This piece is about processing employee data, for any reason. It is based on a report on data processing at work by the Article 29 Working Party (‘WP29’), an independent European advisory body on data protection and privacy.
To be clear, ‘processing’ in this context includes collecting, recording and storing data, whether on paper or electronically. If you’d like further explanation, we’d recommend the ICO’s webpage on ‘Key Definitions’.
Employers are increasingly using cloud-based applications and services, such as those designed for handling HR data, as well as online office applications. The use of most of these applications will often result in the international transfer of data from and concerning employees. Transfers of personal data to a country outside the EU can take place only where that country ensures an adequate level of protection (and it is very likely that this ruling will still apply post-Brexit). Again, the ICO has some useful advice on assessing the adequacy of protection in other countries and related considerations.
Employers should therefore ensure that these provisions on the international transfer of data, including employee data, are complied with. Where consent is relied on, it must be specific, unambiguous and freely given (although, as we covered in an earlier blog piece, consent is rarely the best justification when processing data in relation to your employees). Employers should also ensure that the data shared outside the EU/EEA, and subsequent access by other entities within the group, remains limited to the minimum necessary for the intended purposes.
Do you know where your cloud-stored data really goes?