Privacy Settings in Personio

Personio offers a variety of settings for protecting the data of your employees and candidates in accordance with the requirements of your organization and those of the EU GDPR.

General information about data security and our white papers "EU GDPR at Personio" and "AWS at Personio" are available on our website.

In light of the EU GDPR, this article offers you a guide to ensuring that your employee and candidate management is data protection compliant. We recommend checking and using the following settings:


1. Defining Authorized Employees for Support and Instructions

Go to Settings > Support > Authorized employees for support and instructions to define up to two employees who will be authorized to request support. Also decide whether these employees will be authorized to issue instructions in accordance with the EU GDPR. The contact details saved in this section are kept synchronized with our CRM system, thus allowing us to verify whether the person contacting us with a request is authorized to do so.

See this article for detailed information on defining authorized employees for support and instructions.


2. Data Processing Agreement (DPA)

From 25.05.2018, Personio is required to provide and conclude with you a Data Processing Agreement (DPA). In order to minimize administrative effort on both sides, we provide the option of concluding the DPA directly in Personio. Go to Settings > Plan & Billing > Data processing agreement (DPA), enter your contractual information, and generate your agreement. You can download it and pass it on to your legal department or data privacy officer for review. After it has been reviewed, your Managing Director or another authorized person can conclude the agreement electronically online.

For further detailed information about the DPA, click here.


3. Restricting Access to Customer Accounts

With the EU GDPR coming into effect, employees of Personio, by default, do not have access to your Personio account. If you would like to contact our Customer Success Team to receive assistance with the initial setup of your account or with service requests, you first need to grant our support team access to your account. Access can only be granted by employees who have been defined as authorized employees for support and instructions under Settings > Support. You can revoke the access rights any time.

Click here for detailed information on granting access to Personio employees.


4. Email Notifications

Decide whether you would like to globally activate system email notifications for you and your employees. You can do this under Settings > Company > Email notifications enabled. If the option is activated, users can select under their personal settings which notifications or approval requests and reminders they would like to receive via email. If the option is deactivated, no system email notifications will be sent by Personio to any user under your account.

Click here for detailed information about email notifications from Personio.


5. Complete Export of Company Data

Personio offers the option to download all of your company data in a structured, common and machine-readable format at any time. Employees authorized for instructions may run a complete export of all company data saved in Personio under Settings > Company. After you have generated the export, you can download it as a ZIP file.

Click here for detailed information about exporting your company data.


6. Password Security

In order to ensure that your Personio password meets high security standards, it needs to fulfill particular requirements. Note that an employee's access to their Personio account will be blocked after three failed login attempts. Learn here how to reactivate access to a blocked account.

Go to Settings > Authentication > Password configuration to determine whether your employees should be asked to change their password every 90 days. We leave it up to you to decide whether you would like to activate this option as an additional security measure.


7. Data Privacy Statement on Your Personio Career Page

As a person or entity responsible for the online application process via your career page, you are required by law to process personal data exclusively in accordance with current legislation. Within the application process, this usually involves specific pre-contractual measures and/or the candidate's consent. Additionally, you are required to observe the rights of applicants, such as the right to transparency and to receiving information regarding their data. To manage these aspects, please store a privacy statement under Settings > Recruiting > Career Page that candidates need to agree to before they submit their application.

For detailed information about the privacy statement and a template, click here.


8. Anonymizing Personal Candidate Data

With Personio, you can fully anonymize the candidate data. To do this, go to Settings > Recruiting > General and activate Anonymize data automatically. This will, after the period you have defined, irreversibly delete all personal data from candidates who have either declined your offer or have been rejected. Anonymized metadata of candidates, i.e. data that is not personal, is retained for reporting purposes.

Click here for further information on anonymizing candidate data.


Who Can Do What?

For some of these functions, you need specific access rights. The following three are relevant:

  • Administrators are defined under Settings > Employee roles and can view and edit everything in your Personio account, except for functions that are exclusive to authorized employees for support and instructions.
  • Employees authorized for support are defined under Settings > Support. Employees authorized for support will receive a phone PIN (this function is not yet active) that they will need to authenticate themselves with our customer service team when requesting assistance. This helps to better protect your data.
  • Employees authorized for instructions are defined under Settings > Support by checking the corresponding box next to the relevant authorized support employee. Persons who are authorized to issue instructions in accordance with the EU GDPR can, for example, request the deletion of their data. They are always automatically authorized for support. Employees who are authorized for instructions in Personio automatically become part of the data processing agreement.
Function                                                              | Administrators | Authorized for support | Authorized for instructions
----------------------------------------------------------------------|----------------|------------------------|----------------------------
Adding, changing and deleting Administrators                          | X              |                        |
Adding, changing and deleting Employees authorized for support        | X              |                        |
Adding, changing and deleting Employees authorized for instructions   |                |                        | X
Access to the DPA                                                     | X              |                        |
Changing the access restriction for Personio's customer service       |                |                        | X
Export of all company data and documents                              |                |                        | X
Instructions, e.g. the deletion of data or viewing of log files       |                |                        | X
Contacting Personio's service team                                    |                | X                      | X

