HR managers process a large amount of sensitive personal data relating to employees. In accordance with the GDPR and national regulations, such as the Federal Data Protection Act (BDSG) in Germany or the Data Protection Act (DSG) in Austria, this results in various (information) obligations and data subject rights for companies as well as authorities and public institutions. Data protection compliance is of the utmost importance, as violations can result in severe fines in addition to potential reputational damage. Consequently, it is not necessary to discuss the pros and cons of complying with legal obligations towards employees. Rather, the question is how the public administration can ensure GDPR compliance.
With the digital personnel file Talents on Fabasoft eGov, you can demonstrably comply with the regulations relating to the data protection-compliant management of your personal data. In this blog post, you will find out which aspects are particularly relevant and how you can reliably meet the requirements of the GDPR in your authority.
Confirming data accuracy, completeness & up-to-dateness
GDPR-compliant data management means ensuring that the information is correct, complete and up-to-date. In addition, as part of the principles of data minimization and purpose limitation (Art. 5 para. 1 b/c GDPR), HR managers only collect and process information that is absolutely necessary and directly related to the employment relationship. If invalid or missing data becomes known, the GDPR legitimizes the correction or deletion of this data. In addition, the principle of transparency (Art. 5 para. 1 a GDPR) and the right of access (Art. 15 GDPR) allow employees to inspect their own personnel file. In this context, it is also possible to make copies and extracts.
HR managers must therefore be able to retrieve, correct and disclose all employee data to authorized persons at any time. This poses a major challenge, especially in public administration, due to the geographical distribution of partial and ancillary files, which are often still available in paper form only. In Talents on Fabasoft eGov, all personal data is stored in one place. As a "single source of truth", the digital personnel file not only enables access to current and complete information regardless of location and time, but also allows incorrect or outdated information to be corrected quickly and easily.
Ensuring confidentiality and processing security
The GDPR places a particular focus on maintaining confidentiality and processing security (Art. 5 para. 1 f GDPR). For the HR department, this results in the obligation to reduce the number of authorized persons to a minimum and to ensure protection against unauthorized access and processing by third parties. For example, payroll accounting only requires a limited amount of personal data for the payment of remuneration, which is why employees are not authorized to view the entire contents of the personnel file. On the other hand, suitable technical measures must be implemented in data processing to protect personnel data and documents from unintentional loss, for example. In this context, digital personnel file management facilitates GDPR compliance for public administration.
Talents on Fabasoft eGov is equipped with a sophisticated role and authorization concept as well as two-factor authentication at log-in. Managers can be permitted to make decisions or HR employees to process personnel matters in an easy-to-understand and secure manner. It is also possible to add a dynamically generated watermark to documents, which contains the name of the user and the exact time of access. This provides authorities with additional protection against the unlawful use of information and ensures traceability.
Reliably comply with archiving and deletion obligations
In accordance with the principle of storage limitation (Art. 5 para. 1 e GDPR) and the right to be "forgotten" (Art. 17 GDPR), there is an obligation to delete personal data that is no longer required - for example, after termination of the employment relationship. At the same time, there are predefined retention periods that are derived from the regulations for the audit-proof storage of documents for public administration. In this context, the interest in documentation justifies extended data retention by the HR department. As an example, the retention period for documents relating to payroll tax and duties is seven years (*).
In order to comply with the "right to be forgotten", the electronic personnel file enables user data to be anonymized after the employee has left the company - including in the audit log, of course. Talents on Fabasoft eGov also ensures audit compliance by automatically deleting documents once the individual retention periods have expired.
GDPR-compliance made in Europe
Compliance with European data protection regulations is an essential prerequisite for the processing of personal data in the public sector, not least to avoid sensitive fines or potential reputational damage.
With Talents on Fabasoft eGov, public authorities benefit from GDPR-compliant personnel file management. Internationally recognized certifications prove the maximum security level of the digital personnel file. These include the IDW PS 880 certificate, the C5 certificate from the German Federal Office for Information Security and the EU Cloud Code of Conduct (Level 3) as the highest European data protection standard in compliance with the GDPR.
Let's get in touch: Personnel file: Public administration | Fabasoft eGov
________________
(*) WKO (2023)