Certyneo

GDPR in HR: Employee Data Processing

The GDPR imposes strict rules on employers regarding the collection and processing of personal data of their employees. Discover how to ensure your compliance and avoid penalties.

Team Certyneo · 13 min read

Editor, Certyneo · About Certyneo

The General Data Protection Regulation (GDPR) does not apply only to commercial relations between a company and its customers: it also regulates, very precisely, the processing of employees' personal data. Recruitment, payroll, access control, performance evaluation, video surveillance… each stage of the employee lifecycle generates personal data that the employer must process in strict compliance with European law. With fines of up to 20 million euros or 4% of annual worldwide turnover, whichever is higher, the stakes are considerable. This article details the applicable legal bases, the practical obligations of HR departments and the best practices for securing your processing, including when digitizing HR documents.

The GDPR lists six legal bases for processing personal data (article 6). In an HR context, three of them are used almost systematically:

  • Performance of the employment contract (art. 6.1.b): constitutes the main basis for payroll management, working time tracking, delivery of payslips or management of leave.
  • Legal obligation (art. 6.1.c): justifies processing required by labour law or social legislation, such as the pre-employment declaration (DPAE), the nominal social declaration (DSN) or the maintenance of the single staff register.
  • Legitimate interest (art. 6.1.f): may underpin certain IT security or internal fraud prevention processing, provided that this interest is not overridden by the interests or fundamental rights and freedoms of employees, which requires a documented balancing test.

⚠️ Consent must be handled with extreme caution in an employment context. The CNIL regularly recalls that the inherent imbalance between employer and employee means consent is rarely "freely given" in the sense of article 7 of the GDPR. Relying on consent for processing that could rest on another legal basis exposes the employer to having that basis requalified, and to the processing being found unlawful if the consent is not valid.

Special categories of data: an enhanced regime

Some data collected by HR fall under the regime of "special categories of data" (so-called sensitive data) in article 9 of the GDPR, whose processing is prohibited in principle unless an exception applies:

  • Health data: sick leave, unfitness declarations by occupational health, job adjustments for disability.
  • Trade union data: membership in a union, representative mandates.
  • Biometric data: access control by fingerprint or facial recognition.
  • Data relating to criminal convictions and offences: strictly speaking governed by article 10 rather than article 9, but under a comparably restrictive regime; criminal record verification is only authorized in regulated sectors (security, child protection, etc.).

For these categories, the employer must identify an explicit exception (art. 9.2, or the authorization conferred by national law for article 10 data), carry out a data protection impact assessment (DPIA) in most cases, and consult the CNIL before deployment where the DPIA shows a high residual risk (art. 36).

Practical obligations of HR departments

The record of processing activities

Organizations with 250 or more employees must maintain a record of processing activities (art. 30 of the GDPR). Smaller organizations are exempt only for processing that is occasional, unlikely to result in a risk to data subjects and does not involve special categories of data; HR processing is by nature regular and usually involves health or other sensitive data, so in practice the obligation almost always applies. This record must document:

  • The purpose of each processing (e.g.: "management of payslips")
  • The categories of data subjects (employees, candidates, former employees, dependants)
  • The categories of data concerned
  • The recipients (third parties, processors, authorities)
  • Any transfers outside the EEA and the safeguard relied on
  • The retention periods
  • The security measures implemented

The CNIL provides a freely downloadable template for this record. Its rigorous maintenance constitutes the first line of defense in case of inspection.

Retention periods: often overlooked

Article 5.1.e of the GDPR imposes the principle of storage limitation: data must not be retained beyond the duration necessary for the purpose for which it was collected. In HR, the reference legal periods are as follows:

| Type of data | Recommended retention period |
|---|---|
| Payslip | 5 years (civil limitation period) |
| Employment contract | 5 years after contract termination |
| Recruitment data (rejected candidate) | 2 years maximum after last contact |
| Disciplinary file | Variable depending on the sanction (max. 3 years for a warning) |
| Video surveillance footage | 1 month in general |
| DSN and staff register | 5 years after the employee's departure |

These periods must be recorded in the register and enforced through automated purge procedures or, where the law still requires retention, by moving the data to a restricted-access archive. A period that is written down but never applied is a frequent finding in CNIL inspections.
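The following script shows how the periods in the table above can actually be enforced rather than merely recorded. It is an added example for this article, not Certyneo code: the trigger events (issue date, contract end, last contact, departure) are an assumption about how an HRIS timestamps its records, the legal-hold flag models the litigation exception of art. 17(3)(e), and the sample records are constructed.

```python
"""Retention-period enforcement for HR records (added example, not Certyneo code).

Assumptions: each record carries the date of its policy's trigger event
(None while the trigger has not occurred, e.g. a contract still running),
and a legal-hold flag that suspends purge while litigation is pending.
"""
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional

# kind -> (trigger event, retention in months counted from that event);
# the periods mirror the article's table.
POLICY = {
    "payslip": ("issued", 60),
    "employment_contract": ("contract_end", 60),
    "recruitment_rejected": ("last_contact", 24),
    "warning": ("sanction_date", 36),
    "video_surveillance": ("captured", 1),
    "staff_register": ("departure", 60),
}


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic; 31 Jan + 1 month clamps to 28/29 Feb."""
    years, m0 = divmod(d.month - 1 + months, 12)
    y, m = d.year + years, m0 + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


@dataclass
class HRRecord:
    record_id: str
    kind: str
    trigger_date: Optional[date]   # None: trigger has not occurred yet
    legal_hold: bool = False       # litigation in progress: keep regardless


def expiry_date(rec: HRRecord) -> Optional[date]:
    """Date after which the record must be purged, or None if still active."""
    if rec.kind not in POLICY:
        # A record type with no documented period must fail loudly rather
        # than be kept forever by default.
        raise ValueError(f"no retention period recorded for {rec.kind!r}")
    _, months = POLICY[rec.kind]
    return None if rec.trigger_date is None else add_months(rec.trigger_date, months)


def retention_review(records, today: date) -> dict:
    """Split records into purge / keep, with a reason for every kept record."""
    purge, keep = [], {}
    for rec in records:
        exp = expiry_date(rec)
        if exp is None:
            keep[rec.record_id] = f"trigger '{POLICY[rec.kind][0]}' not yet occurred"
        elif rec.legal_hold:
            keep[rec.record_id] = f"legal hold (expired {exp.isoformat()})"
        elif exp > today:
            keep[rec.record_id] = f"expires {exp.isoformat()}"
        else:
            purge.append(rec.record_id)
    return {"purge": purge, "keep": keep}


# Constructed sample records (fictional identifiers).
SAMPLE = [
    HRRecord("PAY-2019-05", "payslip", date(2019, 5, 31)),
    HRRecord("CTR-0042", "employment_contract", date(2021, 1, 15)),
    HRRecord("CTR-0077", "employment_contract", None),
    HRRecord("CTR-0090", "employment_contract", date(2024, 2, 29)),
    HRRecord("CAND-318", "recruitment_rejected", date(2023, 4, 30)),
    HRRecord("WARN-12", "warning", date(2022, 7, 1)),
    HRRecord("CAM-S3-0415", "video_surveillance", date(2025, 4, 15)),
    HRRecord("PAY-2018-11", "payslip", date(2018, 11, 30), legal_hold=True),
]

REVIEW_DATE = date(2025, 6, 1)


def demo() -> dict:
    """Run the review on the constructed sample as of REVIEW_DATE."""
    return retention_review(SAMPLE, REVIEW_DATE)


if __name__ == "__main__":
    print(demo())
```

Run it on a nightly schedule against the HRIS export and feed the `purge` list to the deletion job; the `keep` reasons are what you show an inspector to prove the period is applied, not just written down.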

Employee notification: an often underestimated obligation

Articles 13 and 14 of the GDPR require a complete information notice to be given to data subjects at the time of collection (or, for data obtained from a third party such as a reference check, within a reasonable period). In HR, this information is typically delivered at three points:

  • From the application stage: for data collected during the recruitment process.
  • At hiring: included in the employment contract or provided as an annex at signature.
  • During the contractual relationship: for each new processing deployed (e.g.: rollout of biometric timekeeping tool).

Digitizing onboarding, in particular through electronic signature of HR documents, makes this notification easy to evidence: the date on which the notice was read and signed is time-stamped in a way that carries evidential weight, which is valuable in case of dispute.

Security of HR data: technical and organizational measures

Encryption, access control and compartmentalization

Article 32 of the GDPR requires security measures appropriate to the risk. HR data are a prime target for intruders (payroll files, bank details and identity documents are directly monetizable), so the minimum set of measures includes:

  • Encryption at rest and in transit: payroll files, contracts and personnel files are stored encrypted (AES-256 at least, preferably in an authenticated mode such as AES-GCM, with keys kept in a key management service rather than next to the data) and transmitted only over TLS (1.2 at minimum, 1.3 preferred).
  • Role-based access control (RBAC) with least privilege: only payroll staff access payroll data, and a team manager sees only the fields needed to manage the team, not bank details, pay or health-related information.
  • Access logging: every consultation or modification of an employee file is recorded with the user identifier, date, time and, ideally, the stated purpose; the log itself is protected against tampering and has its own retention period.
  • Pseudonymization for analytical processing (HR dashboards, compensation studies): identifiers are replaced with pseudonyms generated under a key stored separately, so that the analytics data set cannot be linked back to individuals without that key (art. 4(5)).
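The three controls that can be shown in code (field-level RBAC, access logging and keyed pseudonymization) are combined below in an added example written for this article; it is not Certyneo code and not a real HRIS. The employee records, role matrix and field names are constructed, and the pseudonymization key is a literal only for the sake of a runnable demo; in production it would live in a KMS/HSM and the audit log in an append-only store.

```python
"""Field-level RBAC, access logging and keyed pseudonymization for HR records.

Added example for this article (not Certyneo code). Records, roles and the
key are constructed; see the lead-in for what a production deployment changes.
"""
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed sample records (fictional employees, fictional IBANs).
EMPLOYEES = {
    "E1001": {"name": "Alice Martin", "team": "Logistics",
              "iban": "FR7630001000010000000000001", "gross_salary": 3200, "sick_days": 4},
    "E1002": {"name": "Karim Benali", "team": "Logistics",
              "iban": "FR7630001000010000000000002", "gross_salary": 2950, "sick_days": 0},
    "E1003": {"name": "Chloe Dubois", "team": "Finance",
              "iban": "FR7630001000010000000000003", "gross_salary": 4100, "sick_days": 12},
}

# Role matrix: the fields each role may read. A team manager never sees
# bank details, pay or health-related counts (minimization, art. 5.1.c).
ROLE_FIELDS = {
    "payroll": {"name", "team", "iban", "gross_salary"},
    "team_manager": {"name", "team"},
    "occupational_health": {"name", "sick_days"},
}

# Fields that identify a person directly; never exported to analytics.
DIRECT_IDENTIFIERS = {"name", "iban"}


class AccessDenied(PermissionError):
    pass


class HRStore:
    def __init__(self, records, pseudonym_key: bytes):
        self._records = records
        self._key = pseudonym_key          # kept apart from the data in production
        self.audit_log = []                # one entry per read attempt, granted or refused

    def read(self, actor: str, role: str, employee_id: str, fields, purpose: str) -> dict:
        """Return only the requested fields the role is entitled to; log the attempt."""
        requested = set(fields)
        denied = requested - ROLE_FIELDS.get(role, set())
        # Log before returning anything, so refused attempts are traceable too
        # (who, when, which file, which fields, stated purpose, outcome).
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "actor": actor, "role": role, "employee": employee_id,
            "fields": sorted(requested), "purpose": purpose,
            "outcome": "denied" if denied else "ok",
        })
        if denied:
            raise AccessDenied(f"role {role!r} may not read {sorted(denied)}")
        record = self._records[employee_id]
        return {f: record[f] for f in requested}

    def pseudonym(self, employee_id: str) -> str:
        # HMAC rather than a plain hash: employee numbers form a small, guessable
        # space, so an unkeyed SHA-256 could be reversed by enumeration. Only the
        # key holder can link a pseudonym back to a person (art. 4(5)).
        return hmac.new(self._key, employee_id.encode(), hashlib.sha256).hexdigest()[:16]

    def analytics_view(self, fields) -> list:
        """Rows for HR dashboards: a stable pseudonym plus non-identifying fields only."""
        leaked = DIRECT_IDENTIFIERS & set(fields)
        if leaked:
            raise ValueError(f"direct identifiers not allowed in analytics: {sorted(leaked)}")
        return [{"pid": self.pseudonym(emp_id), **{f: rec[f] for f in fields}}
                for emp_id, rec in self._records.items()]


def demo() -> dict:
    """Exercise the store and return the results so they can be checked."""
    store = HRStore(EMPLOYEES, pseudonym_key=b"demo-key-held-in-kms")
    payroll = store.read("hr.dupont", "payroll", "E1001", ["name", "iban"], "monthly payroll")
    try:
        store.read("mgr.leroy", "team_manager", "E1001", ["name", "gross_salary"], "1:1 prep")
        manager_blocked = False
    except AccessDenied:
        manager_blocked = True
    by_team = {}
    for row in store.analytics_view(["team", "gross_salary"]):
        by_team.setdefault(row["team"], []).append(row["gross_salary"])
    return {"payroll": payroll, "manager_blocked": manager_blocked,
            "avg_salary": {t: sum(v) / len(v) for t, v in by_team.items()},
            "log_entries": len(store.audit_log)}


if __name__ == "__main__":
    print(demo())
```

Note that the refused manager read still produces a log entry: a log that only records successful reads cannot show an inspector, or an incident responder, who tried to pull a colleague's salary.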

Management of HR subprocessors

HR departments rely on numerous processors (sous-traitants): HRIS vendors, outsourced payroll providers, training platforms, online recruitment tools. Each of these third parties must be bound by a data processing agreement compliant with article 28 of the GDPR, specifying in particular:

  • The subject matter, nature and purpose of the processing outsourced, and the categories of data and data subjects
  • That the processor acts only on the controller's documented instructions
  • The processor's obligations regarding security, confidentiality of its staff, breach notification and assistance with data subject requests
  • The prohibition on engaging a further processor (sub-processor) without prior authorization
  • The procedures for data return or destruction at the end of the contract, and the controller's audit rights

When selecting a provider, also verify where the data is hosted and from where it is administered or supported: if any of this takes place outside the European Economic Area (EEA), an appropriate transfer mechanism (an adequacy decision, or standard contractual clauses with supplementary measures where needed) must be in place.

Digitization of HR documents and GDPR compliance

The growing digitization of HR processes (electronic employment contracts, dematerialized payslips, amendments signed remotely) raises specific GDPR issues. While an electronic signature compliant with eIDAS provides strong guarantees of integrity and authenticity, the employer must ensure that the platform used:

  • Does not collect superfluous data during the signature process (minimization principle, art. 5.1.c)
  • Preserves proof of signature (audit trail) in secure conditions and for an appropriate duration
  • Enables signatories to exercise their rights (access, rectification, erasure within legal limits)

For more information on signature tool compliance, Certyneo's comprehensive electronic signature guide details the technical and legal criteria to verify before any deployment.

Employee rights and their effective exercise

Overview of rights guaranteed by the GDPR

Employees benefit from all the rights provided for in articles 15 to 22 of the GDPR. In an HR context, the most frequently exercised are:

  • Right of access (art. 15): the employee may request a copy of all data concerning them held by the employer, including professional email exchanges under certain conditions.
  • Right to rectification (art. 16): correction of inaccurate data (error on bank details, qualification incorrectly entered, etc.).
  • Right to erasure (art. 17): limited in HR by legal retention obligations, but applicable to recruitment data of a non-selected candidate.
  • Right to object (art. 21): can be exercised against processing based on legitimate interest, such as certain surveillance processing.
  • Right to data portability (art. 20): applicable to data provided by the employee in the context of contract performance.

Response time and internal procedures

The employer has one month to respond to any request to exercise rights, extendable by two further months in case of complexity or a high volume of requests, provided the employee is informed of the extension and its reasons within the first month (art. 12.3). To organize this efficiently, it is recommended to:

  • Designate a single point of contact (DPO or GDPR officer) to receive requests
  • Set up a dedicated form accessible to employees
  • Document each request and its response in a register of rights exercises
  • Train HR managers to recognize implicit requests (an employee asking for "their personnel file" is exercising their right of access, whether or not they cite the GDPR)

The role of the DPO in the company

The GDPR requires the appointment of a Data Protection Officer (DPO) in three cases (art. 37): public authorities; organizations whose core activities consist of regular and systematic monitoring of data subjects on a large scale; and organizations whose core activities consist of large-scale processing of special categories of data or criminal conviction data. HR processing on its own rarely triggers the obligation: payroll and personnel administration are treated as ancillary rather than core activities in the Article 29 Working Party's DPO guidelines. Many organizations nevertheless appoint a DPO voluntarily, in which case articles 37 to 39 apply in full. The DPO may be internal or outsourced; they must have functional independence and be involved in all decisions impacting data protection, including the rollout of new digital HR tools. Their role is advisory, not decision-making: final responsibility remains with the controller, that is, the employer.

The GDPR: foundational text

The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR) constitutes the regulatory foundation for personal data processing in Europe. Directly applicable in all Member States since 25 May 2018, it applies to any employer processing data of employees residing in the EU, regardless of the company's nationality. The main articles applicable in HR context are:

  • Art. 5: fundamental principles (lawfulness, fairness, transparency, minimization, accuracy, storage limitation, integrity and confidentiality, accountability)
  • Art. 6: legal bases for processing
  • Art. 9: regime for sensitive data
  • Art. 12 to 22: rights of data subjects
  • Art. 24 to 32: obligations of the controller and processor
  • Art. 33-34: data breach notification (72 hours to the supervisory authority, the CNIL in France; communication to the individuals concerned if the breach is likely to result in a high risk to them)
  • Art. 35: impact assessment (DPIA) mandatory for high-risk processing
  • Art. 83: administrative fines (up to 20 M€ or 4% of worldwide turnover, whichever is higher)

The amended Data Protection Act

In French law, the Law No. 78-17 of 6 January 1978 on data processing, files and freedoms, amended by Law No. 2018-493 of 20 June 2018 and Ordinance No. 2018-1125 of 12 December 2018, supplements the GDPR by opening national discretionary margins ("opening clauses"). Among the most important in HR: the possibility of processing trade union data as part of the management of employee representative institutions (art. 9 of the law), or the specific rules for processing occupational health data.

Labour Code and case law

The Labour Code requires the employer to inform and consult the Social and Economic Committee (CSE) before deploying any device for monitoring or controlling employees (art. L. 2312-38), and to inform the employees concerned beforehand (art. L. 1222-4). Failure to consult may render the evidence gathered inadmissible and constitutes the criminal offence of obstruction (délit d'entrave).

The Court of Cassation regularly recalls that monitoring tools (geolocation, time clocks, activity-tracking software) must be proportionate to the objective pursued and may not be diverted to purposes other than those announced to employees and documented in the record of processing.

Electronic signature of HR documents: eIDAS and Civil Code

When digitizing employment contracts, amendments or disciplinary documents, the employer must comply with the Regulation (EU) No. 910/2014 eIDAS, which defines three levels of electronic signature. For documents as important as a permanent employment contract or a severance agreement, an advanced electronic signature (or even qualified) is recommended to guarantee the identity of the signatory and the integrity of the document. The Civil Code at articles 1366 and 1367 confirms the probative value of electronic writing and electronic signature, subject to reliable identification of the signatory and assurance of integrity.

Penalties imposed by the CNIL in HR matters

The CNIL has imposed several significant penalties regarding HR data processing: in 2022, a company was fined 400,000 € for excessive monitoring of remote workers via screen capture software. In 2023, a security company received a penalty of 200,000 € for excessive biometric data collection without valid legal basis. These decisions illustrate the regulator's growing vigilance on this area.

Use scenarios: GDPR HR in practice

Scenario 1 — A 450-employee industrial mid-sized company brings its recruitment process into compliance

An industrial mid-sized company, employing about 450 people across three sites, received over 3,000 unsolicited applications a year and filled about sixty job postings. CVs and cover letters were kept indefinitely in a mailbox shared among six department managers. Candidates received no information notice about the use of their data.

Following a GDPR audit, the following actions were rolled out over six months:

  • Migration to an ATS (Applicant Tracking System) with built-in GDPR features, including automatic purge of files after 24 months of inactivity
  • Addition of a GDPR information notice to each online application form
  • Electronic signature of job offer letters and employment contracts via a platform compliant with eIDAS, reducing the time for signed contract return from 8 days on average to less than 48 hours
  • Update of the record of processing activities with 12 new HR processing forms

Result: no CNIL requests received in the 18 months following; estimated savings of 1.2 FTE on recruitment administrative management thanks to digitization.

Scenario 2 — A 1,200-employee retail group establishes a video surveillance policy

A food retail group had deployed a video surveillance system covering 34 stores. Footage was retained for 45 days at some sites, with no information displayed for employees. Several cameras continuously covered cashier positions, creating a risk of disproportionate surveillance.

Following an employee complaint to the CNIL, the company engaged in compliance efforts including:

  • Reduction of retention period to maximum 30 days across all sites
  • Repositioning of cameras to exclude continuous monitoring of individual work stations
  • Consultation and agreement of the central CSE before any new deployment
  • Systematic information of employees via employment contracts and a posted internal charter

Result: closure of the CNIL complaint without penalty; improvement in workplace climate measured in the following annual satisfaction survey (+11 points on the item "trust in employer").

Scenario 3 — An outsourced HR consulting firm secures data transfers with its clients

A firm specializing in outsourced payroll and personnel administration managed employee files for twenty SME clients, representing approximately 1,800 monthly payslips. Payroll files were sent by unencrypted email, without a subprocessing contract formalized under article 28 of the GDPR.

The firm undertook a complete overhaul of its practices:

  • Signature of Data Processing Agreements (DPA) compliant with article 28 with each of its clients, via an advanced electronic signature platform enabling traceability
  • Implementation of a secure client portal (TLS encryption + two-factor authentication) for deposit and retrieval of payroll files
  • Hosting of data on servers located in France, certified HDS for occupational health data
  • Drafting of a subprocessing policy governing the use of third parties (payroll software editor, archiver)

Result: unencrypted email transmission of HR data was eliminated entirely; the firm also won two new client contracts whose tenders made GDPR compliance a mandatory selection criterion.

Conclusion

GDPR in HR is not just an additional administrative burden: it is a lever for trust between employer and employees, and a competitiveness factor in a job market where transparency is increasingly valued. A record of processing kept up to date, managed retention periods, formalized employee notification, strengthened security of sensitive data and contracted subprocessors: each of these pillars contributes to building an HR policy that is both legal and responsible.

Digitizing HR documents — contracts, amendments, payslips, information notices — offers a unique opportunity to combine GDPR compliance with operational efficiency, provided you rely on certified tools. Certyneo supports you in this approach with an eIDAS-compliant electronic signature solution, designed for HR teams. Discover our pricing and launch your free trial on Certyneo to secure your HR documents today.
