PRIVACY CHALLENGES IN GLOBAL HR MANAGEMENT


CORE HR MANAGEMENT CHALLENGES
- Development
- Expertise / Talent Management
- Supervision
- Staffing
- Benefits
- Reporting
- Evaluation
- Efficiency
- Diversity
- Compensation

PRIVACY CHALLENGES
Establish data processing structures to support HR management tasks and goals:
- WHO? Define required data subjects
- WHAT? Define required data categories
- WHY? Define related data processing purposes
- REALLY? Ensure purpose limitation
- Ensure structure flexibility
- Information / Policy Management
- Ensure required Co-Determination

APPLICATION OF LAW
- National law based on the EU Directive
- Processing data in the EU when a company is not established in the EU
- Location of the data controlling entity in the EU
- The definition of "processing data in the EU" is not harmonized and often inconsistent (e.g. cookies are sometimes regarded as processing data in the EU)

CONSEQUENTIAL HR CHALLENGES (APPLICATION OF LAW)
- Different local laws applicable to group entities
- No one-size-fits-all solution
- Complex policy management required
- National specifics to be respected
- Understand and coordinate the different legal set-ups and structures of all entities

BASIC PRINCIPLES
- Personal data must be processed fairly and lawfully.
- Personal data must be collected for explicit and legitimate purposes and must be used accordingly.
- Personal data must be relevant and not excessive in relation to the legitimate purpose.
- Personal data must be accurate and, if necessary, kept up to date.
- Personal data must not be kept longer than necessary.
- The concerned individual (data subject) must be able to rectify, erase or block incorrect data.

CONSEQUENTIAL HR CHALLENGES (BASIC PRINCIPLES)
An employee's personal data may be processed if such data processing:
- relates to employment purposes
- is necessary for carrying out the employment relationship
- does not conflict with the employee's overriding legitimate privacy interest
- is not disproportionate to the reason / purpose it was collected for

SPECIAL CATEGORIES OF DATA
Member States shall (generally) prohibit the processing of personal data revealing:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade-union membership
- data concerning health or sex life

EMPLOYEE CONSENT
- Local law standards vary
- Debatable validity
- Revocable at any time
- Often unnecessary
- EU Regulation

DATA TRANSFER WITHIN A GROUP OF COMPANIES
- Companies within a group of companies are not generally privileged, i.e. each company is regarded as a separate entity.
- The forwarding of data from one company to another within a group of companies qualifies as a transfer of data, to the effect that the general restrictions on data processing apply.

DATA PROCESSING ON BEHALF
Forwarding data to a third party is not considered a transfer of data, and is thus privileged, if the data controller has (in writing) assigned / instructed a third-party provider to process such data on its behalf, provided that such data processing contract / assignment complies with applicable data protection regulation.

DATA PROCESSING AGREEMENT
- Such a contract has to include, e.g., clear and binding instructions by the data controller, to be strictly observed by the data processor.
- The data processor may only use the data according to such instructions.
- Such instructions have to ensure that the data processor fully observes local data protection law.
- Vis-à-vis the data subject or other concerned parties (e.g. competitors), the data controller remains fully liable for any violation of data protection law.

DATA TRANSFER TO US / NON-EU COUNTRIES
- EU data protection law considers the U.S. a country with an inadequate data protection level.
- This evaluation leads to a general prohibition of data transfer from the EU to the U.S. (or any other country not regarded as having an adequate level of data protection)!

DATA TRANSFER EXEMPTIONS
To avoid interference with economic needs, several exemptions are regulated to enable such transfer. Such exemptions are for example:
- The data subject has unambiguously consented to the proposed transfer
- The transfer is necessary for the performance of a contract between the data subject and the data controller
- The EU Commission has granted the status of adequate data protection to the data receiving country
- Safe Harbor, Model Clauses, BCR
- Individual approval of the local data protection authority

CONSEQUENTIAL HR CHALLENGES (DATA TRANSFER)
- Centralization of HR data outside the EU
- Accessibility from outside the EU
- Conflicts with HR tasks
- Conflicts with local management
- Selection of Service / IT Provider
- Conflict of laws, e.g. Sarbanes Oxley / ITAR


LEGAL ENTITIES
- Example Inc., USA
- Germany
- France
- UK
- The Netherlands
- Switzerland
- India

HR MANAGEMENT STRUCTURE
- Global HR Management: Example Inc., USA
- Local HR Management / Service Provider: Germany, France, UK, The Netherlands, Switzerland, India

