GDPR: Questions to Ask About HR Data and Third-Party Employers
By Adrienne Drew, Globalization Partners
The European Union’s General Data Protection Regulation (EU) 2016/679 of 27 April 2016 (GDPR) is now two years old, and the European Union—and the entire world—has changed in innumerable ways. Following the two-year anniversary of GDPR implementation, companies doing business in the EU should evaluate whether all aspects of their data processing are in compliance. Remembering that the earlier Directive applied to actors within the EU but that GDPR has an extraterritorial scope, companies in the US and elsewhere that did not previously need to comply with the Directive should re-evaluate whether they now have GDPR compliance obligations.
Entities that have vendor or employer relationships with EU-based individuals should specifically ensure their GDPR compliance efforts include their human resources data as well. A good starting point is to determine why GDPR applies. Companies with vendor, contractor, or employer relationships might have to comply with GDPR because GDPR applies to those who “monitor” the behaviour of individuals located within the EU (Article 3). GDPR doesn’t define “monitor”, but human resources functions such as tracking activities in order to review workers’ performance, reimbursing expense claims, tracking time (the European Court of Justice held last year that EU employers must track time for all employees: curia.europa.eu), and administering leave programmes require some degree of monitoring. Thus, a multinational entity that has contractors or employees in the EU has obligations under GDPR even if it doesn’t have an EU presence or sell goods or services into the EU, and even if its EU-based employees are not EU citizens.
As US companies expanding into Europe increasingly use third-party employers to help manage their global workforces, they need to consider GDPR when choosing their partner. When a company entrusts its workforce to a partner, it is also trusting that partner to manage HR data properly. The following questions may help in making that choice.
What Is Their Approach to Global Data Security Requirements?
Global partners should be familiar with the laws governing data compliance in every territory in which a company will hire employees. These laws include more than just GDPR in the EU. There are robust data-privacy laws in many other countries that are high priorities for expansion, such as Singapore, Argentina, South Korea, Hong Kong, Australia, and Malaysia.
It is prudent to confirm the partner is aware of and complies with the laws in each jurisdiction where an organisation has targeted expansion.
Can They Validate a Legal Basis for Their Data-Collection Practices?
One of the most dramatic impacts that GDPR has had on employer data management is to largely disqualify employee consent as a means to authorise the employer’s collection and processing of data. GDPR requires any consent to be freely given, specific, informed, and revocable (Article 7). Consent in the employment context is unlikely to qualify as freely given because the imbalance of power between an employer and employee means an employee is unlikely to refuse consent even if he or she has concerns. As an alternative to consent, a service provider should be able to articulate a legal basis for their data collection and processing practices (Article 6).
What About International Transfer Requirements?
A frequent feature of global data privacy laws is a restriction on the ability to transfer personal data outside of the country of origin. Some countries require data-subject consent prior to an international transfer, and, in some cases, valid consent requires the data subjects to have received explanatory material about what information will be transferred, how, and to where. GDPR and other global privacy laws require additional legal safeguards before data may be transferred across international lines.
Find out what safeguards are being used, and where. The EU/US and Swiss/US Privacy Shields are an example of a safeguard that authorises the transfer of data from within the European Economic Area (EEA) to the US.
Are They Authorised to Make Cross-Border Transfers of HR Data?
It is important that the provider is authorised to transfer the correct type of data across international lines. The Privacy Shield is one way a US-based company can obtain authorisation to transfer personal data out of the EEA.
When a company certifies to the Privacy Shield, it commits to having a uniform methodology to approach, manage, and protect data that originates in the EEA. US companies may certify under the Privacy Shield for Non-HR Data, and for HR Data. Most HR services providers deal with human resources data, so they should certify their compliance with Privacy Shield accordingly. Evaluate whether the provider’s international transfer mechanism covers the correct type of data.
Importance of Privacy Notices
Many global privacy laws, including GDPR, require the data subject to be informed of the manner in which personal data will be collected and processed. Privacy notices, made available to the data subject at the time of collection, are critical to recognising the data subject’s rights under these laws. Ask the provider to show you their privacy notices for review, and to explain their data-collection practices.
Understanding an organisation’s data-privacy obligations, including the types of data those obligations attach to, is an essential component of any compliance programme. Asking the questions included above can help focus a growing company on important aspects of its relationship with a third-party employer.
Adrienne Drew, GGI member firm
Boston (MA), USA
T: +1 617 340 3023
Published: GGI Insider, No. 108, July 2020. Photo: Marcio - stock.adobe.com