FAQ 9 - Human Resources Data
1. Q: Is the transfer from the EU to the U.S. of human resources and employment data and other data collected through the employment relationship covered by the safe harbor?
1. A: Yes, where an EU company in Europe transfers its employees' employment data to a parent, affiliate, or unaffiliated service provider in the United States which has chosen to qualify for the safe harbor, the transfer would enjoy the benefits of the safe harbor. In such cases, the collection of the information will have been subject to the national laws of the EU country where it was collected.
The safe harbor principles are relevant only when individually identified records are transferred or accessed. Statistical reporting relying on aggregate employment data and/or the use of anonymized or pseudonymized data do not raise privacy concerns.
2. Q: How do the notice and choice principles apply to human resources data?
2. A: Normally, human resources data subject to the safe harbor will be collected in Europe where the collection will be subject to the national laws of the EU country where it is collected. Notice and choice will be necessary where the US organization that has received employee information from the EU intends to use it or disclose it in ways incompatible with those purposes for which it was originally collected or with those disclosed to the individual in a notice. For example, where an organization intends to use personal data collected through the employment relationship for the marketing of goods and services to present or former employees and notice to that effect has not been provided by the European organization transferring the data, the US organization would need to provide notice and choice before using employee data for such purposes.
Similarly, in other cases in which the requested information will be used for non-employment-related purposes, such as whether or not to list a home telephone number or spouse's name in a company directory, or to accept or decline non-employee-related marketing communications, US organizations handling employment data of European employees must give employees the opportunity to disallow use of such information. Moreover, such choices must not be used to restrict employment opportunities or take any punitive action against such employees.
In addition, employers should make reasonable efforts to accommodate employee privacy preferences. This could include, for example, restricting access to the data, anonymizing certain data, or assigning codes or pseudonyms when the actual names are not required for the management purpose at hand. To the extent and for the period necessary to avoid prejudicing the legitimate interests of the organization in making promotions, appointments, or other similar employment decisions, an organization does not need to offer notice and choice.
3. Q: How does the access principle apply to human resources data?
3. A: The FAQs on access and investment bankers/headhunters provide guidance on reasons that may justify denying or limiting access in the human resources context. Of course, employers in Europe must comply with local regulations and ensure that European employees have access to such information as is required by law in their home countries, regardless of the location of data processing and storage. The safe harbor requires that an organization processing such data in the United States will cooperate in providing such access either directly or through the European employer.
4. Q: How will enforcement be handled for employee data under the safe harbor principles?
4. A: Where European employees are not satisfied with the results of internal review, complaint, and appeal procedures (or any applicable grievance procedures under a contract with a trade union), they should normally be directed to the state or national data protection or labor authority in the jurisdiction where the employee works. In most cases, this will be the most efficient way to address the often overlapping rights and obligations imposed by local labor law and labor agreements as well as data protection law. The US organization that handles European human resources data outside Europe should also commit to cooperate in investigations and to comply with the decisions of competent European authorities in such cases.