HR DATA - GENERAL
#1 Data Subjects:
- Employees
- Contractors
- Applicants
#2 Data Categories:
- Contact details
- Qualification details
- Job details
- Administrative details
#3 Purposes of Data Processing:
- Payroll
- Supervision
- Management / Administration
- Interaction / Network
- Employee development
- Efficiency
- Legal obligations

SPECIFIC NATIONAL REQUIREMENTS
- USA: Place of Birth is required
- Germany: Data revealing religion is required for tax purposes
- France: Social Security number is regarded as sensitive data
- UK: Diversity Questionnaire

TASK: Example Inc., USA
a) Install a global HR platform accessible from all locations (except India), which includes all employee and contractor data
b) Assign the Indian entity to calculate payroll details for all entities

PATH

DATA MAP
- Data Controller
- Data Subjects
- Data Categories
- Purposes of Data Processing
- Access Levels
- Data Processor
- Management Location
- Human Resources

DATA CONTROLLER
- Example Inc., USA
- Germany
- France
- UK
- The Netherlands
- Switzerland
- India: Data Processor

DATA SUBJECTS & CATEGORIES
WHO?
- Employees
- Contractors
- Applicants
WHAT?
- Name, Address
- Date of Birth / Age
- Place of Birth
- Nationality
- Religion
- Social Security Number
- Family Status
- Tax Class
- Salary / Bonus
- Vacation entitlement
- Evaluations
- Manager
- Sick leave
- Business Contact
- Company Car / Car License
- Diversity program
- Relatives (Name, Date of Birth)
- Disciplinary Measures
- Emergency Contact
- Qualification details
- Development Plan
- Bank Account details
- Employment details (history, job description, etc.)

DATA FLOW

EXAMPLE GERMANY

DATA MAP GERMANY
Data Controller: Example GmbH, Germany
Data Subjects: Employees
Data Categories:
- Name, Address
- Date of Birth / Age
- Place of Birth / Nationality
- Religion
- Tax Class / Social Security Number
- Family Status
- Relatives (Name, Date of Birth)
- Emergency Contact
- Bank Account details
- Qualification details
- Employment details (history, job description, etc.)
- Salary / Bonus Entitlement
- Vacation entitlement
- Evaluations
- Manager
- Business contact details
- Sick leave days
Purposes of Data Processing / Access Levels / Data Processor:
- HR Management USA
- Other local HR Management

- Bank Account details
- Employment details
- Salary
- Vacation entitlement
- Evaluations
- Manager
- Sick leave
- Social Security Number
- Tax Class

2-STEP ASSESSMENT
- STEP 1: Lawful data processing by local standards
- STEP 2: Data Transfer / Adequate Privacy Guarantee

PURPOSE LIMITATION
- Personal data must be collected for explicit and legitimate purposes and must be used accordingly.
- Personal data must be relevant and not excessive in relation to the legitimate purpose.

2-STEP ASSESSMENT GERMANY
Each data category is assessed under STEP 1 (Data Processing) and STEP 2 (Data Transfer / Guarantee):
- Name, Address
- Date of Birth / Age
- Place of Birth / Nationality
- Religion
- Tax Class / Social Security Number
- Family Status
- Relatives (Name, Date of Birth)
- Emergency Contact
- Bank Account details
- Qualification details
- Employment details (history, job description, etc.)
- Salary / Bonus Entitlement
- Vacation entitlement
- Evaluations
- Manager
- Business contact details
- Sick leave days

PRIVACY GUARANTEE
USA / Non-EU:
- USA: Safe Harbor, Model Clauses, BCR
- Switzerland: Adequacy Decision
- India: Data Processor, Model Clauses
EU:
- France
- UK
- The Netherlands
German Specifics

DATA PROCESSING ON BEHALF (INDIA)
- Draft a written Data Processing Agreement
- Provide clear processing instructions
- Ensure supervision rights
- Monitor and audit processor activities
- Be aware of legal responsibility

SOLUTION PATH - GERMANY
- Data Map: Allocate data subjects, categories, processing purposes, transfers
- Step 1: Ensure local data processing is in accordance with national law
- Step 2: Evaluate purpose of transfer and privacy guarantees
Data Transfer / Guarantee (Step 2):
- EU: Purpose Limitation
- USA / Non-EU: Purpose Limitation; ensure adequate data protection and security guarantee
- Data Processor: Establish written processing agreement / instructions

TYPICAL TRAPS AND THRESHOLDS
- Social Security Numbers
- Bank Account Data
- Diversity Programs
- Whistle-blowing
- Screenings (e.g. US export control)
- Monitoring
Discussion: Practical application of the 2-Step Assessment

THANK YOU!
Jana C. Fuchs
Co-Leader Data Privacy & Security Team
Bryan Cave LLP
