Technical and organisational measures pursuant to Article 32 of the GDPR

1. General considerations 

The customer as data controller and Personio as data processor must take suitable technical and organisational measures pursuant to Art. 32 GDPR, in consideration of the state of technology, the implementation costs and the type, scope, circumstances and purposes of processing, and of the likelihood of occurrence and severity of the risk for the rights and freedoms of individuals.  

In so doing, the customer is itself responsible for identifying and implementing its own suitable measures according to Art. 24 GDPR. To this end, Personio recommends orienting such measures on the relevant guidelines and standards and adhering to the best-practice security measures outlined in ISO/IEC 27002.

Personio is ISO/IEC 27001 certified, attesting to our commitment to international standards in information security management.

Below we present the measures that Personio itself has taken to ensure security of data. 

2. Technical and organisational measures 

Personio has implemented the following technical and organisational measures to ensure encryption and pseudonymization, confidentiality, integrity, availability and capacity, recoverability, as well as appropriate procedures for verification. 

Measure to ensure data privacy using technology design and default settings 

Appropriate technical and organisational measures must be taken that meet the requirements of the GDPR, as  well as ensuring through appropriate default settings that only personal data that is required to be processed for  the respective specific purpose of processing is processed. 

Personio takes into account the requirements of Art. 25 GDPR already in the conception and development phase of product development. This is ensured by proactive involvement of the legal department, the Privacy Team, and also the Information Security Team. In so doing, processes and features are designed so that data privacy principles such as legitimacy, transparency, purpose limitation, data minimisation, etc., as well as the  security of the processing are taken into consideration early.  

Measures to ensure confidentiality 

Confidentiality pertains to safeguarding of information from unauthorised disclosure, ensuring that it remains accessible solely to those authorised to access it.

2.1. Organisational control 

Guarantee that the in-house organisation meets the special requirements of data privacy. 

a. Company directives (pursuant to clauses 5 and 6 of ISO/IEC 27002:2017) 

The goals for data privacy and information security are set out in data privacy and information security policies, and they are binding for all employees of Personio. In addition to this, further company guidelines and procedures have been implemented in order to give employees specific instruction regarding the processing of personal data (e.g., guidelines on home-based work and telecommuting or guidelines on use of IT, Internet and e-mail). 

b. Appointment of a Data Protection Officer pursuant to Art. 37 GDPR 

Personio has appointed a Data Protection Officer, and details of our Data Protection Officer can be found on our website. The Data Protection Officer works toward compliance with data privacy provisions and performs duties in accordance with Art. 39 GDPR. 

c. Obligation to confidentiality and data privacy 

All employees are obligated in writing, when their employment contract is issued or at the latest when they start work, to comply with confidentiality and data privacy, as well as other relevant laws. The obligation continues beyond the term of employment. Personio ensures appropriate written terms are in place with third parties in relation to aspects of confidentiality and data privacy. 

d. Data privacy training sessions 

Every employee of Personio receives regular security awareness training and additional data privacy training. Employees from sensitive areas, such as the Human Resources, Product Development or Customer Service departments, also receive, as needed, separate information and training sessions on specific specialised topics.

e. Restriction of private and company use of communications devices 

Personio employees are not allowed to use the company email system for private purposes. The internet connection and telephone services may only be put to private use subject to certain restrictions. In this regard, a separation of private and company data must be strictly observed. Personio employees may only access customer personal data from devices owned and managed by Personio; the use of personal devices is not allowed when dealing with customer personal data. Moreover, Personio employees are not allowed to process personal data or the customer’s other data on private communications devices. Personio employees commit to comply with the corresponding guidelines.

f. Personnel security

Personio implements measures before, during and after employment to ensure staff security. As a rule, this includes: 

● Verification and confirmation of stated academic and professional qualifications, 

● Contractual agreements on determining responsibilities and rules for behaviour, 

● Implementation of measures for training, raising awareness and monitoring, 

● Process of raising awareness of and sanctions for breaches of data protection law, and 

● Carrying out a documented off-boarding process (including taking back of keys, withdrawal of access rights, ensuring of sufficient documentation, surrender and passing on of data, information and knowledge, etc.) upon termination of the employment relationship. 

2.2. Encryption of personal data 

Guarantee that personal data are stored in the system only in a manner that does not enable third parties to assign it to the data subject. 

a. Key management

Personio implements a guideline on the use of cryptographic procedures that covers the use, protection and lifetime of keys, as well as the use of encryption procedures according to the state of technology. According to this guideline, the creation, management and storage of the master key is handled by the Infrastructure-as-a-Service provider used by Personio. Access to the key management is logged and automated, and in the event of a specific suspicion it is checked for irregularities by staff authorised by Personio. The corresponding keys are rotated at regular intervals, and the previously used keys are invalidated and removed immediately. Moreover, keys are strictly separated by network and database (e.g., a key is never transferred into another network). A regular security check ensures that the measures for key rotation are effective and that old keys are removed properly.

b. Database and memory encryption 

All databases used by Personio use state-of-the-art “at rest” encryption so that the data from the database can only be read after proper authentication on the respective database system. The storage media used to store documents are likewise encrypted at the file system level. Backups of the database systems are stored exclusively in encrypted form. 

c. Transfer of data using encrypted data networks or tunnel connections (“data in transit”) 

All personal data transferred from the Personio application to a customer or to other platforms over an unsecured or public network is transferred exclusively in encrypted form. This applies especially to access to the customer or administration system. Personio guarantees the use of a state-of-the-art encryption method, the choice of which depends on the encryption algorithms supported by the customer (currently HTTPS connections, i.e., Transport Layer Security (TLS), with backward compatibility in mind; the customer is responsible for using end devices/browsers compatible with Personio’s encryption method). Administrative access to Personio’s server systems, as well as the transfer of backups, is only carried out over encrypted connections, e.g., Secure Shell (SSH) or Virtual Private Network (VPN). A VPN connection is used for access to customer systems at all times. Only VPN servers under Personio’s direct control are used for this; the use of public VPN providers is not permitted. 

d. Data carriers and mobile device control

Data carriers containing personal data are stored in secure locations that prevent access to these carriers by unauthorised persons.

Personal data held on mobile devices and data carriers (i.e., laptops and smartphones) must be encrypted. The use of any type of private internet or cloud storage for the storage of such data is prohibited, even on a temporary basis. Confidential data is never stored on private storage media or end devices.

Personal data that is no longer required is deleted. Electronic storage media and paper documents that are no longer required are disposed of, destroyed or made unusable in such a way that it is no longer possible to gain knowledge of the data stored or contained on them.

e. Encryption of data carriers on laptops 

An appropriate, state-of-the-art hard drive encryption is set up on all employee laptops.  

f. Encrypted exchange of information and files  

The exchange of information and files between customers and Personio takes place, as a rule, in directly encrypted form using the Personio application (see c.). If the customer’s personal data or confidential information that cannot be sent using TLS-encrypted HTTPS uploads must be transferred to servers, then this information is transferred with Secure File Transfer Protocol (SFTP) or another state-of-the-art encrypted mechanism. The customer is responsible for requesting or providing this secure data transport, if needed. 

g. Email encryption 

In principle, all emails sent by Personio employees or from within Personio applications are encrypted with TLS. There may be exceptions if the receiving mail server does not support TLS. The customer must ensure that the mail servers used for the software service support TLS encryption. 

2.3. Admission control

Denying unauthorised persons admission to the IT systems and processing facilities with which the processing is carried out. 

a. Electronic door protection 

As a rule, the entry doors to Personio’s premises are locked and electronically secured. The doors are opened using a personal electronic key. 

b. Controlled key assignment 

Key assignment to Personio employees is handled centrally and documented. These electronic keys can be deactivated centrally by the workplace management or human resources department. 

c. Supervision and accompaniment of external persons 

External parties may only enter with prior authorisation and accompanied by an employee of Personio. 

d. Physical access control 

Physically secure areas (zones) are defined on the basis of information security and data protection requirements. Appropriate physical safeguards protect against unauthorised access. The physical security concept distinguishes between public areas, controlled areas and high-risk zones, the latter being further restricted internal areas.

Secure zones are defined on the basis of the protection needs of the information assets housed or made accessible within them.

Depending on the specific zone classification, selected or all of the following security features are implemented:

  • Access restriction through personalised access,

  • Video surveillance and door-open sensors at access points,

  • Privacy screens or view guards on potential confidential information, and

  • Further access restriction on high-risk zones.

e. Visitors and delivery

Visitor and delivery procedures are in place to prevent unauthorised persons from accessing internal areas without being accompanied by a current employee of Personio; the visitor’s details are also recorded.

2.4. Access control - Authentication 

Prevention of unauthorised use and processing of protected data under data privacy law.

a. Authentication Mechanisms

All data processing systems are equipped with a secure authentication mechanism, such as password protection and multi-factor authentication (MFA). Defined procedures are employed to authorise access to information, adhering to the need-to-know principle. Special protocols are established for granting access rights to privileged systems, such as those controlling critical processes or managing access rights for other systems.

b. Secure Password Policies

For authentication on data processing systems (IT systems), stringent password policies are implemented. Secure passwords, resilient against dictionary attacks and devoid of consecutive letters or digits, are utilised. Passwords are changed promptly upon suspicion of compromise, ensuring past passwords are not reused. Two-factor authentication is enforced to enhance security measures.
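The password rules stated above (resistance to dictionary attacks, no consecutive letters or digits, no reuse of past passwords) as a checker, added here as an illustration and not Personio's own code; the word list, minimum length and run length are assumptions.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a real dictionary-attack word list (assumption).
COMMON_WORDS = frozenset({"password", "welcome", "personio", "summer", "qwerty"})
MIN_LENGTH = 12   # assumed policy value
RUN_LENGTH = 3    # "abc" / "cba" / "123" / "321" count as consecutive runs
PBKDF2_ROUNDS = 100_000


def has_sequential_run(pw: str, run: int = RUN_LENGTH) -> bool:
    """True if pw contains `run` letters or `run` digits whose code points step by +1 or -1."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        if not (chunk.isalpha() or chunk.isdigit()):
            continue
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def contains_dictionary_word(pw: str, words: frozenset[str] = COMMON_WORDS) -> bool:
    """Dictionary check after undoing common leetspeak substitutions (e.g. Passw0rd)."""
    normalised = pw.lower().translate(str.maketrans("@0134$!", "aoleasi"))
    return any(w in normalised for w in words)


class PasswordHistory:
    """Salted PBKDF2 digests of past passwords so reuse can be detected without storing them."""

    def __init__(self) -> None:
        self._entries: list[tuple[bytes, bytes]] = []

    @staticmethod
    def _digest(pw: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)

    def remember(self, pw: str) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, self._digest(pw, salt)))

    def was_used(self, pw: str) -> bool:
        return any(hmac.compare_digest(self._digest(pw, salt), d) for salt, d in self._entries)


def check_password(pw: str, history: PasswordHistory) -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than minimum length")
    if contains_dictionary_word(pw):
        problems.append("contains a dictionary word")
    if has_sequential_run(pw):
        problems.append("contains consecutive letters or digits")
    if history.was_used(pw):
        problems.append("previously used password")
    return problems


def demo() -> tuple[list[str], list[str], list[str]]:
    """Constructed walk-through: a leetspeak dictionary word, a sequential run, then reuse."""
    history = PasswordHistory()
    leet = check_password("Passw0rd!2024", history)        # 'password' after normalisation
    run = check_password("Tr0ub4dor&xyz1", history)        # 'xyz' is a consecutive run
    fresh = "correct-horse-tidal-wave"
    assert check_password(fresh, history) == []            # accepted the first time
    history.remember(fresh)
    reused = check_password(fresh, history)                # rejected on reuse
    return leet, run, reused
```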

c. Clear Desk & Screen Policy

A "clear desk & screen policy" is enforced to maintain physical security standards. When leaving the workplace, all in-use computers must be locked (screen lock). Additionally, screen locks are activated automatically after a maximum of 5 minutes of inactivity. Employees are encouraged not to print documents containing confidential information and not to leave them open or unattended on desks or in freely accessible storage areas, reducing the risk of unauthorised access.

d. Designation of persons authorised to support and give instructions and corresponding authentication

The customer can designate, using the system settings, persons authorised to support and to give instructions, who can issue instructions to Personio according to the contractual documentation. Classification as a person authorised to support and to give instructions takes place using the contact data stated in Personio (e.g., name, email address, telephone number, user identifier). Personio’s customer service team accepts instructions from, and issues information to, the designated persons only, and verifies their identity accordingly in advance. For telephone queries, the individual telephone PIN stored in Personio must be verified in advance. 

e. Prohibition of disclosure of passwords and of use of “shared accounts” 

The prohibition of disclosure of passwords applies both to users of Personio and to employees of Personio, and the use of so-called “shared accounts” for access to customer, admin and administrative systems is also prohibited (i.e., only personal, individual user logins may be used when logging in to the system). 

f. Use of anti-virus software 

Personio employees’ laptops, and all other IT systems of the company or used within the company, are equipped with anti-virus software, which is updated regularly. 

In principle, no computers may be operated without resident virus protection, unless other equivalent state-of-the-art security measures are taken. Prescribed security settings may not be deactivated or bypassed. 

g. Public wireless networks and connection with the company network

Personio employees are strongly discouraged from connecting to public wireless networks, but may do so over a VPN connection provided by the organisation.

2.5. Access control - Authorization

Guarantee that the persons authorised to use an automated processing system only have access to the personal data included in their access authorisation. 

a. Roles and authorisation concept 

i. Roles and authorisation concept customer system 

The customer’s administrators can individually configure a multilevel role concept for assigning rights, and in the process distinguish between viewing, suggestion and processing rights for individual users according to the function or department within Personio.  

ii. Roles and authorisation concept admin system 

Access to the admin system is, as a rule, restricted to trained employees in the customer service and product teams. Employees from the sales and finance teams have access to customer systems via the admin system only during the trial period, or only to the corresponding billing data, and hence cannot view customer data. 

iii. Roles and authorisation server/ database system 

Access to the server/database system is, as a rule, restricted to a limited number of trained employees in the product team. 

b. Controls of access authorisation for Personio to customer systems by the customer

The customer can decide via the system settings in the customer system whether Personio may access the customer system. This access authorisation is deactivated by default, and it can be activated or deactivated at any time by Personio users who are authorised by the customer. 

c. Assignment of access rights 

At Personio, access rights are assigned, as a rule, according to the “need-to-know” principle. Hence only persons who demonstrably need access receive it, and only for as long as they need it. Access authorisations are documented centrally and are withdrawn by the administrator immediately once the need for access has lapsed. Access is restricted to the minimum necessary privileges. Access to the admin system or the server/database system is enabled by the management, the senior leaders of the product team or the Information Security team, and this takes place, as a rule, under the four-eyes principle. The administrators or the Information Security team check regularly whether authorisations that have been granted are still required. Moreover, supervisors are obligated to request an appropriate correction of authorisations from the IT team if employees’ duties change. If employees leave the company, the Human Resources team notifies the administrators promptly of the pending changes so that the corresponding authorisations can be withdrawn. Authorisations must be revoked, if possible, within 24 hours of the employee leaving the company. 

d. Host-based intrusion detection system (HIDS) 

Each server system is equipped with a host-based intrusion detection system. This system monitors at least the following parameters: conspicuous system log entries, signatures of known rootkits and trojans, anomalies in the device file system, and brute-force attacks. All parameters are assessed in real time, except for modifications in file systems, which are verified at least once per day. In the case of anomalies, the responsible employees of Personio are notified immediately by e-mail. 

e. Use of a packet filter firewall 

Personio’s servers are protected by packet filter firewalls, which ensure that no services are accessible directly from the internet. Publicly accessible services are routed through load balancers or bastion hosts, which only permit the logs that are needed for the respective device. 

f. Logging of login and logout processes 

Attempts to log in and out of admin, customer and server systems/software are logged (at least with email address, user ID, IP address, result of the login attempt and time stamp), and this log is currently stored for up to 30 days. These logs can be analysed on request and/or if there is a specific suspicion. 

2.6. Separability 

Guarantee that personal data collected for different purposes can be processed separately and are separated from other data and systems so as to prevent unplanned use of these data for other purposes. 

a. Separation of development, test and operating environments

Data from the operating environment may only be transferred to test or development environments if they have been completely anonymised before transfer. Anonymised data must be transferred in encrypted form or over a reliable network. Software that is to be transferred into the operating environment must first be tested in an identical test environment. Programs for error analysis or for creating/compiling software may only be run in the operating environment if this cannot be avoided. This is the case above all if error situations depend on data that have been corrupted by the anonymisation requirements for transfer into test environments. 

b. Separation in networks

Personio separates its networks according to task. The following networks are used on a permanent basis: operating environment (“production”), testing environment (“staging”), office IT for employees, and office IT for guests. In addition to these networks, further separate networks are created as needed, e.g., for restore tests and penetration tests. Separation of networks is achieved, depending on the technical possibilities, either physically or using virtual networks. 

c. Customer separation by software 

Personio ensures the separate processing and storage of different customers’ data using a logical customer separation based on a multi-tenancy architecture. In this process, the classification and identification of the data is handled by assigning an unambiguous identifier to each customer (e.g., customer number/“company ID”). The architecture is safeguarded by integration tests that ensure that no database queries are carried out without being scoped to this identifier, so that the risk of bypassing client separation through programming errors is minimised. In addition, regular security audits and binding code reviews (four-to-six-eyes principle) secure the architecture. 

Measures to ensure integrity 

Integrity designates the ensuring of intactness (integrity) of data and the correct operability of systems. 

2.7. Control of transport and disclosure 

Guarantee that the confidentiality and integrity of data is protected when transferring personal data, as well as when transporting data carriers. 

a. Pseudonymisation and anonymisation

Measures for pseudonymisation and anonymisation of personal data are implemented to the extent necessary. Data in development environments used for testing purposes is anonymised or pseudonymised wherever possible.

b. Transfer and dissemination control

Mechanisms to secure data traffic and communication connections, as well as to monitor and log activities in networks, have been established to the necessary extent. Where appropriate, firewalls and intrusion detection and prevention systems (IDS / IPS) are implemented. 

Secure end-to-end encryption of personal data transmitted via public communication networks is ensured. When establishing secure connections (VPN tunnels) providing access to IT resources via public networks, two-factor authentication is employed as standard practice. When transporting personal data stored on data carriers, encryption is utilised among other measures to safeguard the data against unauthorised access, manipulation, or loss.

c. Prohibition of disclosure to unauthorised third parties 

Disclosure of personal data at the customer’s order may only take place within the scope of instructions and to the extent required for provision of the contractual services for the customer. Disclosure of personal data from the assignment to unauthorised third persons, e.g., through storage in another cloud storage service, is especially prohibited. 

2.8. Input control 

Guarantee that it can be verified and determined afterward which personal data have been input or modified in the automated processing system when and by whom. 

a. Logging of system activities within the admin and customer system, as well as assessment 

Significant system activities are logged (at least: user ID, rights according to the role concept, IP address, system components or resources, type of activity carried out, as well as timestamp) and are currently kept for up to 30 days. This includes especially the input, modification and deletion of data, users and authorisations, as well as the modification of system settings. If requested or if there is a specific suspicion, an appropriate analysis of the logs can be conducted. 

Measures to ensure availability 

Services, functions of an IT system, IT applications or IT networks, or also information, are available if they can always be used as intended by the users. 

2.9. Availability controls 

Guarantee that personal data are protected from accidental destruction or loss. 

a. Data security procedures/ backups 

To ensure appropriate availability, Personio implements a backup concept, in accordance with the state of technology, for the database holding the customer’s data (backed up at least every 30 days) and for the storage medium holding the corresponding stored documents. 

Data backups of databases and operating system images are taken to the extent required, with the aim of preventing the loss of personal data in the event of a technical malfunction or human error. Backups are performed for network drives and servers in productive operation, and their execution is logged and monitored. The recovery of data from backups is tested on a periodic basis.

b. Geo-redundancy in relationship with server infrastructure of the productive data and backups 

To ensure geo-redundancy in the event of an unforeseen event, e.g., a natural disaster, Personio ensures that appropriate requirements for spatial separation of the server infrastructure holding the production data and the backups are observed. This can be ensured by using different computer centres at sufficient distances or by computer centres in different availability zones. 

c. Capacity management 

There is capacity management, including monitoring and automatic notification of the responsible Personio employees in the event of capacity bottlenecks. 

d. Warning systems for monitoring of the accessibility and conditions of the server systems 

There are warning systems for monitoring the accessibility and condition of the server systems. If there is downtime, engineering is notified automatically so that troubleshooting measures can be taken immediately. 

e. IT malfunction management (“incident response management”)

There is a concept and documented procedures for handling malfunctions and security-related incidents. 

These include especially the planning and preparation of the response to events, procedures for monitoring, detection and analysis of security-related incidents, as well as the determination of the corresponding responsibilities and reporting channels in the event of a breach of protection of personal data in the context of the legal requirements. 

f. Further measures to ensure the availability in data centres 

An automatic fire detection and fire-fighting system is installed in the data centre. The fire detection system uses smoke sensors throughout the entire surroundings of the data centres, in the mechanical and electrical areas of the infrastructure, in cooling rooms and also in the rooms where the generators are housed. All electricity supply systems are redundant. An uninterruptible power supply ensures that critical areas of the facilities are supplied with electricity in the event of a power failure. Moreover, the data centre is equipped with generators that can supply the entire facilities with emergency electricity. The data centre is also equipped with climate control and temperature control. Preventive maintenance measures are carried out to guarantee the continuing operation of the facilities. 

2.10. Recoverability 

Guarantee that systems used can be recovered in the event of physical or technical malfunctions. 

a. Regular tests of data recovery (“restore tests”)  

Regular, complete restore tests are conducted to ensure recoverability in the event of an emergency/catastrophe. 

b. Emergency plan (“disaster recovery concept”) 

There is a concept for handling emergencies/catastrophes, as well as an appropriate emergency plan. Personio ensures the recovery of all systems on the basis of data security/backups, as a rule within 24 hours. 

Measures for verification and evaluation 

Presentation of procedures for regular verification, assessment and evaluation of the effectiveness of technical and organisational measures. 

a. Data Privacy and Information Security Team 

A data privacy and information security team is set up for planning, implementing and assessing measures in the field of data protection and data security and for making adjustments. 

b. Risk Management

There is a process for analysis, assessment and classification of risks in order to derive measures based on these risks and to regularly assess the effectiveness of these measures in the context of Personio’s data protection and information security management system. 

c. Independent verification of information security 

i. Conducting audits 

Internal audits on data protection and information security are conducted on an annual basis by an external party to ensure an independent and unbiased review of our Security Program. The audits are conducted using common audit criteria/schemes (especially the legal requirements of the GDPR, security standards, etc.) and check compliance with the requirements outlined in international standards such as ISO/IEC 27001.

ii. Verification of compliance with security guidelines and standards

Compliance with the security guidelines, standards and other security requirements that apply when processing personal data is verified regularly. Where possible, these checks are carried out on a random-sample basis and without prior notice. 

iii. Verification of compliance with technical requirements

A member of the Information Security team conducts regular automated and manual vulnerability scans to verify the security of applications and infrastructure, as well as of the ongoing development of the product. An external service provider conducts detailed penetration tests as needed in order to inspect applications and infrastructure for vulnerabilities in a targeted manner. 

iv. Process for continual improvement of the data privacy and information security management system 

The data protection and information security processes also include a regular verification and assessment of the technical and organisational measures taken. This also includes an improvement and suggestion system in which employees can participate. In this manner Personio guarantees continuous improvement of the processes for handling personal data. 

d. Control of assignments 

Guarantee that personal data that are processed on assignment can only be processed according to the customer’s instructions. 

i. Processing on instructions 

Personio employees are instructed to process the customer’s personal data only if there are documented instructions from an authorised Personio user. In accordance with the applicable documentation, Personio may receive the customer’s instructions in writing or in the electronic formats offered for this purpose by Personio. Oral instructions are only permitted if time is short, and the customer must confirm them promptly in writing or in an electronic format offered by Personio. 

ii. Diligent selection of suppliers 

When outsourcing, suppliers are engaged on the basis of a diligent selection process carried out in collaboration with the Information Security team, the Procurement team, and the Privacy and Legal teams according to established criteria, especially regarding data protection and IT security, including but not limited to the following:

● Checking of documentation and compliance with technical and organisational measures pursuant to Art. 32 GDPR 

● According to the level of protection and scope of the personal data, if possible, commissioning of only ISO/IEC 27001 certified companies (this applies in all cases for data centres). A risk assessment is likewise conducted for the respective suppliers to prevent risks during the process if the third-party provider works regularly with personal data. 

iii. Processing by assignment pursuant to Art. 28 GDPR 

The use of a subcontractor may only take place in accordance with the data protection terms agreed between Personio and the customer in accordance with Art. 28 GDPR. 

iv. Conducting regular checks / requiring evidence

Before procuring any new sub-contractor, and at regular intervals afterwards, Personio verifies the compliance of the sub-contractors it employs with the technical and organisational measures, or has evidence of this compliance submitted to it.

General information

Pursuant to Article 32 of the GDPR, Personio implements a series of technical and organisational measures to ensure a level of protection appropriate to the risk to the rights and freedoms of natural persons. 

Additionally, pursuant to Article 46 of the GDPR, Personio implements additional technical and organisational measures based on the recommendations on supplementary measures developed by the European Data Protection Board for the transfer of personal data to third countries. Such measures are implemented to satisfy the judgement of the Court of Justice of the European Union in Case C-311/18, also known as Schrems II, related to the use of legal instruments for the transfer of personal data to third countries.

The additional technical and organisational measures are necessary as Personio GmbH & Co. KG ("Personio") may transfer personal data to its subsidiary based in the United States, Personio Corp. It is important to note that all customer personal data resides in the EU.

Technical and organisational measures according to Art. 32 GDPR

Personio has taken the following additional technical and organisational measures within the meaning of Article 32 of the GDPR and the supplementary measures following Schrems II.

1. Measures to ensure confidentiality

Guarantee that the in-house organisation meets the special requirements of data privacy when dealing with data transfers between Europe (European Union and the UK) and third countries.

1.1 Transport encryption

a. Policy directive

Personio’s information security policies mandate the encryption of personal data both in transit and at rest. Policy measures also define how personal data is protected when an employee resides in a third country.

b. Zero-trust based access technology implementation

Further measures are in place when handling personal data. Two layers of encryption are deployed in such cases, where the application layer encrypts traffic using TLS v1.2 or higher, and the network layer encrypts traffic using Zero-Trust based access technology.

1.2 Access restrictions

a. Role and authorisation concept

The role and authorisation concept was updated to ensure the differentiation between Personio members of staff situated in Europe and in third countries. Access from third countries is restricted and segmented.

b. Network segregation

Systems that process and store personal data are identified and protected with location-aware authentication. Access to such systems is only possible when using company-provided Zero-trust access technology.

c. Technology enforcement

Personio’s computers are hardened with centralised management software in the form of endpoint protection. This enforces compliance with the security guidelines and the use of Zero-trust based access by employees residing in third countries.

1.3 Data transfer restrictions

a. Policy directive

Personio’s information security policies include rules that control the movement of personal data to a third country.

b. Device control 

Personio’s computers are technically configured to block data transfers to removable media, such as USB sticks and external hard drives.

1.4 Kill switch mechanism

a. Access revocation process

A process for revoking access is in place in case access to personal data by personnel residing in a third country must be cut off immediately. Management and execution of this process reside in Europe, and no third-country personnel are necessary to deploy the enforcement.

b. Technical procedures

Personnel within Europe follow documented and proven technical procedures in order to execute the revocation process at any time it is required. The process is reviewed periodically by Management as part of the security program’s continuous improvement process.

1.5 Global access management in the EU

a. Policy directive

Security policies have been enhanced to require that, for all systems containing personal data, technical administration is also performed by personnel within Europe.

b. Centralised access management

At all times, for all systems containing personal data, personnel employed within Europe perform system administration tasks alongside employees residing in third countries. This ensures that the access revocation process can be applied to any administrator residing in a third country.

Version 30-04-2024