Authors: Dr. Eljalill Tauschinsky, dacuro GmbH and Dr. Gerhard Wiechert, target Software Solution GmbH
Walldorf-based dacuro GmbH (www.dacuro.de) provides companies with an external data protection officer, assists in fulfilling documentation obligations and advises on all aspects of data protection. dacuro GmbH aims to comply with the requirements of the General Data Protection Regulation (GDPR) without obstructing day-to-day life. The team of lawyers and IT specialists provides support for all challenges of the GDPR, whether of a legal or technical nature.
The European General Data Protection Regulation (GDPR) has been in force since May 25, 2018, and is developing an ever-increasing effect. Many companies have, in the past few years, taken steps to implement the requirements contained therein. Not least for that reason, the number of GDPR guidebooks and implementation aids has also risen. However, many have realised that, when implementing the GDPR, just like when doing the Spring cleaning, some of the problem areas are only gradually starting to become apparent. Such an “area” that is frequently still neglected in terms of data privacy, is idea management.
In this article we, as idea managers, would like to explain to you what basic knowledge on data privacy ought to be available to you. Specific recommendations for action arise from our explanations, which we will summarize at the end. This article should put you in a position to discuss the topic of data privacy professionally with an internal or external data privacy officer, and, building upon that, check your activities for completeness and legal compliance in your sphere of responsibility in idea management.
Our explanations can obviously not constitute legal advice. On top of that, some GDPR requirements are only gradually becoming clear in terms of their application by the authorities and in case law, so that it is, at present, impossible to be certain about the completeness of the explanations.
Before we embark on setting out the data protection requirements of idea management, some terms should first be clarified.
The key term of data protection is that of “personal data”. In general, that means data that can be assigned to an identifiable person. “Personal data” in idea management, includes, for example, the name, staff ID, email address, but also any links with which a person can be connected with an idea (e.g. as the submitter, reviewer or person responsible for realization) or a group of employees (e.g. as an idea management committee member or idea manager) – i.e. any data which can be assigned to an identifiable employee.
Data protection takes place in the context of the “processing” of personal data by a “controller”. The term “processing” is very broadly construed, and covers, inter alia, the storage, display or erasure of the data of an identifiable person. This person is then known as the “data subject”.
The “controller” within the meaning of the GDPR is always the legal person within the sphere of which the data processing takes place. Within an organization, however, the organizational unit of Idea Management is responsible for the processing of personal data in the idea management system.
In most cases, a manufacturer of standard software for idea management may not only be commissioned with delivering the software, but also with the implementation and support. Thus, the software company becomes a “processor”, which processes personal data on behalf of the controller.
The personal data processed needs to be appropriately protected by the controller. This not only concerns measures such as protection against viruses or controlling access to the server room. The GDPR also explicitly names “pseudonymization” as a measure for protecting the data of data subjects.
“Pseudonymization” of personal data in idea management means that the latter can no longer easily be assigned to a specific person. For example: For all roles (submitter, reviewer, responsible persons ...), IDs are used to identify the role owner. Only by drawing upon information from the separately protected human resources system can it be assigned to a specific person.
target idea management software directly accesses the required HR data within the SAP system, so that a data interface with redundant storage of HR data in the idea management software is dispensed with. This circumstance substantially facilitates compliance with the GDPR, because the personal data is only stored in the idea management system in pseudonymized form. Idea data includes personnel numbers for the submitter, reviewer, person responsible for realization, etc. Only by drawing upon additional information from the personnel tables in the SAP system can the ideas be assigned to a specific person.
The GDPR describes several principles that need to be complied with in every instance of processing personal data. These are the principles of purpose limitation, data economy or data minimization, accuracy, storage limitation, integrity and confidentiality. In addition, each instance of data processing is subject to the controller’s accountability. Said accountability substantiates the necessity of keeping a record of processing activities pursuant to Art. 30 GDPR, which we will deal with later. Obviously, an entry concerning idea management should also exist in this record, from which in particular access rights and erasure deadlines can be inferred.
