Data Protection in Human Resource Management

Data protection in human resources is a top priority in order to protect the personal rights of employees. The following article explains what you need to watch out for.

The aim of data protection is to protect the personal rights of applicants and employees. The Federal Data Protection Act has regulated data protection for employees since 2017 and gives them clearly defined rights. Accordingly, every employee has the right to request and have access to information from their employer about the data stored on them, including their personnel file.

The employer also has to inform the employee about the following:

What data has been collected?
How is the collected data processed?
Who has access to the data?
How long and after what criteria is the data being stored?

If the collected data is incorrect or outdated, the employee has a right to have their data deleted or corrected.

The employer is obliged under the Data Protection Act to keep personal information strictly confidential. In return, the employee is obliged to provide all necessary data for employment.

If personal data is transmitted to third parties, e.g. for the purpose of payroll accounting, this transmission may only take place in encrypted form. The data has to be protected from access by unauthorised third parties within the company. In case the company works with modern software, it can rest assured that the data protection requirements are being fulfilled. In order to document the individual data processing steps, the software creates a register of processing activities in accordance with Art. 30 (2) GDPR.

There are also certain requirements that have to be met when it comes to application management. For example, the application documents and all related data can only be stored for a maximum of six months. Applicant data may be forwarded to other persons involved in the application process. However, after six months all data pertaining to the applicant has to be entirely deleted, including emails. Upon request by the applicant, the HR department must be able to prove to whom the documents have been forwarded and that the deletion has taken place.

This goes to show that data protection in human resources is a very important topic. A breach of data protection regulations can result in fines of up to €20 million or up to 4% of the company’s annual worldwide turnover (whichever is higher).