GDPR in HR and payroll outsourcing departments

From 25 May 2018, the EU regulation on the protection of personal data will come into force. The new GDPR will apply to all entities that process personal data in an automated manner in the European Union. The introduction of the new regulations is primarily aimed at strengthening the protection of personal data in light of advancing technological development and the expanding scope of digitization. HR departments constantly process personal data, which is why the real challenge for them is to ensure an appropriate level of security that fully meets the requirements of the GDPR. 

HR and payroll outsourcing

HR and payroll services are very often outsourced to optimize costs and make better use of the potential of employees already employed in a given company. Entrusting HR services to an external company is associated with an increased need to ensure an adequate level of security of the personal data processed. In this respect, the provisions of the GDPR specify the need to implement certain technical and organizational measures.

One should bear in mind the fact that a company that outsources HR and payroll is still the administrator of personal data. By entrusting HR and payroll services to an external company and thus implying the processing of personal data, it transfers this data to the subcontractor. Therefore this requires the signing of personal data processing agreements with the provider of such services.

Personal data processing agreement

The personal data processing agreement should include such elements as: subject, duration, nature and purpose of processing, type of personal data, categories of persons concerned, duties and rights of the administrator or obligations of the company to which the data is transferred. The contract should also include the rules for further data transfers, that is information on whether the personal data administrator agrees to further data transfers - in the case of consent it is necessary to determine to whom the data will be transferred and what the responsibility of the processor is for each additional batch of transferred data.

The provisions of the GDPR define in great detail the responsibilities of the entity that processes personal data. It is obliged to provide the same degree of protection as the data administrator, as well as to make systematic risk estimates.

According to art. 28.3b of the GDPR, the entity that processes personal data is obliged to authorize its employees and ensure they maintain confidentiality. After completing the service, the processing entity, in this case the company providing HR and payroll services, is obliged to delete the data or return it to the administrator. If any breach or even suspicion of breach of the confidentiality of entrusted data occurs during the performance of the service, the administrator of the personal data should be immediately informed about it.