HR Systems and Data Privacy in Europe
Have you ever had the chance to bring your organisation into compliance with the requirements of the European Commission's (or any national authority's) directive on data privacy?
I have, and if you have not, you might want to read my story, especially if you plan to implement one of the following changes:
- An HR Shared Services Centre managing several countries
- A new HR System implementation, especially if it is an ERP (SAP, PeopleSoft, Oracle, etc.), which by default will involve several countries
- Outsourcing some of your Human Resources activities (e.g. payroll)
The examples listed above differ, but they share one key driver: sharing data while protecting personally identifiable information.
The project I had to work on involved the deployment of SAP in a European country. The SAP servers (meaning "the data") were based in the US. The data could be accessed by HR employees both inside and outside Europe. All that together made it quite easy to realise that we were facing a potential Data Privacy issue.
Here is what we did:
- First of all, we liaised with our local HR team in the country concerned and asked them to engage with their local authorities in order to understand the Data Privacy requirements
- Then we involved both an internal (within the company) and an external (in the affected country) lawyer to work on the requirements
- Both lawyers drafted a Data Transfer Agreement (DTA) allowing data to be transferred outside the country (4-6 weeks)
- We submitted our DTA to the Works Council for approval
- The Works Council reviewed the wording, amended some of the content, etc.
- Concurrently, our internal and external lawyers submitted a draft copy of the DTA to the local Data Protection Authority in order to identify any concerns
- We received the approved DTA from the Works Council and submitted it to the local Data Protection Authority (2-3 weeks)
- We submitted our final DTA to the local authority for approval
- We finally received the approved DTA from the local authority (4 weeks), which allowed the transfer of personal data into SAP to begin
Here is a list of the lessons learned:
- Do not underestimate the time it takes to get the DTA approved and signed by all parties. Also, Data Privacy is rarely treated as a priority initially, until it is recognised as a Go/No Go project criterion
- Make sure to involve both internal and external lawyers from the beginning. In our case, they came up with different interpretations of the text!
- Do not forget to submit your Data Transfer Agreement (DTA) to the Works Council. Our Works Council "understood the need of the organisation and was further comforted by the fact that the DPA has strict privacy requirements." This might not always be the case.
- Be prepared for questions like:
  - How long is data kept in the HR system after an employee's termination?
  - How can employees access and update their own data?
- Data Privacy is different in each country, and a DTA might need to be approved by local authorities in more than one country
- Data Privacy becomes a lot more complex when data has to be transferred to a third country outside Europe
- Be clear from the beginning about which personal data you plan to use and transfer. You do not want to go through the same process a second time because one data element was left out of the agreement
I hope this article is, or will be, useful to you. Good luck, and do not hesitate to share your own experience.