It’s been three years since the GDPR entered into force, and although it provided clarity with regard to handling personal data, some ambiguities still remain, in particular when a non-EU organization employs EU-based employees.
The territorial applicability of the GDPR is outlined in Article 3 and is conditional on three criteria:
- the location of the controller/processor
- the offering of services to individuals in the EU/EEA (through targeting them)
- the monitoring of the behavior of data subjects in the EU.
Human Resources (HR) data also includes personal data (i.e. name, email address, physical address, bank account, …), and hence the processing of such data falls under the scope of the GDPR.
According to GDPR Art. 3.1:
“This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.”
When a company is located in the EU/EEA and its employees or contractors are also located in the EU/EEA, Art. 3.1 of the GDPR applies. Therefore, any handling of employees’ personal data should be performed in a GDPR-compliant manner. This can range from establishing the legal bases for the processing to adhering to the data protection principles (GDPR Art. 5) and ensuring that employees can exercise their rights (Articles 15-21 GDPR).
The situation becomes less clear when the company is located outside of the EU/EEA but has employees located in the EU/EEA. GDPR Art. 3.2 regulates the extraterritorial effect of the GDPR and provides that, when a company is not established in the EU, it will fall under the GDPR only if:
- it offers services to data subjects based in the EU/EEA (through targeting them and not incidentally)
- it monitors the behavior of EU-based data subjects.
The EDPB has stressed in its 03/2018 Guidelines on the territorial scope of the GDPR that employment does not constitute an offering of services. This can be seen in its example of a US company processing the personal data of its employees, for human resources purposes, while they were on a trip in the EU:
“In this situation, while the processing activity is specifically connected to persons on the territory of the Union (i.e. employees who are temporarily in France, Belgium and the Netherlands) it does not relate to an offer of a service to those individuals, but rather is part of the processing necessary for the employer to fulfil its contractual obligation and human resources duties related to the individual’s employment. The processing activity does not relate to an offer of service and is therefore not subject to the provision of the GDPR as per Article 3(2)a.”
It is possible, however, that an employer monitors its employees. This could include, among others:
- application usage monitoring,
- CCTV monitoring,
- email monitoring, and
- geolocation through company-issued equipment.
In this case, under GDPR Art. 3.2, any personal data of employees located in the EU that is collected through this monitoring activity will fall under the GDPR, even if the employer (controller) is located outside of the EU/EEA and has no subsidiary in the EU/EEA.
Conclusion: applicability of the GDPR to HR data of non-EU companies
We can therefore conclude that if the company does not monitor its employees based in the EU/EEA, then any processing of their personal data for HR-related purposes (issuing payroll, insurance, drafting their employment contracts) will not fall under the scope of the GDPR. This also seems to be in line with the EDPB 3/2018 Guidelines on the extraterritorial effect of the GDPR.
If the company is located outside the EU/EEA and has no EU/EEA-based employees or contractors, then any processing of employee personal data, even where it involves monitoring, would fall outside the scope of the GDPR.