Privacy and human resources: applying Law 25 day to day
We talk a lot about the website and cookies, then forget the employee file that holds health, discipline, and salary data. HR is often the real heart of Law 25 compliance. If this area lags, the rest is cosmetic.
Reminder: employees are individuals too. They have a right to transparency, proportionality, and protected files, not just your customers.
Common HR data
Let's acknowledge the elephant in the room: this information is more sensitive than a delivery address.
- Health and absences: accommodations, sick leave, medical notes.
- Performance and discipline: evaluations, warnings, internal investigation files.
- Time and travel: schedules, geolocation (company vehicles, punch apps).
- Images and video: workplace cameras, ID photos, recorded video conferences.
Transparency and surveillance
Every employee must know what is collected, why, and how long it is kept, before, not after, an incident. Surveillance (cameras, click tracking, reading work email) must be proportionate, justified in writing and, as a rule, announced in advance. "We monitor everything just in case" is not a policy; it is a lawsuit waiting to happen.
Day-to-day best practices
- Lean hiring: forms limited to information necessary for the role; no "nice to have" curiosity.
- Applications: CVs of unsuccessful candidates; defined retention, then destruction (data lifecycle).
- Restricted access: direct manager, HR, leadership; not the colleague in the open office.
- Two policies: employees on one side, clients on the other (governance).
Recruitment, minors, and consent: see consent.
In brief
Give HR the same seriousness you give digital marketing: clear policy, configured tools, manager training. A leaked employee file does as much damage as a compromised customer database.
Useful references
- CAI, Protection of personal information: guides for employers.
- Consent under Law 25: recruitment, minors, and HR purposes.
- Governance and policies: internal policy separate from the client policy.
This text is for information only and does not constitute legal advice. For a decision that binds your organization, consult the CAI and a legal professional.
Check your website
Several obligations show up on your public site (policy, cookies, privacy officer contact details). Our free technical scan helps spot observable gaps. It complements, but does not replace, your compliance program.