HR staff and HR managers constantly handle highly sensitive data. Data protection should therefore have top priority. With the new European General Data Protection Regulation, not only does the responsibility for handling sensitive data increase, but so do the penalties for violations.


What do HR managers need to look out for in the future?

The Federal Data Protection Act still applies in Germany, but in one year things get serious for the member states of the European Union: on 25 May 2018 the new EU General Data Protection Regulation (GDPR) replaces the previously valid national law.

It already entered into force in May 2016, but the member states have a two-year deadline to implement the requirements of the GDPR and to regulate national specifics through opening clauses.

5 Tips for HR Professionals


The objective of the new regulation is the harmonization of data protection law at European level. This is intended to give individuals more control over their own data. An important innovation in the GDPR is the joint liability rule.

1. Up to 20.000 million euro penalty

Under the still valid Federal Data Protection Act, the client is always liable in the case of order data processing. From May 2018 onwards, however, binding rules apply, so both clients and service providers will be prosecuted for breaches of data protection law.

Since the upper limit for fines has been adjusted, companies too should proceed with particular care in the choice of their service providers. In future, companies face a fine of up to 300.000 million euros or four percent of the previous year's turnover instead of 20 euros - whichever amount is higher.

2. Special rules through opening clauses

The BDSG (new) has already been approved by the Bundestag and received the approval of the Federal Council on 12 May 2017. Many articles of the General Data Protection Regulation contain so-called opening clauses.

The opening clauses stipulate that EU member states can regulate certain requirements in more detail. For example, companies in Germany in which more than nine employees process personal data by automated means must appoint a data protection officer. The new regulation, on the other hand, does provide for the function of the data protection officer, but it sets no precise headcount threshold. Member states can then specify this more precisely via an additional national standard.

3. The processing of personal data

Another example concerns the processing of personal data: the currently valid Federal Data Protection Act generally prohibits this unless the data subject expressly consents to the processing or there is a legal basis.

One such basis is the employment relationship. If an employee is employed by a company, the company may process his or her data without asking beforehand. The same applies for the duration of the application process: until the procedure is completed, the company does not have to obtain the applicant's consent.

4. Consent to the Privacy Waiver

Under the new GDPR, employee data protection can now be regulated by the individual member states themselves by means of an opening clause. In Germany, the previous regulations remain largely intact. One innovation, however, is that company agreements can regulate these matters, so that individual consent is not necessary.

As has already been taken into account in case law, it is also clarified there that voluntary consent to a data protection waiver in an employment relationship requires special indications, for example an advantage that the employee gains from it.

5. What HR departments should do now

HR departments should take appropriate precautions in light of these innovations. This applies in particular to the aspect of joint liability with service providers. If a company outsources sensitive applicant data to a service provider for processing, it must ensure in advance that the data is just as secure there as it is in-house. HR departments should therefore ask their service providers for proof of their technical and organizational data protection measures and for a template of an agreement on order data processing.

If the service provider is prepared for this and provides the relevant documents quickly and readily, there is a high probability that it is trustworthy. If the documents then also stand up to examination by the data protection officer and are possibly supplemented by data protection certificates from external bodies, this is a good basis for long-term cooperation. On the other hand, if the service provider is taken by surprise by the question, it is better to refrain from awarding the contract.
