General Data Protection Regulation in the practice of idea management

Walldorf-based dacuro GmbH (www.dacuro.de) provides companies with an external data protection officer, assists in fulfilling documentation obligations and advises on all aspects of data protection. dacuro GmbH aims to comply with the requirements of the General Data Protection Regulation (GDPR) without obstructing day-to-day life. The team of lawyers and IT specialists provides support for all challenges of the GDPR, whether of a legal or technical nature.

The European General Data Protection Regulation (GDPR) has been in force since May 25, 2018, and is developing an ever-increasing effect. Many companies have, in the past few years, taken steps to implement the requirements contained therein. Not least for that reason, the number of GDPR guidebooks and implementation aids has also risen. However, many have realised that, when implementing the GDPR, just like when doing the Spring cleaning, some of the problem areas are only gradually starting to become apparent. Such an “area” that is frequently still neglected in terms of data privacy, is idea management.

In this article we, as idea managers, would like to explain to you what basic knowledge on data privacy ought to be available to you. Specific recommendations for action arise from our explanations, which we will summarize at the end. This article should put you in a position to discuss the topic of data privacy professionally with an internal or external data privacy officer, and, building upon that, check your activities for completeness and legal compliance in your sphere of responsibility in idea management.

Our explanations can obviously not constitute legal advice. On top of that, some GDPR requirements are only gradually becoming clear in terms of their application by the authorities and in case law, so that it is, at present, impossible to be certain about the completeness of the explanations.

Target idea management software directly accesses the required HR data within the SAP system, so that a data interface with redundant storage of HR data in the idea management software is dispensed with. This circumstance substantially facilitates compliance with the GDPR, because the personal data is only stored in the idea management system in pseudonymized form. Idea data includes personnel numbers for the submitter, reviewer, person responsible for realization, etc. Only by drawing upon additional information from the personnel tables in the SAP system can the ideas be assigned to a specific person.

The GDPR describes several principles that need to be complied with in every instance of processing personal data. These are the principles of purpose limitation, data economy or data minimization, accuracy, storage limitation, integrity and confidentiality. In addition, each instance of data processing is subject to the controller’s accountability. Said accountability substantiates the necessity of keeping a record of processing activities pursuant to Art. 30 GDPR, which we will deal with later. Obviously, an entry concerning idea management should also exist in this record, from which in particular access rights and erasure deadlines can be inferred.

When implementing idea management, in particular the principles of purpose limitation and data minimization need to be observed, i.e. the processing needs to be appropriate to the purpose of “idea management”, as well as limited to the extent necessary.

The personnel number, name, email address or organizational allocation, which determines the responsible manager or idea manager, is obviously necessary information. In other cases, which data is necessary depends on the circumstances. Personal address data is, for example, necessary if the idea management is linked to a reward shop, which sends non-cash prizes to the private address. In most cases, private address data may, however, be unnecessary.

In many cases it will depend upon the role of the user, in regard to an idea, which personal data is displayed to the user. In the case of a general idea search, e.g. according to keywords, ideas which satisfy their search criteria and have been permitted by the company for said search (e.g. only closed ideas, not pending ideas), will be shown to the user. Anyone enquiring about the purpose of such a search will receive various different answers, such as “I have an idea, but perhaps someone has already thought of it”, or “I have a problem, perhaps there is already a solution.” It is not relevant, for said purposes, to display the submitters, or show even the rewards paid. AS a consequence, such data should in this context not be accesible. In other cases, the decision is more difficult. May the submitter see who was the reviewer, and what is in the review? There may be differing opinions on this, which are connected with the corporate culture of a company.

Use of information, such as the gender, age or nationality, with which statistics on their respective share in registering ideas could be shown, is, in our opinion, generally not permissible, because such data is generally not necessary for idea management. Should a statistical survey on the use of idea management in a company have become necessary, such a time-limited survey can be conducted as a separate processing activity. This then, however, needs to independently fulfill the requirements of the lawfulness (as discussed below) and the above-mentioned basic principles. To describe this in detail would, however, go beyond the scope of this article.

Accountability rests with the idea management, i.e. the idea management needs to be able to provide evidence of complying with the principles.

