
Cross-border HR data transfers under the GDPR

March 2017

The position under the General Data Protection Regulation 2016 (GDPR) relating to international transfers of personal data is similar to the existing regime under the Data Protection Directive (DPD). There are, however, a number of key differences that are likely to have major practical implications.

Current position

The starting point under the DPD is that employers are prohibited from transferring personal data outside the European Economic Area to a third country that does not have adequate data protection. The European Commission has the power to approve particular countries as adequate, taking into consideration the protections in place in that country and any international commitments. The new EU-US Privacy Shield regime, for example, is considered to provide adequacy for those organisations self-certifying under it in the USA.

Businesses may also transfer personal data on the basis of a mechanism from which an adequate level of data protection can be adduced (e.g. the standard contractual clauses approved by the EU Commission (Model Clauses), or Binding Corporate Rules (BCRs) for intra-group transfers), or if one of the derogations under the DPD applies.

Cross-border transfers under the GDPR

In terms of cross-border transfers, the general principles under the GDPR look much the same as under the DPD. Data can be transferred under (i) a Commission Adequacy Decision like the one used to give effect to the EU-US Privacy Shield (the GDPR contains details of how these should be reached), (ii) Model Clauses or (iii) BCRs for intra-group transfers.

The good news for employers wanting to transfer employee data cross-border is that their current arrangements may continue to be valid under the GDPR (although in terms of the UK, Brexit may have an impact further down the line).

  • The GDPR explicitly acknowledges as valid the current requirements for BCRs for controllers and processors, which is helpful for data transfers involving those Member States that do not as yet recognise BCRs.
  • Under the GDPR, Model Clauses may be used without prior authorisation from a supervisory authority.
  • Further, employers are likely to be able to use a new regime of transfers based upon certifications, provided that binding and enforceable commitments are made by the controller or processor to apply the appropriate safeguards.

In addition, under the GDPR there will still be limited possibilities to transfer data where it is necessary for the performance of a contract or with the consent of the data subject, although this is likely to be difficult to achieve in an HR context as discussed in our article.

The GDPR makes it clear that it is not lawful to transfer personal data out of the EEA in response to a legal requirement from a third country. It also imposes significant penalties for breaches, including non-compliant transfers.

All of this will be relevant where employers wish to transfer employee data abroad, perhaps in order to keep employee data in a central global HR function or in the context of business expansion and acquisitions. Employers will need to think ahead on these points; those providing information as part of a TUPE transfer, business sale or funding round, for example, will need to consider whether they have sufficient grounds to make the necessary transfers.

Expanded territorial reach

Multi-national employers will need to look at their global footprint and data flows in light of the expanded territorial scope of the GDPR. From May 2018, non-EU data controllers and data processors will be subject to the GDPR if they either:

  • offer goods or services to data subjects in the EU irrespective of whether payment is received; or
  • monitor data subjects' behaviour insofar as their behaviour takes place within the EU.

In practice, this means many non-EU businesses that were not required to comply with the DPD will be required to comply with the GDPR.

Brexit

The question of adequacy may become more relevant in the UK following Brexit as it is not at all clear that the UK will be considered to provide adequate protection to EU personal data for the purposes of importing EU data. While the UK government has highlighted keeping EU data flows open as a priority, there are, as yet, no guarantees.

What should you be doing?

The important thing is to take steps early in order to minimise disruption to your business and the risk of breaches (and consequently sanctions). To do this, you will need to understand where the risks are, and what the needs of the business are going forward. For example, if your central HR function is based in the US, with scattered local support in the EMEA region, you will need to plan ahead in order to meet the obligations under the GDPR while still exchanging employee data in a way that allows the business to function efficiently. The following considerations would assist with this.

  • Understand the type and nature of the employee data held by the employer
  • Establish where this is being held (including whether any cloud storage or similar methods of data storage are used)
  • Map out data flows and storage locations
  • Understand why the data is being held and investigate the actual use of data
  • Understand how that data is being processed, and what is being done with it
  • Establish whether any explanation has been provided to employees and, if so, the reason provided for storage, transfer and processing
  • Consider whether there are alternatives for the method of storage and/or location of any employee data
  • Consider whether it is necessary for the business to process the data in the current way
    • Can smaller data sets be used?
    • Can data be anonymised, pseudonymised or similar?
    • Does the business need this data?
  • Look ahead to any new requirements or obligations in relation to employee data (gender pay reporting would be a good example) – think about how best to go about this, bearing in mind data protection risks
  • Consider whether additional steps should be taken with regard to informing employees as to:
    • the purpose for processing;
    • data transfers and data storage;
    • other treatment of employee data
  • Consider how to message any information, changes, updates, new policies and requests for consent to employees

If you have any questions on this article or would like to propose a subject to be addressed by the Global Data Hub please contact us.

Stephanie Creed

Stephanie looks at the options available to employers wishing to export HR data under the GDPR
