In our Worklife 2.0 series (see our previous blog posts here, here, here and here), we have discussed the increase in the number of companies who partner up with employers of record (EoRs). EoRs act as formal employers of individuals who are in practice supervised and managed by another end-user company. These employees are usually located in countries where the end-user company does not have a corporate presence itself. This set-up allows companies to access talent in different jurisdictions, while the administrative aspects are taken care of by the EoRs.
In this blog post, we will explore some key data protection points to be considered in the context of working with EoRs.
Applicable data protection laws
The first point to determine is what data protection laws will apply. This won’t necessarily be straightforward as the engagement of EoRs usually takes place in an international setting and so data protection laws of more than one country may be applicable.
In the EU, the EU General Data Protection Regulation (GDPR) will apply when an entity that is established in the EU processes personal data of employees. In the UK, the UK GDPR and the Data Protection Act 2018 will apply to UK organisations. Even where an entity is not established in the EU or the UK, the (UK) GDPR may also apply if that entity processes personal data of employees who are based in the EU or in the UK, in particular where the processing involves monitoring their behaviour.
In an EoR context, both the EoR and the end-user company will have certain obligations under the GDPR and both parties may be held responsible for any compliance issues. Potential sanctions for failure to comply with the GDPR can be severe. There are two tiers of administrative fines depending on the gravity of the infringement: up to EUR 10,000,000 (or 2% of total worldwide annual turnover, if higher) for less serious infringements and up to EUR 20,000,000 (or 4% of total worldwide annual turnover, if higher) for more serious infringements (eg a breach of the basic principles for processing personal data).
Role of the parties
The obligations of the EoR and end-user under data protection laws will differ according to their roles and responsibilities – and in particular, in the context of the GDPR, if they are a data controller or data processor.
Under the GDPR, the party who determines the purposes and the means of the processing of the employee’s personal data will be considered the data “controller”. If the EoR and end-user decide on the purpose and means of processing together, they will be considered joint controllers. A party that processes employee data solely on behalf of the controller will be considered a data “processor”.
In broad terms, the (joint) controller(s) will generally be responsible for ensuring that the data processing complies with the (UK) GDPR. The processor is not free of obligations: the GDPR imposes a number of specific obligations directly on processors (for example, to keep records of processing, to implement appropriate security measures and to notify the controller of personal data breaches), and a processor may be held responsible for failing to meet them. The determination of whether a party is a data controller or data processor is fact-specific, but it is important to ensure that each party understands its respective obligations and that, where necessary, they document their compliance with those obligations appropriately.
Necessary agreements between the parties
Applicable data protection laws may require the parties to enter into specific data protection related agreements.
If the EoR and the end-user company are considered to be joint controllers under the GDPR, they will have to agree on their respective responsibilities under the GDPR, in particular with respect to any exercise of data subject rights by the employees.
If the EoR and the end-user company are considered to be controller and processor, they will have to enter into a data processing agreement which should contain certain minimum requirements.
If the EoR and the end-user company are considered to be separate controllers, they will not be required to enter into specific data protection related agreements under the GDPR.
Allocation of tasks
In addition to the mandatory minimum requirements stipulated by applicable data protection laws, the EoR and the end-user company may also wish to allocate certain “processing” obligations between each other.
For example, the parties may wish to agree how, and how quickly, each will inform the other of any personal data breach (a processor must in any event notify the controller without undue delay). They might also want to allocate the tasks amongst each other in relation to any exercise of data subject rights by the employees, such as access requests. Another issue to consider would be the allocation of the parties’ tasks in relation to the processing of special category data relating to employees (eg health data or trade union membership) and any specific restrictions in that respect under applicable data protection laws, which may vary depending on the jurisdiction.
International data transfers
Given the inherently international nature of the EoR construct, the processing of employee personal data in this context will often involve international data transfers. Applicable data protection laws may impose certain restrictions or requirements for such data transfers to take place.
Under the GDPR, such restrictions may be applicable if the EoR or the end-user company transfers personal data of the employees to any recipient (including to each other) located in a country that is not considered “safe” from a data protection perspective. If the European Commission (or, under the UK GDPR, the UK Government) has adopted a so-called “adequacy decision” confirming that the level of protection for personal data in the relevant non-EEA (or non-UK) country is adequate, no further restrictions will apply. If there is no such adequacy decision, either or both parties will have to implement specific transfer mechanisms, such as standard contractual clauses, binding corporate rules or an applicable derogation. In such circumstances, the EoR or the end-user company may also have to undertake an assessment of the laws of the country to which the employee’s personal data is transferred and implement additional safeguards where that assessment shows the transfer mechanism alone does not ensure an essentially equivalent level of protection.
Conclusion
An EoR allows end-user companies to engage talented employees around the globe without the administrative burden that a traditional direct employment structure would generally entail, which can be very helpful when entering a new market for the first time. However, as discussed in this blog post, all parties involved should ensure that they comply with any applicable data protection laws. To achieve this, it will be essential to consider data protection at an early stage in the collaboration, in particular by settling the parties’ roles, the necessary agreements and the transfer mechanisms before any employee data is shared.