The GDPR, moreover, substantiates legally enforceable rights for data subjects. These are the right to information and the right to receive a copy of the data kept at hand, the right to accuracy of the data processed and the right to erasure or restriction of the processing of said data.

What is relevant for idea management here is the employee’s right for information about his or her contributions to ideas (as a submitter, reviewer, person responsible for realization, or in any other role) to be erased if they so request or if such personal data is no longer needed for the purposes of idea management. The scope of the right to erasure does not, however, cover the case where the fulfillment of a legal obligation is in conflict with the latter.

The right to have personal data erased does not require the idea to be deleted. The idea history (descriptions, comments, benefit calculation, etc.) can by all means be retained. The right to erasure rather means that the links to persons need to be removed. This principle of removing the personal reference does, however, include more than is apparent at first sight.

However, before we discuss this point, we would like to address the question of when personal data is no longer needed for the purposes of idea management in a closed idea.

Usually, the following deadlines are laid down in a Works Agreement, which regulate the storage of the idea beyond the mere realization or rejection of an idea:

As a rule of thumb, it may therefore be the case that personal data is no longer needed within the ideas for the purposes of idea management after approx. three years. Caution: this does not, however, mean that the personal data in all ideas may generally be removed after such period of time, as, in addition, you need to observe provisions concerning tax law.

Because of such provisions concerning tax law, you need to differentiate ideas that attract a reward from ideas that do not attract a reward in regard to the erasure period. In regard to ideas that do not attract a reward, it can be established that the personal reference needs to be erased after three years.

Rewards result in additional data in wage and salary accounting. In practice, this concerns wage types with the additional details such as personnel number, wage type ID, amount, date of emergence, ID of the proposal for reference purposes and any cost center ID for allocating the costs of the reward to the cost center making use of the idea. This data falls under the same provisions and archival deadlines as other data relevant to wages and salary.

In accordance with provisions concerning tax law (German Fiscal Code (AO)), a retention period of 10 years applies to accounting documentation and business receipts. This period may, however, still be extended, e.g. if the tax assessment for individual years has only been issued provisionally. This retention period primarily concerns the accounting center at your company. What is to be discussed, then, is whether the long retention period now also relates to the personal data contained in the ideas.

As per our assessment, the question is to be affirmed, i.e. the long retention period is also to be observed for personal data in idea management.  In the “principles of proper management and storage of books, records and documents in electronic form, as well as regarding data access” (GoBD), it says: “Besides the non-fiscal and fiscal books, records and documents on business transactions, all the documents that are of significance in the individual case for understanding and reviewing the records that are required by law for taxation purposes are to be saved (cf. Federal Court of Finance (BFH) judgment of June 24, 2009, BStBl/Federal Tax Gazette II 2010, p. 452).”

In plain English: It is not sufficient to only save the digital wage type receipt at the Accounting Center for the payment of the reward. An auditor could request to inspect the corresponding idea (including the personal data), because the reward can only be verified in that way. The personal data is necessary, as the reward may depend upon personal facts, such as the share of the submitter and the assessment of the proximity to the area of responsibility.

There is a simple and pragmatic approach to this, i.e. to basically delete any ideas that do not carry a reward after three years, and any ideas that do carry a reward following the expiry of the retention period (10 years or more). The disadvantage is the loss of the idea history, however, every company should ask whether ideas that were, in any case, closed over 10 years ago are still worth saving.

Rather than deleting the ideas, it would, obviously, also be conceivable to retain the ideas as such, and only remove the personal reference. This may, however, in practice, prove to be difficult, and involve a lot of effort.

It can, namely, not be excluded that references to persons that are not so easily recognizable are contained in the flowing text describing an idea. Any information and details which permit identification turn a data set into personal data. If, for instance, it is clear from the text that the submitter was male, however there was, at the period of time in question, only one (well-known) man in the corresponding department, that means that personal data is concerned. The same is conceivable if, for example, origin, language, physical features, etc. come into the picture. Such features, taken together, for example, with information on the department or the corporate position, often make it possible for individuals to be identified without the name or contact details.

