Information on data protection

Electronic personnel management systems

Introduction

Employers are not legally obliged to maintain a personnel file. In practice, however, a personnel file is regularly necessary to manage and organise the large amount of information relating to employees. Electronic personnel information and personnel management systems are a widely used solution for managing personnel files in digital form. In the case law of the Federal Labour Court (BAG, judgment of 16 November 2010, ref. 9 AZR 573/09), personnel files are defined as a collection of documents and records relating to the personal and professional circumstances of the employee which are intrinsically linked to the employment relationship. Consequently, personnel management systems not only contain personal data relating to employees; they also constitute a filing system within the meaning of Art. 4 (6) GDPR, so the GDPR applies. To use an electronic personnel management system in compliance with data protection law, employers must take the applicable data protection principles into account and implement, both technically and organisationally, the access authorisations of staff members as well as the employees' own rights of access.

The data protection-compliant operation of a personnel management system

The personnel management system must comply with the data protection principles set out in Art. 5 GDPR.

Data protection law operates on the principle of prohibition subject to authorisation. Accordingly, the processing of personal data is only permitted if it can be legitimised by a legal basis. As an employment contract has been concluded between the employer and the employee, and the management of the employee's personal data is necessary to fulfil contractual rights and obligations – such as the payment of salary – the legal basis for data processing in personnel management systems is the performance of a contract under Art. 6 (1) (b) GDPR. A pre-contractual relationship between employer and applicant already arises upon submission of the application, and Art. 6 (1) (b) GDPR also covers steps taken at the data subject's request prior to entering into a contract, so the processing of application documents is likewise covered by Art. 6 (1) (b) GDPR. In German law this justification is specified by Section 26 (1) sentence 1 of the Federal Data Protection Act (BDSG), under which data processing may only take place for the purposes of the employment relationship, i.e. for the decision on its establishment, its performance or its termination; the application process is included here. For information which is to be included in the personnel management system but does not serve the employment relationship, consent must be obtained in accordance with Art. 6 (1) (a) GDPR, or a balancing of interests under Art. 6 (1) (f) GDPR must come out in the employer's favour. This applies, for example, to personal data from logbooks. The processing of employees' personal data may also be justified on the basis of a legal obligation pursuant to Art. 6 (1) (c) GDPR.

In accordance with the principle of transparency, data processing must be comprehensible to the employee. Furthermore, employees must be informed about data processing in accordance with Art. 13 GDPR before the first entry is made in the personnel management system. 

The employer is subject to an accountability obligation and must be able to demonstrate compliance with data protection law. It is recommended that all activities carried out in the personnel management system – with the exception of reading – be logged and that the data processing associated with the personnel management system be included in the record of processing activities pursuant to Art. 30 GDPR. 

If the use of a personnel management system is likely to pose a high risk to employees, a data protection impact assessment must be carried out in accordance with Art. 35 (1) GDPR. Personnel management systems sometimes contain sensitive financial or health data, so access by unauthorised third parties could cause significant damage. However, organisational and technical safeguards, strict authorisation schemes and the use of established standard software reduce the likelihood of unauthorised access; this can mitigate the risk to the point where a data protection impact assessment is no longer required. The assessment of whether that point has been reached should itself be documented.

The processing activities within the personnel management system are purpose-limited and may only be carried out to the extent necessary for the purposes of personnel management or administration. 

The principle of data accuracy stipulates that personal data must be factually correct and up to date. In this context, it is advisable to store current and archived data sets separately. In addition, employees have the right to have inaccurate data in the digital personnel file corrected in accordance with Art. 16 GDPR.

Finally, in companies with a works council, the right of co-determination under Section 87 (1) no. 6 of the Works Constitution Act (BetrVG) must also be observed. Not only the decision to introduce a personnel management system, but also the (de)activation of data protection-relevant functions or the installation of updates that alter functionality may be covered by the right of co-determination and therefore require a reliable flow of information between the IT department, the HR department and the works council.

What data may be included in the personnel management system?

Unlike paper-based systems, electronic personnel management systems can store enormous amounts of information, which raises concerns under the principle of data minimisation. According to this principle, only data necessary for the establishment, performance or termination of the employment relationship may be included in the personnel management system.

Application documents are collected during the recruitment process and added to the personnel file once the candidate has been hired. Contractual documents, such as the employment contract and changes to remuneration, as well as employment-related matters such as warnings or holiday requests, are also included. For health data – such as medical certificates, sick notes and medical reports – Art. 9 GDPR requires a higher level of protection. This can be implemented, for example, through stricter access permissions or an additional authentication step before such data are displayed. Furthermore, it should be noted that the term 'personnel file' encompasses all ancillary or special files with a relevant connection to the employment relationship, even if they are not physically or technically linked to the (main) personnel file. The employer therefore cannot circumvent data protection requirements by creating a separate file.

Statutory retention obligations

Personal data may only remain in the personnel management system for as long as a legal basis exists. Irrespective of the statutory retention obligations, a legal basis for data processing continues beyond the termination of the employment relationship until any claims become time-barred. The limitation period is generally three years, commencing at the end of the calendar year in which the employment relationship ended. Claims relating to accidents at work and claims for regularly recurring benefits under the occupational pension scheme also generally become time-barred after three years (Sections 195, 199 of the German Civil Code (BGB), Section 113 of Book VII of the Social Code (SGB VII), Section 18a (2) of the Occupational Pensions Act (BetrAVG)). The general entitlement to benefits under the occupational pension scheme is not time-barred until 30 years have elapsed (Section 18a BetrAVG).

If no employment relationship has been established due to the rejection of an applicant, it is advisable to retain the data for six months to fulfil the rights of data subjects or to defend against subsequent claims for damages.

Some of the data entered into the personnel management system are also subject to commercial or tax law retention obligations, which must be taken into account as early as the configuration and technical setup of the system. Documents relating to working hours should generally be retained for at least two years (Section 16 (2) of the Working Hours Act (ArbZG), Section 19 of the Posted Workers Act (AEntG), Section 17 (1) sentence 1 of the Minimum Wage Act (MiLoG), Section 27 (5) of the Maternity Protection Act (MuSchG)). This also applies to records concerning young people employed by the company (Section 50 of the Youth Employment Protection Act (JArbSchG)). Documents relevant for income tax purposes must be retained for six years (Section 41 of the Income Tax Act (EStG)), whilst payroll records must be retained for ten years (Section 147 of the Fiscal Code (AO)).

Given the differing retention obligations, it makes sense to implement automatic deletion deadlines per document category rather than per personnel file. This helps to avoid both excessive storage and accidental premature deletion. Where data are kept longer than necessary, the breach of the principle of storage limitation under Art. 5 (1) (e) GDPR is obvious. However, premature deletion may also breach statutory retention obligations or deprive the employee of their data subject rights if, for example, the deletion takes place before a requested copy of the data has been provided.
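The following is an added example, written for this article and not code from the article or from any HR product, showing how differing retention periods and a pending data-subject request can be handled per record. It uses the periods the article cites. Everything else is an assumption for illustration: the category names and the "anchor event" from which each period is counted, the rule that every period runs from the end of the calendar year of the anchor event (the article states this rule for the limitation period under Sections 195, 199 BGB; applying it to the other categories is a simplification, not legal advice), a six-month period for rejected applicants counted from the rejection date, and a "legal hold" flag that blocks automatic deletion while an Art. 15 request or a dispute is pending.

```python
"""Per-record retention deadlines for a digital personnel file (added example).

Not code from the article or any HR product. Periods follow the article;
anchor events, end-of-calendar-year counting for all categories, the
six-month applicant period and the legal-hold flag are illustrative
assumptions.
"""
import calendar
from dataclasses import dataclass
from datetime import date
from enum import Enum


class Category(Enum):
    GENERAL = "general"              # contract, warnings, holiday requests: limitation period
    WORKING_TIME = "working_time"    # §16(2) ArbZG, §19 AEntG, §17(1) MiLoG, §27(5) MuSchG
    INCOME_TAX = "income_tax"        # §41 EStG
    PAYROLL = "payroll"              # §147 AO
    REJECTED_APPLICANT = "rejected_applicant"


# Retention period in years, counted from 31 December of the anchor year (assumption).
PERIOD_YEARS = {
    Category.GENERAL: 3,
    Category.WORKING_TIME: 2,
    Category.INCOME_TAX: 6,
    Category.PAYROLL: 10,
}
REJECTED_APPLICANT_MONTHS = 6  # article's recommendation, counted from the rejection date


@dataclass
class Record:
    record_id: str
    category: Category
    anchor: date            # end of employment, payslip date, rejection date, ...
    legal_hold: bool = False  # pending Art. 15 request or dispute: never auto-delete


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic; the day is clamped (31 Aug + 6 months -> 28 Feb)."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def retention_end(rec: Record) -> date:
    """Last day on which the record must still be kept."""
    if rec.category is Category.REJECTED_APPLICANT:
        return add_months(rec.anchor, REJECTED_APPLICANT_MONTHS)
    return date(rec.anchor.year + PERIOD_YEARS[rec.category], 12, 31)


def deletion_due(rec: Record, today: date) -> bool:
    """True only when the period has fully elapsed and no hold blocks deletion."""
    return today > retention_end(rec) and not rec.legal_hold


def deletion_schedule(records, today: date) -> dict:
    """One decision per record; a personnel file is never deleted wholesale."""
    schedule = {}
    for rec in records:
        if rec.legal_hold:
            schedule[rec.record_id] = "hold"
        elif deletion_due(rec, today):
            schedule[rec.record_id] = "delete"
        else:
            schedule[rec.record_id] = f"retain until {retention_end(rec).isoformat()}"
    return schedule


# Constructed sample data: employment ended 31 March 2020; an Art. 15 request
# concerning the contract is still open. Not real records.
SAMPLE_RECORDS = [
    Record("contract", Category.GENERAL, date(2020, 3, 31), legal_hold=True),
    Record("warning-2019", Category.GENERAL, date(2020, 3, 31)),
    Record("timesheets", Category.WORKING_TIME, date(2020, 3, 31)),
    Record("wage-tax", Category.INCOME_TAX, date(2020, 3, 31)),
    Record("payslips", Category.PAYROLL, date(2020, 3, 31)),
    Record("applicant-x", Category.REJECTED_APPLICANT, date(2024, 1, 31)),
]

if __name__ == "__main__":
    for rid, decision in deletion_schedule(SAMPLE_RECORDS, date(2024, 6, 1)).items():
        print(f"{rid:14} {decision}")
```

Run on 1 June 2024, the sample shows the point of per-record scheduling: the warning and the timesheets are due for deletion, the payslips must be kept until the end of 2030, and the contract is neither deleted nor kept indefinitely but held until the open request has been answered, at which point the hold is lifted and the normal deadline applies.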

Access authorisation

The storage of personal data in electronic personnel management systems must be technically and organisationally structured so as to prevent access by unauthorised third parties. Possible technical measures include encryption, authentication and access control. Sensitive information – which requires enhanced protection – should not be displayed on the initial screen or be directly visible when the digital personnel file is opened. Instead, a deliberate further step, such as a separate request or re-authentication, should be required, and access authorisations for such data must be checked with particular care. It is advisable to draw up an authorisation policy and to have the system administrator manage the authorisations without holding content access themselves.

Access authorisation may only be granted to staff members who are responsible for handling personnel matters within the HR department. These staff members may then only use the data for the purposes of personnel administration and management. System administrators or senior management are generally excluded from this. However, to ensure the proper functioning of the business operation, the internal disclosure of personal data may be necessary, provided that the data protection requirements are met for each instance of disclosure. This applies, for example, to the notification of an employee’s absence due to illness or holiday, in order to coordinate the distribution of tasks within the relevant department. As a rule, the relevant superior and the employees concerned must be informed of the absence; however, it is not necessary to disclose the reason for the absence. Conversely, the internal publication of a birthday calendar is not necessary for business operations and therefore requires the consent of the employees pursuant to Art. 6 (1) (a) GDPR, even if the date of birth is stored in the personnel management system.

Merely disclosing the personnel file to unauthorised third parties may give rise to a claim for damages under Art. 82 (1) GDPR due to the employee's loss of control over the personal data contained in the personnel file, provided that this results in damage. Any confidentiality obligations on the part of the unauthorised third party may, at most, be taken into account as a mitigating factor when assessing the damages.

Right of access to the personnel management system

Finally, the principle of transparency under Art. 5 (1) (a) GDPR and the right of access play an important role. Employees have a right to access their personnel file; extracts, copies or photocopies may also be made. In companies with a works council, Section 83 (1) sentence 1 of the Works Constitution Act (BetrVG) grants employees in an existing employment relationship the right under labour law to inspect their personnel file. Furthermore, there is a right of access under data protection law pursuant to Art. 15 GDPR. As the employee requires knowledge of the contents of the personnel file in order to exercise their right to have incorrect data in the file deleted or corrected, they are still entitled to access their personnel file retained by their former employer even after the employment relationship has ended; the Federal Labour Court (BAG) based this entitlement in 2010, prior to the entry into force of the GDPR, on Section 241 (2) of the German Civil Code (BGB) in conjunction with Art. 2 (1) and Art. 1 (1) of the German Basic Law (GG) (BAG, judgment of 16 November 2010, ref. 9 AZR 573/09). Access must be technically secured in such a way that the employee requesting information cannot view the personal data of other employees.
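The access rules described in the two sections above (authorisation limited to HR case handlers, no content access for administrators or management, a further step before Art. 9 data is shown, absence notices without the reason, and self-service access that cannot reach other employees' data) can be enforced in one policy layer in front of the file store. The following is an added example written for this article, not code from the article or from any HR product. The roles, field names, the supervisor mapping, the `step_up_verified` flag standing in for a completed re-authentication, and the sample records are all constructed assumptions for illustration. In line with the article's recommendation, plain reads are not written to the audit log; changes and authorisation grants are.

```python
"""Access-control layer for a digital personnel file (added example).

Not code from the article or any HR product. Roles, field names,
SUPERVISORS, the step-up flag and the sample records are assumptions.
"""
from dataclasses import dataclass
from enum import Enum, auto


class Role(Enum):
    HR_HANDLER = auto()   # responsible for personnel matters: content access
    SYSADMIN = auto()     # manages authorisations only, no content access
    MANAGEMENT = auto()   # no routine content access
    SUPERIOR = auto()     # learns absence periods of own staff, never the reason
    EMPLOYEE = auto()     # Art. 15 GDPR / §83 BetrVG: own file only


SPECIAL_CATEGORY_FIELDS = {"sick_notes", "medical_reports"}  # health data, Art. 9 GDPR
SUPERVISORS = {"e1001": "m200", "e1002": "m200"}              # constructed mapping

# Constructed sample records, not real data.
SAMPLE_FILES = {
    "e1001": {
        "name": "A. Example",
        "contract": "permanent, 38.5 h/week",
        "date_of_birth": "1985-04-12",
        "absences": [{"from": "2024-05-02", "to": "2024-05-06", "reason": "sick leave"}],
        "sick_notes": ["certificate 2024-05-02 to 2024-05-06"],
    },
    "e1002": {"name": "B. Example", "contract": "fixed-term", "absences": []},
}


class AccessDenied(Exception):
    pass


@dataclass
class Actor:
    user_id: str
    role: Role
    step_up_verified: bool = False  # re-authenticated (e.g. second factor) in this session


def is_permitted(action) -> bool:
    """Run a zero-argument action; False if the policy raised AccessDenied."""
    try:
        action()
        return True
    except AccessDenied:
        return False


class PersonnelFileStore:
    def __init__(self, files: dict):
        self._files = files
        self.audit_log: list = []  # changes and grants; plain reads are not logged

    def _log(self, actor: Actor, action: str, subject: str, detail: str = "") -> None:
        self.audit_log.append({"actor": actor.user_id, "action": action,
                               "subject": subject, "detail": detail})

    def _authorise_content(self, actor: Actor, employee_id: str) -> None:
        if employee_id not in self._files:
            raise AccessDenied("unknown employee")
        if actor.role is Role.HR_HANDLER:
            return
        if actor.role is Role.EMPLOYEE and actor.user_id == employee_id:
            return
        raise AccessDenied(f"{actor.role.name} has no content access to {employee_id}")

    def read(self, actor: Actor, employee_id: str, include_special: bool = False) -> dict:
        """Art. 9 fields are omitted unless explicitly requested after step-up."""
        self._authorise_content(actor, employee_id)
        record = self._files[employee_id]
        view = {k: v for k, v in record.items() if k not in SPECIAL_CATEGORY_FIELDS}
        if include_special:
            if not actor.step_up_verified:
                raise AccessDenied("Art. 9 data requires step-up authentication")
            view.update({k: record[k] for k in SPECIAL_CATEGORY_FIELDS if k in record})
        return view

    def absence_notice(self, actor: Actor, employee_id: str) -> list:
        """Internal disclosure for task coordination: period only, no reason."""
        if actor.role is Role.SUPERIOR and SUPERVISORS.get(employee_id) == actor.user_id:
            pass
        elif actor.role is not Role.HR_HANDLER:
            raise AccessDenied("absence notices go to the responsible superior only")
        return [(a["from"], a["to"]) for a in self._files[employee_id]["absences"]]

    def update(self, actor: Actor, employee_id: str, field_name: str, value) -> None:
        if actor.role is not Role.HR_HANDLER:
            raise AccessDenied("only HR case handlers may change a personnel file")
        if field_name in SPECIAL_CATEGORY_FIELDS and not actor.step_up_verified:
            raise AccessDenied("writing Art. 9 data requires step-up authentication")
        self._files[employee_id][field_name] = value
        self._log(actor, "update", employee_id, field_name)

    def grant_role(self, actor: Actor, target: Actor, role: Role) -> None:
        if actor.role is not Role.SYSADMIN:
            raise AccessDenied("only the system administrator manages authorisations")
        target.role = role
        self._log(actor, "grant_role", target.user_id, role.name)
```

The self-service path for Art. 15 requests is the `EMPLOYEE` branch of `_authorise_content`: the requesting employee's identity is compared with the record being opened, so no query parameter can reach a colleague's file. The `SUPERVISORS` check is what turns "inform the relevant superior" into an enforced rule rather than a convention.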

Conclusion

Personnel management systems are a widely used solution for managing personal data relating to employees. The personnel management system must not only enable compliance with the data protection principles, but also enforce the access authorisations of staff members and the respective employee's own right of access.

The data processing associated with the personnel management system is justified by the performance of the employment contract pursuant to Art. 6 (1) (b) GDPR in conjunction with Section 26 (1) sentence 1 BDSG and is limited to the purposes of personnel administration and management. This also applies to application documents, as the contractual relationship is already in the process of being established at that stage. To ensure that the processing is transparent to the employee, the personnel management system must be included in the record of processing activities and the activities carried out in it must be documented. Furthermore, employees must be informed about the data processing associated with the personnel management system. The principles of data minimisation and purpose limitation provide the guide to which data may be included in the personnel management system: the data must be necessary for the establishment, performance or termination of the employment relationship. Ancillary or special files fall under the definition of a personnel file and are likewise subject to these requirements.

When deciding which personnel management system to use, and during the technical implementation of the chosen system, the works council must be involved where appropriate. It is particularly important that the statutory retention periods can be technically implemented and that the protection of personal data is ensured through access authorisations and other measures. Finally, the employee has a right to inspect their personnel file, which the employer must facilitate using the personnel management system.

Mira Husemann

Research Associate