The provisions on the transfer of personal data do not apply if an employee of an EU-based organisation is working remotely from or travelling for business to a country outside of the EU. However, the employer, as the data controller, must comply with the general principles of the General Data Protection Regulation (GDPR) and take into account the risks of data being accessible from a third country.
A transfer of personal data to countries outside the European Economic Area (EAA), so-called ‘third countries’, is only permitted in the cases provided for in Chapter V of the GDPR. This concerns both an ‘active’ transfer and a ‘passive’ transfer in which the data is accessible from a third country (e.g. access to an EU database by an American mother company).
More specifically, such a transfer is only permitted if one of the following transfer mechanisms is in place:
The controller or processor who is transferring data must, in accordance with the recommendations of the European Data Protection Board (EDPB), verify, in cooperation with the recipient in the third country, whether the third country can guarantee an adequate level of protection. If that is not the case, additional safeguards must be put in place. More information on the use of ‘standard contractual clauses’ and the implementation of additional safeguards can be found here.
If an employee of an EU-based organisation travels to or works remotely from a third country and accesses personal data of, for example, colleagues, job applicants, (contacts of) customers or other individuals from that third country, the question arises whether this access should be considered a ‘transfer’ of personal data under the GDPR with its obligations and limitations.
The recipient of the personal data in this case is an employee. An employee does not have the capacity of a controller or processor but is a person who is under the direct authority of the employer and, may only process personal data (for which the employer is not the controller or processor) within the limits of the employer’s instructions, permissions and restrictions. Therefore, as there is no transfer to a processor or data controller with its own responsibility under the GDPR, the obligations on transfers of personal data to third countries do not seem to apply here.
The Belgian Data Protection Authority (DPA) has confirmed this position. When an employee of an EU-based company travels for business to or works remotely from a third country, performs work and accesses personal data of the organisation from there, this constitutes processing that does not fall under Chapter V of the DPA on transfers of personal data to third countries. Indeed, in this situation, the employee is neither a controller nor a processor. On the contrary, the processing carried out by the employee takes place within the context of the activities of the company, and under the authority of the company.
The employer will therefore not be obliged to implement one of the transfer mechanisms described above, not even if an adequate level of protection cannot be guaranteed for that third country.
However, the employer, as a data controller (and possibly also as a processor), will obviously have to comply with the general principles of the GDPR.
This means the employer must take technical or organisational measures to protect the security of the processing of personal data. In line with the EDPB recommendations, the employer could consider using encryption or pseudonymisation as technical measures. An internal policy should be in place including a specific procedure to be followed in the event of employees working remotely from, or a business trip to, a third country. It is crucial to make employees aware of the risks involved when processing data in a third country and to give them clear instructions, such as instructing them not to access the company network and the information in certain databases via unsecured public networks.
It is important to keep a close eye at all times on where your employees are working remotely if they have access to company-sensitive information, especially if this information includes personal data. Make sure that your homeworking policy pays the necessary attention to working from third countries.
In addition, make sure that you take sufficient technical and organisational measures to guarantee the security of the processing of personal data by employees working from third countries.