How do I need to set up my Personio account to comply with data protection rules?

Personio offers a variety of data protection settings you can select to meet both your individual company requirements and the ones of the EU GDPR.

Please check out our website regarding data security (in German), our whitepaper “EU GDPR at Personio” (in German), and “AWS at Personio” (in German).  

In the following, we will describe how to set up your HR and recruiting management to comply with the data protection regulations of the EU GDPR. We recommend you check the following settings or conduct the initial setup as follows:


1. Define and authorize employees for support and instructions

Navigate to Settings > Support > Authorized employees for support and instructions, authorize up to seven employees to contact the Personio support teams, and decide whether these employees should also be authorized to give instructions within the meaning of the EU GDPR. All contact details saved in this section of your account are synced with our CRM system, allowing us to verify whether the person getting in touch with us is actually authorized to do so.

Please find further details on how to authorize employees for support and instructions here.


2. Data processing agreement (DPA)

Since May 25, 2018, Personio is required to provide and conclude a data processing agreement (DPA) with you. In order to minimize the administrative workload for both parties, we offer the option to conclude the DPA in Personio. Navigate to Settings > Plan & Billing > Data processing agreement (DPA), enter your contract details and generate your individual contract. You can download the contract and pass it on to your legal department or data privacy officer for review. Having reviewed the contract, a managing director or any other authorized person can conclude the contract online by checking the respective box.

Please find further details on the DPA here.


3. Restricted access to customer accounts 

Since the EU GDPR went into effect on May 25, 2018, Personio staff no longer have impersonation access to your Personio account unless you explicitly grant it. In order for our Customer Success Team to support you in initially setting up your account or when using the account, you need to grant impersonation access to your account. This can only be done by employees who were authorized for support and instructions under Settings > Support. You can revoke the access rights at any time.

Please find further details on the impersonation access rights for Personio staff here.


4. Phone PIN (not active yet)

To prevent unauthorized access to your data, all employees authorized for support and instructions need to clearly identify themselves when contacting Personio’s Support Team. This is why our support staff request a valid phone support PIN before acting on a call. This way, we can protect your data from unauthorized access. Authorized employees find their personal support PIN under Personal Settings > Support. They can change their PIN at any time, for example if they suspect their account has been compromised.

Please find further details on our phone PIN here.


5. E-mail notifications 

Please decide whether you wish to globally activate or deactivate system e-mail notifications. Navigate to Settings > Company > Email notifications enabled. When this option is activated, all employees can choose in their personal settings which notifications (e.g., approval requests or reminders) they would like to receive via e-mail. When this option is deactivated, no system e-mail notifications are sent to anyone in your Personio account.

Please find further details on e-mail notifications in your Personio account here.


6. Export of all company data 

Personio offers the option to download all data in a structured, common, and machine-readable manner at any time. Employees authorized for instructions can run a complete company export with all data saved in Personio under Settings > Company. The data will be provided as a zip file you can download to your computer.

Please find further details on the export of your company data here.


7. Password security 

To ensure a high security standard, you need to comply with certain security requirements when choosing a password for Personio. Please note that your employees’ access to their Personio account will be blocked after three failed login attempts. Please find further details on how to reactivate access to an account here.

Under Settings > Authentication > Password configuration you can determine whether your employees will be asked to change their password every 90 days. We leave it up to you to decide whether you want to enable this additional security measure.


8. Data privacy statement on your Personio career page

As the company inviting applications for your job openings via the career page, you are obliged by law to process personal data within the respective legal framework. This usually means that in the application process you need to carry out specific pre-contractual measures that may or may not require the applicants’ consent. Additionally, you are required by law to respect the rights of the respective applicants, e.g., their right to transparent information regarding the processing of their data. In order to manage these aspects, please enter a privacy statement at Settings > Recruiting > Career Page, to which applicants need to agree before being able to submit their application.

Please find all details and templates of privacy statements here.


9. Deletion of personal applicant data 

Personio offers a feature to completely and irreversibly delete applicant data. Activate the automatic deletion of applicant data under Settings > Recruiting > General: this will irreversibly delete all personal data of rejected applicants or those who declined your offer after the custom period you selected. Anonymized metadata of the applicants without personal reference is saved for reporting.

Please find further details on the automatic deletion of applicant data here.


Who is allowed to do what?

For some of the functions described above, you need special rights. The following three rights are relevant:  

  • Administrators are appointed under Settings > Employee roles and can view and edit everything in your Personio account (except for functions reserved for employees authorized for support and instructions).
  • Employees authorized for support are appointed under Settings > Support. Employees authorized for support receive a telephone PIN (this function is not yet active), which they use to verify their identity when contacting our customer service. This helps to better protect your data.
  • Employees authorized for instructions are appointed under Settings > Support via the corresponding checkbox of the authorized employee for support. Persons who are authorized for instructions within the meaning of the EU GDPR can, for example, request data deletion. Employees authorized for instructions are always automatically authorized for support as well. Those employees authorized for instructions in Personio automatically become part of the data processing agreement.

| Function | Administrators | Authorized for support | Authorized for instructions |
|---|---|---|---|
| Adding, changing, and deleting Administrators | X | | |
| Adding, changing, and deleting Authorized employees for support | X | | |
| Adding, changing, and deleting Authorized employees for instructions | | | X |
| Access to the DPA | X | | |
| Changing the access restriction for the Personio Customer Service | In future: administrators also (in progress) | | X |
| Export of all company data and documents | | | X |
| Instructing the deletion of data, for example, or viewing log files | | | X |
| Contacting the service team of Personio | | X | |
