A: Yes, where an EU company in Europe transfers its employees' employment data to a parent, affiliate, or unaffiliated service provider in the United States which has chosen to qualify for the safe harbor, the transfer would enjoy the benefits of the safe harbor. In such cases, the collection of the information will have been subject to the national laws of the EU country where it was collected.
The safe harbor principles are relevant only when individually identified records are transferred or accessed. Statistical reporting relying on aggregate employment data and/or the use of anonymized or pseudonymized data do not raise privacy concerns.
Q2: How do the notice and choice principles apply to human resources data?
A: Normally, human resources data subject to the safe harbor will be collected in Europe where the collection will be subject to the national laws of the EU country where it is collected. Notice and choice will be necessary where the US organisation that has received employee information from the EU intends to use it or disclose it in ways incompatible with those purposes for which it was originally collected or with those disclosed to the individual in a notice. For example, where an organisation intends to use personal data collected through the employment relationship for the marketing of goods and services to present or former employees and notice to that effect has not been provided by the European organization transferring the data, the US organization would need to provide notice and choice before using employee data for such purposes.
Similarly, in other cases in which the requested information will be used for non-employment-related purposes, such as whether or not to list a home telephone number or spouse's name in a company directory, or to accept or decline non-employee-related marketing communications, US organizations handling employment data of European employees must give employees the opportunity to disallow use of such information. Moreover, where, to honor such choices, the employer records the names of employees who choose not to have personal data used for non-employment-related purposes, this information must not be used to restrict employment opportunities or take any punitive action against such employees.
In addition, employers should take reasonable efforts to accommodate employee privacy preferences. This could include, for example, restricting access to the data, anonymizing certain data, or assigning codes or pseudonyms when the actual names are not required for the management purpose at hand.
Q3: How does the access principle apply to human resources data?
A: The FAQs on general access indicate exceptions to the general principle of furnishing access on request. In addition to those exceptions, the employment context requires additional exceptions. These include an organization's ability not to disclose information collected in the course of ongoing employee security investigations or grievance proceedings; and to consult and update personnel files confidentially for succession planning; or to prepare for a corporate reorganization where premature disclosure of those plans could, for example, infringe on the privacy of an officer or employee considering retirement or affect the company's share value. Only such compelling grounds justify a departure from the principle that employees have a right of access to information stored in their personnel files.
Of course, employers in Europe must comply with local regulations and ensure that European employees have access to such information as is required by law in their home countries, regardless of the location of data processing and storage. The safe harbor requires that an organization processing such data in the United States will cooperate in providing such access either directly or through the European employer.
Q4: How will enforcement be handled for employee data under the safe harbor principles?
A: Where European employees are not satisfied with the results of internal review, complaint, and appeal procedures (or any applicable grievance procedures under a contract with a trade union), they should normally be directed to the state or national data protection or labor authority in the jurisdiction where the employee works. In most cases, this will be the most efficient way to address the often overlapping rights and obligations imposed by local labor law and labor agreements as well as data protection law. The US organization that handles European human resources data outside Europe should also commit to cooperate in investigations and to comply with the decisions of competent European authorities in such cases.*
*The EC is consulting its data protection authorities about the feasibility of enforcement by the data protection authorities in their individual countries.