PL EN DE
Best practices for IT service management

The dedicated SNP service organization ensures the quality and continuity of handling of all outsourcing contracts. Our work is based on ISO 20000, ISO 27001, PCoE (SAP Partner Center of Expertise) standards.

SNP Poland is the leader of SAP services market in Poland.
For 25 years (until 2017 - as BCC) we have been providing a full range of implementation, development and maintenance of SAP systems. We provide IT security and software development services.

We are a part of SNP Group - a leading global provider of solutions for transformation of SAP environments .

Since 1995 we have successfully accomplished hundreds of IT project in many countries worldwide.

Our experts present the most interesting solutions of IT world.

See the webinar archive, register for upcoming webinars.

See upcoming webinars:

    No results

Dlaczego uważamy, że SNP jest dobrym pracodawcą? Bo łączymy cechy rzadko spotykane w jednej organizacji - duże możliwości rozwoju, a zarazem dobrą atmosferę i elastyczność środowiska pracy. Dowiedz się więcej, na czym to polega w praktyce!

GDPR Cockpit for HR: GDPR for SAP HR

A recipe for the protection of employee data

Share
Print:
For companies employing hundreds or even thousands of employees, it is a real challenge to maintain the GDPR standards for data processed in the SAP HR system. This is where SNP GDPR Cockpit for HR comes to the rescue.
 

SNP GDPR Cockpit for HR is a specialized tool supporting the maintenance of GDPR standards for data processed in SAP HR systems (data about employees, associates, temporary employees). It is a fast-deployment add-on to the SAP HR standard. The product can be adapted to the specific needs of any organization.

For SAP HR

For companies using the SAP HR system, SNP has prepared a solution that automates a number of activities required by the GDPR. Data anonymization, deletion, archiving of documents or sending of information – these are ready-to-use mechanisms that have been included in the cockpit.

The target users of the cockpit may be a data controller, HR specialists and a data protection officer. SNP GDPR Cockpit for HR is an SAP GUI application available in two language versions – Polish and English. The menu can be adapted to the requirements of a specific user (a sample menu is shown in Fig. 1), in particular, customers can add their catalogs and functions.

SNP GDPR Cockpit for HR Menu

The cockpit supports 5 groups of key activities defined by the GDPR:

  1. Maintaining a record of data processing activities;
  2. Keeping a register of breaches;
  3. Managing the rights of people whose data is processed in our systems;
  4. Managing consents to data processing;
  5. Audit of data changes.

Record of data processing activities

The GDPR provides that the record of data processing activities does not have to be kept in enterprises employing less than 250 people, unless:

  • processing may violate the rights or freedoms of persons, e.g. it may result in discrimination, identity theft or identity fraud,
  • processing includes specific categories of data (e.g. biometric data) or data on convictions and law infringements,
  • processing is not occasional, e.g. processing of data related to customer management or personnel management.

Pursuant to the last provision, this record has to be maintained in almost every company that has employees.

SNP Cockpit for HR supports the creation and versioning of the record, however this function can also be used by the customer keeping a record in another tool. How? The contents of the record are defined in Article 30 of the GDPR. The SNP application automatically generates a record proposal (by analyzing contents in all infotypes in use, including custom ones, and in key HR tables). This proposal can be further edited and expanded or used as a source of information for the external record of data processing activities. If the record is maintained in the cockpit, elements that are processed outside the SAP HR system, e.g. biometric data for the access control system, GPS location data or employee photo, should be added to the generated proposal.

Informing and rights of individuals

When talking about the rights of people whose data we process, we must remember about the fulfillment of the information obligation. The SNP cockpit enables us to send to people whose data we process in SAP HR the previously prepared documents that are relevant for personal data protection, and to archive them (which is important from the point of view of the accountability rule in the case of control). In connection with the new requirements of the GDPR, some customers will probably decide to perform the information obligation again or to supplement information on employees’ rights. In both cases, you can use the SNP tool.
The GDPR does not explicitly define whether information obligations should be fulfilled again in the case of persons whose data was obtained before May 25, 2018. On November 29, 2017, the Working Party Art. 29 addressed the issue of updating the information obligation, invoking Recital 171 of the GDPR. According to it, the processing taking place on the day of application of the Regulation (May 25, 2018) should be adjusted to the provisions of the GDPR in the period of two years prior to that date. Therefore, the Working Party is in favor of full performance of the information obligation in accordance with the GDPR. SNP GDPR Cockpit can automate this process.

Function of Informing People

SNP GDPR Cockpit for HR supports the exercise of the following rights:

  • the right of access to data – at the request of an individual, we can generate a relevant data report together with the purpose of processing;
  • the right to erasure – the cockpit offers the functions of selective or complete deletion of data from the SAP HR system;
  • the right to data portability – from the cockpit we can generate a readable file in CSV format with all the data we process in SAP HR for a given person.

Each request of a right holder related to the exercise of rights should be registered in the cockpit along with comments, attachments and status. The cockpit has a built-in deadline monitoring functionality that minimizes the risk of untimely handling of a request.

Request Handling Screen

Managing individuals’ consents

The cockpit can be used to register individuals’ consents to the processing of their data. The scan of the original document or the content of correspondence can be attached to the consent information. Most likely, many employers will ask employees or associates for additional consents, for example to the publication of photos on the website, processing of location data or transfer of data to a training company. It should be remembered that the data subject has the right to withdraw their consent at any time – the consent history is stored in the system.

