EU Data Protection Proposals: Outsourcing And Employee Data Issues
By Matthew Howse, partner, and Celia Kendrick, associate, at Morgan Lewis
Outsourcing arrangements often require the transfer of employees’ personal data from the customer to the supplier or vice versa. For example, an outsourcing of payroll functions will involve the transfer of employee data.
Particular issues arise if the data is to be transferred outside the EU. In addition, although most data protection legislation within the EU derives from the EU Data Protection Directive, there are important differences between member states in how personal data may be processed, because each has implemented the Directive in its own national law. The UK rules are currently contained in the Data Protection Act 1998.
In January 2012, the European Commission published its proposal for a new General Data Protection Regulation. The extensive proposals would overhaul this area of law and significantly increase data protection across Europe.
The key proposals are:
- Harmonisation: A single set of rules will apply across the EU. Because the proposal takes the form of a regulation rather than a directive, it would apply directly in every member state without national implementing legislation.
- Scope extends beyond Europe: The new rules will apply to EU businesses and to businesses based outside the EU that process the personal data of individuals in the EU in connection with offering them goods or services or monitoring their behaviour.
- Fines: Penalties for non-compliance will be significant, with businesses facing proposed fines of up to €1 million or, where the organisation is an ‘enterprise’, up to 2% of its annual worldwide turnover.
- Explicit consent: The new definition of “consent” will require that an individual’s consent be given explicitly; it cannot be assumed or inferred from silence or inaction.
- Notification requirements: Organisations will be required to notify their supervisory authority of a personal data breach without undue delay, meaning within 24 hours of becoming aware of it where that is feasible. If notification is made later than 24 hours, it must be accompanied by a reasoned justification. In an outsourcing context, a supplier acting as processor must alert the customer (the controller) immediately after establishing that a breach has occurred, so the 24-hour clock puts pressure on the contractual notification chain between supplier and customer.
- Right to be forgotten: Individuals will be able to ask to be forgotten and have...