When implementing idea management, in particular the principles of purpose limitation and data minimization need to be observed, i.e. the processing needs to be appropriate to the purpose of “idea management”, as well as limited to the extent necessary.
The personnel number, name, email address or organizational allocation, which determines the responsible manager or idea manager, is obviously necessary information. In other cases, which data is necessary depends on the circumstances. Personal address data is, for example, necessary if the idea management is linked to a reward shop, which sends non-cash prizes to the private address. In most cases, private address data may, however, be unnecessary.
In many cases it will depend upon the role of the user, in regard to an idea, which personal data is displayed to the user. In the case of a general idea search, e.g. according to keywords, ideas which satisfy their search criteria and have been permitted by the company for said search (e.g. only closed ideas, not pending ideas), will be shown to the user. Anyone enquiring about the purpose of such a search will receive various different answers, such as “I have an idea, but perhaps someone has already thought of it”, or “I have a problem, perhaps there is already a solution.” It is not relevant, for said purposes, to display the submitters, or show even the rewards paid. AS a consequence, such data should in this context not be accesible. In other cases, the decision is more difficult. May the submitter see who was the reviewer, and what is in the review? There may be differing opinions on this, which are connected with the corporate culture of a company.
Use of information, such as the gender, age or nationality, with which statistics on their respective share in registering ideas could be shown, is, in our opinion, generally not permissible, because such data is generally not necessary for idea management. Should a statistical survey on the use of idea management in a company have become necessary, such a time-limited survey can be conducted as a separate processing activity. This then, however, needs to independently fulfill the requirements of the lawfulness (as discussed below) and the above-mentioned basic principles. To describe this in detail would, however, go beyond the scope of this article.
Accountability rests with the idea management, i.e. the idea management needs to be able to provide evidence of complying with the principles.
According to the data privacy laws, any data processing needs to be “lawful”, i.e. it has to be undertaken based on recognized grounds. Such grounds are listed in Art. 6(1) GDPR, and include, for example, consent, or a contract with the data subject, but also the fulfillment of specific statutory obligations. The lawfulness of the processing will, generally, emerge from your works agreement on idea management.
It is, however, to be kept in mind that, basically, only the data processing procedures that are “indispensable” in regard to such specific “grounds” are covered by a legal basis. It may therefore be consequently necessary to obtain additional consent. In this respect, we recommend you provide for a check box on the submission form for an idea, with which the submitter needs to declare his or her consent to said data processing.
It is, however, to be kept in mind that it is an integral component of consent under data privacy law that it can also be revoked. Should you wish to include such a check box for obtaining consent, internal processes need to be in place to keep the evidence at hand, as well as to implement any revocation.
If personal data is gathered from a data subject, the idea management system needs to inform the data subject about this fact and give specifics about the processing activities.
Personal attributes (name, email address, organizational allocation, etc.) are probably never gathered by the idea management, but by the office responsible for the HR administration. The HR master data needed is made available to the idea management.
If, however, an employee is assigned a certain role in the idea management process (e.g. as a reviewer, responsible persons, person responsible for realization ....) of an idea, personal data will also be gathered, as a result, which triggers a corresponding information reporting obligation. In this respect, an email to the data subject containing the relevant information is sufficient. Logically, the recipient can directly access the software from this email, via a link, in order to complete any additional task there.
The GDPR, moreover, substantiates legally enforceable rights for data subjects. These are the right to information and the right to receive a copy of the data kept at hand, the right to accuracy of the data processed and the right to erasure or restriction of the processing of said data.
What is relevant for idea management here is the employee’s right for information about his or her contributions to ideas (as a submitter, reviewer, person responsible for realization, or in any other role) to be erased if they so request or if such personal data is no longer needed for the purposes of idea management. The scope of the right to erasure does not, however, cover the case where the fulfillment of a legal obligation is in conflict with the latter.
