Companies doing business in the EU or who have vendor or employer relationships with EU-based individuals need to continue to evaluate their GDPR obligations.
The following article was originally published on Law.com
By Adrienne Drew | June 24, 2019
Just over a year has passed since the European Union’s General Data Protection Regulation went into effect May 25, 2018. Companies doing business in the EU or who have vendor or employer relationships with EU-based individuals need to continue to evaluate their GDPR obligations.
GDPR replaced the EU’s Privacy Directive, which had been in place since 1995. It also instituted several significant changes, such as the “right to be forgotten,” requiring data portability, enhancing data subject access rights, and creating dramatic fines for violations. Significantly, GDPR’s extraterritorial scope means it reaches entities that were not necessarily bound by the Privacy Directive. Companies in the U.S. and elsewhere need to take note and evaluate whether, in their rush to comply with GDPR with respect to e-commerce and other consumer data, they have overlooked their human resources data as well.
It is critical to recognize that GDPR applies to any company that “monitors” the behavior of individuals located within the EU. The GDPR doesn’t define “monitor,” but human resources functions such as tracking workers’ activities in order to review their performance, reimbursing expense claims, tracking time (the European Court of Justice recently held that EU employers must track time for all employees) and administering leave programs require some degree of monitoring. Thus, a multinational that has contractors or employees in the EU has obligations under GDPR even if it doesn’t have an EU presence or sell goods or services into the EU and even if its EU-based employees are not EU citizens.
Companies seeking to expand overseas increasingly use third-party employers or global professional employer organizations (PEOs) to help manage their global workforces. When using a PEO, it is critical to understand how data is being handled as part of that relationship. When a company entrusts its workforce to a PEO, it is also trusting the PEO to manage HR data properly.
When considering the data privacy implications of an engagement with a third-party employer, the following considerations may help:
How does the PEO approach global data security requirements?
Global partners should be familiar with the laws governing data compliance in every territory in which a company will hire employees. These laws include more than just GDPR in the EU. There are robust data privacy laws in many other countries that are high priorities for expansion such as Singapore, Argentina, Korea, Hong Kong, Australia and Malaysia.
It is prudent to confirm the PEO is aware of and complies with the laws in each jurisdiction where an organization has targeted expansion.
The Consent Dilemma
One of the most dramatic impacts that GDPR has had on employer data management is to largely disqualify employee consent as a means to authorize the employer’s collection and processing of data. GDPR requires any consent to be freely given, specific, informed and revocable. Consent in the employment context is unlikely to qualify as freely given because the imbalance of power between an employer and employee means an employee is unlikely to refuse consent even if he or she has concerns. As an alternative to consent, a PEO should be able to articulate a legal basis for its data collection and processing practices.
Does the PEO Comply with International Transfer Requirements?
A common feature of global data privacy laws is a restriction on the ability to transfer personal data outside of the country. Some countries require data subject consent prior to an international transfer, and in some cases valid consent requires the data subjects to have received explanatory material about what information will be transferred, how and where. GDPR and other global privacy laws require additional legal safeguards before data may be transferred across international lines.
Find out what safeguards the PEO uses and where. The EU/U.S. and Swiss/U.S. Privacy Shields are examples of safeguards intended to ensure that data from within the European Economic Area may be transferred to the U.S. safely.
Is the PEO Privacy Shield certified for HR data?
It is important that the PEO is authorized to transfer the correct type of data across international lines. The Privacy Shield is one way a U.S.-based company can obtain authorization to transfer personal data out of the EEA. When a company certifies to the Privacy Shield, it commits to having a uniform methodology to approach, manage and protect data that originates in the EU and EEA. U.S. companies may certify under the Privacy Shield for Non-HR Data, and for HR Data. PEOs deal with human resources data, so they should certify their compliance with Privacy Shield for HR data. Evaluate whether the PEO’s international transfer mechanism covers the correct type of data.
Ask for Copies of Privacy Notices
GDPR and many other global privacy laws require the data subject to be informed of the manner in which personal data will be collected and processed. Privacy notices, made available to the data subject at the time of collection, are critical to recognizing the data subject’s rights under these laws. Ask the PEO to provide their privacy notices for review and to explain their data collection practices.
Understanding an organization’s data privacy obligations is critical to any compliance program. Further, when a growing company partners with a third-party employer or PEO for its workforce expansion, understanding how that PEO manages personal data and compliance with global employment laws should be an important consideration.
Adrienne Drew is associate general counsel for Globalization Partners. Drew has handled a wide variety of complex employment situations in a number of countries and holds a certification in European Privacy from the International Association of Privacy Professionals.