The French Data Protection Authority (CNIL) has recently released new guidelines regarding human resources processing operations.
When the GDPR became effective, the CNIL’s previous set of HR Data guidelines became out of date as they did not incorporate the new law’s requirements ( e.g. obligations relating to records of processing activities and Data Protection Impact Assessments).
The new guidelines include a comprehensive grid of applicable legal bases for processing related to each standard HR purpose, including: compliance with a legal obligation, performance of a contract or steps taken prior to entering into a contract, legitimate interests, or tasks performed in the public interest or in the exercise of official authority vested in the controller.
Source: CNIL’s New Guidelines on HR Processing