General Data Protection Regulation | STAFFOMATIC


Personal data is a valuable asset. That is why STAFFOMATIC offers the highest level of data security.

What does STAFFOMATIC do to ensure compliance with the GDPR?

Hosting in Germany

The management of the servers (application servers and database servers) is also handled by a partner from Germany.

GDPR-compliant partners

We use third-party software for efficient and smooth business operations. Conformity with the GDPR is an obligatory selection criterion for us. This enables us to ensure that all data stored by us is secure, even when processed by third parties.


Our IT infrastructure is encrypted according to the latest standards, or runs in our own private networks. Access rights to IT systems for employees are assigned according to the principle of necessity.

We make these guidelines and the documentation of our IT security available in the user account under Settings.

Trained employees

Our employees are familiar with the requirements of data protection and our data protection guidelines. They receive regular training in data protection from our partner and undertake to treat personal data confidentially.

Data Protection Management System (DPMS)

Our business processes are increasingly digitalized and networked, which creates certain risks for the confidentiality, integrity and purpose limitation of data. We take this into account and provide adequate protection of the personal data processed by us against misuse and other risks. How we handle personal data internally at STAFFOMATIC is regulated in our data protection management system, which is mandatory for all employees.

Data Protection Officer (DPO)

To ensure professional and secure handling of your personal data, we have decided to work together with an external data protection officer. This guarantees us professional advice in dealing with data and - through regular checks - a high data protection standard. It also provides us with reliable information about current changes in data protection law.

Insurance in case of a data protection breach

Unfortunately, there is no 100% security for personal data. In order to provide additional security in the event of a data breach, e.g. a hacker attack, we have decided to take out insurance. In the event of an attack, we have the support of a professional service provider with extensive experience in dealing with such attacks.

In principle, our application stores and processes as little data as possible. For our service to work, however, it is necessary to collect and process some data. What this data is and how it is processed follows here:

Email address

For each STAFFOMATIC user, an email address is required. It is used for logging in and for communication.

Company data

When creating your STAFFOMATIC account we ask for further data, e.g. the company name. This data will later help you to use STAFFOMATIC. The company name is used to create an account URL (e.g.:

Shift hours

Shift times are saved in order to be able to use shift planning and evaluation. They are assigned to the respective user. (Example: When does employee X work?)

First name and surname

First name and surname are not mandatory fields. STAFFOMATIC can also be used with just your email address. However, specifying names makes the application much easier to use, since shifts can then be matched to people by name.

Invoice details

In order to be able to continue using STAFFOMATIC after the test phase, it is necessary to enter invoice data. Depending on the payment method, credit card data or account data for the SEPA direct debit mandate are stored here. This data is stored by our payment partners, who are of course all GDPR-compliant and store the data securely.

Other profile data

Each STAFFOMATIC user can manage the entry of additional profile data in his or her own profile. For example, address data and contact data can be added, or the times at which the user is available for shifts. It is also possible to save files for users.

Contract for order processing

Of course we provide all customers with a GDPR-compliant contract for order processing. After creating a test account, the order processing contract (AV contract) can be downloaded from the Settings menu.

Data protection declaration

Here you will find our privacy policy, which must be confirmed when creating your STAFFOMATIC account.


What is the GDPR?

The General Data Protection Regulation (GDPR) will replace the 1995 Data Protection Directive 95/46/EC. The new regulation creates a Europe-wide data protection law that ensures a homogeneous standard in all EU member states.

The aim of the Regulation is to create a safer environment for personal data. The 99 articles in eleven chapters limit the amount of data that can be collected, the way in which it is processed and how long it can be stored.

Who does the GDPR apply to?

The GDPR regulates data protection for all EU citizens and people residing within the EU. This means that as soon as consumers in the EU communicate online, or personal data of EU citizens are processed or stored, a company outside the EU (for example an American company) is also affected.

What are personal data?

Personal data are individual details about personal or factual circumstances of a specific or identifiable natural person (data subject). (§3 BDSG)

Personal data includes information that relates to a directly or indirectly identifiable person. In addition to names, addresses, photos, telephone numbers or bank details, e-mail and IP addresses are also included, as they provide clear information on individuals, especially in connection with each other. Information such as political opinions, ethnic origin, contributions from social platforms and much more also belong to the personal data defined by law.

Do I need a contract for order processing?

As soon as a company commissions an external service provider to collect, process or use personal data in accordance with its instructions, this is order processing (originally "order data processing") according to the GDPR. A DPA (Data Processing Agreement) contract is obligatory! While not much changes for the client (you) with the entry into force of the GDPR, the contractor (STAFFOMATIC) is given more obligations by the GDPR. In future, the client and the contractor will be jointly liable for the processing of data (Joint Control).

Order processing is often involved in:

  • External payroll accounting
  • Newsletters dispatched by a provider
  • Use of cloud services, e.g. for human resource management
  • File destruction
  • Tracking services
  • Customer help desks
  • Outsourced data centers
  • Call centers
  • External backup storage/archiving

Where can I find the contract for order processing?

After creating your test account, the contract is available for download from the Settings menu.

Is my data secure?

We at STAFFOMATIC take the security of your data very seriously. Our servers are hosted in a modern data center in Germany.

All transmissions are SSL-encrypted or take place in a private network.

Will the stored data be passed on to third parties?

No! The data collected and stored is used exclusively for the provision of the STAFFOMATIC software. Data will not be passed on to third parties. A sale or passing on to third parties is generally excluded by STAFFOMATIC and is not supported at any time.

Is there a certification according to GDPR? Is STAFFOMATIC certified according to GDPR?

There is as yet no official and recognised GDPR certification procedure. However, STAFFOMATIC takes all necessary steps to ensure maximum data security.

What happens to my data if I cancel the contract with STAFFOMATIC?

All user data will be deleted after 48 hours.

Account data such as invoice data and company data will continue to be stored for the duration of the legal retention periods.