The French Data Protection Authority (CNIL) published practical guidelines to help employers and recruiters manage personal data of employees and job candidates (“personnel data”), in addition to the Work & Personnel Data Guidance Sheet and Guide for Employers and Employees.


During the recruitment process, employers should only collect information that may help them assess the candidate’s ability to perform the job duties, such as their qualification and experience. Employers are not allowed to ask for the job candidate’s social security number or information about their immediate family, political opinion, or trade union membership.


Employers may collect additional information at the hiring stage, or information necessary for complying with a legal obligation. Employers may also collect “useful” information, such as:

  •  administrative information, e.g. driver’s licence details, emergency contact details;
  • organizational information, e.g. optional photograph for internal directory and organization chart;
  • information to administer benefits, e.g. the employee’s beneficiaries.

Employees should have access to comments employers recorded about them which must remain objective and proportionate.


Employers should ensure controlled and limited access to personnel data, and record any access or use of the data. Only persons involved in the recruitment process should have access to job candidates’ data. In addition to the public organizations informed of the hiring, such as social organizations, only HR staff should have full access to employee data. Supervisors may have access to data necessary for performing their duties, for example, assessment data, compensation data etc.. Employers may reveal employees’ personal address and phone number if required by law or court ruling. Works council, union representative and other relevant authorities can also obtain information they require to carry out their missions. Trade Unions may, with the employer’s consent, send trade union information  by electronic emails to employees who may opt out at any moment.

Employers must ensure the security of employee data processing, and restrict access to authorized persons only on a need-to-know basis. Authorized persons keep a record all the processing activities performed on employee data, for example, who and when the data is accessed and for what purpose.

Data Protection Rights

Candidates and employees should be informed of:

  •  the identity of the owner of the file;
  •   the purposes for using the data;
  • whether the information was mandatory or optional, and the consequences of failure to respond;
  • the recipients of the data;
  • how to exercise their data protection rights (collection, access, rectification).

In the event of a transfer, candidates and employees must also be informed of the conditions of transfer including:  name of the recipient country, purpose of the transfer, categories of data transferred, and the transfer mechanism used to protect the data, such as EU Commission Model Clauses.

Job candidates should also be informed of the methods and tools used for recruitment.

A candidate or an employee has the right to obtain a copy of their personal data by a simple request without having to provide a reason.


When the candidate’s application has been rejected, the recruiter must inform the candidate if their data will be kept, and gives the candidate the opportunity to object to the retention. If the candidate does not object to the retention of their data, the data shall be automatically destructed two years after the last contact with the candidate, except where the candidate formally agrees to a longer retention period.

Employers should keep employee data for the whole duration of employment; once the employee leaves the organization, certain information must be kept in  archive mode . For example, pay slips of an employee must be kept five years after the termination of their employment.

CNIL notification

Employers must file a normal notification with the CNIL for any recruitment personnel data and a simplified notification for HR management (provided that the HR management data processing complies with the simplified norm n°46). Otherwise a normal notification may cover both data processing purposes. Any data processing which has not been notified to CNIL may not be enforceable against a data subject.

Employers may be exempted from filing a notification  if they have appointed a data protection officer. The data protection officer must, however, hold an internal record ofall data processing activities carried out by the employer. Such exemption does not apply the employer transfers any data to non-EU countries which do not offer an adequate level of protection, and if the data processing is not eligible to the application of simplified norm.

Contributor – Frances Chen