A cloud-based solution is increasingly being used for this purpose. The cloud offers many advantages, for example, mobile access. But how secure is your data with an HR service provider in the cloud, and who is responsible for secure and legally compliant processing?
First of all, data ownership, in general, has not been regulated by law so far. This is because data is not a thing in the legal sense, as it is not a tangible, solidified object. Therefore, only the ownership of the storage medium on which the data is stored is legally protected. And this can be a company-owned server, the data centre of the HR service provider or its cloud.
Protective rights such as copyright or patent protection do not apply here, as data does not constitute intellectual property.
Sensitive data is subject to the GDPR
The handling of personal information is regulated; it is subject to the General Data Protection Regulation (GDPR; in German, DSGVO). Data may only be used for the purpose for which the data subject has given his/her consent. In addition, processing must be transparent and protected from unauthorised access. According to the GDPR, the person responsible for handling such data is the one who provides the data – i.e. the company or the client that passes on the personal data to an HR service provider. However, even if you are the controller, you are not automatically the owner of the data.
Even though data is not tangible, it is an intangible asset and therefore a suitable object for contracts. Since the legislator has not provided any regulation so far, both parties have to do this themselves. Therefore, you and your HR service provider should draw up an agreement in the form of a data processing contract in which ownership and responsibility are clearly formulated. The legal allocation of the data, for example, should generally remain with the intermediary or client. Commissioned data processing should also not take place without that party's instruction.
The termination of the contract should also be regulated in the agreement – and what happens to the stored data then. Will it be deleted immediately? Does the HR service provider make the collected data available in advance?
IT expertise guarantees technical security
Once the formalities have been clarified, nothing stands in the way of a good and, above all, secure cooperation. With the right partner at your side, the security of your sensitive personnel data is guaranteed. A reliable service provider is not only an expert in HR outsourcing, but also has sound and up-to-date know-how in the field of IT security. Companies sometimes underestimate how important this is. Yet, the responsibility for technical security poses a considerable challenge.
While the HR service provider is responsible for ensuring that the system is always accessible and secure, companies are also liable. This is because the principle of shared responsibility applies to compliance with the GDPR in data transfers. This means that both the service provider as the provider, and you as the user, always bear part of the responsibility. Therefore, make sure you choose your HR service provider carefully.
Tips for choosing the right HR service provider
If you pay attention to a few points, your data will be in good hands. A reputable HR service provider is also always an expert in data centre technologies and thus guarantees the protection of your data. Thanks to data centres with backup servers, your data is protected from unauthorised access, even in the event of a power failure, for example.
Data should also be protected by a password lock; passwords must meet certain criteria and be changed regularly. This ensures that only authorised persons have access. It is advisable to check at least once a year which persons these are and adjust access rights if necessary. In addition, data should be encrypted each time it is accessed and sent.
The ISAE 3402 certification is also an important indication that the HR service provider documents processes comprehensively, presents them clearly and complies with all legal documentation requirements at all times.
Data ownership is not regulated by law, but the handling of personal data, as collected and processed in the HR sector, is. There are strict guidelines for this, which you as an entrepreneur and the HR service provider must adhere to. If you follow these guidelines when choosing your HR outsourcing partner, your personnel data will be in safe hands.