Cross-Border Employee Data Handling Compliance for Multinational Company

Question

Our company operates in Sweden, France and Poland. We send information about our employees from one country to another for things like payroll and job assignments. We're considering expanding to Ukraine and hiring people locally there.

What are the main things we need to do to make sure we're handling our employees' personal information correctly across those countries?

Executive Summary

Employee data moving between your Swedish, French and Polish entities stays within the EU, so it is not a "transfer to a third country" under Chapter V of the GDPR, but every other GDPR obligation (lawful basis, transparency, security, records, accountability) applies to it in full. Ukraine has no adequacy decision, so sending employee data to a Ukrainian entity additionally requires a Chapter V transfer mechanism. Here is what your company must focus on:

  • GDPR Compliance & International Data Transfers: Handle personnel information in line with the GDPR across all entities, put appropriate safeguards in place before any data reaches Ukraine, and inform employees of their rights and of the transfer.
  • Binding Corporate Rules (BCRs): BCRs are one of the Article 46 safeguards (standard contractual clauses are another) that permit GDPR-compliant transfers outside the EU; for an intra-group transfer to Ukraine, BCRs are the mechanism most suited to a multinational.
  • Data Security Measures: Implement security practices such as pseudonymisation and encryption to protect personal information during cross-border exchanges, keeping any re-identification keys with the exporting EU entity.
  • Documentation and DPIA: Maintain records of processing activities and conduct a Data Protection Impact Assessment where required, especially when establishing new data-processing channels in non-EU countries.

Assumptions

  1. Intra-company Transfers: We will assume that the data transfers occur only within the company and not to third parties.
  2. General Employee Data: The transfers include general employee data necessary for payroll and job assignments but do not include special categories of data.
  3. Current Compliance: The company is currently compliant with GDPR for intra-EU transfers but has not yet put in place specific mechanisms for transfers to non-EU countries.
  4. DPA Engagement: We will assume that the company has not engaged with DPAs regarding its processing activities.

Legal trace

Understanding GDPR Definitions and the Scope of Personal Data Transfers

’personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; Article 4(1)

The GDPR’s definition of personal data is broad. The employee data your company transfers for payroll and job assignments (names, identification numbers, bank details, role, salary) falls squarely within it. Handle this data according to GDPR standards whatever its nature; note that transfers between Sweden, France and Poland are intra-EU movements, not Chapter V transfers, whereas a transfer to Ukraine is.

‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; Article 4(7)

Your company acts as the controller of the employee data, carrying the responsibility to define purposes and means of processing. Thus, you must ensure all data processing aligns with GDPR principles, especially when considering transferring data to a non-EU country like Ukraine.

Where two or more controllers jointly determine the purposes and means of processing, they shall in a transparent manner determine their respective responsibilities for compliance Article 26(1)

Each group entity is a separate legal person, so where two entities jointly decide why and how employee data is processed (for example a shared payroll run), they are joint controllers and must record their respective responsibilities in a transparent arrangement. Under Article 26(2), the essence of that arrangement must be made available to the data subjects, i.e. your employees.

The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law. Article 29

Any processing or access to personal data must occur strictly based on the instructions of the controller, your company. This measure reinforces control over data and helps maintain data integrity and security across your European operations.

Steps for GDPR Compliance in International Data Transfers and Ukrainian Expansion

In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available. Article 46(1)

Since Ukraine does not have an adequacy decision from the European Commission, your company must put an Article 46 safeguard in place before any employee data is transferred there, and that safeguard must give employees enforceable rights and effective remedies. For an intra-group transfer, the relevant safeguards are Binding Corporate Rules (Article 47) or standard contractual clauses (Article 46(2)(c)).

The competent supervisory authority shall approve binding corporate rules […] provided that they […] expressly confer enforceable rights on data subjects with regard to the processing of their personal data; and fulfill the requirements laid down in paragraph 2. Article 47(1)

Considering the potential expansion into Ukraine, your company may adopt Binding Corporate Rules (BCRs) to cover intra-group transfers. BCRs must be legally binding on, and actually applied by, every group entity and its employees, and they must be approved by the competent supervisory authority before you can rely on them; until that approval is obtained, transfers to Ukraine need another Article 46 tool.

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

  • (a) the pseudonymisation and encryption of personal data; Article 32(1)(a)

As you expand your operations, including into Ukraine, secure employee data with measures such as encryption in transit and at rest and pseudonymisation of the records that leave the EU. Pseudonymisation is most effective when the key or lookup table needed to re-identify employees stays with the exporting EU entity and is never sent to the importer. Note that pseudonymised data is still personal data under the GDPR (Recital 26), so pseudonymisation reduces risk but does not remove the Chapter V obligations.
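As an added illustration (not part of the original answer or any regulator's guidance) of what pseudonymising a payroll export can look like in practice: the exporting EU entity replaces direct identifiers with a keyed HMAC token, ships only the token plus the payroll fields, and retains the key and the re-identification table locally. The field names, sample records and the choice of HMAC-SHA256 are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Fields that identify an employee directly; they never leave the exporting EU entity.
DIRECT_IDENTIFIERS = {"name", "national_id", "email"}

# Constructed sample payroll records (fictional people, fictional identifiers).
SAMPLE_EMPLOYEES = [
    {"name": "Anna Lindqvist", "national_id": "SE-19800101-1234",
     "email": "anna@example.com", "entity": "SE", "cost_centre": "R&D-12",
     "grade": "L4", "monthly_gross_eur": 5200},
    {"name": "Piotr Nowak", "national_id": "PL-80010112345",
     "email": "piotr@example.com", "entity": "PL", "cost_centre": "OPS-03",
     "grade": "L3", "monthly_gross_eur": 3100},
]


def new_exporter_key() -> bytes:
    """Key material generated and held only by the exporting EU entity (assumed 256-bit)."""
    return secrets.token_bytes(32)


def pseudonym(key: bytes, national_id: str) -> str:
    """Stable keyed token: the same employee always maps to the same token,
    so the importer can correlate payroll runs, but cannot reverse it without the key."""
    return hmac.new(key, national_id.encode("utf-8"), hashlib.sha256).hexdigest()[:24]


def check_no_direct_identifiers(rows) -> bool:
    """Export-time guard: refuse to ship a row that still carries a direct identifier."""
    for row in rows:
        leaked = DIRECT_IDENTIFIERS & set(row)
        if leaked:
            raise ValueError(f"direct identifiers present in export: {sorted(leaked)}")
    return True


def pseudonymise_export(records, key: bytes):
    """Return (rows_to_send, reidentification_table).

    Only rows_to_send leaves the EU entity; the table (and the key) stay with the exporter.
    """
    rows, table = [], {}
    for rec in records:
        token = pseudonym(key, rec["national_id"])
        table[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        rows.append({"employee_ref": token,
                     **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    check_no_direct_identifiers(rows)
    return rows, table


def reidentify(token: str, table):
    """Performed only on the exporting side, which holds the table; None if unknown."""
    return table.get(token)


if __name__ == "__main__":
    key = new_exporter_key()
    rows, table = pseudonymise_export(SAMPLE_EMPLOYEES, key)
    for row in rows:
        print(row)                      # what the Ukrainian entity receives
    print(reidentify(rows[0]["employee_ref"], table))  # what only the exporter can do
```

Two caveats a practitioner should keep in mind: fields such as grade, cost centre and salary are quasi-identifiers and can single out an individual in a small team, so the exported columns should be the minimum the importer actually needs for payroll or assignment; and if the key is ever shared with the importer, the data is no longer pseudonymised from the importer's point of view.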

Informing Employees of Their Data Rights in the Context of Expansion

Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information: Article 13(1)

When employee data is collected, whether from new hires in Ukraine or from existing staff in the EU, your company must provide the Article 13 information at the point of collection. For cross-border processing this specifically includes the fact that data will be transferred to a third country and the safeguards relied on (Article 13(1)(f)), alongside the data subject rights such as access, rectification, erasure and portability (Article 13(2)(b)).

Documenting Processing Activities and Engaging with Data Protection Authorities

Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility. Article 30(1)

Your company is required to keep records of its processing activities, including intra-EU flows between Sweden, France and Poland and, in future, transfers to Ukraine together with the safeguard used for them (Article 30(1)(e)). These records are the core evidence of accountability under the GDPR.

The controller shall consult the supervisory authority prior to processing where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk. Article 36(1)

Setting up processing in a third country is a typical trigger for a Data Protection Impact Assessment under Article 35. If that DPIA shows the processing would still present a high risk after your mitigating measures, Article 36 requires you to consult the supervisory authority before starting the processing; if the residual risk is not high, no prior consultation is needed.

In summary, to handle employee personal data correctly across Sweden, France, Poland, and potentially Ukraine, your company must: know the GDPR requirements for cross-border data transfers; put an appropriate legal mechanism for international transfers in place, such as BCRs; apply data security measures including pseudonymisation and encryption; adequately inform employees about the transfers and their data protection rights; and maintain records to demonstrate GDPR compliance. Engagement with DPAs may be required, particularly if a DPIA for the Ukrainian operations indicates a residual high risk.

PDF Repository

We have searched through the PDF repository of ECJ rulings, European Data Protection Board guidelines, and other documents to provide this supplemental answer.

Details

To enhance your understanding of the complexities surrounding the handling of your employees' personal data, we provide additional insights drawn from expert guidelines. This supplemental information delves into various scenarios and considerations for cross-border data transfers within the context of GDPR, particularly relevant to your company's current operations and potential expansion into Ukraine.

Legal trace

Clarifying Data Transfer Scenarios Under GDPR

Maria, living in Italy, books a room in a hotel in New York by means of an online EEA travel agency. Maria’s personal data, necessary for booking the hotel, are collected by the EEA online travel agency as a controller and sent to the hotel receiving the data as a separate controller. While passing the personal data to the third country hotel, the EEA travel agency carries out a transfer of personal data and Chapter V GDPR applies. Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR, page 10

The quote illustrates the three conditions the EDPB uses to identify a Chapter V transfer: the exporter is subject to the GDPR, it discloses personal data to a separate controller or processor (the importer), and the importer is in a third country. Applied to your situation, a Ukrainian subsidiary is a separate legal person, so a Swedish, French or Polish entity sending employee data to it makes a transfer even though both sides belong to the same group. Whether the GDPR also governs the Ukrainian entity's own local processing of its staff's data is a separate question answered by Article 3, not by Chapter V.

Utilizing Binding Corporate Rules (BCRs) for Data Transfers

The competent supervisory authority shall approve binding corporate rules […] provided that they […] expressly confer enforceable rights on data subjects with regard to the processing of their personal data; and fulfill the requirements laid down in paragraph 2. Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR, page 10

The provision quoted here is Article 47(1) GDPR. It reinforces the role of Binding Corporate Rules as the mechanism for managing intra-group transfers, especially in the absence of an adequacy decision for Ukraine. Once approved by the competent supervisory authority, BCRs offer a compliance framework well suited to multinational enterprises like yours, provided they confer enforceable rights on the affected data subjects.

Assessing Transfer Tools and Supplementary Measures

To know what may be required for you (the data exporter) to be able to continue with or to conduct new transfers of personal data, the first step is to ensure that you are fully aware of your transfers (know your transfers). Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, page 10

The initial step is to map your transfers: which employee data leaves which entity, to whom, for what purpose, and through which systems. As you consider expanding into Ukraine, a detailed inventory of the transfers you undertake is what lets you decide which transfer tool applies and whether supplementary measures are needed to uphold the GDPR’s level of protection.

You must first assess, where appropriate in collaboration with the importer, if there is anything in the law and/or practices in force in the third country that may impinge on the effectiveness of the appropriate safeguards of the Article 46 GDPR transfer tool you are relying on, in the context of your specific transfer. Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, page 14

This quote is pertinent as it sets out the need for your company to evaluate the legal and practical environment in Ukraine or any other third country to which you are considering transferring personal data. Given the different legal landscape, such an assessment is vital to ensure the chosen transfer tools remain effective in safeguarding the data according to GDPR.

You should in any case pay specific attention to any relevant laws, in particular laws laying down requirements to disclose personal data to public authorities or granting such public authorities powers of access to personal data (for instance for criminal law enforcement, regulatory supervision or national security purposes). Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, page 15

This advice underscores the importance of considering third-country legislation that might allow public authorities to access the data you intend to transfer. It reflects the complexity of the legal framework that your company must navigate when expanding operations to Ukraine. As such, it is essential to be proactive in understanding and mitigating the risks this may pose to GDPR compliance.

Monitoring Developments in Data Protection Adequacy

However, you must still monitor if adequacy decisions relevant to your transfers are revoked or invalidated. Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, page 12

The suggestion here is to keep a close watch on changes to the European Commission's adequacy decisions. For Ukraine, which currently has no adequacy decision, the practical counterpart is to monitor whether one is adopted (which would simplify your transfers) and, while you rely on an Article 46 tool, to re-run your assessment of Ukrainian law and practice whenever it changes, since a transfer tool that was effective when adopted may cease to be.

Conclusion

The insights provided extend your company’s understanding of the key aspects of GDPR compliance in cross-border data transfers: when Chapter V applies, BCRs as a transfer tool, knowing your transfers, assessing the third-country legal environment, and monitoring adequacy developments. For tailored advice in line with these supplementary insights, seek specialised legal consultation as necessary, particularly given the differing international data protection norms involved.