Skip to content

Data Protection – Which requirements are important for the Cloud?

VS.-7 Kopie 2

The new European General Data Protection Regulation (GDPR) will enter into force on 25 May 2018. Particularly affected is the human resources sector, where the processing of the personal data protected by the new regulation is largely concerned. We have already written about this in our last post about Data Privacy. What must be considered when introducing a new software? Which requirements does the system have to fulfill?

When does the DSVGO apply?

The aim of the new European Data Protection Regulation (GDPR) is to standardize European data protection law. The law brings far-reaching changes, especially for HR. From May 25, 2018, the specifications are binding. More about the implementation of the GDPR here.

Companies that do not comply with the new law must expect painful fines of up to € 20 million, or four percent of global revenue. The higher the amount is due, which in the worst case can drive companies into economic ruin. This shows that the EU is very serious about data protection.

Which data does the DSVGO protect? 

Especially with the introduction of new software, it is therefore important to put the offer through its paces to ensure that the EU GDPR takes full account of it.Protected by the EU GDPR personal data. This is all information about which a person can be identified. For example:



•E-mail address



•Account Data

•Location data

•IP addresses



For more information on personal data here and what SMEs need to do before the GDPR enters into force.

Who is liable for data breaches

To work with this information is part of everyday HR work. Therefore, it is particularly important in this area that companies that use the programs of external service providers, such as job portals or, for example, HR software from the cloud, ensure that they guarantee compliant data processing before 25 May 2018 when the EU-DSGVO is legally binding.

Although, for example, a cloud provider can be made liable as a data-processing contractor for data breaches, if Data Privacy violations can be proven. Basically, however, the user is under the obligation that everything inside and outside his four walls runs properly.

For example, the EU GDPR in Article 28 requires that customers only work with cloud providers who “provide guarantees that appropriate technical and organizational measures are taken to ensure that processing is in line with DSGO requirements and protection rights of the person concerned “.

Important criteria that a cloud provider should meet

Therefore, before signing a contract with a provider, the cloud user should, for example, ensure that they comply with DSGVO data protection certification.

The location of the server where a cloud provider hosts their data is also relevant. For example, in America, the state may access the servers of US companies without any judicial warrant, citing the Patriot Act, which has been in force since 2001.

This right extends to the European subsidiaries of US companies, but is not compatible with the requirements of DSVGO. Therefore, users of cloud software should make sure that all data is hosted in Europe.

Audit-proof filing of personal data

In terms of content, the programs from the cloud should include functions that take the new specifications of the DSVGO into account. For example, the EU GDPR reverses the burden of proof: Companies no longer have to be proven a violation, but as of May companies are accountable. As a result, all processes must be structured and documented so that an employer can prove its innocence at all times.

A cloud provider should therefore be able to guarantee a revision-proof storage of personal data, which can be used to trace every change exactly:

What has been changed?

When was data changed?

Who changed them?

Do not worry, cloud software like jacando meets these and other requirements.

Proof and information obligation

In addition, every company that processes personal data is required to provide evidence and information. This means that an employer must be able to inform a talent or employee at any time how their data has been collected. At the same time, the person’s consent to the data collection must be obtained. And so that employers can really prove this consent to data processing. With a DSVGO-compliant digital personnel file, companies are on the safe side and have always presented all the relevant information of their employees in a clear view. Everything else means a lot of work for HR managers. An example: If an employee wants to get accurate information about his stored data, companies would have to laboriously do it without digital support and search through different sources:

Paper files

Excel lists

Word documents

And and and…

In an HR software, however, the data are stored uniformly and can be found at the touch of a button.

Deletion of data 

The DSVGO also stipulates that recorded data may only be stored if there is a reason for doing so. If this becomes obsolete, for example, because a talent rejects a job or an employee leaves, all personal information must be deleted at the latest after the legal retention period. Experts call this the “right to forget”. More about the deletion of personal data. But do not worry: DSVGO-compliant applicant management systems do this automatically.

Conclusion: If you decide for a new software, you should check whether all these points are taken into account by the provider. With the selection of privacy-compliant software solutions, companies can now take a very effective measure to be on the safe side in terms of data protection in the future. And then there are no bad surprises ….

Published in[:de]Digitalisierung[:en]Digitalization[:de]E-Recruiting[:en]E-Recruiting[:de]HR Wissen[:en]HR Know-howAllgemeinKnow-How