In last week’s post, we discussed the US trade controls’ restrictions on access to controlled technical information. As a consequence of these restrictions, European employers may be required to communicate the names, nationality and potentially other information on their employees who will have access to such technical information.
By Marga Caprioni, Stéphanie De Smedt and Bert Gevers, 20 September 2016
The collection and communication of such information will be considered a processing or transfer of “personal data” in accordance with the European Privacy Directive 95/46/EC (to be replaced in May 2018 by the EU General Data Protection Regulation or “GDPR” in short). This Directive (and the national laws of the EU Member States implementing its provisions in their national legal order) applies to any operation or set of operations which is performed upon any information relating to an identified or identifiable natural person (“personal data”), whether or not by automatic means, including the collection, recording, organization, storage, consultation, use, disclosure by transmission, dissemination or otherwise making available thereof. It becomes applicable as soon as the entity controlling the data processing activities (the “data controller”) has an establishment on the territory of one of the EU Member States. EU-based employers collecting and transferring employee data in order to comply with US trade controls legislation therefore typically fall within the scope of application of this legislation.
This week’s post will examine the legitimacy of the processing of such employee data, while the cross-border transfer of data will be discussed next week.
The processing of employee data is restricted under European law: such processing is only allowed on limited grounds. The necessity to process data for the execution of the employment contract could be such a ground, but a restrictive interpretation applies. An actual necessity for the execution of the contract will be required, so US trade controls’ restrictions will not be considered sufficient in this regard.
The unambiguous consent of the data subject may also serve as a ground to process data, but there is discussion as to what extent the consent of an employee, who works in a subordinate relationship, may actually be considered as freely (and thus validly) given. In any case, a refusal from an employee to provide consent cannot be sanctioned by the employer, and the employee should be allowed to withdraw his or her consent at any moment, without having to justify this change of heart.
Another legal ground is the necessity for compliance with a legal obligation imposed upon the data controller. EU data protection authorities, including the Belgian Privacy Commission, are however very reluctant to accept a foreign law as a binding legal obligation for this purpose. The GDPR goes even further, and provides explicitly that the basis for the processing has to be laid down by Union law or by EU Member State law. Foreign law will thus in principle only be recognized if the foreign law obligation for EU data controllers is expressly confirmed by EU law.
Finally, the processing will also be allowed if it is necessary for the purposes of the legitimate interests pursued by the employer or a third party, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject. Compliance with US trade controls’ restrictions may be argued to constitute a legitimate interest for the employer. Provided that the impact on the employee remains limited – requiring for example that data which are communicated are limited to what is strictly essential – the processing may be justified on these grounds.
A last word in this respect on background checks. Information on an employee’s criminal record is considered to be so-called “sensitive” data. For this type of data, even stricter rules apply. In Belgium for example, the processing of judicial data will only be allowed if imposed by law. Only the national laws of Belgium are allowed in this respect; an obligation imposed by US laws would not suffice. Employers should thus be extra careful when they are invited to communicate these data.
Once the relevant employee data has been collected by the employer in a legally compliant manner, additional safeguards should be implemented to allow the onward transfer thereof to the United States. The possible legal grounds for such transfer will be discussed in our next post.