FAQ 9 - Human Resources Data
1. Q: Is the transfer from the EU to the United States of personal
information collected in
the context of the employment relationship covered by the safe harbor?
1. A: Yes, where a company
in the EU transfers personal information about its
employees (past or present) collected in the context of the employment
relationship, to a parent, affiliate, or unaffiliated service provider
in the United States participating in the safe harbor, the
transfer enjoys
the benefits of the safe harbor. In such cases, the collection of the information
and
its processing prior to transfer will have been subject to the national
laws of the EU country where it was collected and any conditions for
or restrictions on its transfer according to those laws will have to be
respected.
The safe harbor principles are relevant only when individually identified records are transferred or accessed. Statistical reporting relying on aggregate employment data and/or the use of anonymized or pseudonymized data does not raise privacy concerns.
2. Q: How do the notice and choice principles apply to such information?
2. A: A US organization that has received employee information
from the EU under
the safe harbor may disclose it to third parties and/or use it for different
purposes only in accordance with the Notice and Choice principles.
For example, where an organization intends to use personal information
collected through the employment relationship for non-employment-related
purposes, such as non-employee-related marketing communications,
the US organization must provide the affected individuals
with choice before doing so, unless they have already authorized the use
of the information for such purposes. Moreover, such choices
must not be used to restrict employment opportunities or take any punitive
action against such employees.
It should be noted that certain generally applicable conditions for transfer from some Member States may preclude other uses of such information even after transfer outside the EU and such conditions will have to be respected.
In addition, employers should make
reasonable efforts to accommodate employee privacy preferences. This could
include, for example, restricting access to the data, anonymizing certain
data, or assigning codes or pseudonyms when the actual names are not required
for the management purpose at hand.
To the extent and for the period necessary to avoid prejudicing the legitimate interests of the organization in making promotions, appointments, or other similar employment decisions, an organization does not need to offer notice and choice.
Q3: How does the access principle apply
to human resources data?
A: The FAQs on access and investment bankers/headhunters provide
guidance on reasons that may justify denying or limiting access on request
in the human resources context. Of course, employers in Europe must comply
with local regulations and ensure that European employees have access to
such information as is required by law in their home countries, regardless
of the location of data processing and storage. The safe harbor requires
that an organization processing such data in the United States will cooperate
in providing such access either directly or through the European employer.
Q4: How will enforcement be handled for employee data under the safe harbor
principles? 1
A: In so far
as information is used only in the context of the employment relationship,
primary responsibility for the data vis-à-vis the employee
remains with the company in the EU. It follows that, where European
employees make complaints about violations of their data protection
rights and are not satisfied with the results of internal review, complaint,
and appeal procedures (or any applicable grievance procedures under a contract
with a trade union), they should be
directed to the state or national data protection or labor authority in
the jurisdiction where the employee works.
This includes cases where the alleged
mishandling of their personal information has taken place in the United
States and thus involves an alleged breach of the safe harbor principles,
rather than of national laws implementing the Directive. This will
be the most efficient way to address the often overlapping rights and obligations
imposed by local labor law and labor agreements as well as data protection
law. The US organization participating in the safe harbor that handles
European human resources data outside Europe should also commit to cooperate
in investigations and to comply with the decisions of competent European
authorities in such cases.
1. The text of this reply depends on the agreement of the DPAs. They are only prepared to take a definitive view in the context of the overall opinion which the Working Party will issue on the final package.