EU-GDPR, a major challenge for personnel management

1 March 2018

“Without software that complies with data protection requirements, employee data must be deleted manually”

Many businesses are currently involved in intensive preparations for the EU General Data Protection Regulation (EU-GDPR) and its new and tightened requirements involving the protection of personal data. Their efforts often focus on data pertaining to persons outside of their organisations, such as customers, suppliers or job applicants. However, it is equally important to process employee data in compliance with data protection regulations.

Vienna / Linz, February 22, 2018 Dealing with sensitive data is part of everyday life in HR departments. The strict provisions of EU-GDPR concern the handling of all personal data, irrespective of whether it is information on employees or on candidates for a job. The data protection requirements cover the entire processing workflow, starting with the collection of data, its storage, inquiries, usage and transmission up until its deletion. Data protection compliance must therefore be an integral part of personnel administration.

“Businesses may face penalties of up to 20 million euros or 4 percent of their group turnover if they fail to comply with the basic principles of data processing, such as purpose limitation, data minimisation or data deletion”, warns Dr. Rainer Knyrim, lawyer and data protection expert at Knyrim Trieb Rechtsanwälte. “Businesses are accountable”, he adds. “They need to be able to prove to the authorities that they adhere to these basic principles.” 

In the course of a press meeting, Hasan Cakmak, product manager Fabasoft Personnel File, and Rainer Knyrim, Fabasoft’s legal adviser, explained some of the key concepts of EU-GDPR with regard to the introduction of an electronic personnel file: the principles of purpose limitation, storage minimisation, storage limitation and the rights of data subjects.

Restricting access on personnel data

The personnel files of long-term employees can be rather comprehensive: They may hold recommendations, training certificates, records on performance reviews, private addresses, mobile phone numbers and social security numbers, sick notes and much more. This short list already shows the sensitive nature of the data that is stored for each employee, and that access to it must be very restrictive.  

EU-GDPR requires that personal data may only be processed within the intended purpose and to an extent as limited as possible. This means that the accounting department may only access the required data when it is paying the salaries. A member of the HR department who is responsible for trainings needs access to the acquired certificates, completed trainings and training needs – but not more.

“Implementing different retention periods within a personnel file is particularly difficult. Without a software tool that can handle this requirement, data must regularly be deleted manually in order to comply with data protection”, Hasan Cakmak and legal expert Knyrim agree.

Fabasoft Personnel File: The foundation on which to comply with EU-GDPR

This effort can be avoided. “Modern solutions for personnel file management are capable of digitising HR processes, increasing efficiency and forming the basis on which to comply with EU-GDPR”, Hasan Cakmak explains. In addition, EU-GDPR can only be met successfully if the “digital personnel file” can be integrated with the existing IT solutions of a company and if it has the highest levels of certified security standards. Appliances, i.e. preconfigured hardware/software combinations, allow for a particularly quick and cost-effective introduction of a digital personnel file management system.

Hasan Cakmak concludes by saying: “With the Fabasoft Personnel File it is possible to manage all documents on an employee centrally and in full recognition of legal requirements. Many HR software solutions only focus on the employee master data such as addresses, salaries, social security numbers, etc., but completely disregard that this information is also available in documents.” 

About Fabasoft

Fabasoft is a leading European and listed software manufacturer and Cloud provider for digital records management and electronic document, process and file management headquartered in Linz, Austria. Fabasoft’s products are used to digitise, accelerate and improve business processes – within an organisation and across the boundaries of organisations or countries. The software products and Cloud services cover the feeding, structuring, team- and process-oriented processing and executing, the safe retention and context-sensitive finding of all business documents for organisations. Customers benefit from almost 30 years of innovation and experience in boundless digital records management.

Dr. Rainer Knyrim 

is a data protection expert at Knyrim Trieb Rechtsanwälte OG and one of Austria’s leading experts on data protection. The founder and partner at Knyrim Trieb Rechtsanwälte is a certified expert for the European Privacy Seal EuroPriSec and is advising organisations in matters of data protection, currently in particular the EU’s General Data Protection Regulation. Dr. Knyrim also shares his knowledge as the editor-in-chief of the Austrian data protection law review “Datenschutz konkret” and as the author of textbooks and specialist publications. 

EU-GDPR requires that personal data may only be processed within the intended purpose and to an extent as limited as possible.  (c) Fabasoft
Hasan Cakmak, product manager Fabasoft Personnel File (on the left) and Dr. Rainer Knyrim, data protection expert at Knyrim Trieb Rechtsanwälte. (c) Fabasoft