The General Data Protection Regulation (GDPR) imposes strict obligations on companies around the world when it comes to how they can process the personal data of EU residents.

U.S.-based companies that work with EU-based freelancers, contractors, or remote hires often aren't sure whether or not the GDPR applies to the handling of their employment-related data.

This article will explain why and how the GDPR applies to employee data in such scenarios, and what U.S. companies need to do to comply with the GDPR when they work with EU-based contractors.


How Does the GDPR Apply to U.S.-Based Companies?

For U.S.-based companies, the GDPR's extraterritorial reach is what makes it potentially applicable. The GDPR applies not only to companies established within the EU, but also to those outside of it when specific conditions are met.

Article 3 (2) of the GDPR states that the GDPR will apply to companies located outside of the EU that process personal data of individuals in the EU in connection with either:

  1. Offering goods or services to individuals in the EU, or
  2. Monitoring the behavior of individuals in the EU, such as via tracking technologies

U.S.-based companies that hire EU-based freelancers, contractors, or remote workers will most likely regularly collect and process personal data from the EU-based individual.

Personal data is any information that relates to an identified individual, or can be used to identify someone. Examples include but are in no way limited to:

  • Full names
  • Email addresses
  • Mailing or home addresses
  • Government-issued ID numbers
  • IP addresses

Some of the personal data that a company frequently collects about its workers, whether employee or contractor, includes names, addresses, and financial account information to facilitate HR functions such as payroll, tax reporting, or managing contracts.

But is the collection of this data considered "in connection with either offering goods or services to individuals in the EU, or monitoring the behavior of individuals in the EU, such as via tracking technologies"?

Why Does the GDPR Apply to HR Data of EU Contractors Collected by U.S. Companies?

The GDPR doesn't have different requirements for when personal data is from actual employees, or from remote contractors. Instead, the GDPR applies to any personal data processing that meets Article 3 criteria.

Contractors, freelancers and remote hires are individuals whose personal data is being processed. And the processing more than likely meets Article 3 criteria.

To determine whether the GDPR applies to the HR data of EU contractors working for U.S. companies, you'll need to consider the nature of the relationship and the context of the data processing.

It's very likely that the relationship between a U.S. company and its EU-based contract employees will meet at least one and probably both of the requirements that the personal data is processed:

  • In connection with either offering goods or services to individuals in the EU, or
  • Monitoring the behavior of individuals in the EU, such as via tracking technologies.

Here's how a remote contractor scenario will likely satisfy at least one of these requirements.

Criterion 1: Offering Goods or Services to Individuals in the EU

A U.S.-based company that hires an EU-based contractor is arguably offering that contractor a service: a work contract or freelance agreement.

The European Data Protection Board (EDPB) has given guidance that "offering services" includes situations where a company targets individuals within the EU, including when the service is related to employment.

For example, consider a U.S.-based web design company that posts a job listing that's accessible to EU residents, or posts it specifically on an EU-based job board. This can be seen as targeting individuals within the EU and offering them a service of earning income.

Now consider that the U.S.-based web design company hires someone from Germany and collects information such as the designer's name, address, tax ID number and bank details for sending payments. This data processing is directly connected with the service offered to the individual located in Germany (the freelance contract).

This can make the GDPR applicable.

Criterion 2: Monitoring the Behavior of Someone in the EU

If a U.S.-based company monitors the behavior of even one EU contractor, this could trigger the GDPR.

In an employer/freelancer relationship, "monitoring" could look like tracking work hours through mandatory time-tracking software, programs that log keystrokes, or employee surveillance systems that make sure your remote employees are working when they say they are.

This can make the GDPR applicable.

How Can U.S.-Based Companies with EU-Based Freelancers Stay GDPR-Compliant?

U.S. companies that hire any EU-based contractors or freelancers will need to comply with several GDPR requirements.

Have a Lawful Basis for Processing

Article 6 of the GDPR requires that all processing of personal data be done under one of its listed lawful bases. Make sure that any data you process about your EU-based contractor is done under one of the bases.

For HR data of EU-based contractors, the most relevant bases for U.S. companies are:

  • Necessity of contract performance: Even in an employer/contractor relationship, there will likely be some sort of contract to manage the contractor's deliverables, and the company's payments. Processing data like financial account details or tax ID numbers is often necessary to fulfill the contract.
  • Legitimate interests: A U.S.-based company may process the data of its EU-based contractors for things such as direct marketing or security system enhancement, as long as they don't infringe upon the contractor's rights or freedoms.