The right to have personal data erased does not require the idea to be deleted. The idea history (descriptions, comments, benefit calculation, etc.) can by all means be retained. The right to erasure rather means that the links to persons need to be removed. This principle of removing the personal reference does, however, include more than is apparent at first sight.
However, before we discuss this point, we would like to address the question of when personal data is no longer needed for the purposes of idea management in a closed idea.
Usually, the following deadlines are laid down in a Works Agreement, which regulate the storage of the idea beyond the mere realization or rejection of an idea:
As a rule of thumb, it may therefore be the case that personal data is no longer needed within the ideas for the purposes of idea management after approx. three years. Caution: this does not, however, mean that the personal data in all ideas may generally be removed after such period of time, as, in addition, you need to observe provisions concerning tax law.
Because of such provisions concerning tax law, you need to differentiate ideas that attract a reward from ideas that do not attract a reward in regard to the erasure period. In regard to ideas that do not attract a reward, it can be established that the personal reference needs to be erased after three years.
Rewards result in additional data in wage and salary accounting. In practice, this concerns wage types with the additional details such as personnel number, wage type ID, amount, date of emergence, ID of the proposal for reference purposes and any cost center ID for allocating the costs of the reward to the cost center making use of the idea. This data falls under the same provisions and archival deadlines as other data relevant to wages and salary.
In accordance with provisions concerning tax law (German Fiscal Code (AO)), a retention period of 10 years applies to accounting documentation and business receipts. This period may, however, still be extended, e.g. if the tax assessment for individual years has only been issued provisionally. This retention period primarily concerns the accounting center at your company. What is to be discussed, then, is whether the long retention period now also relates to the personal data contained in the ideas.
As per our assessment, the question is to be affirmed, i.e. the long retention period is also to be observed for personal data in idea management. In the “principles of proper management and storage of books, records and documents in electronic form, as well as regarding data access” (GoBD), it says: “Besides the non-fiscal and fiscal books, records and documents on business transactions, all the documents that are of significance in the individual case for understanding and reviewing the records that are required by law for taxation purposes are to be saved (cf. Federal Court of Finance (BFH) judgment of June 24, 2009, BStBl/Federal Tax Gazette II 2010, p. 452).”
In plain English: It is not sufficient to only save the digital wage type receipt at the Accounting Center for the payment of the reward. An auditor could request to inspect the corresponding idea (including the personal data), because the reward can only be verified in that way. The personal data is necessary, as the reward may depend upon personal facts, such as the share of the submitter and the assessment of the proximity to the area of responsibility.
There is a simple and pragmatic approach to this, i.e. to basically delete any ideas that do not carry a reward after three years, and any ideas that do carry a reward following the expiry of the retention period (10 years or more). The disadvantage is the loss of the idea history, however, every company should ask whether ideas that were, in any case, closed over 10 years ago are still worth saving.
Rather than deleting the ideas, it would, obviously, also be conceivable to retain the ideas as such, and only remove the personal reference. This may, however, in practice, prove to be difficult, and involve a lot of effort.
It can, namely, not be excluded that references to persons that are not so easily recognizable are contained in the flowing text describing an idea. Any information and details which permit identification turn a data set into personal data. If, for instance, it is clear from the text that the submitter was male, however there was, at the period of time in question, only one (well-known) man in the corresponding department, that means that personal data is concerned. The same is conceivable if, for example, origin, language, physical features, etc. come into the picture. Such features, taken together, for example, with information on the department or the corporate position, often make it possible for individuals to be identified without the name or contact details.
Electronic documents that can be attached to an idea moreover frequently contain personal data in the so-called “metadata”. Thus, often, for example, the author or the most recent change is recorded via the document properties. Also in this case, personal data is concerned. That is, on the face of it, not immediately visible, and may even not be known to many people.
Deleting the entire idea is therefore the more cautious option.
