There are many outsourced HR companies and, naturally, they hold personal data such as an individual's name, address, date of birth, National Insurance number, bank details and salary. Some HR companies also provide software or apps to process payroll, pay invoices and employee expenses, bonuses, and so on.
Care needs to be taken as to whether the servers for these apps are based outside the EU or EEA, for example, in the United States.
While legitimate interest may cover the retention of employee data, storing that data on US-based servers is a transfer of personal data outside the EEA. Chapter V of the GDPR restricts such transfers: they are permitted only where the destination is covered by an adequacy decision (Article 45), where appropriate safeguards such as standard contractual clauses or binding corporate rules are in place (Article 46), or where one of the Article 49 derogations applies. The data subject's explicit consent is one of those derogations, but the derogations are intended for occasional transfers, and consent is a weak basis for routine processing of employee data given the imbalance of power between employer and employee.
Further, the HR company must ensure it has appropriate technical and organisational security controls in place, and a written contract meeting the Article 28 requirements with any processor or sub-processor (such as the server provider), so that the data it is processing is safeguarded. Privacy notices and contractual terms would also need to be updated to reflect the transfer and the safeguard relied on.
Guidance from the ICO sets out the requirements for transferring data outside the EEA: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/international-transfers/
In respect of the US-based company providing the servers, it would have to show that it was certified under the EU-US Privacy Shield. Note that the Court of Justice of the EU invalidated Privacy Shield in the Schrems II judgment (Case C-311/18, July 2020); its successor, the EU-US Data Privacy Framework, received an EU adequacy decision in July 2023, and transfers from the UK are now governed by the UK GDPR and the UK's own adequacy regulations. The United States is a third country in any case; where the recipient is not covered by an adequacy decision, the transfer is to a non-adequate territory and requires a risk assessment and appropriate safeguards before any data is stored there. Adequacy decisions under Article 45 are published in the Official Journal of the EU.
Contact our Data Protection and GDPR Solicitors Liverpool, Wirral, Merseyside and Across England & Wales
There are many aspects of your business to consider when it comes to ensuring compliance with GDPR. Our specialist data protection solicitors provide comprehensive advice and services tailored to your business and its operations. For a free initial consultation, contact our specialist team on 0151 659 1070 or complete our online enquiry form.