How long should HR data be retained when the law is silent? The CNIL guidelines as a useful reference framework.

The General Data Protection Regulation (GDPR) requires employers to retain personal data only for a limited period that is proportionate to the purpose pursued. In practice, while certain retention periods are expressly provided for by law, many HR data categories are not subject to any defined statutory retention period. In this context, the Commission nationale de l'informatique et des libertés (CNIL), the French data protection authority, has published a reference framework on retention periods for personal data in the field of human resources management. Although it is based on French law, this document contains best-practice recommendations that may serve as useful guidance for Belgian employers, particularly in the absence of applicable statutory retention periods.

An operational framework based on the principle of storage limitation

The reference framework of the CNIL covers the main HR activities and proposes indicative retention periods for each category of data. It generally distinguishes between two phases:

• an active retention phase, strictly limited to the period necessary for the purpose of the processing. During this period, the data are directly accessible to HR departments for day-to-day management purposes;
• where applicable, an intermediate archiving phase, with access restricted to specifically authorised persons, for data that retain administrative or evidentiary value (notably for the defence of the employer in the event of a dispute) or that must be retained in order to comply with a legal obligation.

This framework is intended to be operational and to facilitate the practical implementation of the principle of storage limitation laid down in the GDPR.

Where a retention period is explicitly prescribed by law in Belgium, such statutory period naturally takes precedence. This applies, among others, to:

• tax-related documents (such as tax forms: recently extended from 7 years to 10 years); 
• social security documents (e.g. DMFA declarations: 5 years; Dimona notifications: 6 months from receipt); 
• occupational accident records (10 years); 
• CCTV footage (maximum 30 days); 
• documents relating to construction and real estate (such as invoices and contracts with contractors and architects: 10 years); 
• etc.

Conversely, in the absence of applicable statutory retention periods, the recommendations of the CNIL, based on the requirements of the GDPR and the experience of supervisory authorities, provide useful guidance for assessing proportionate retention periods.

Examples of recommendations drawn from the reference framework

1. Recruitment data – unsuccessful candidates

For the CVs and cover letters of unsuccessful candidates, the CNIL recommends limited retention after the close of the recruitment process, in particular with a view to potential future opportunities. Where such data are retained in a CV database, the reference framework provides for:

• retention in the active database for up to maximum two years from the last contact with the unsuccessful candidate,
• provided that the profile remains of interest to the employer and that the candidate has not objected.

For evidentiary purposes, in particular in the event of litigation relating to discrimination, the CNIL recommends intermediate archiving for a period of five years from the date on which the position was filled, with strictly limited access. In Belgium, given the extension of limitation periods to ten years for criminal offences, intermediate archiving for up to ten years from the date on which the application was rejected or the position was filled could therefore be justified for evidentiary purposes.

2. Data contained in the employee’s personnel file

Evaluations, warnings, amendments to the employment contract, and other related data may, in principle, be retained for the duration of the employment relationship, i.e., as long as the employee remains part of the workforce.

After termination of the employment contract, retention may continue in intermediate archiving where the employer is legally required to do so (see above) or wishes to retain evidence in the event of potential litigation. Such retention must be limited to the applicable limitation period, with restricted access, and without maintaining the data in active HR systems.

In principle, actions arising from an employment contract are time-barred one year following the end of the employment contract. However, certain claims may also be based on a criminal offence (e.g., in cases of non-payment of remuneration or discrimination), in which case the limitation period may be extended to ten years. Retention of the relevant data in intermediate archiving for that period may therefore be justified.

Here again, the underlying logic is compliance with a proportional retention period which lasts no longer than necessary. 

Action point 

A prudent approach for employers consists in:

• first verifying whether a minimum or maximum retention period is expressly provided under Belgian law for the data concerned;
• in the absence of a legally defined retention period, determining the applicable retention period by taking into account operational needs, statutory limitation periods, and technical constraints. In this context, the recommendations issued by the CNIL reference framework may be useful;
• formalising the chosen retention periods in a data retention policy, where appropriate, clearly distinguishing between active retention, intermediate archiving, and deletion.

Such an approach contributes to strengthening compliance with the GDPR and increases the legal certainty within your HR practices.