EU Data Protection Requirements: An Overview for Employers
EXECUTIVE SUMMARY
Many foreign companies operating in the European Union (the "EU") are unaware that their traditional business practices may violate EU and Member State laws regarding personal data protection. The EU Data Protection Directive 95/46/EC (the "Directive") regulates the collection, use, and transfer of individually identifiable personal information about employees, such as name, address, telephone number, and marital status, as well as information such as salary, bonuses, terms of an employment contract, and performance appraisals. It also requires the Member States to adopt laws implementing the Directive's requirements.

In addition, the transfer of employee information to another entity, even a related corporate affiliate, without providing explicit notice to employees and in some cases obtaining consent from employees may be considered a violation of the Directive and Member State laws. Thus, for example, if a company with operations in England provides information regarding individual employees to the home office in the United States, that company must comply with the U.K. Data Protection law.

The potential liability for employers failing to abide by these laws can be quite high. The Spanish Data Protection Authority, for example, recently fined an organization nearly 840,000 euros (approximately US$900,000) for sharing customer data with a subsidiary organization and fined another organization 1.08 million euros (approximately US$1.17 million) for disclosing protected personal information to the public.

Companies with operations in the EU, especially those that centralize human resources information in databases located outside the EU or regularly transfer employee data among offices outside the EU, may have to change the way they collect and use employee data. Virtually every business with employees in a Member State in the EU must comply with the Directive and Member State laws implementing the Directive.

These laws apply to the collection, processing, and transfer of employee personal data, whether online or offline, manual or automatic. Employers must have appropriate legal grounds to collect and process personal employee information and transfer that data to another entity, even an affiliated organization such as a parent company or a subsidiary. In addition to specific regulations regarding the collection and use of personal data within the EU, the Directive also requires Member States to restrict the transfer of personal data to only those countri...