Consent Management

Register of breaches

A new obligation of entrepreneurs will also be to report a breach of personal data protection immediately, not later than within 72 hours from identifying the breach, to the appropriate supervisory authority (the President of the Office for Personal Data Protection). In some cases, you should also inform the data subject about an incident – when the incident may cause a high risk of violation of their rights and freedoms.

Not all breaches should be reported to the supervisory authority. According to the GDPR, the breaches that are unlikely to result in the risk of violating the rights and freedoms of natural persons should not be reported. The 72-hour limit is treated with common sense – after reporting a violation, the notification may be supplemented systematically as new information becomes available and the circumstances of its occurrence are identified. Further information required by the regulations may be sent later than within the indicated 72 hours, unless it can be done earlier.

The data controller is obliged to keep a register of breaches in which any breaches of the personal data protection will be recorded, regardless of whether they may cause a risk of violation of the rights and freedoms of natural persons or not. This register will also be useful for supervisory authorities, since it will enable them to check during an audit whether the data controller fulfils their obligations with due diligence. It is to prevent the excess of notifications sent to supervisory authorities.

SNP GDPR Cockpit for HR supports the whole process – from identifying a breach to reporting it to a supervisory authority or persons whose rights and freedoms are at risk. Expiring deadlines are indicated by means of relevant colors. Electronic breach notifications can be sent from the register to the supervisory authority.

Register of Breaches

What next?

SNP GDPR Cockpit for HR can be launched in an organization within a few weeks. The application is open to new functionalities – in particular, customers can place their own documentation in the cockpit catalog. A few improvements, including those concerning breach notifications, are planned. The draft of the new act on the protection of personal data provides that the President of the Office for Personal Data Protection will maintain an appropriate ICT system enabling controllers to report breaches. It is likely that the supervisory authority will prepare and make available a notification form similar to the one for entrepreneurs from the telecommunications sector based on Art. 174a of the Telecommunications Law. When the new specification is announced, we will replace the standard e-mail notification with the target format in our cockpit.

 

Lepszy Biznes

magazyn klientów SNP

Przejdź do bazy artykułów
Share
Print:

Contact form





  1. Personal data is processed pursuant to Article 6 (1) (a) of the Regulation of the European Parliament and of the Council (EU) 2016/679 of April 27, 2016 – the General Data Protection Regulation
  2. The data controller is SNP Poland Sp. z o.o. with its registered office in Złotniki, ul. Krzemowa 1 62-002 Suchy Las. Contact data of the Data Protection Supervisor: dpo.pl@snpgroup.com.
  3. Consent to data processing is voluntary, but necessary for contact. Consent may be withdrawn at any time without prejudice to the lawfulness of the processing carried out on the basis of consent prior to its withdrawal.
  4. The data will be processed for the purposes stated above and until this consent is withdrawn, and access to the data will be granted only to selected persons who are duly authorised to process it.
  5. Any person providing personal data shall have the right of access to and rectification, erasure, restriction of processing, the right to object to the processing and to the transfer of data, the right to restriction of processing and the right to object to the processing, the right to data transfer.
  6. Every person whose data is processed has the right to lodge a complaint with the supervisory authority, which is the President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warsaw).
  7. Personal data may be made available to other entities from the group that SNP Poland Sp. z o.o. is part of – also located outside the European Economic Area, for marketing purposes. SNP Poland ensures that the data provided to these entities is properly secured, and the person whose data is processed has the right to obtain a copy of the data provided and information on the location of the data provision.

Please write an email or call

E-mail office.pl@snpgroup.com
Phone +48 61 827 7000

SNP Poland Sp. z o.o.

Headquarter:
Złotniki, ul. Krzemowa 1
62-002 Suchy Las near Poznań, Poland

Contact us

How can we help?
Write us
Send email
Call us





  1. Personal data is processed pursuant to Article 6 (1) (a) of the Regulation of the European Parliament and of the Council (EU) 2016/679 of April 27, 2016 – the General Data Protection Regulation
  2. The data controller is SNP Poland Sp. z o.o. with its registered office in Złotniki, ul. Krzemowa 1 62-002 Suchy Las. Contact data of the Data Protection Supervisor: dpo.pl@snpgroup.com.
  3. Consent to data processing is voluntary, but necessary for contact. Consent may be withdrawn at any time without prejudice to the lawfulness of the processing carried out on the basis of consent prior to its withdrawal.
  4. The data will be processed for the purposes stated above and until this consent is withdrawn, and access to the data will be granted only to selected persons who are duly authorised to process it.
  5. Any person providing personal data shall have the right of access to and rectification, erasure, restriction of processing, the right to object to the processing and to the transfer of data, the right to restriction of processing and the right to object to the processing, the right to data transfer.
  6. Every person whose data is processed has the right to lodge a complaint with the supervisory authority, which is the President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warsaw).
  7. Personal data may be made available to other entities from the group that SNP Poland Sp. z o.o. is part of – also located outside the European Economic Area, for marketing purposes. SNP Poland ensures that the data provided to these entities is properly secured, and the person whose data is processed has the right to obtain a copy of the data provided and information on the location of the data provision.

General contact for the company
office.pl@snpgroup.com

Question about products and services
info.pl@snpgroup.com

Question about work and internships
kariera@snpgroup.com

+48 61 827 70 00

The office is open
Monday to Friday
from 8am to 5pm