Working remotely from or a business trip to a third country

Transfer of personal data?

As the hybrid working environment is becoming more widespread in many companies, employees may be more likely to work remotely from a third country. What is the impact of privacy and data protection legislation when an employee works remotely in, or goes on a business trip to a third country that does not provide an adequate level of data protection? Does access to the employer’s databases constitute a transfer in that case? How can the employer ensure the security of personal data being processed from a third country?

1. What are the general principles for transfers of personal data?

 The transfer of personal data to countries outside the European Economic Area (EEA), so called “third countries”, is only permitted in the cases provided for in Chapter V of the General Data Protection Regulation (GDPR). This concerns both an “active” transfer and a “passive” transfer in which the data are accessible from a third country.

The GDPR foresees in a toolkit of mechanisms to transfer data to third countries:

• an adequacy decision adopted for the third country by the European Commission, confirming that this country ensures an adequate level of data protection (equivalent to that of the EU);
• appropriate safeguards, such as standard contractual clauses, binding corporate rules, or codes of conducts and certification, or;
• specific occasional derogations applicable to the situation.

The controller or processor transferring data must, in accordance with the recommendations of the European Data Protection Board (EDPB), verify, in cooperation with the recipient in the third country, whether the third country can guarantee an adequate level of protection. If that is not the case, additional safeguards must be put in place.

2. Should the employer implement one of the above-mentioned transfer mechanisms in case an employer travels to or works remotely from a third country?

If an employee of an EU-based company travels to or works remotely from a third country and accesses from that third country personal data of, for example, colleagues, job applicants, (contacts of) customers or other persons, the question arises whether such access should be considered as a “transfer” of personal data under Chapter V of the GDPR with its obligations and limitations.

The recipient of the personal data is in this case an employee. An employee does in principle not have the capacity of a data controller nor data processor but is a person who is under the direct authority of the employer and, may only process personal data (for which the employer is the controller or processor) within the limits of the employer’s instructions, permissions and restrictions. Therefore, as in this case there is no transfer to a data controller or data processor with its own responsibility under the GDPR, the obligations on transfers of personal data to third countries do not seem to apply here.

The Belgian Data Protection Authority (DPA) has confirmed the above-mentioned reasoning. When an employee of an EU-based company travels for business to or works remotely from a third country, performs work from there and thereby accesses personal data of the company, this constitutes processing that does not fall under Chapter V of the GDPR on transfers of personal data to third countries. Indeed, in such situation, the employee is neither a controller nor a processor.

On the contrary, the processing carried out by the employee takes place within the context of the activities of the company, and under the authority of the company.

The employer will therefore not be obliged to implement one of the aforementioned transfer mechanisms, even if the third country does not guarantee an adequate level of data protection.

3. Nevertheless, the employer will still be obliged to ensure the security of employees’ personal data being processed from a third country.

This means that the employer must take technical or organizational measures to protect the security of the processing of personal data. In line with the recommendation of the EDPB, the employer could consider using encryption or pseudonymization as technical measures. An internal policy should be in place including a specific procedure to be followed in case of working remotely from or a business trip to a third country. It is crucial to make employees aware of the risks involved when processing data in a third country and to give them clear instructions (e.g. not to access the company network and the information in certain databases via unsecured public networks).

Julie Van Coillie (attorney Claeys & Engels)

Summary

The provisions on the transfer of personal data do not apply if an employee of an EU-based company is working remotely from or travelling for business to a country outside of the EU. However, the employer, as the data controller, must comply with the general principles of the General Data Protection Regulation (GDPR) and take appropriate technical and organizational security measures to cope with the risks of data being accessible from a third country.

More information