Personio offers a variety of settings for protecting the data of your employees and candidates in accordance with the requirements of your organization and those of the EU GDPR.
General information about data security and our white papers "EU GDPR at Personio" and "AWS at Personio" are available on our website.
Define Account Owners and Contract Owners
Go to Settings > SUPPORT > Support to define Account Owners and Contract Owners. Account Owners can contact Customer Service for account-related requests, while Contract Owners deal with the Customer Growth & Success Team for all subscription-related matters. Both roles are also authorized to issue instructions to Personio as your data processor under the EU GDPR (for example, to delete data). The contact details saved in this section are synchronized with our CRM system so that, when someone contacts us with a request, we can verify that they are authorized to make it. Keep this list current: a person who has left your organization but is still listed as an Account Owner or Contract Owner remains able to authorize such requests.
For detailed information on defining Account Owners and Contract Owners, read our article What are Account Owners and Contract Owners in Personio?
Data Processing Agreement (DPA)
From 25.05.2018, Personio is required to provide and conclude with you a Data Processing Agreement (DPA). To minimize administrative effort on both sides, we provide the option of concluding the DPA directly in Personio. Go to Settings > SUPPORT > Subscription and Billing > Data Processing Agreement (DPA), enter your contractual information, and generate your agreement. You can download it and pass it on to your Legal Department or Data Privacy Officer for review. After it has been reviewed, your Managing Director or another authorized person can conclude the agreement electronically online.
For further information on the DPA, read our article Where can I find Personio's data processing agreement?
Restrict access to customer accounts
With the EU GDPR in effect, Personio employees do not have access to your Personio account by default. If you would like our Customer Success Team to assist you with the initial setup of your account or with service requests, you first need to grant our support team access to your account. Access can only be granted by Account Owners or Administrators, and it can be revoked at any time. Revoke it as soon as the request has been handled rather than leaving it open.
For detailed information on granting access to Personio employees, read our article Impersonation Access by Personio.
Email notifications
Decide whether you would like to globally activate system email notifications for you and your employees. You can do this under Settings > Company > Email notifications enabled. If this option is activated, users can select under their personal settings which notifications or approval requests and reminders they would like to receive via email. If this option is deactivated, no system email notifications will be sent by Personio to any user under your account.
For detailed information on email notifications from Personio, read our article Notifications and Tasks in Personnel Administration.
Complete export of company data
Personio offers the option to download all of your company data in a structured, common and machine-readable format at any time. Account Owners and Contract Owners may run a complete export of all company data saved in Personio under Settings > Company. After you have generated the export, you can download it as a ZIP file.
For detailed information on exporting your company data, read our article Export of Company Data.
Password security
To ensure that your Personio password meets high security standards, it needs to fulfill particular requirements when it is set. After three consecutive failed login attempts, we send a security token to the employee's email address.
Go to Settings > Authentication > Password configuration to decide whether your employees should be asked to change their password every 90 days. Whether to activate this option as an additional security measure is your decision. Note that current guidance such as NIST SP 800-63B recommends against mandatory periodic password changes unless there is evidence of compromise, so weigh this setting against your own password policy.
Data privacy statement on your Personio career page
As a person or entity responsible for the online application process via your career page, you are required by law to process personal data exclusively in accordance with current legislation. Within the application process, this usually involves specific pre-contractual measures and/or the candidate's consent. Additionally, you are required to observe the rights of applicants such as the right to transparency and to receiving information regarding their data. To manage these aspects, please store a privacy statement under Settings > Recruiting > Career Page that candidates need to agree to before they submit their application.
Anonymize personal candidate data
With Personio, you can fully anonymize candidate data. To do this, go to Settings > Recruiting > General and activate Anonymize data automatically. After the retention period you have defined, this irreversibly deletes all personal data of candidates who have either declined your offer or been rejected; there is no way to restore it afterwards. Anonymized metadata of candidates, i.e. data that is not personal, is retained for reporting purposes.
Read more about Anonymizing and Deleting Candidate Data.
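The following is an added illustration of the retention rule described above, not Personio's own code: it models candidate records whose process ended without a hire, blanks their personal fields irreversibly once a configurable retention period has elapsed, and keeps non-personal metadata (position, source, status) for reporting. The field names, the retention period of 180 days and the sample records are assumptions constructed for the example.

```python
"""Retention-based anonymization of candidate records (added illustration,
not Personio's code). Field names, retention period and sample data are
assumptions made for the example."""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Optional

# Fields treated as personal data: emptied, not hashed or pseudonymized,
# because a reversible or re-identifiable value would still be personal data.
PERSONAL_FIELDS = ("first_name", "last_name", "email", "phone", "cv_text")
# Application outcomes that end the process without a hire.
CLOSED_STATUSES = {"rejected", "declined"}


@dataclass(frozen=True)
class Candidate:
    candidate_id: int
    status: str                     # applied / hired / rejected / declined
    decision_date: Optional[date]   # date of the rejection or declined offer
    position: str                   # non-personal metadata, retained
    source: str                     # e.g. "career page", retained
    first_name: str = ""
    last_name: str = ""
    email: str = ""
    phone: str = ""
    cv_text: str = ""
    anonymized: bool = False


def is_due(c: Candidate, today: date, retention_days: int) -> bool:
    """True if the process is closed and the retention period has elapsed.
    Hired and still-open candidates are never touched; a closed candidate
    without a decision date cannot be assessed and is left alone."""
    if c.anonymized or c.status not in CLOSED_STATUSES or c.decision_date is None:
        return False
    return today - c.decision_date >= timedelta(days=retention_days)


def anonymize(c: Candidate) -> Candidate:
    """Return a copy with every personal field emptied; metadata is untouched."""
    blanked = {name: "" for name in PERSONAL_FIELDS}
    return replace(c, anonymized=True, **blanked)


def run_anonymization(candidates, today: date, retention_days: int):
    """Apply the rule to all records. Idempotent, so it is safe to run on a schedule."""
    return [anonymize(c) if is_due(c, today, retention_days) else c for c in candidates]


def reporting_view(candidates):
    """What remains usable for reporting after anonymization: counts per position and status."""
    counts = {}
    for c in candidates:
        key = (c.position, c.status)
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample data; not real people.
SAMPLE = [
    Candidate(1, "rejected", date(2023, 11, 1), "Backend Engineer", "career page",
              "Ada", "Example", "ada@example.invalid", "+49 000", "cv text"),
    Candidate(2, "declined", date(2024, 3, 1), "Backend Engineer", "referral",
              "Bob", "Example", "bob@example.invalid", "+49 000", "cv text"),
    Candidate(3, "hired", date(2023, 10, 1), "Security Engineer", "career page",
              "Cy", "Example", "cy@example.invalid"),
    Candidate(4, "applied", None, "Security Engineer", "career page",
              "Di", "Example", "di@example.invalid"),
]

if __name__ == "__main__":
    result = run_anonymization(SAMPLE, date(2024, 6, 1), retention_days=180)
    for c in result:
        print(c.candidate_id, c.status, "anonymized" if c.anonymized else "kept", repr(c.email))
    print(reporting_view(result))
```

With a reference date of 2024-06-01 and a 180-day period, only candidate 1 (rejected 213 days earlier) is anonymized; candidate 2 is still inside the period, and the hired and open candidates are never touched. Two points carry over to any real implementation: personal fields are emptied rather than hashed, since a hash of an email address can still be matched back to a person, and blanking the record in one system is only part of the job, because copies in exports, backups and mailboxes are subject to the same obligation.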
Who can do what?
For some of these functions, you need specific access rights. The following three are relevant:
- Administrators are defined under Settings > Employee roles and can view and edit everything in your Personio account, except for functions that are exclusive to Account Owners or Contract Owners.
- Account Owners are defined under Settings > SUPPORT > Support > Account Owners. They can contact Personio's Customer Service team about technical questions and are authorized for GDPR-related instructions.
- Contract Owners are defined under Settings > SUPPORT > Support > Contract Owners. They are in contact with Personio's Customer Growth & Success Team for all subscription-related matters and are authorized for GDPR-related instructions.
| Function | Administrators | Account Owners | Contract Owners |
|---|---|---|---|
| Adding, changing and deleting Administrators | ✓ | | |
| Adding, changing and deleting Account Owners | ✓ | ✓ | |
| Adding, changing and deleting Contract Owners | ✓ | | ✓ |
| Access to the DPA | | | ✓ |
| Changing the access restriction for Personio's Customer Service | ✓ | ✓ | |
| Contacting Customer Service for technical questions | | ✓ | |
| Personio's point of contact for all financial matters | | | ✓ |
| Contacting Customer Growth & Success for subscription-related questions | | | ✓ |
| Export of all company data and documents | | ✓ | ✓ |
| GDPR-related instructions, e.g. the deletion of data or viewing of log files | | ✓ | ✓ |