Personaldaten in den Datenraum - Personnel data

Personnel data in the data room? This is what board members need to bear in mind

In German companies, human resources is an area in which data processing is always synonymous with the processing of personal data. Since, by definition, personnel data always relates to individuals, it usually requires special protection.

GDPR regulates the handling of employee data

Personal data have not only been adequately protected since the General Data Protection Regulation (GDPR) came into force. The (old) German Data Protection Act already formulated specific rules for handling personal data, which also continue to apply under the GDPR.

However, the GDPR sometimes establishes high penalties for data protection violations. Depending on the case, fines of up to € 20 million or 4% of annual global sales are possible. And there’s more: Under certain circumstances, breaches of duty in the data protection area can make managing directors and board members personally liable for compensation – with their private assets! In extreme cases, even prison terms can be imposed. Therefore, many companies seek supposedly secure storage offerings such as digital data rooms.

Risk: Privileged access

But even if companies take the usual “technical and organizational measures” (cf. GDPR Art. 32) to protect data, there remains a residual risk that should not be underestimated – since particularly the organizational measures, such as carefully thought-out rights and role concepts, can be circumvented with relatively little effort. In addition, administrators can often gain privileged access to the servers and view, manipulate, or steal confidential data. This puts those responsible in dire straits – after all, they are the ones that have to ensure the integrity of the data.

Personnel data: Data protection by technology?

To protect personnel data from being viewed, manipulated, or lost, a technical solution is needed that reliably prevents any access – even privileged admin access. Traditional public cloud offerings generally cannot meet this requirement. Even some business clouds struggle to effectively prevent unwanted data access. This is because most common server infrastructures provide for privileged admin access, for example for maintenance or monitoring purposes.

By contrast, a better and more secure approach is taken by operator-safe or sealed infrastructures. Here, organizational protection measures have been replaced without exception by technical measures that cannot be circumvented, even at great expense. The servers are hermetically sealed, and privileged admin access is not provided. This means that confidential data cannot be accessed, nor can it be stolen or manipulated. This applies not only to administrators, but also to all external and internal attackers.

Companies that rely on operator-secure cloud and data room offerings such as uniscon’s idgard to store and process confidential and personal data are thus legally on the safe side. The appropriate certificates can also make it easier for the responsible parties to fulfill their accountability obligations.