Frequently Asked Questions (FAQs)

FAQ 9 - Human Resources

1.Q. Is the transfer from the EU to the U.S. of personal information collected in the context of the employment relationship covered by the safe harbor?

1. A: Yes, where a company in the EU transfers personal information about its employees (past or present) collected in the context of the employment relationship, to a parent, affiliate, or unaffiliated service provider in the United States participating in the safe harbor, the transfer enjoys the benefits of the safe harbor. In such cases, the collection of the information and its processing prior to transfer will have been subject to the national laws of the EU country where it was collected,and any conditions for or restrictions on its transfer according to those laws will have to be respected.

The safe harbor principles are relevant only when individually identified records are transferred or accessed. Statistical reporting relying on aggregate employment data and/or the use of anonymized or pseudonymized data, does not raise privacy concerns.

2. Q: How do the notice and choice principles apply to such information?

2. A: A US organization that has received employee information from the EU under the safe harbor may disclose it to third parties and/or use it for different purposes only in accordance with the Notice and Choice principles. For example, where an organization intends to use personal information collected through the employment relationship for non-employment-related purposes, such as marketing communications, the US organization must provide the affected individuals with choice before doing so, unless they have already authorized the use of the information for such purposes. Moreover, such choices must not be used to restrict employment opportunities or take any punitive action against such employees.

It should be noted that certain generally applicable conditions for transfer from some Member States may preclude other uses of such information even after transfer outside the EU and such conditions will have to be respected.

In addition, employers should make reasonable efforts to accommodate employee privacy preferences. This could include, for example, restricting access to the data, anonymizing certain data, or assigning codes or pseudonyms when the actual names are not required for the management purpose at hand.

To the extent and for the period necessary to avoid prejudicing the legitimate interests of the organization in making promotions, appointments, or other similar employment decisions, an organization does not need to offer notice and choice.

Q3: How does the access principle apply?

A: The FAQs on access provide guidance on reasons that which may justify denying or limiting access on request in the human resources context. Of course, employers in Europe must comply with local regulations and ensure that European employees have access to such information as is required by law in their home countries, regardless of the location of data processing and storage. The safe harbor requires that an organization processing such data in the United States will cooperate in providing such access either directly or through the European employer.

Q4: How will enforcement be handled for employee data under the safe harbor

principles? 1

A: In so far as information is used only in the context of the employment relationship, primary responsibility for the data vis-à-vis the employee remains with the company in the EU. It follows that, where European employees make complaints about violations of their data protection rights and are not satisfied with the results of internal review, complaint, and appeal procedures (or any applicable grievance procedures under a contract with a trade union), they should be directed to the state or national data protection or labor authority in the jurisdiction where the employee works. This also includes cases where the alleged mishandling of their personal information has taken place in the U.S., is the responsibility of the U.S. organization that has received the information from the employer and not of the employer and thus involves an alleged breach of the safe harbor principles, rather than of national laws implementing the Directive.This will be the most efficient way to address the often overlapping rights and obligations imposed by local labor law and labor agreements as well as data protection law.

A U.S. organization participating in the safe harbor that handles European human resources data outside Europe should also commit to cooperate in investigations and to comply with the decisions of competent European authorities in such cases.

1. The text of this reply depends on the agreement of the DPAs. They are only prepared to take a definitive view safe harbor that uses European human resources data transferred from Europe in the context of the overall opinion which the Working Party will issue on the final package.employment relationship and that wishes such transfers to be covered by the safe harbor arrangement must therefore commit to cooperate in investigations by and to comply with the advice of competent European authorities in such cases. The DPAs that have agreed to cooperate in this way will notify the European Commission and the Department of Commerce . If a US organization participating in the safe harbor wishes to transfer human resources data from a Member State where the DPA has not so agreed, the provisions of FAQ 5 will apply.