The French Data protection authority, the CNIL, has adopted Terms of Reference (“Terms”) relating to the processing of personal data for HR management purposes. The Terms were adopted following a public consultation and published on the CNIL’s website on 15 April 2020.

Purpose and legal significance of the terms of reference:

The Terms are intended to apply to all private and public organizations. They replace the norms that were applicable before the GDPR’s entry into force, including NS-46 on HR management and the norm on payroll processing.

Whilst not mandatory, the Terms are intended to be a compliance assistance tool. Data controllers may deviate from its recommendations (for example, by applying retention periods different from those suggested in the Terms, or by identifying other legal bases for processing, etc.), provided that they can justify and remain accountable for their decisions..


The Terms apply to the HR processing activities that are most frequently carried out by employers.  In order to best meet the needs of organizations, the Terms cover not only HR management, but also payroll management and the most common recruitment processes, as follows:

  • recruitment;
  • administrative management of personnel;
  • management of remuneration and completion of related administrative formalities;
  • provision of professional tools to staff;
  • work organization;
  • career and mobility monitoring;
  • training;
  • keeping of compulsory registers;
  • relations with staff representatives;
  • internal communication;
  • management of social assistance;
  • carrying out audits; and
  • managing litigation and pre-litigation

Excluded processing activities

Certain processing activities are not covered due to the types of issues raised.  Excluded from the Terms, for example, are access controls to enter work premises using biometric devices (for which the CNIL has adopted a mandatory standard); whistleblowing (for which the CNIL has adopted specific terms of reference); CCTV; listening to and recording of telephone conversations; and algorithmic analysis aimed at predicting employee behaviour or productivity.

Processing activities that are intrusive or that use particularly innovative tools are also excluded from the scope of the Terms. A controller that intends to implement such systems must ensure that its approach complies with the regulations in force, by carrying out its own analysis and in most cases a Data Protection Impact Assessment (“DPIA”) in line with applicable guidance.

Legal basis for processing

The most frequently used legal bases in the context of HR management are:

  • compliance with a legal obligation incumbent on the organization, imposing the implementation of processing within the framework of HR management (e.g. obligations related to the keeping of a single register of staff);
  • the performance, either of a contract to which the employee is a party, or of pre-contractual measures taken at his/her request;
  • the legitimate interest pursued by the organization or by “the recipient of the data” (the text of Article 6 of the GDPR is wider as it refers to legitimate interest of a third party and does not limit it to data recipients), except where such interests are overridden by the interest or rights and freedoms fundamentals of the data subject;
  • the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Given that employees and job applicants are rarely in a situation to refuse, consent can be used only in limited circumstances. The CNIL notably considers that consent may not be used for recruitment purposes.

The CNIL has provided a table listing the purpose and one or more legal bases that may apply to each of the most common HR processing activities. It points out that each organization shall nevertheless have to verify which lawful basis should apply in each particular circumstances.

Categories of personal data

The CNIL lists the categories of data likely to be necessary for each processing purpose.

It reminds controllers that only strictly necessary data should be collected and processed (data minimization principle) and that data collected for a given purpose may only be reused for another purpose if such use is itself lawfully justified.

Sensitive data

Certain categories of data call for increased vigilance because of their nature.

  • In France there are only very limited cases where special categories of data under Article 9 of the GDPR can or have to be processed. Health data is collected only for very limited purposes, such as vocational illness or accidents at work, and adjustments to the workplace for disabilities. [1] Information on trade union membership may also be collected in very limited circumstances.
  • An individual’s national identity (social security) number may only be processed as set out by a special decree of 19 April 2019 or Article L. 444-5 of the Labour Code [2]
  • Data relating to offenses, criminal convictions and related safety measures.

Recipients of the data

The Terms list the various categories of recipients and remind controllers that access to the data more generally should be restricted to authorized personnel. The Terms also reiterate that transfers of data outside of the EEA require adequate safeguards to be implemented.

Retention periods

The CNIL reminds employers that data should not be kept for longer than is necessary and that they need to determine the adequate applicable retention periods as well as inform data subjects thereof.

The Terms provide a very short list of indicative retention periods “depending on the context”. (The CNIL has announced that it will publish more comprehensive guidance on retention periods but as many companies have already experienced, this is not an easy exercise).


The CNIL has published lists of processing activities that do or do not require a DPIA[3] and has indicated that employees are generally considered as “vulnerable data subjects”. For HR data, a DPIA is notably required for:

  • Processing whose purpose is to constantly to monitor the activity of the relevant employees (e.g. “Data Loss Prevention tools” , CCTV etc.); and
  • Establishing profiles of individuals for HR management purposes (e.g. evaluation or scoring using artificial intelligence).

Other topics

  • The general obligations in respect of transparency and other obligations under the labor regulation including consultation of employee representatives, remain in place.
  • The standard also sets out in very general terms, and without detail, the rights of data subjects.
  • The document lists a series of security measures.

The CNIL’s standard terms of reference for HR management will be useful guidance for employers. There are, however, a number of issues that require more in-depth analysis and these should be tailored to the organization’s actual processing activities, both from a data protection and employment law perspective.

Please do not hesitate to ask our Data Protection & Cybersecurity team if you have any comments or require assistance.

[1] The CNIL has notably reminded employers of the fact that they may not systematically collect health information for the purpose of health and safety during the Coivd19 pandemic as this should be carried out by healthcare professionals. See our blog ‘Recommendations by the CNIL in the Context of COVID-19.

[2] See our blog Use of the Social Security Number in France.

[3] See our blog The CNIL Has Published Its List of Processing Activities Requiring a DPIA