HR Data on the Cloud

03 July 2018


There are many outsourced-HR companies and, naturally, they hold personal data such as an individual’s name, address, DOB, NI, bank details, salary etc. Some HR companies provide software or apps to process payroll, pay invoices and employee expenses, bonuses etc.

Care needs to be taken as to whether the servers for these apps are based outside the EU or EEA, for example, in the United States.

While legitimate interest may cover the retention of employee data, the use of US-based servers to store personally identifiable information goes against one of the core principles of the GDPR, namely not transferring personal data outside the EEA without the consent of the Data Subject.

Further, the HR company must ensure it has appropriate security controls and/or contractual clauses in place with the data processor to safeguard the data they are processing. Privacy notifications and contractual terms would also need to be updated to reflect this.

Information from the ICO sets out the requirements for transferring data outside the EEA: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/international-transfers/

In respect of the US-based company providing servers, it would have to show that it is Privacy Shield compliant. If it is not, then it would be considered a Third Country and would require investigation as to the risks of storing data in a non-adequate territory. Adequacy principles under Article 45 are of course determinable within the Official Journal of the EU.

 

 
