GDPR APPLICABILITY TO EXPATRIATE EMPLOYEES

Aon Global Benefits
EU General Data Protection Regulation for Expatriates
March 2018

Table of Contents

Introduction
1. GDPR Scope of Applicability
   a. EU Company Sends Employees Overseas
   b. Non-EU Company Sends Employees to EU
2. Select GDPR Requirements
   a. Employee Notices
   b. Post-collection Employee Rights
   c. Cross-border Transfers
   d. Local Employment Laws
3. Other Requirements
   a. Legal Basis for Processing
   b. Breach Notification
   c. Data Processing Vendors
   d. Other Obligations
4. Penalties
5. Effective Date
6. Conclusion
Contacts

Introduction

The General Data Protection Regulation (GDPR) is a European Union (EU) and European Economic Area (EEA)-wide privacy regime that will take effect on 25 May 2018. Fines for noncompliance can reach up to 4% of a company's annual global revenues. The general purpose of the GDPR is to protect consumer privacy by prescribing standards for entities' collection and use of data. The GDPR will affect nearly every aspect of a company's operations, including its treatment of employment data. For multinational companies, important questions arise with respect to the GDPR's application to data pertaining to expatriate employees. This memorandum reviews two scenarios: first, EU-resident employees working with affiliates based outside of the EU; and second, non-EU residents working in the EU.

1. GDPR Scope of Applicability

The GDPR text provides for two primary circumstances that trigger GDPR applicability.

First, with respect to company establishments in the EU, the GDPR applies "regardless of whether the processing takes place in the [EU] or not." [1] Guidance issued by the EU's association of data protection authorities, known as the Article 29 Working Party, explains that the term "establishment" is intended to have an especially broad reach, such that "any branch or ... subsidiary, or even a one-person office," would qualify as an establishment. [2] Further, an establishment need not have a legal personality (i.e., it need not be a legal entity). [3] Thus, the GDPR effectively applies to data that is processed by any entity with any operations in the EU, even if that entity is not legally organized under the laws of the EU or any member state. The Article 29 Working Party also clarified that the data protection requirements apply to the processing of personal data outside the EEA (where carried out in the context of activities of an establishment in the EEA). [4]

Second, with respect to entities not established in the EU, the GDPR applies where the processing activities are related to either (i) "the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the [EU]"; or (ii) "the monitoring of [EU data subjects'] behaviour as far as their behaviour takes place within the [EU]." [5]

a. EU Company Sends Employees Overseas

The GDPR has implications for EU companies and subsidiaries processing data related to expatriate employees. Although the data collected and processed by the overseas affiliate is likely not covered by the GDPR, because it is neither carried out in the context of activities of an EU establishment nor the monitoring of behavior taking place within the EU, the EU company will still likely need to send data to the non-EU affiliate to facilitate the employee's transfer. Any such data would relate to a data subject within the EU at the time it was collected and may also be carried out in the context of activities of an EU data controller or processor. Accordingly, the non-EU recipient affiliate would remain bound by the GDPR and should implement a transfer mechanism in order to comply with the GDPR's cross-border transfer provisions. Compliance is achieved by adopting a cross-border transfer mechanism such as the model contract clauses approved by the EU, certain binding corporate rules governing the treatment of personal data, or the EU-US Privacy Shield agreement administered by the U.S. Department of Commerce. As noted, any personal data generated during the course of the expatriate employee's work with the non-EU affiliate would likely not come within the scope of the GDPR; however, if any such data is subsequently transferred back to the EU company, that data will then come within the scope of the GDPR.

b. Non-EU Company Sends Employees to EU

When a non-EU company sends employees to an EU-based affiliate, any personal data generated during the course of the employee's work with the EU affiliate would likely come within the scope of the GDPR, because such data relates to the employee's behavior within the EU. Similarly, any data sent from the non-EU company to the EU affiliate to facilitate the employee's work would likely come within the scope of the GDPR, because such data, when processed by an EU company, is closely related to the activities of an EU controller or processor. For example, if the non-EU company offers services to employees in the EU, or otherwise monitors their behaviour, the provision of such services or monitoring would likely trigger the GDPR.

Notes

[1] Art. 3(1).
[2] See Art. 29 Working Party Opinion 8/2010 on Applicable Law (WP 179); cf. Data Protection Directive 95/46/EC, Recital 19.
[3] Id.
[4] Id. See page 14 for an explanation of the factors for determining whether processing qualifies as within the context of the activities of an EU establishment. Relevant factors include the degree of involvement of personnel located at the EU establishment in question, as well as the nature of the offsite processing activities.
[5] Art. 3(2).

