Technical and Organisational Measures in accordance with Art. 32 EU GDPR
1. General considerations
The customer as data controller and Personio as data processor must take suitable technical and organisational measures pursuant to Art. 32 GDPR, in consideration of the state of technology, the implementation costs and the type, scope, circumstances and purposes of processing, and of the likelihood of occurrence and severity of the risk for the rights and freedoms of individuals.
In doing so, the customer is responsible for identifying and implementing its own suitable measures according to Art. 24 GDPR. To this end, Personio recommends adhering to best practice security measures.
Personio is ISO/IEC 27001:2022 and ISO/IEC 27017:2015 certified, attesting to our commitment to international standards in information security management.
Below we present the measures that Personio itself has taken to ensure the security of customer data.
2. Technical and organisational measures
Personio has implemented the following technical and organisational measures to ensure encryption and pseudonymization, confidentiality, integrity, availability and capacity, recoverability, as well as appropriate procedures for verification.
Personio adheres to the requirements of Art. 25 GDPR from the conception and development phase of product development onwards. In so doing, processes and features are designed so that data privacy principles such as legitimacy, transparency, purpose limitation, data minimisation, etc., as well as the security of the processing, are taken into consideration early. This is ensured by proactive involvement of the legal department, the Privacy Team, the DPO, and the Information Security Team.
Measures to ensure confidentiality
2.1. Organisational controls
a. Company directives
The governance of data privacy and information security is set out in data privacy and information security policies, which are binding for all employees of Personio. In addition to this, further company guidelines and procedures have been implemented in order to give employees specific instruction regarding the processing of personal data (e.g., guidelines on home-based work and telecommuting or guidelines on use of IT, Internet and e-mail).
b. Appointment of a Data Protection Officer pursuant to Art. 37 GDPR
Personio has appointed a Data Protection Officer and details of our Data Protection Officer can be found on our website. The Data Protection Officer works toward compliance with data privacy provisions and performs duties in accordance with Art. 39 GDPR.
c. Obligation to confidentiality and data privacy
All employees are obligated in writing, when their employment contract is issued or at the latest when they start work, to comply with confidentiality and data privacy, as well as other relevant laws. The obligation continues beyond the term of employment. Personio ensures appropriate written terms are in place with third parties in relation to aspects of confidentiality and data privacy.
d. Data privacy training sessions
Every employee of Personio receives periodic security awareness training, and additional data privacy training.
e. Restriction of private and company use of communications devices
Personio employees are not allowed to use the company email system for private use. A separation of private and company data must be strictly observed. Personio employees must only access customer data when using Personio owned and managed devices. Personal devices may not be used to process customer data. Personio employees commit to comply with these guidelines upon joining the organisation.
f. Personnel security
Personio implements measures before, during and after employment to ensure employee security. As a rule, this includes:
Contractual agreements determining responsibilities,
Implementation of measures for training, raising awareness and monitoring,
Process of raising awareness of and sanctions for breaches of data protection law, and
Carrying out a documented off-boarding process (including return of Personio owned devices, access keys/badges, withdrawal of access rights, surrender and passing on of data, information and knowledge, etc.) upon termination of the employment relationship.
2.2. Technical controls
a. Corporate device security
Personio's Security Team implements a diverse stack of intrusion detection and extended detection and response technologies and methods to safeguard its infrastructure and customer data.
Personio employees’ laptops are equipped with endpoint protection agents, which are updated in near real-time. Laptops must not be operated without these endpoint protection agents running. Organisational security settings may not be deactivated or bypassed.
b. Infrastructure security
Each server is equipped with a host-based intrusion detection system. This system collects host and container information and continuously monitors processes, files, network and system call activity for suspicious events. All parameters are assessed in real time providing vulnerability runtime validation to detect vulnerable executables and libraries, as well as detecting execution of malware or malicious behaviour. In the case of anomalies, the responsible employees of Personio are notified immediately by the notification system.
c. Corporate network security
Personio employees may only connect to secured public wireless networks over a VPN connection provided by the organisation.
Personio’s servers are protected by packet filter firewalls, which ensure that no services are accessible directly from the internet. Publicly accessible services are routed through load balancers, which only permit the access that is needed for the respective device.
2.3. Encryption of personal data
a. Key management
Personio uses cryptographic procedures for the use, protection and lifetime of keys, as well as encryption procedures according to the state of technology. The process of creation, management, and storage of the encryption keys is handled by the cloud service provider used by Personio, but the keys are owned and managed entirely by Personio. Access to the key management service is logged and automated, and in the event of any suspicious activity it is checked for irregularities by staff authorised by Personio. The corresponding keys are rotated at regular intervals.
b. Database and storage encryption (“Data at Rest”)
All databases used by Personio use encryption at rest by default, so that the data from the database can only be read after proper authentication. The storage media used to store documents are similarly encrypted at the file system level. Backups of the database systems are stored exclusively in encrypted form.
c. Transfer of data using encrypted data networks or tunnel connections (“Data in Transit”)
All personal data that is transferred from the Personio software to a customer or to other platforms over an unsecured or public network is transferred exclusively in encrypted form. This applies especially to access to the customer or administration system. Data in transit is encrypted using Transport Layer Security (TLS v1.2 at least), a strong standard especially when paired with strong cipher suites with larger key sizes and modern encryption algorithms. Administrative access to Personio’s server systems, as well as the transfer of backups, is only carried out over encrypted connections. A VPN connection is used for access to systems with customer data at all times. Only VPN servers that are under Personio’s direct control are used for this. The use of public VPN providers is not permitted.
d. Data carriers and mobile device controls
Data carriers (referring to Personio managed laptops) are stored in secure locations that prevent access to these carriers by unauthorised persons.
Customer personal data shared on data carriers are required to be encrypted. The use of any type of private internet or cloud storage for the storage of such data is prohibited, even on a temporary basis. Data will not be stored on removable storage media or end devices as the use of removable storage devices is prohibited.
e. Encrypted exchange of information and files
The exchange of information and files between customers and Personio takes place directly in encrypted form using the Personio Software. If the customer data or confidential information cannot be sent to the servers by HTTPS upload using TLS encryption, it must be transferred using Secure File Transfer Protocol (SFTP) or another encrypted mechanism. The customer is responsible for requesting or providing this secure data transport, if needed.
All emails sent by Personio employees or within Personio Software are encrypted with TLS. There may be exceptions if the receiving mail server does not support TLS. The customer must ensure that the mail servers used for the software service support TLS encryption.
2.4. Data deletion
a. Data deletion from systems
Data will be retained for a period of 30 days following the termination of the Agreement with Personio. After such time, all services that process customer data automatically delete the data. Any services that are unable to delete the data via automation are manually triggered to start the deletion process again.
b. Data deletion from data carriers
All data stored on data carriers is irrevocably deleted through a third-party service provider, at in-house data deletion stations. The service provider utilises data deletion software that is certified by Common Criteria (ISO/IEC 15408), EAL3+ (BSI recognised) and the National Cyber Security Centre (NCSC), among others.
c. Data deletion in physical documents
Printing documents is discouraged, but if necessary, they are disposed of when no longer needed. They must be destroyed or rendered unreadable to ensure that the data cannot be retrieved.
2.5. Physical controls
a. Electronic door protection
Personio’s premises are locked and electronically secured. The doors are opened using a personal electronic key.
b. Controlled key assignment
Key assignment to Personio employees is managed centrally and monitored. These electronic keys can be deactivated centrally by the workplace management.
c. Supervision and accompaniment of external persons
External parties may only enter offices with prior authorisation, after registration at the front desk, and when accompanied by a Personio employee.
d. Physical access control
Secure areas (zones) are defined on the basis of information security and data protection requirements. Access is restricted by appropriate physical safeguards, including barriers to physical entry, video surveillance, obfuscation, and further access restriction on high risk zones. The physical security concept distinguishes between public areas, controlled areas and high risk zones, which are further restricted internal areas.
e. Visitors and delivery
Visitors and delivery procedures are in place to prevent unauthorised persons from accessing internal areas without the accompaniment of a Personio employee. The visitor’s details are also collected.
f. Clear Desk & Screen Policy
A clear desk and screen policy is enforced to maintain physical security standards. When laptops are left unattended, they must be locked (screen lock). Screen locks are automatically activated after inactivity. Documents containing confidential information are not to be left open or unattended on desks or in freely accessible storage.
2.6. Access controls - Authentication
a. Authentication Mechanisms
All data processing systems are protected using a Single Sign-On (SSO) solution, and require multi-factor authentication (MFA). Special protocols are established for granting access rights to privileged systems, such as those controlling critical processes or managing access rights for other systems.
b. Secure Password Policies
For authentication on data processing systems using SSO, stringent password policies are implemented.
c. Prohibition of disclosure of passwords and of use of shared accounts
The prohibition of disclosure of passwords applies to both customers and employees of Personio, and the use of shared accounts for access to customer systems is also prohibited.
d. Logging of login and logout processes
Attempts to log in and out of admin, customer and server systems/software are logged (email address, user ID, IP address, result of the login attempt and time stamp), and these logs are currently stored for 30 days. These logs can be analysed on request and/or if there is a specific suspicion.
2.7. Access control - Authorization
a. Roles and authorisation concept
Access to information is only granted through established procedures and follows the principle of least privilege. The access to admin systems or servers and databases is restricted to a limited number of employees, based on their role and responsibilities.
b. Controls of access authorisation for Personio to customer systems
The customer has the option of deciding, via the system settings in their account, whether Personio employees can access their account as required. This can be disabled at any time by the customer.
c. Assignment of access rights
Managers request changes to authorisations from the IT Team where appropriate, such as when an employee’s role changes. Privileged access is reviewed annually, at a minimum.
When an employee resigns, the People Team notifies the administrators promptly of pending changes, so that the corresponding authorisations can be disabled via the SSO solution in place. All access is revoked within 24 hours of employee offboarding.
2.8. Separability
a. Separation of development, test and operating environments
Software changes that are to be transferred into the operating environment must first be tested in a test environment. Programs for error analysis or creation/compiling of software may only be run in the operating environment if this cannot be avoided. This is the case above all where error situations depend on data that have been altered by the anonymisation required when transferring data into test environments.
b. Separation in networks
Personio separates its networks according to tasks. In this process, the following networks are used on a permanent basis: operating environment (“Production”), development environment, testing environment, office network for employees, and office network for guests. Separation of networks is achieved using either physical or virtual networks.
c. Customer separation by software
Personio ensures the separate processing and storage of data of different customers using logical customer separation based on a multi-tenancy architecture. In this process, the classification and identification of the data is handled by assigning an unambiguous identifier to each customer (e.g., customer number / “company ID”). The architecture is safeguarded by integration tests that ensure that no database queries are carried out without being scoped to and classified by this identifier, so that the risk of bypassing customer separation due to programming errors is minimised.
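As an added illustration (this is not Personio's code), the following Python shows one way such an integration test can be built: every SQL statement executed on a connection is recorded through sqlite3's trace hook and, whenever it touches a table holding customer data, checked for a predicate on the tenant identifier. The table names, the `company_id` column and the sample rows are constructed for the example.

```python
import re
import sqlite3

# Constructed schema (not Personio's): tables that hold customer data carry
# the tenant identifier column; a reference table shared by all tenants does not.
TENANT_SCOPED_TABLES = {"employees", "documents"}
TENANT_COLUMN = "company_id"

SCHEMA = """
CREATE TABLE employees (id INTEGER PRIMARY KEY, company_id INTEGER NOT NULL, name TEXT);
CREATE TABLE documents (id INTEGER PRIMARY KEY, company_id INTEGER NOT NULL, title TEXT);
CREATE TABLE countries (code TEXT PRIMARY KEY, name TEXT);
"""


def open_db():
    """Create an in-memory database with constructed rows for two tenants."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?)",
                     [(1, 100, "Alice"), (2, 100, "Bob"), (3, 200, "Carol")])
    conn.executemany("INSERT INTO documents VALUES (?, ?, ?)",
                     [(1, 100, "contract"), (2, 200, "payslip")])
    conn.executemany("INSERT INTO countries VALUES (?, ?)",
                     [("DE", "Germany"), ("IE", "Ireland")])
    return conn


# Tables referenced by a statement, and a "company_id = ..." predicate
# (optionally alias-qualified). Regex matching is enough for this illustration;
# a production test would hook the ORM or query builder instead.
_TABLE_RE = re.compile(r"\b(?:FROM|JOIN|UPDATE|INTO)\s+([A-Za-z_][A-Za-z0-9_]*)", re.I)
_PRED_RE = re.compile(rf"\b(?:[A-Za-z_]\w*\.)?{TENANT_COLUMN}\s*=\s*", re.I)


def query_is_tenant_scoped(sql):
    """True if the statement touches no tenant table, or carries a predicate
    on the tenant identifier; False for a query that bypasses separation."""
    tables = {t.lower() for t in _TABLE_RE.findall(sql)}
    if not tables & TENANT_SCOPED_TABLES:
        return True
    return _PRED_RE.search(sql) is not None


class TenantScopeGuard:
    """Records every statement executed on a connection and collects
    those that read or write tenant data without the tenant predicate."""

    def __init__(self, conn):
        self.violations = []
        conn.set_trace_callback(self._on_statement)

    def _on_statement(self, sql):
        if not query_is_tenant_scoped(sql):
            self.violations.append(sql.strip())


# Two data-access functions: one correct, one containing the kind of
# programming error the integration tests are meant to catch.
def employees_scoped(conn, company_id):
    return [r[0] for r in conn.execute(
        "SELECT name FROM employees WHERE company_id = ? ORDER BY id", (company_id,))]


def employees_unscoped(conn):
    return [r[0] for r in conn.execute("SELECT name FROM employees ORDER BY id")]


def country_names(conn):
    return [r[0] for r in conn.execute("SELECT name FROM countries ORDER BY code")]


def audit(fn, *args):
    """Run a data-access function under the guard; return (result, violations)."""
    conn = open_db()
    guard = TenantScopeGuard(conn)
    result = fn(conn, *args)
    conn.close()
    return result, guard.violations
```

In a test suite, `audit` would wrap each repository function and fail the build when `violations` is non-empty, which is how the unscoped query above is surfaced before it reaches production.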
Measures to ensure integrity
2.9. Control of transport and disclosure
a. Pseudonymisation and anonymisation
Measures for pseudonymisation and anonymisation of customer personal data are implemented to the extent necessary. We do not use customer personal data in our development or test environments.
b. Transfer and dissemination controls
Mechanisms to secure data traffic and communication connections, as well as to monitor and log activities in networks, have been established to the necessary extent.
Where appropriate, firewalls and intrusion detection and prevention systems (IDS / IPS) are implemented.
Secure end-to-end encryption of personal data transmitted via public communication networks is ensured. When establishing secure connections (VPN tunnels) providing access to IT resources via public networks, multi-factor authentication is employed as standard practice.
When transporting customer personal data stored on data carriers, encryption is utilised among other measures to safeguard the data against unauthorised access, manipulation, or loss.
c. Prohibition of disclosure to unauthorised third parties
Disclosure of personal data at the customer’s order may only take place within the scope of instructions and to the extent required for provision of the contractual services for the customer. Disclosure of personal data from the assignment to unauthorised third parties, e.g., through storage with another cloud provider, is especially prohibited.
2.10. Input controls
a. Logging of system activities within the admin and customer system
System activities are logged (user ID, rights according to role concept, IP address, system components or resources, type of activities carried out, as well as timestamp) and kept for 30 days. This also includes input, modification and deletion of data, users and authorisations, as well as the modification of system settings. If requested or if there is a specific suspicion, an appropriate analysis of the logs can be conducted.
Measures to ensure availability
2.11. Availability controls
a. Data security procedures / backups
To ensure appropriate availability, Personio ensures backups are created every 24 hours for the databases with the customer’s data and documents, and are stored for 30 days.
Data backups of databases and operating system images are taken to the extent required and with the aim of preventing the loss of personal data in the event of a technical malfunction or human error. Backups are performed for network drives and servers in the production environment, and their execution is logged and monitored. The recovery of data backups is tested on a periodic basis.
b. Geo-redundancy of the server infrastructure for production data and backups
To ensure geo-redundancy in the event of an unforeseen event, e.g. a natural disaster, Personio ensures that appropriate requirements for spatial separation in relation to the server infrastructure of the production data and backups are observed. This is ensured by using different data centres at sufficient distances or by data centres of different availability zones, all within the EU.
c. Capacity management
There is capacity management including monitoring and automatic notifications of responsible Personio employees in the event of capacity bottlenecks.
d. Warning systems for monitoring of the accessibility and conditions of the server systems
There are warning systems for monitoring of the accessibility and conditions of the server systems. If there is downtime, engineering is notified automatically so they can take troubleshooting measures immediately.
e. IT malfunction management (“Incident Response Management”)
There is a concept and documented procedures for handling malfunctions and security-related incidents. These include planning and preparation of response to events, procedures for monitoring, detection and analysis of security-related incidents, as well as the determination of the corresponding responsibilities and channels for reporting in the event of a breach of protection of personal data in the context of legal requirements.
f. Measures to ensure the availability in data centres
Our cloud service provider is ISO 27001, SOC 2 and BSI C5 certified. Those certifications and security measures also apply to the data centres, in order to protect their physical perimeters against threats and disasters.
2.12. Recoverability
a. Regular tests of data recovery (“Restore Tests”)
Regular, complete Restore Tests are conducted to ensure the recoverability in the event of an emergency / catastrophe.
b. Emergency plan (“Disaster Recovery Concept”)
There is a concept for handling emergencies/catastrophes, as well as an appropriate emergency plan. This includes recovery of critical infrastructure, data processing, and data and documents storage capabilities.
Measures for verification and evaluation
2.13. Compliance
a. Data Privacy and Information Security Team
A data privacy and information security team is in place for planning, implementing and assessing measures in the field of data protection and data security and making adjustments.
b. Risk Management
Each risk identified is analysed, assessed, and classified according to our risk management policy. Further remediation and mitigation measures are derived based on these risks. These measures are regularly assessed on their effectiveness in the context of Personio’s data protection and information security management system.
c. Independent verification of information security
i. Conducting audits
Internal audits on data protection and information security are conducted on an annual basis by an external party to ensure an independent and unbiased review of our security program. The audits are conducted to ensure compliance with international standards such as ISO/IEC 27001.
ii. Verification of compliance with security guidelines and standards
Regular verifications are conducted to ensure compliance with the security guidelines, standards, and other security requirements that must be applied when processing personal data.
iii. Verification of compliance with technical requirements
Regular automated and manual scans for vulnerabilities are conducted for the security of applications and infrastructure. An external service provider conducts penetration tests on a periodic basis.
d. Control of assignments
i. Processing on instructions
Personio employees are instructed to process the customer’s personal data only if there are documented instructions from an authorised Personio user. In accordance with applicable documentation, Personio may receive the customer's instructions in writing, or in the electronic formats offered for this purpose by Personio. Oral instructions are only permitted if time is short, and the customer must confirm them promptly in writing or in an electronic format offered by Personio.
ii. Diligent selection of suppliers
When outsourcing, suppliers are engaged on the basis of a diligent selection process, conducted in collaboration with the Information Security team, the Procurement team, and the Privacy and Legal team according to established criteria, especially regarding data protection and IT security, including but not limited to the following:
Checking of documentation and compliance with technical and organisational measures pursuant to Art. 32 GDPR
According to the level of protection and scope of the personal data, if possible, commissioning of only ISO/IEC 27001 certified companies (this applies in all cases for data centres). A risk assessment is likewise conducted for the respective suppliers to prevent risks during the process, if the third-party provider works regularly with personal data.
iii. Processing by assignment pursuant to Art. 28 GDPR
The use of a subcontractor may only take place in accordance with the data protection terms agreed between Personio and the customer in accordance with Art. 28 GDPR.
iv. Conducting regular checks / Requiring evidence
Before the procurement of any new sub-contractor, and afterwards at regular intervals, Personio will verify compliance with technical and organisational measures by the sub-contractors that it employs, or will have evidence of this compliance submitted.
Supplementary Data Protection Measures
Pursuant to Art. 32 of the GDPR, Personio implements a series of technical and organisational measures to ensure a level of protection appropriate to the risk to the rights and freedoms of natural persons.
Additionally, pursuant to Art. 46 of the GDPR, Personio implements additional technical and organisational measures based on the recommendations on supplementary measures developed by the European Data Protection Board for the transfer of personal data to third countries. Such measures are implemented to satisfy the judgement of the Court of Justice of the European Union in Case C-311/18, also known as Schrems II, related to the use of legal instruments for the transfer of personal data to third countries.
The additional technical and organisational measures are necessary as Personio SE & Co. KG ("Personio") may transfer personal data to its subsidiary based in the United States, Personio Corp. It is important to note that all customer data resides in the EU. Personio Corp. is also certified according to the requirements of the EU-US Data Privacy Framework.
Technical and organisational measures according to Art. 32 GDPR
Personio has taken the following additional technical and organisational measures within the meaning of Art. 32 of the GDPR and the supplementary measures following Schrems II.
1. Measures to ensure confidentiality
Ensure that the in-house organisation meets the special requirements of data privacy when dealing with data transfers between Europe (European Union and the UK) and third countries.
1.1. Transport encryption
a. Policy directive
Personio’s information security policies mandate the encryption of personal data both in transit and at rest. Policy measures exist to determine the protection of personal data when an employee resides in a third country.
b. Zero-trust based access technology implementation
Further measures are in place when handling personal data. Two layers of encryption are deployed in such cases, where the application layer encrypts traffic using TLS v1.2 or higher, and the network layer encrypts traffic using zero-trust based access technology.
1.2. Access restrictions
a. Role and authorisation concept
The role and authorisation concept ensures the differentiation between Personio members of staff situated in the European Union (including UK) and in third countries. Access from third countries is restricted and segmented.
b. Network segregation
Systems that process and store personal data are identified and protected with location aware authentication. Access to such systems is only possible when using company provided zero-trust access technology.
c. Technology enforcement
Personio’s computers are hardened with centralised management software in the form of endpoint protection. This enforces the installation of security guidelines and the use of zero-trust based access by employees residing in third countries.
1.3. Data transfer restrictions
a. Policy directive
Personio’s information security policies include rules that control the movement of personal data to a third country.
b. Device control
Personio’s computers are technically configured to block data transfers to removable media, such as USB sticks and external hard drives.
1.4. Kill switch mechanism
a. Access revocation process
A process for revoking access is in place in case access to personal data by personnel residing in a third country must be immediately cut off. Management and execution of such a process reside with employees situated in Europe (including UK), and no third-country personnel are necessary to deploy the enforcement.
b. Technical procedures
Employees within Europe follow documented and proven technical procedures in order to execute the revocation process at any time it is required. The process is reviewed periodically by management as part of the security program’s continuous improvement process.
1.5. Global access management in the EU
a. Policy directive
Security policies are enhanced to determine, for all systems containing personal data, that the technical administration is also performed by personnel within Europe (including UK).
b. Centralised access management
At all times, for all systems containing personal data, personnel are employed within Europe to perform system administration tasks alongside employees residing in third countries. This ensures compliance with the access revocation process for potential administrators residing in third countries.
Version 04-2025