.c GDPR): dematerialized delivery of pay slip (authorized since the Macron law of 2015 under conditions), personnel registers.
  • Legitimate interest (art. 6.1.f GDPR): IT charters, internal regulations, internal policy documents — subject to passing the balancing test.

The consent basis (art. 6.1.a) should be avoided in HR context: the CNIL and the EDPB (European Data Protection Board) believe that the subordination relationship between employer and employee makes consent rarely free. An employee who refuses to sign electronically might fear professional consequences.

Concrete obligations of the HR data controller

Update the data processing register (DPR)

Article 30 of the GDPR requires any organization employing more than 250 employees (and SMEs processing sensitive data on a large scale) to maintain a data processing register. The introduction of an electronic signature tool for HR documents must be included with:

  • The purpose of processing (e.g.: dematerialization and archiving of HR contractual documents)
  • Categories of data processed (identity, contact data, authentication data)
  • Duration of storage (legal retention period for employment contract: 5 years after end of contract under Labor Code, art. L. 1234-20)
  • Contact details of the data processor (the signature platform)
  • Security measures implemented

Sign a DPA (Data Processing Agreement) with the service provider

In accordance with Article 28 of the GDPR, any use of a data processor to process personal data must be formalized by a data processing contract (DPA). This contract must specify:

  • The subject matter and duration of processing
  • The nature and purpose of processing
  • The type of personal data and categories of data subjects
  • The obligations and rights of the data controller
  • The location of data (hosting in the EU recommended to avoid transfers outside the EEA)
  • Technical and organizational security measures

A serious electronic signature provider systematically offers a compliant DPA. Its absence constitutes an immediate, sanctionable non-compliance.

Inform employees before the first signature

Article 13 of the GDPR imposes prior information of persons whose data is collected. Before deploying electronic signature for HR documents, the employer must inform employees:

  • Of the identity of the data controller
  • Of the purpose and legal basis
  • Of the data retention period
  • Of their rights (access, correction, deletion within the limits of legal retention obligations, portability)
  • Of the contact details of the DPO (Data Protection Officer) if appointed

This information can be integrated into the signature process itself (information banner before signing), in the updated internal regulations, or via a service note distributed during deployment.

Required signature level for HR documents: SES, AES or QES?

The eIDAS signature level hierarchy

The eIDAS Regulation n°910/2014 defines three levels of electronic signature, each offering increasing probative value:

  • SES (Simple Electronic Signature): weak probative value, suitable for low-stakes documents (acknowledgments of receipt, internal forms)
  • AES (Advanced Electronic Signature): linked in a unique manner to the signatory, created from data under their exclusive control. Suitable for most common HR documents.
  • QES (Qualified Electronic Signature): highest level, equivalent to handwritten signature under art. 25.2 eIDAS. Requires enhanced identity verification (face-to-face or video identification).

Which level for which HR documents?

The recommended mapping in 2026, taking into account French case law positions and sectoral recommendations:

| HR Document | Recommended Level | Justification |
|---|---|---|
| Employment contract (permanent/fixed-term) | AES minimum, QES recommended | Strong contractual value, employment law risk |
| Contract amendment | AES minimum, QES recommended | Same logic as main contract |
| Trial period (renewal) | AES | Short timeline, limited formalism |
| Telework/BYOD charter | SES or AES | Collective agreement or internal regulation |
| Full-time day rate convention | QES strongly recommended | Demanding case law in labor matters |
| Amicable termination | QES mandatory | Certified form, high stakes |
| Balance payment receipt | AES or QES | Binding effect, art. L. 1234-20 CT |

For high-stakes documents (day rate convention, amicable termination), QES is de facto necessary to guarantee enforceability before employment tribunals. The Court of Cassation has progressively tightened its requirements on proof of employee agreement.

Storage, archiving and rights of individuals: pitfalls to avoid

The storage of electronically signed HR documents is subject to mandatory legal periods. These periods override the right to erasure under the GDPR (art. 17.3.b):

  • Employment contract: 5 years after end of contract (employment tribunal limitation period, art. L. 1471-1 Labor Code)
  • Pay slips: 5 years (salary limitation period), but retention recommended until pension entitlements are settled
  • Documents relating to workplace accidents: 30 years (long-term litigation risk)
  • Professional training (plans, certificates): 3 years
  • Personnel registers: 5 years after the date the employee left the establishment

Long-term electronic archiving with probative value must comply with the requirements of the NF Z 42-013 standard and ideally the ETSI EN 319 162 standard (long-term archiving of electronic signatures). Simple server storage is not sufficient: integrity, readability and qualified timestamping of documents must be guaranteed throughout the retention period.

Managing employee rights without compromising probative value

An employee can legitimately exercise their right of access (art. 15 GDPR) to obtain a copy of signature data concerning them. They can also request correction of inaccurate data.

On the other hand, the right to erasure (art. 17 GDPR) cannot be exercised on HR documents subject to legal retention obligations. The employer must be able to clearly explain this refusal by citing the applicable legal basis. Documenting these exchanges in the rights request register is a good practice recommended by the CNIL.

Portability (art. 20 GDPR) applies to data provided by the employee on the basis of consent or contract performance. Concretely, an employee can request their signature data in a structured format — an obligation to anticipate when choosing a signature solution.

Technical and organizational security: essential measures

Technical requirements of the signature platform

In accordance with Article 32 of the GDPR, security measures must be appropriate to the risk. For an HR electronic signature solution, this translates notably into:

  • Encryption of data in transit (TLS 1.3 minimum) and at rest (AES-256)
  • Multi-factor authentication (MFA) for access to the platform
  • Audit logs timestamped and tamper-proof, tracing every action on the document
  • Hosting in the EU (or EEA) to avoid transfers outside the EEA without adequate safeguards (adequacy decision or standard contractual clauses)
  • Annual penetration tests and ISO 27001 certification of the provider
  • Business continuity plan guaranteeing service availability and archive recovery in case of incident
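The "timestamped and tamper-proof audit log" requirement above is the one most often implemented loosely (a plain database table that an administrator can edit). The following is an added example, not Certyneo's code nor a description of any provider's implementation: it shows the minimum structure that makes an envelope audit trail tamper-evident, a hash chain in which each entry commits to its predecessor and to the SHA-256 of the document it concerns, plus an HMAC "seal" over the chain head computed with a key assumed to be held outside the HR application. The seal only stands in for the external anchoring (qualified timestamp from a TSA) the text calls for; envelope ids, addresses and timestamps are constructed sample values.

```python
import hashlib
import hmac
import json
from copy import deepcopy

# Constructed sentinel: the "previous hash" of the very first entry.
GENESIS_HASH = "0" * 64


def _canonical(entry: dict) -> bytes:
    """Deterministic JSON encoding so the hash does not depend on key order."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode("utf-8")


def append_event(log: list, envelope_id: str, actor: str, action: str,
                 document_bytes: bytes, timestamp: str) -> dict:
    """Append one audit entry whose hash covers the previous entry's hash,
    so that editing, reordering or deleting an earlier entry breaks the chain."""
    prev_hash = log[-1]["entry_hash"] if log else GENESIS_HASH
    entry = {
        "seq": len(log),
        "envelope_id": envelope_id,
        "actor": actor,
        "action": action,
        "document_sha256": hashlib.sha256(document_bytes).hexdigest(),
        "timestamp": timestamp,  # assumed to come from a trusted clock
        "prev_hash": prev_hash,
    }
    entry["entry_hash"] = hashlib.sha256(_canonical(entry)).hexdigest()
    log.append(entry)
    return entry


def seal_log(log: list, seal_key: bytes) -> str:
    """HMAC over the chain head. The key is assumed to live outside the HR
    application (or to be replaced by a qualified timestamp in production);
    it defends against silently truncating the log and re-hashing the tail."""
    head = log[-1]["entry_hash"] if log else GENESIS_HASH
    return hmac.new(seal_key, head.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_log(log: list, seal: str, seal_key: bytes):
    """Return (ok, first_bad_seq): checks each entry's own hash, the linkage
    to its predecessor, and finally the seal over the head."""
    prev_hash = GENESIS_HASH
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry.get("seq") != i or entry.get("prev_hash") != prev_hash:
            return False, i
        if hashlib.sha256(_canonical(body)).hexdigest() != entry["entry_hash"]:
            return False, i
        prev_hash = entry["entry_hash"]
    expected = hmac.new(seal_key, prev_hash.encode("utf-8"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, seal):
        return False, len(log)  # chain internally consistent but truncated or re-built
    return True, None


def document_matches(log: list, seq: int, document_bytes: bytes) -> bool:
    """Check that an archived document is still the one the entry was made for."""
    current = hashlib.sha256(document_bytes).hexdigest()
    return hmac.compare_digest(log[seq]["document_sha256"], current)


def demo():
    """Build a three-event trail for one envelope, then run the checks
    against the intact log, an edited entry, a truncated log and an altered document."""
    contract = b"Constructed sample employment contract text"
    seal_key = b"constructed-seal-key-held-outside-the-hr-application"
    log = []
    append_event(log, "ENV-0001", "hr@example.invalid", "sent", contract, "2026-01-12T09:00:00Z")
    append_event(log, "ENV-0001", "employee@example.invalid", "viewed", contract, "2026-01-12T09:05:00Z")
    append_event(log, "ENV-0001", "employee@example.invalid", "signed", contract, "2026-01-12T09:07:30Z")
    seal = seal_log(log, seal_key)

    intact = verify_log(log, seal, seal_key)            # (True, None)

    edited = deepcopy(log)
    edited[1]["action"] = "signed"                     # history rewritten in place
    edit_result = verify_log(edited, seal, seal_key)   # (False, 1)

    truncated = deepcopy(log[:-1])                     # last event dropped
    trunc_result = verify_log(truncated, seal, seal_key)  # (False, 2): seal mismatch

    altered_doc = document_matches(log, 2, contract + b" (altered)")  # False
    return intact, edit_result, trunc_result, altered_doc


if __name__ == "__main__":
    print(demo())
```

The chain alone cannot detect truncation followed by re-sealing by the same party, which is why the seal key (or, in production, a qualified timestamp from a trust service provider) must be held by someone other than whoever can write to the log; that separation of duties is what turns "logged" into "tamper-proof" in the sense of Article 32.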

Impact assessment (DPIA): when is it mandatory?

Article 35 of the GDPR imposes a Data Protection Impact Assessment (DPIA) when the processing is likely to result in a high risk. The CNIL published a list of processing types requiring a DPIA: large-scale processing of data relating to professional life is mentioned there.

In practice, a DPIA is recommended (even mandatory for large enterprises) when deploying an electronic signature solution for HR documents affecting all employees. It must identify risks (loss of confidentiality, identity theft, document alteration), assess their severity and probability, and propose mitigation measures. This analysis must be documented and revised if processing changes.

Founding European texts

eIDAS Regulation n°910/2014 (and its eIDAS 2.0 revision currently being deployed): this text defines the three levels of electronic signature (SES, AES, QES) and their legal value across all Member States. Article 25 provides that QES has a legal effect equivalent to handwritten signature. Article 26 sets out the technical requirements for advanced signature. Qualified trust service providers are listed on national trust lists (in France, the list is managed by ANSSI).

GDPR n°2016/679: applicable since May 25, 2018, this regulation governs any processing of personal data within the EU. Articles 5 (principles), 6 (legal bases), 13-14 (information), 28 (data processors), 30 (register), 32 (security), 35 (DPIA) and 37-39 (DPO) are directly relevant for HR electronic signature.

Applicable French law

Civil Code, articles 1366-1367: Article 1366 establishes the principle of functional equivalence between electronic and paper writing. Article 1367 recognizes electronic signature as a means of proof, provided it consists of a reliable identification process that guarantees the link with the document to which it attaches. Reliability is presumed for QES, but can be demonstrated for AES.

Labor Code: Article L. 1221-1 does not impose any particular form for the employment contract (except exceptions: fixed-term contract art. L. 1242-12, apprenticeship contract, etc.). The 2015 Macron law (law n°2015-990) opened the way to electronic pay slip. Article L. 3243-2 governs its terms.

Modified Data Protection and Freedoms Law (law n°78-17 of January 6, 1978): French implementation of the GDPR, it grants the CNIL its investigation and sanctioning powers. Fines can reach €20 million or 4% of annual global turnover for the most serious violations.

Reference technical standards

  • ETSI EN 319 132: advanced electronic signature format XAdES, applicable to XML documents
  • ETSI EN 319 122: CAdES format for CMS electronic signatures
  • ETSI EN 319 162: long-term archiving of electronic signatures (ASiC)
  • NF Z 42-013 (AFNOR): functional specifications for a probative electronic archiving system
  • ISO/IEC 27001: information security management, certification reference framework expected from service providers

The cumulative risks are significant: an employment contract signed with an insufficient signature level can be contested before the Employment Tribunal, exposing the employer to requalification or nullity. On the GDPR side, absence of a DPA with the provider, failure to inform employees or hosting outside the EU without adequate safeguards can lead to an enforcement order from the CNIL or even an administrative sanction.

Usage scenarios: HR electronic signature compliant with GDPR

Scenario 1: A mid-sized industrial company with 600 employees digitizes its employment contracts

A mid-sized industrial company spread across four sites in France processed approximately 180 permanent and fixed-term hires each year, generating as many paper files to print, sign in duplicate, digitize and archive. The average time between job offer and effective contract signature was approximately 8 working days.

After deploying an advanced electronic signature solution (AES) integrated into its HRIS, with a GDPR-compliant DPA signed with the provider and a documented DPIA, the company reduced this timeline to less than 24 hours. The rate of incomplete files dropped by 34% (sources: ANDRH sector benchmarks 2024). Data hosting in France was selected as a contractual criterion, eliminating any risk of transfer outside the EEA. Employees are informed of the processing via an information notice integrated into the signature workflow, ensuring compliance with Article 13 of the GDPR.

Scenario 2: A retail franchise network deploys QES signature for day rate conventions

A specialty distribution network with about sixty stores and a hundred day-rate managers faced an identified employment law risk: several day-rate conventions could only be proven through poor-quality paper copies. Since the Court of Cassation has tightened its proof requirements for this type of convention, the litigation risk was estimated at several hundred thousand euros.

The network deployed a qualified signature solution (QES) for all new conventions and offered existing day-rate managers the option to re-sign their existing conventions. Identity verification through video identification was chosen. The data processing register was updated, and an external DPO validated GDPR compliance of the process. Within 6 months, the entire day-rate convention portfolio was secured. The cost of the approach (approximately €15 to €25 per QES signature depending on market providers) was deemed far lower than the litigation risk covered.

Scenario 3: A local authority dematerializes its amendments and telework charters

A local authority with approximately 1,200 permanent staff wanted to dematerialize management of its telework amendments following the 2021 national framework agreement on telework in the public service. The volume to be processed was approximately 400 documents per year, with a specific constraint: staff are public employees whose data is subject to particularly regulated processing.

The authority opted for advanced signatures (AES), with sovereign hosting from a provider holding ANSSI's SecNumCloud qualification. The DPIA was submitted to the authority's DPO before deployment. Staff were informed via a service note published on the intranet and an information notice in the digital process. The HR department estimated a gain of 3 FTE-days per month on administrative management of amendments, representing an annual savings equivalent to approximately €35,000 in direct costs, consistent with ranges published by the Observatory for Digital Transformation of Local Authorities (2025).

Conclusion

GDPR compliance for electronic signature of HR documents is not optional: it determines both the legal value of your acts and the protection of your employees' rights. In 2026, companies that have not yet updated their processing register, signed a DPA with their provider and adapted the signature level to each document type are exposed to a dual risk — employment law and administrative — whose financial consequences can be significant.

The good news: a well-chosen and well-configured solution allows reconciling operational fluidity, eIDAS compliance and GDPR compliance without friction for HR teams or employees.

Certyneo supports you in this approach: eIDAS-compliant platform, DPA available, European hosting and signature workflows designed for HR. Discover our dedicated HR solution or calculate the ROI of your transition to full digital in a few clicks.
