EU GDPR at Personio from Hanno Renner

**for German-version please click here**

Dear customers,

The European General Data Protection Regulation (GDPR) will become effective across Europe and binding for all European Union member states on 25 May 2018. Evidently, the GDPR is particularly relevant for us, being suppliers of software that processes highly sensitive employee data. Since we have defined data protection as an integral aspect of our product strategy from the very beginning, the new regulation offers us an opportunity for building even further on one of our core competences. We have been working on implementing the requirements of the new GDPR at the technical, procedural and organizational levels for over a year, and I am delighted to inform you today that we have successfully completed this process: Personio is GDPR-compliant, as has been confirmed by the German Federal Association for Information Technology, Telecommunications and Bitkom Servicegesellschaft mbH (Bitkom Consult) in its audit report, which is available here (German only).

In the past year we invested more than 60% of our engineering resources to prepare for GDPR. While this has indeed slowed down our process in enhancing the software, I am fully convinced this investment into data privacy has been worthwile and will allow for us to provide our customers with an even more professional setup.

We already provided you with an interim report on 21 March 2018 and would now like to give you further details on our data protection efforts. This email contains a summary of the most important product changes. We invite you to read our whitepaper “EU-DSGVO bei Personio” (German only) for a full overview of how we have implemented the GDPR requirements.

Download Whitepaper (German)

New functionalities in Personio support you in meeting your information obligations in relation to your employees and applicants. Our updated privacy statement is now also available from within the application, for example, to allow you and your employees to check transparently and accurately which data Personio processes in order to provide its services and how this data is used.We have developed a number of new functionalities to ensure that our customers are able to safeguard the rights of data subjects (e.g. employees or applicants), including the rights of access to and rectification or erasure of their personal data.Based on the employee-self-service approach embodied by Personio software, Personio protects your employees’ right to receive the personal data relating to them in a structured, commonly used and machine-readable format. Appropriately authorized users will additionally be able to perform a full export of all corporate data stored with Personio at any time.As of 25 May 2018, Personio employees will no longer have access to your customer account by default. Once the GDPR becomes effective, only dedicated support staff and appropriately authorized staff may request support, provide Personio employees with (temporary) access to an account and give instructions, in order to prevent any misuse of account administration. You may nominate these authorized persons in your application.

The new data processing agreement, which supersedes the previous one, is already available from within the application (under Package and invoice). This agreement takes the requirements of the new GDPR into account, particularly regarding safeguards for data subjects’ rights and regarding control, notification and proof obligations. Please store your company information directly in your account and generate your agreement. You can download the new agreement and have it reviewed by your legal department or data protection officer. Your managing director or authorized representative can then execute the agreement electronically online. Since both parties will be responsible for making relevant agreements from 25 May 2018, we would be grateful if you could complete the contract by the end of next week.

Find Out More

As we already informed you in March, we decided to migrate our infrastructure to Amazon Web Services (AWS) to ensure that we will be able to provide consistently stable services even with continued growth, while enabling us to implement stringent data protection and IT security requirements even more effectively. Since “data protection made in Germany” is a very high priority for us, our servers continue to be located in Frankfurt, even after the change in provider, and we have made contractual arrangements to ensure that data will not leave the EU.We have decided on using AWS based on a careful selection process. We are impressed with AWS not only because of functionality and performance benefits, but above all because these services meet the most stringent compliance and IT security requirements. AWS, the AWS region of Frankfurt and the services used by us are therefore certified under all material standards, including DIN ISO/IEC 27001 (IT security), DIN ISO/IEC 27018 (data protection in the cloud) and the Payment Card Industry Data Security Standard (PCI DSS) (one of the strictest sets of regulations for financial institutions and credit card providers). We have also cooperated intensively with our data protection officer and our competent state data protection authority throughout the selection process, and both have confirmed to us that the use of AWS in Germany complies with data protection regulations.As an additional precaution to ensure that neither Amazon nor any third parties are able to gain access to customer data based on our use of the AWS cloud, all customer data, without exception, is stored encrypted. The master key used for encryption is not generated on Amazon servers, but by Personio directly, and is stored on appropriately secured computers of the Personio Infrastructure Security Team. This ensures that neither AWS nor any third party will be able to decrypt or view any data stored in the cloud. Please consult the following whitepaper on Data Hosting/AWS (German only) within Personio for a detailed description of the encryption technologies and other security measures used.

Download Whitepaper

Please visit www.personio.de/datenschutz/ (German only) for additional information on data protection within Personio. Our updated technical and organizational measures and the recent audit of our product and organization can be viewed there for further detail.

Please do not hesitate to contact us at datenschutz@personio.de or via our support if you have any questions regarding these changes.

Best regards,

Hanno Renner Co-Founder & CEO Personio GmbH & Co. KG