GDPR (DSGVO) in ERP
The General Data Protection Regulation (GDPR, DSGVO) — in force since May 2018 — establishes the European framework for processing personal data. For organisations that run ERP, GDPR applies broadly: employee records, customer master data, supplier-contact information, site-access logs, system audit trails. GDPR is not a single module to be added to ERP; it is a structural requirement affecting almost every operational data flow. Compliance depends on technical configuration, organisational processes and ongoing governance.
GDPR principles applied to ERP
- Lawful basis — each processing activity needs a documented legal basis (contract, legitimate interest, consent, legal obligation, vital interest, public task)
- Purpose limitation — personal data collected for one purpose cannot be reused for incompatible purposes
- Data minimisation — collect only what is needed for the documented purpose
- Accuracy — mechanisms to correct inaccurate personal data on request
- Storage limitation — deletion or anonymisation after retention period elapses
- Integrity and confidentiality — security controls protecting personal data
- Accountability — documented evidence of compliance for each processing activity
Data-subject rights
Data subjects (individuals whose personal data is processed) have specific rights under GDPR, and ERP must support each of them.
- Right of access (Article 15): provide a copy of all personal data held; ERP must support data-subject-specific extraction across all modules
- Right to rectification (Article 16): correct inaccurate data on request
- Right to erasure (Article 17, 'right to be forgotten'): delete personal data when no longer needed for the documented purpose, subject to exceptions for legal-retention obligations (GoBD, tax law)
- Right to data portability (Article 20): provide the data in a structured, machine-readable format
- Right to object (Article 21): object to processing based on legitimate interest
Executing a right typically requires coordinated workflows across ERP, HR, CRM, marketing-automation and adjacent systems — a single ERP request rarely covers all stored copies.
Retention and deletion
GDPR mandates deletion of personal data when it is no longer needed, but other regulations require retention for specific periods, and the intersection creates tension.
- Tax records (GoBD): 10 years for business records that touch tax-relevant data
- Employment law: typically 10 years for payroll records, 30 years for some pension-related records
- Health and safety: extended retention for accident records
- Commercial code: 10 years for contracts and business correspondence
Modern ERP supports retention-based deletion via configurable schedules per data category, with audit trails of what was deleted and when. The operational discipline is harder than the technology: documenting which retention period applies to which data, coordinating across systems, handling exceptions. Specialist tools (OneTrust, TrustArc, BigID) supplement ERP-side capabilities for organisations with complex data landscapes.
Data processing agreements
Cloud ERP vendors process personal data on behalf of the customer (the controller). The relationship is governed by a Data Processing Agreement (Auftragsverarbeitungsvertrag — AVV in German). Key elements: scope of processing, instructions from controller to processor, security measures (Article 32), sub-processor management (Article 28), breach-notification obligations, audit rights, termination consequences. Major cloud ERP vendors publish standard DPAs and sub-processor lists; negotiating significant customisations is generally limited to enterprise customers. For DACH mid-market selecting cloud ERP, reviewing the DPA and sub-processor list is a standard part of vendor evaluation, often with internal data-protection-officer involvement.
Frequently Asked Questions
How do we balance GDPR deletion rights with GoBD retention obligations?
GoBD retention takes precedence for tax-relevant data — you cannot delete what you are legally required to retain. The pragmatic pattern: separate tax-relevant master and transaction data (retained 10 years) from non-tax-relevant data (deletable on request). Employee personal data has its own retention regime under employment law. Internal data-flow documentation should explicitly address these conflicts.
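As an added example (not code from the original page), the pattern described in this answer and in the Retention and deletion section, in Python: an Article 17 request erases records with no statutory retention, keeps but blocks records still under GoBD or employment-law retention, and a scheduled job deletes each record once its period elapses, every step logged to an audit trail. The category names, record ids and dates are constructed for this illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List
# Statutory retention per category, in years (periods as cited above; category names are assumptions).
RETENTION_YEARS = {"tax_transaction": 10, "payroll": 10, "marketing_contact": 0}

@dataclass
class Record:
    record_id: str
    subject_id: str
    category: str
    created: date
    restricted: bool = False  # True: kept for its statutory purpose only, blocked for any other use
def retention_end(rec: Record) -> date:  # first date on which no statute requires the record
    year = rec.created.year + RETENTION_YEARS[rec.category]
    try:
        return rec.created.replace(year=year)
    except ValueError:  # created on 29 Feb and the target year is not a leap year
        return rec.created.replace(year=year, day=28)
@dataclass
class Store:
    records: List[Record]
    audit: List[dict] = field(default_factory=list)  # what was deleted or blocked, when, and why
    def _log(self, action: str, rec: Record, today: date, reason: str) -> None:
        self.audit.append({"date": today.isoformat(), "action": action, "record": rec.record_id, "reason": reason})
    def handle_erasure(self, subject_id: str, today: date) -> Dict[str, List[str]]:
        # Art. 17 request: erase what no statute requires; records still under retention stay unchanged but blocked.
        outcome: Dict[str, List[str]] = {"erased": [], "restricted": []}
        for rec in [r for r in self.records if r.subject_id == subject_id]:
            end = retention_end(rec)
            if end <= today:
                self.records.remove(rec)
                self._log("erased", rec, today, "Art. 17 request, no retention obligation")
                outcome["erased"].append(rec.record_id)
            else:
                rec.restricted = True
                self._log("restricted", rec, today, "statutory retention until " + end.isoformat())
                outcome["restricted"].append(rec.record_id)
        return outcome
    def run_retention_schedule(self, today: date) -> List[str]:
        # Scheduled job: delete every record whose retention period has elapsed, blocked ones included.
        expired = [r for r in self.records if retention_end(r) <= today]
        for rec in expired:
            self.records.remove(rec)
            self._log("deleted", rec, today, "retention period elapsed")
        return [r.record_id for r in expired]
SAMPLE = [Record("INV-1", "C-100", "tax_transaction", date(2019, 6, 30)),  # constructed sample data
          Record("NL-7", "C-100", "marketing_contact", date(2022, 2, 1)),
          Record("INV-2", "C-200", "tax_transaction", date(2012, 1, 15))]
```

Running `Store(list(SAMPLE)).handle_erasure("C-100", date(2025, 1, 1))` erases the newsletter contact but only blocks the 2019 invoice, which the schedule removes on 30 June 2029.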
Is cloud ERP from US vendors a GDPR risk?
Manageable with the right contractual and technical controls. The 2023 EU-US Data Privacy Framework provides a transfer mechanism replacing the invalidated Privacy Shield. Major US cloud vendors (Microsoft, Oracle, Salesforce, NetSuite, AWS, Google) maintain EU data residency options and DPAs aligned with GDPR. Verify the specific data flows in the selected configuration during vendor evaluation.
What is the role of the Data Protection Officer in ERP selection?
For DACH organisations with mandatory DPO (over 20 employees or processing sensitive data), the DPO should be involved in ERP selection from early stages — reviewing vendor DPAs, assessing data flows, validating retention configuration, signing off on transfer mechanisms. Including the DPO retrospectively after vendor selection has been a consistent source of regulatory and operational friction.
