Many of us have felt the need to take a work device with us when travelling abroad, either to avoid coming back from a holiday to an overflowing inbox or to make the most of that overseas business trip.
But to the extent accessing emails, working on documents and/or using work systems abroad involves processing personal data, does this constitute an international transfer of that data, to which the GDPR would impose various obligations on our employer?
The European Data Protection Board (EDPB) issued guidance back in 2021 to help businesses identify which activities constitute data transfers, a full copy of which can be found here. The guidance clarifies that where employees access personal data in other parts of the world this will not constitute an international data transfer.
This will be welcome news to businesses, which are required under UK data protection law to ensure that certain conditions are met whenever they transfer personal data outside the UK, in order for that transfer to be lawful (for example, by putting in place international data transfer agreements). Failure to do so would be a breach of the GDPR, which could open the business up to the risk of investigation by the regulatory authority, the imposition of significant fines and/or other enforcement action.
Criteria to be met for an international data transfer to occur
The EDPB’s guidance states that the following three criteria will need to be met for the GDPR’s international data transfer rules to apply in respect of a data processing activity:
- A controller or processor is subject to the GDPR.
- The controller or processor (exporter) discloses personal data (either by transmission or otherwise making such personal data available) to another controller, joint controller or processor (importer).
- The importer of the personal data is in a third country or is an international organisation (the importer does not need to be subject to the GDPR).
Case Study: An employee of a controller in the UK travels to a third country on a business trip
The EDPB’s guidance contains a number of examples and case studies to illustrate the scenarios in which an international data transfer would occur.
The EDPB sets out the example of George, who travels from Poland to India for a meeting and accesses personal data on his company’s databases to finish a memo. The EDPB says that “this remote access of personal data from a third country does not qualify as transfer of personal data, since George is not another controller, but an employee”. George is not a separate entity from his employer, who is the controller/processor of the personal data. Without a second entity to transfer the personal data to, there cannot be an international data transfer, as all the processing is taking place within the same controller/processor.
However, it is important to note that this situation is different from one where an employee of a different company within the same corporate group accesses personal data. So, if George was employed by the Indian subsidiary of his employer’s corporate group and accessed the personal data of the Polish subsidiary of his employer’s corporate group, then this would be considered an international transfer of personal data for the purposes of GDPR.
What other circumstances would/would not constitute an international data transfer under the GDPR rules?
The EDPB further clarified that:
- Where a data controller in a third country collects personal data directly from a data subject in the EU, this does not constitute a data transfer, as the data subject cannot qualify as an exporter.
- Where an EU controller or processor outsources some or all of its processing activities to a sub-processor in a third country, this does constitute an international transfer for GDPR purposes.
- Where a non-EU company that is not subject to the GDPR transfers data to an EU-based processor that then sends the data back to that non-EU company, such transfer from the EU processor to the non-EU company does constitute an international transfer for GDPR purposes.
Is there still a risk if employees access personal data abroad?
Whilst the EDPB’s guidance might reassure businesses that if their employees access work emails abroad this will not constitute an international data transfer, the security risks of employees accessing personal data abroad can still be significant, depending on the country in question.
Many third countries do not afford data subjects the same level of rights as under the GDPR, whilst networks and systems in third countries may also not have the same layers of protection as in the UK/EU. Businesses should be mindful of their legal obligation to implement technical and organisational measures to ensure against unauthorised or unlawful processing and against accidental loss, destruction or damage of personal data. Each time an employee accesses personal data in a third country, the risk to a business in failing to meet this obligation potentially increases.
In order to mitigate/eliminate such risk, businesses may still consider it good practice to:
- ensure that any devices to be used abroad by their employees have sufficient layers of protection installed/deployed on them, in order to maintain the security of any personal data accessed through them; and/or
- take a lower risk approach and prohibit or severely limit the use of work phones and laptops abroad.
All in all, it is reassuring for businesses that the next time one of their employees processes personal data as part of a business meeting abroad or checks their inbox from their beach resort on holiday, they will not be deemed to have transferred that business’s personal data to an exotic location halfway across the world.
However, this should not detract from the fact that businesses should have clear rules about their employees' use of work devices and access to work systems while abroad, with thought given to minimising security risks by training employees and implementing appropriate technical and organisational measures.
Furthermore, following the world’s move to a more hybrid way of working after the COVID-19 pandemic, it will be interesting to see if the EDPB chooses to revise its position in respect of employees of UK/EU businesses who work abroad in third countries on a permanent basis.
If your workforce, business and/or corporate group is spread across multiple jurisdictions and you have any questions about the measures you should be implementing in order to ensure you are transferring and processing personal data lawfully and securely, please contact me or another member of our commercial team.