GDPR: What to Know About Third-Party Employers
Companies doing business in the EU or who have vendor or employer relationships with EU-based individuals need to continue to evaluate their GDPR obligations.
June 24, 2019 at 12:12 PM
5 minute read
Just over a year has passed since the European Union's General Data Protection Regulation went into effect May 25, 2018. Companies doing business in the EU or who have vendor or employer relationships with EU-based individuals need to continue to evaluate their GDPR obligations.
GDPR replaced the EU's Privacy Directive, which had been in place since 1995. It also instituted several significant changes such as the “right to be forgotten,” requiring data portability, enhancing data subject access rights, and creating dramatic fines for violations. Significantly, GDPR's extraterritorial scope means it reaches entities that were previously not necessarily bound by the Privacy Directive. Companies in the U.S. and elsewhere need to take note and evaluate whether, in their rush to comply with GDPR with respect to e-commerce and other consumer data, they have overlooked their human resources data as well.
It is critical to recognize that GDPR applies to any company that “monitors” the behavior of individuals located within the EU. The GDPR doesn't define “monitor,” but human resources functions such as tracking workers' activities in order to review their performance, reimbursing expense claims, tracking time (the European Court of Justice recently held that EU employers must track time for all employees) and administering leave programs require some degree of monitoring. Thus, a multinational that has contractors or employees in the EU has obligations under GDPR even if it doesn't have an EU presence or sell goods or services into the EU and even if its EU-based employees are not EU citizens.
Companies seeking to expand overseas increasingly use third-party employers or global professional employer organizations (PEOs) to help manage their global workforces. When using a PEO, it is critical to understand how data is being handled as part of that relationship. When a company entrusts its workforce to a PEO, it is also trusting the PEO to manage HR data properly.
When considering the data privacy implications of an engagement with a third-party employer, the following considerations may help:
How does the PEO approach global data security requirements?
Global partners should be familiar with the laws governing data compliance in every territory in which a company will hire employees. These laws include more than just GDPR in the EU. There are robust data privacy laws in many other countries that are high priorities for expansion such as Singapore, Argentina, Korea, Hong Kong, Australia and Malaysia.
It is prudent to confirm the PEO is aware of and complies with the laws in each jurisdiction where an organization has targeted expansion.
The Consent Dilemma
One of the most dramatic impacts that GDPR has had on employer data management is to largely disqualify employee consent as a means to authorize the employer's collection and processing of data. GDPR requires any consent to be freely given, specific, informed and revocable. Consent in the employment context is unlikely to qualify as freely given because the imbalance of power between an employer and employee means an employee is unlikely to refuse consent even if he or she has concerns. As an alternative to consent, a PEO should be able to articulate a legal basis for their data collection and processing practices.
Does the PEO Comply with International Transfer Requirements?
A common feature of global data privacy laws is a restriction on the ability to transfer personal data outside of the country. Some countries require data subject consent prior to an international transfer, and in some cases valid consent requires the data subjects to have received explanatory material about what information will be transferred, how and where. GDPR and other global privacy laws require additional legal safeguards before data may be transferred across international lines.
Find out what safeguards the PEO uses and where. The EU/U.S. and Swiss/U.S. Privacy Shields are an example of a safeguard that ensures data from within the European Economic Area may be transferred to the U.S. safely.
Is the PEO Privacy Shield certified for HR data?
It is important that the PEO is authorized to transfer the correct type of data across international lines. The Privacy Shield is one way a U.S.-based company can obtain authorization to transfer personal data out of the EEA. When a company certifies to the Privacy Shield, it commits to having a uniform methodology to approach, manage and protect data that originates in the EU and EEA. U.S. companies may certify under the Privacy Shield for Non-HR Data, and for HR Data. PEOs deal with human resources data, so they should certify their compliance with Privacy Shield for HR data. Evaluate whether the PEO's international transfer mechanism covers the correct type of data.
Ask for Copies of Privacy Notices
GDPR and many other global privacy laws require the data subject to be informed of the manner in which personal data will be collected and processed. Privacy notices, made available to the data subject at the time of collection, are critical to recognizing the data subject's rights under these laws. Ask the PEO to provide their privacy notices for review and to explain their data collection practices.
Understanding an organization's data privacy obligations is critical to any compliance program. Further, when a growing company partners with a third-party employer or PEO for its workforce expansion, understanding how that PEO manages personal data and compliance with global employment laws should be an important consideration.
Adrienne Drew is associate general counsel for Globalization Partners. Drew has handled a wide variety of complex employment situations in a number of countries and holds a certification in European Privacy from the International Association of Privacy Professionals.