Since May 25, 2018, businesses have been facing stricter, but also clearer, directives with regard to the processing of personal data. While most organisations have focussed their attention on data pertaining to customers, suppliers and job candidates, some seem to have overlooked that the requirement to implement the new general data protection regulation does not stop with protecting the data of external persons. After all, the principles of the new EU-GDPR also apply to in-house processing, mainly of personnel data.
Principles of GDPR
In my previous blog article “Digital management of personnel files, restful sleep” I addressed the first two principles of the new general data protection regulation: data minimisation and purpose limitation. The Fabasoft Personnel File, however, also meets the other basic principles of the new EU-GDPR and therefore facilitates day-to-day HR operations with regard to the sensitive topic of data protection. Let’s take a look at the complex issue of “storage limitation”.
Where exactly is the problem?
What does storage limitation actually mean? HR managers are facing different requirements concerning the retention of personnel data. The law sets out specific retention periods for every type of data. Data pertaining to employees who have left the company is a very good example to highlight this problem. At a certain point in time, this data must be deleted. Formerly, these data collections gathered dust in physical archives. Today, the data protection authorities demand that these digital “perpetual employees” no longer exist. The authorities are authorised to check at any given time whether HR departments employ a legally compliant concept for storage and deletion.
Deadlines, rights and obligations
But why is Human Resources an area where these requirements are particularly hard to meet? The main reason is that there are many different storage limitations and deadlines. In Austria, for example, accounting departments must keep employee settlement accounts for seven years and then delete them with immediate effect. Testimonials, however, must be kept for the amazingly long period of 30 years to ensure that they can be re-issued upon request. This is the core of the problem: only certain data is relevant in connection with testimonials. Any other data that is not needed, for example pay slips, is subject to a different retention period and must certainly be deleted.
To make matters even more difficult for HR departments, the various deadlines have different start and end dates. Without the use of automated processes, businesses are unable to keep track and risk high penalties. Unfortunately, most systems that are in use at HR departments cannot process the great number of different retention periods and storage limitations. Equally, it does not make sense to process employee personal data manually again, least of all in the case of businesses with many employees.
Internal administration made easy
The Fabasoft Personnel File supports HR departments in adhering to all storage and deletion deadlines and automatically sends out reminders for start and end dates. The principle of storage limitation is met to the satisfaction of all parties concerned and can be maintained permanently.
In my next blog article, I will highlight how HR departments can use GDPR to their advantage. If you would like to get more information, watch our webinar “Framework conditions for data protection in the EU-GDPR-compliant digital administration of personnel files” (in German) with Dr. Rainer Knyrim, attorney at law and data protection expert.