2. Select GDPR Requirements

The GDPR imposes a wide range of obligations on every aspect of data collection and processing. Of particular note for companies considering sending employees abroad are the GDPR's provisions governing: (a) employee notices, (b) employee rights, (c) cross-border data transfers, and (d) local employment laws.

a. Employee Notices

With respect to employee notices, Articles 13 and 14 require companies to provide extensive information to data subjects about the processing of their data and their data protection rights. Unlike in the US, where such notices are usually not required for employees, the GDPR requires companies to provide employees with the same notices as other consumers would receive.

b. Post-collection Employee Rights

Employees will also have extensive rights of access, correction, erasure, and objection to data processing. These rights, like the notice rights, will be much more comprehensive than the rights afforded to employees within the US. Companies that will be subject to the GDPR, including non-EU based companies sending employees to the EU, will need to begin reviewing their procedures to ensure that they are equipped to provide the rights guaranteed under the GDPR.

c. Cross-border Transfers

Additionally, the GDPR imposes stringent restrictions on cross-border data transfers, including mandating that companies have a valid transfer mechanism in place. Under the GDPR, it is extremely difficult, if not practically impossible, to obtain employee consent to such transfers, so consent may not be able to be relied upon as a basis for such transfers. Instead, companies must adopt a legal transfer mechanism like the model contract clauses approved by the EU, certain binding corporate rules governing the treatment of personal data, or the EU-US Privacy Shield agreement administered by the U.S. Department of Commerce. Certain other non-EU countries, such as Israel and Canada, have been deemed to have adequate data protection regimes by the EU, eliminating the need for an additional cross-border transfer mechanism. [6]

d. Local Employment Laws

While the GDPR seeks to harmonize data protection rules across the EU, it leaves many areas open for member state divergence. According to GDPR Recital 155:

"Member State law or collective agreements, including works agreements, may provide for specific rules on the processing of employees' personal data in the employment context, in particular for the conditions under which personal data in the employment context may be processed on the basis of the consent of the employee, the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship."

Thus, Member States are free to adopt more specific rules as to the processing of personal data in the employment context, and local data protection authorities retain supervisory authority over processing of HR data connected to local employment. [7]

Notes

[6] The full list of jurisdictions that have received adequacy decisions from the EU is: Andorra, Argentina, Canada, Switzerland, Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, and Uruguay. As noted, the United States has not received an adequacy decision, but the EU does allow companies certified to the EU-US Privacy Shield to transfer data to the United States as if it were an adequate jurisdiction. For further information, see "Commission decisions on the adequacy of the protection of personal data in third countries," Europa.eu.
[7] See Art. 88 and Recital 155.

3. Other Requirements

Some further points of note.

a. Legal Basis for Processing

The GDPR requires a legal basis for processing any personal data. While consent is sometimes used as such a basis, in the employment context EU data protection authorities have been clear that consent is unlikely to be freely given, so employers may wish to consider options other than consent as a legal basis. Alternative legal bases to process personal data include processing necessary for (i) performance of a contract under employment law; (ii) compliance with a legal obligation; or (iii) facilitating the employer's legitimate interests. Where possible, employers should generally consider framing the purposes for any data collection or processing along these lines.

b. Breach Notification

The GDPR also imposes comprehensive data security standards and breach notification obligations, including a 72-hour mandatory reporting requirement for breaches. [8] Companies should review their data security controls and practices to ensure that all systems subject to the GDPR comply with applicable standards prior to the 25 May 2018 effective date. Companies should also adopt standard operating procedures to ensure that breach discoveries are rapidly escalated and reported to the appropriate authorities within the 72-hour time frame.

c. Data Processing Vendors

The GDPR includes a number of requirements for the use of data processing vendors, including extensive due diligence obligations and a mandate that controllers adopt valid data processing agreements to ensure that processors are bound to comply with any legal standards applicable to the data.

d. Other Obligations

Other GDPR obligations include data protection impact assessments for new data processing operations, [9] the appointment of data protection officers, [10] and new record-keeping requirements.

Notes

[10] An organization must appoint a data protection officer where its core activities include processing sensitive categories of personal data or monitoring data subjects on a large scale. A corporate group may appoint a single data protection officer. See Art.

4. Penalties

Under Article 83, penalties for violations of many of the most onerous provisions, including those relating to obtaining consent for processing and transferring of data to third parties, can be as high as the greater of 20 million Euros or 4% of annual global revenue. Certain other violations, including violations of the GDPR's transparency provisions, can result in fines ranging up to the greater of 10 million Euros or 2% of annual global revenue. The fines are calculated based on a number of factors, including the intentional or negligent nature of the violation, any actions taken to remediate harm to data subjects, and any relevant previous enforcement actions against the violator. Ultimately, data protection authorities have considerable discretion to determine the level of fine appropriate to a particular case.

5. Effective Date

The GDPR takes effect on 25 May 2018. Preparation for the GDPR should begin well before that date to ensure compliance by then. In particular, companies should review their notices and consents so that any data collected prior to the effective date may continue to be processed following the effective date in compliance with the GDPR.

6. Conclusion

Companies should take steps to ensure that each component of GDPR compliance will be addressed by the effective date. Companies should also monitor the legislation in the particular countries in which they operate to ensure that they are in compliance with any additional legal requirements. Consultation with your legal and data privacy teams will be important in your review.

Contacts

Mary Jimenez Olariaga
Senior Vice President
Global Benefits Leader, Global Expat COE

Linda Beavis
Principal
Global Benefits Leader, Expat COE UK/EU
+44 (0)

Aon Hewitt

About Aon

Aon plc (NYSE:AON) is a leading global professional services firm providing a broad range of risk, retirement and health solutions. Our 50,000 colleagues in 120 countries empower results for clients by using proprietary data and analytics to deliver insights that reduce volatility and improve performance.

Aon plc. All rights reserved. The information contained herein and the statements expressed are of a general nature and are not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information and use sources we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.