As a last point, it should be mentioned that data also needs to be erased upon the request of the data subject, as the case may be, prior to the expiry of “normal” retention periods. Should a submitter withdraw his or her idea, and thus forfeit priority claims, and should he or she not have received a reward, the idea data must be erased upon request without delay, or the personal reference removed. A company may not then claim any proprietary interest in such (personal) data without their being a legal obligation to retain them. This does not, however, necessarily mean that the gist of the proposal for improvement cannot nevertheless be retained and implemented. The employee in question has then, as the case may be, has only taken care that no informational link to the fact that they was the submitter of said idea to exist.
Let us summarize the above explanations: The obligation to erase personal data from the idea management system exists, in regard to ideas not carrying a reward, after three years; in regard to ideas carrying a reward, at the earliest after ten years. An extension occurs if reasons for keeping accounting documentation for a longer period exist. The fulfillment of provisions concerning tax law does not permit any earlier erasure of personal data associated with ideas carrying a reward. Prior erasure is, however, possible upon request – especially if no further transactions or procedures, such as being paid a reward, were triggered by the idea. The retention obligations under tax law generally take precedence over an erasure request.
The “target” software offers all the necessary options for implementing the “right to be forgotten”, irrespective of which of the possible routes the customer chooses.
As idea management is frequently implemented by external software, the question has to be posed here, whether external data processing services are concerned. If the service provider is given access to personal information, a data processing agreement needs to be drawn up between the controller and the processor. Such access exists if (unencrypted) data is stored on a service provider’s system, or if a service provider is given access to personal data via remote access.
Instances of maintenance access can often not be limited in such a way that access to databases containing the actual data of employees is impossible. To that extent, in most cases a contractual data processing relationship under Art. 28 GDPR exists. However, if the service provider’s access is only limited to (development) systems, where no information whatsoever on real persons resides, a data processing agreement is not required.
A controller may only draw upon a processor (in the specific case, a service provider who provides software and services within the idea management system) – in particular in light of expertise, reliability and resources - that offers adequate guarantees that technical and organizational measures which satisfy the requirements of the GDPR are being complied with. Such guarantees are made in the course of signing the agreement, and are, as the case may be, in turn reinforced by reports.
The “target” software solution has introduced an entrepreneurial data privacy organization which is regularly reviewed and monitored. We will, upon request, provide our customers with a sample agreement on data processing. The technical and organizational measures of “target” are periodically updated in the light of new technical options. Recurrent training events on data privacy are mandatory for all employees.
As already mentioned above, idea management is also reflected in the record of processing activities. The idea manager may significantly influence the information incorporated there. Although the record of processing activities may perhaps appear a tiresome exercise, the content of it is indeed extremely relevant. Thus, not only the Data Privacy Officer will base his or her risk assessment on the information stored here, but the supervisory authorities will also, in the event of a complaint, regularly retrieve the corresponding entries in the records. The description provided there then influences the official assessment of the situation complained about.
The idea management system needs to create an entry, from which, among other things, the purpose of the processing activity, the legal basis for gathering it, the category of the data processed, the access authorization and the indicative deadlines for erasure can be seen, as well as the existence of a contract data processing relationship.
Care is to be taken here to ensure that the data processing in regard to the roles existing in the idea management system is described clearly, and the various possible cases (e.g. with/without a reward) are clearly defined, in order to avoid subsequent objections by the authorities.
We are summarizing for you the recommendations for action arising from the above explanations, in accordance with the following classifications:
In regard to “documentation”, please note these points:
In regard to selecting the partner for the software and services, please note these points:
In regard to “Configuring and operating the software”, please note these points:
Additional information is available for "target" customers in the “my target” area (login required).
Many companies are only gradually grasping the extent of the data privacy obligations. There will more than a few who have not yet at all considered the relevance of idea management systems when implementing the GDPR. Since, however, personal data is also processed in the context of idea management, the GDPR compliance does play a role.
This circumstance should, however, not be any reason to panic. Although, for GDPR-compliant implementation of idea management, there are one or two points to note, nobody is, in this respect, expected to do the impossible. It will generally be possible for the recommendations for action specified above to be implemented quite well as long as some care and time is invested.