Electronic documents that can be attached to an idea moreover frequently contain personal data in the so-called “metadata”. Thus, often, for example, the author or the most recent change is recorded via the document properties. Also in this case, personal data is concerned. That is, on the face of it, not immediately visible, and may even not be known to many people.

Deleting the entire idea is therefore the more cautious option.

As a last point, it should be mentioned that data also needs to be erased upon the request of the data subject, as the case may be, prior to the expiry of “normal” retention periods. Should a submitter withdraw his or her idea, and thus forfeit priority claims, and should he or she not have received a reward, the idea data must be erased upon request without delay, or the personal reference removed. A company may not then claim any proprietary interest in such (personal) data without their being a legal obligation to retain them. This does not, however, necessarily mean that the gist of the proposal for improvement cannot nevertheless be retained and implemented. The employee in question has then, as the case may be, has only taken care that no informational link to the fact that they was the submitter of said idea to exist.

Let us summarize the above explanations: The obligation to erase personal data from the idea management system exists, in regard to ideas not carrying a reward, after three years; in regard to ideas carrying a reward, at the earliest after ten years. An extension occurs if reasons for keeping accounting documentation for a longer period exist. The fulfillment of provisions concerning tax law does not permit any earlier erasure of personal data associated with ideas carrying a reward. Prior erasure is, however, possible upon request – especially if no further transactions or procedures, such as being paid a reward, were triggered by the idea. The retention obligations under tax law generally take precedence over an erasure request.

The “target” software offers all the necessary options for implementing the “right to be forgotten”, irrespective of which of the possible routes the customer chooses.

As already mentioned above, idea management is also reflected in the record of processing activities. The idea manager may significantly influence the information incorporated there. Although the record of processing activities may perhaps appear a tiresome exercise, the content of it is indeed extremely relevant. Thus, not only the Data Privacy Officer will base his or her risk assessment on the information stored here, but the supervisory authorities will also, in the event of a complaint, regularly retrieve the corresponding entries in the records. The description provided there then influences the official assessment of the situation complained about. 

The idea management system needs to create an entry, from which, among other things, the purpose of the processing activity, the legal basis for gathering it, the category of the data processed, the access authorization and the indicative deadlines for erasure can be seen, as well as the existence of a contract data processing relationship.

Care is to be taken here to ensure that the data processing in regard to the roles existing in the idea management system is described clearly, and the various possible cases (e.g. with/without a reward) are clearly defined, in order to avoid subsequent objections by the authorities.

We are summarizing for you the recommendations for action arising from the above explanations, in accordance with the following classifications:

• Documentation of the processing procedures
• Selecting the partner for software and services
• Configuring and operating the software

In regard to “documentation”, please note these points:

• Create an Intranet page with a data privacy policy for the idea management system.
• Create an entry in the procedure record.

In regard to selecting the partner for the software and services, please note these points:

• Only select a partner who offers adequate guarantees under the GDPR.
• Conclude a contract data processing agreement.

In regard to “Configuring and operating the software”, please note these points:

• Minimize the personal data.
• Show only the data necessary, according to the role or task.
• Link to the data privacy policy in the idea management software and in all emails that are sent concerning  idea management.
• Link to the Works Agreement in the idea management software.
• Provide for a mandatory check box for consent on the submission form.
• Inform a person each time that an idea is allocated to him or her.
• Delete ideas not carrying a reward after approx. three years – or - remove personal data in ideas not carrying a reward after such period.
• Delete ideas carrying a reward following the expiry of the archival period (10 years or more) – or - remove personal data in ideas carrying a reward after such period.

Additional information is available for "target" customers in the “my target” area (login required).

Many companies are only gradually grasping the extent of the data privacy obligations. There will more than a few who have not yet at all considered the relevance of idea management systems when implementing the GDPR. Since, however, personal data is also processed in the context of idea management, the GDPR compliance does play a role.

This circumstance should, however, not be any reason to panic. Although, for GDPR-compliant implementation of idea management, there are one or two points to note, nobody is, in this respect, expected to do the impossible. It will generally be possible for the recommendations for action specified above to be implemented quite well as long as some care and time is invested.