- Access and authorization management
  - Immediate deactivation of all accesses: Block user accounts, VPN, e-mail, company software and access to sensitive systems (ERP, CRM, HR tools) on the employee's last working day.
  - Password changes: For generic or shared accounts, change passwords immediately after the employee leaves.
  - Systematic review: Check and revoke authorizations in operating systems (Windows, Linux, etc.), applications (time recording, specialist applications), cloud services (Microsoft 365, Google Workspace) and other platforms.
  - Documentation: Log all revocation and deactivation measures to ensure audit compliance and traceability.
- Dealing with business e-mails
  - Deactivate or redirect e-mail account: Block the business e-mail account immediately after the employee leaves, or redirect it to a substitute account. Set up permanent forwarding only if absolutely necessary and in a transparent manner.
  - Private e-mails:
    - If private use was permitted, private e-mails should be reviewed by authorized persons in coordination with the (former) employee (if still reachable).
    - Hand over private e-mails to the employee, or deliver them securely on a data carrier.
    - All private e-mails must then be deleted from the business account.
    - Ensure that no unauthorized access to personal data of third parties takes place.
  - Business-relevant e-mails:
    - Archive them or transfer them in an orderly manner to successors to comply with statutory retention periods (e.g. HGB, AO).
- Return of company resources
  - Inventory check: Ensure the return of all devices provided (laptop, smartphone, USB sticks, hardware tokens, access cards).
  - Data transfer: Check returned devices for stored data to ensure that all relevant information is available in a version at least as current as that on existing network drives. Check whether any data needs to be transferred to or integrated into central systems.
  - Secure data deletion: Securely delete sensitive company data on returned devices (e.g. using certified tools) to prevent unauthorized access.
  - Personal certificates and tokens: Remove or invalidate certificates on servers and hardware tokens that are no longer required.
- Data transfer and backup
  - Transferring business-relevant data: All documents, files and data relevant to business operations are transferred in a structured manner to the responsible colleagues, successors or superiors.
  - Prevention of unauthorized data transfers: Ensure that no relevant company data remains on private devices, external storage media or unauthorized cloud services.
  - Checking backups: Check whether the employee's personal data is present in backups. Personal data that is no longer required must, as far as technically possible and legally permissible, be removed from backups or handled in a controlled manner using suitable deletion concepts.
- Communication
  - Internal and external information: Inform staff and, if applicable, customers about the departure so that the new contact persons are clearly communicated.
  - Out-of-office note: Set up an out-of-office note in the e-mail system that indicates the permanent absence and names the new contact person.
- Data protection aspects (incl. Art. 15 GDPR)
  - Check consents: Revoke and document any consent given (e.g. use of photos, profiles on the website or intranet).
  - Deletion of personal data:
    - Private personal data of the former employee that is stored in the company and is no longer required must be deleted in accordance with Art. 17 GDPR. Before deletion, the employee should be offered the opportunity to receive their personal data upon request.
    - Observe statutory retention obligations (e.g. pay slips): Keep only for the prescribed period. Delete or destroy immediately after the deadlines have expired.
  - Right to information and data transfer pursuant to Art. 15 GDPR:
    - The employee has the right to receive information about the personal data stored about him/her. Upon request:
      - Provide it in a structured, commonly used and machine-readable format (e.g. CSV, PDF).
      - Before transmission, carefully check that no personal data of third parties is unlawfully disclosed. If necessary, minimize or redact data.
      - Document the process of data disclosure and transfer to comply with accountability obligations under the GDPR.
- Information security measures
  - IT forensics in case of suspicion: In the event of indications of data misuse or compliance violations, initiate IT forensic analyses before the employee leaves.
  - Logging of the offboarding: Log all actions taken (deactivations, returns, deletions).
  - Final discussion and awareness: Inform the employee that secrecy and confidentiality obligations continue to apply after leaving the company. Point out possible legal consequences in the event of violations.
- IT-Grundschutz-compliant measures
  - Physical security: Check access rights to buildings and server rooms; deactivate or withdraw access cards, keys and hardware tokens.
  - Network and system monitoring: After deactivating all accesses, ensure that no unauthorized use of resources takes place (monitor logs, use anomaly detection).
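The post-departure monitoring step above, together with the password change for shared accounts, can be turned into a concrete check: replay authentication logs against the offboarding record and flag anything the offboarding should have made impossible. This is an added example, not part of the original checklist; the offboarding record, the log line format and all account names are constructed assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime

def _ts(s):
    """Parse an ISO-8601 UTC timestamp such as 2024-03-30T08:12:33Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

# Constructed offboarding record (assumption): personal identities are deactivated at
# departure; shared accounts get a password change, recorded with the time it happened.
OFFBOARDING = {
    "departure": _ts("2024-03-29T17:00:00Z"),
    "personal": {"CORP\\j.doe", "j.doe", "j.doe@example.com"},
    "shared_rotated": {"svc-reporting": _ts("2024-04-01T09:00:00Z")},
}

# Constructed auth log lines: "<timestamp> <service> <SUCCESS|FAILURE> <account> <source-ip>".
LOG_LINES = [
    "2024-03-29T16:45:00Z vpn SUCCESS j.doe 203.0.113.10",               # before departure: fine
    "2024-03-30T08:12:33Z ad FAILURE CORP\\j.doe 203.0.113.10",          # deactivated account probed
    "2024-03-30T08:13:01Z m365 SUCCESS j.doe@example.com 203.0.113.10",  # revocation missed
    "2024-03-31T10:00:00Z erp SUCCESS svc-reporting 203.0.113.10",       # shared password not yet changed
    "2024-04-02T09:00:00Z erp SUCCESS svc-reporting 198.51.100.7",       # after password change: fine
    "2024-03-30T09:00:00Z vpn SUCCESS a.smith 192.0.2.5",                # unrelated user: fine
]

LINE_RE = re.compile(r"^(\S+) (\S+) (SUCCESS|FAILURE) (\S+) (\S+)$")

@dataclass(frozen=True)
class Finding:
    timestamp: str
    service: str
    account: str
    source: str
    reason: str

def check_post_departure(record, lines):
    """Return findings for activity after departure on deactivated or not-yet-rotated accounts."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count and report these
        ts, service, result, account, src = m.groups()
        when = _ts(ts)
        if when <= record["departure"]:
            continue
        if account in record["personal"]:
            reason = "login succeeded on deactivated account" if result == "SUCCESS" else "attempt on deactivated account"
            findings.append(Finding(ts, service, account, src, reason))
        elif account in record["shared_rotated"] and result == "SUCCESS" and when < record["shared_rotated"][account]:
            findings.append(Finding(ts, service, account, src, "shared account used before password change"))
    return findings
```

A successful login on a deactivated account is the finding to escalate first, since it means the revocation in the checklist was not actually carried out.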
- Checklist for offboarding
  - Deactivate accesses: User accounts (AD, ERP, CRM, mail), remote access (VPN, cloud).
  - Reclaim company resources: Hardware, software licenses, documents.
  - Ensure data transfer: Transfer business-relevant files and information to responsible colleagues.
  - Manage e-mail account: Forwarding to substitutes, setting up out-of-office notes, deleting private e-mails.
  - Internal/external communication: Information about the departure, appointment of new contact persons.
  - Data protection and information security:
    - Check and revoke consents
    - Observe the right to information according to Art. 15 GDPR (provide data if necessary)
    - Delete or transfer private data
    - Comply with retention obligations
    - Document and check security measures
  - Documentation: Record all offboarding steps, decisions and handovers.