The provisions on the transfer of personal data do not apply if an employee of an EU-based company is working remotely from or travelling for business to a country outside of the EU. However, the employer, as the data controller, must comply with the general principles of the General Data Protection Regulation (GDPR) and take into account the risks of data being accessible from a third country.
A transfer of personal data to countries outside the European Economic Area (EEA), so-called “third countries”, is only permitted in the cases provided for in Chapter V of the GDPR. This concerns both an “active” transfer and a “passive” transfer in which the data are accessible from a third country (e.g., access to an EU database by an American parent company).
More specifically, such a transfer is only permitted if one of the following transfer mechanisms is in place:
- An adequacy decision has been made for the third country by the European Commission, confirming that this country ensures an adequate level of data protection (equivalent to that of the EU);
- Implementation of appropriate safeguards, such as standard contractual clauses, binding corporate rules, or codes of conduct and certification; or
- Specific occasional exemptions applicable to the situation.
The controller or processor who is transferring data must, in accordance with the recommendations of the European Data Protection Board, verify, in cooperation with the recipient in the third country, whether the third country can guarantee an adequate level of protection. If that is not the case, additional safeguards must be put in place. More information on the use of “standard contractual clauses” and the implementation of additional safeguards can be found here.
If an employee of an EU-based company travels to or works remotely from a third country and accesses from that third country personal data of, for example, colleagues, job applicants, (contacts of) customers or other persons, the question arises whether such access should be considered as a “transfer” of personal data under the GDPR with its obligations and limitations.
The recipient of the personal data is in this case an employee. An employee does not have the capacity of a controller or processor but is a person who is under the direct authority of the employer and may only process personal data (for which the employer is not the controller or processor) within the limits of the employer’s instructions, permissions and restrictions. Therefore, as there is no transfer to a processor or data controller with its own responsibility under the GDPR, the obligations on transfers of personal data to third countries do not seem to apply here.
The Belgian Data Protection Authority (DPA) has confirmed the above. When an employee of an EU-based company travels for business to or works remotely from a third country, performs work from there and thereby accesses personal data of the company, this constitutes processing that does not fall under Chapter V of the GDPR on transfers of personal data to third countries. Indeed, in such a situation the employee is neither a controller nor a processor. On the contrary, the processing carried out by the employee takes place within the context of the activities of the company, and under the authority of the company.
The employer will therefore not be obliged to implement one of the aforementioned transfer mechanisms, not even if an adequate level of protection cannot be guaranteed for that third country.
However, the employer, as a data controller (and possibly also as a processor), will obviously have to comply with the general principles of the GDPR.
This means the employer must take technical and organisational measures to protect the security of the processing of personal data. In line with the recommendations of the EDPB, the employer could consider using encryption or pseudonymisation as technical measures. An internal policy should be in place, including a specific procedure to be followed when working remotely from, or travelling on business to, a third country. It is crucial to make employees aware of the risks involved when processing data in a third country and to give them clear instructions (e.g., not to access the company network and the information in certain databases via unsecured public networks).
It is important to keep a close eye at all times on where your employees are working remotely or have access to company-sensitive information, especially if this information includes personal data. Make sure that your homeworking policy pays the necessary attention to working from third countries.
In addition, make sure that you take sufficient technical and organisational measures to guarantee the security of the processing of personal data by employees working from third countries.
The Claeys & Engels Global Mobility and Data Protection teams are ready to assist you with any further questions.