Have a GDPR-Compliant Privacy Policy

Make sure that your employee-facing Privacy Policy is GDPR-compliant by writing it in a clear and concise way, and disclosing appropriate information within it:

  • What personal data you collect/process, and why
  • Legal basis for processing data
  • GDPR-granted rights
  • Data retention periods
  • Data Sharing/International data transfers
  • Security measures
  • Your contact information

Here are more details and examples of these Privacy Policy clauses.

What Personal Data You Collect/Process, and For What Purpose

Disclose to your contractors what types of personal data you collect about them and why you do this.

Here's how Chubb's Employee Data Privacy Notice discloses the types of data it collects about individuals working for the company, including things like emergency contact information, professional qualifications and diversity data:

Chubb Employee Data Privacy Notice - Types of Personal Data Chubb Processes clause

Legal Basis for Processing Data

Include a clause that states what your legal basis for processing personal data is, as discussed in the previous section.

Here's an example of a clause from the Medis Privacy Policy for HR Purposes that notes its legal bases, such as laws that require employers to keep records of employee information, the employment contract, and the legitimate interest of maintaining a good working environment:

Medis HR Privacy Policy - Legal basis clause

Data Subject Rights

This clause must clearly explain what specific rights your EU-based contractor has, such as the right to access, change, erase, or restrict the processing of their data.

Here's an example of how you could create a simple clause that notes the GDPR, what rights your employees have, and how they can exercise the rights:

Generic GDPR rights clause in HR Privacy Policy screenshot

This example from Medis is far more detailed and specific, outlining exactly what the rights really mean. You don't need to get this specific, but it can help keep your contractors informed. It's best to balance being concise with being informative:

Medis HR Privacy Policy - GDPR rights clause

Data Retention

You have to let contractors and employees know how long you will be keeping their data. Here's how Chubb discloses that it will only retain employee personal data for as long as employment is in place, or a shorter period if the data is no longer necessary for the purpose for which it was collected:

Chubb Employee Data Privacy Notice - Data retention clause

Data Sharing/International Data Transfers

If applicable, include a clause that notes how you handle any data transfers, including international data transfers (like data from EU-based contractors to your U.S.-based company), and the safeguards you have in place.

Here's how Medis addresses this in its Privacy Policy for HR Purposes. It mentions third-party service providers, as well as all the affiliated companies that may receive the contractor's personal data:

Medis HR Privacy Policy - Data sharing clause

Here's another example from Chubb that addresses international transfers of employee data, such as an EU-based contractor's data being transferred outside of the EU.

The clause notes that steps will be taken to ensure that the personal data receives an adequate level of protection, such as through data transfer agreements or by ensuring that third parties are certified under appropriate data protection schemes:

Chubb Employee Data Privacy Notice - Cross-border transfer clause

Security Measures

Include a clause that mentions your dedication to data security. You don't need to be specific about what measures you have in place, but at least note that you do in fact have them.

Here's an example of a very detailed security clause from Medis. It addresses physical and technical security measures, deletion of data, and data breach response plans:

Medis HR Privacy Policy - Security clause

Your Contact Information

Provide ways for users, contractors and anyone else to contact you easily with any questions. It's best to include at least 2 methods of contact, such as an email address and phone number.

Here's an example from Medis that includes an email address and phone number:

Medis HR Privacy Policy - Contact clause

Have a Process in Place for Handling GDPR Data Subject Rights

Even if you only have one EU-based contractor, that contractor has the ability to exercise any of the 8 GDPR-granted data subject rights.

The GDPR rights are as follows:

  1. To be informed
  2. To access
  3. To rectification
  4. To erasure*
  5. To restrict processing
  6. To portability
  7. To object
  8. To opt out of automated decision-making and profiling

*Note: This is not an absolute right. In an employer/contractor relationship, some of the contractor's data may not be deletable. For example, the contractor's financial data could not be deleted while they are still a contractor because of accounting requirements.

You must make sure that the contractor is able to exercise these rights, and that you have appropriate mechanisms in place to quickly honor any rights requests made.

Minimize the Data You Collect

Identify what personal data you collect from EU contractors, where it is stored, how it is processed, and who has access to it. This helps ensure compliance with data minimization and security requirements.

The GDPR requires that data collection be limited to only what is truly necessary for whatever the stated purpose of collection is.

Because of this, U.S.-based companies should avoid collecting excessive data from any EU-based contractors and make sure that all collected data is used only for its intended purpose, such as managing payroll or contracts.

While you may collect some irrelevant personal information from your regular employees and U.S.-based contractors, make sure to limit what you collect from any EU-based ones.

Keep All Data Secure

While you likely already have robust data security measures in place, you'll need to verify that they are adequate if you have any EU-based contractors on your team.

This is because the GDPR requires that appropriate technical and organizational measures are in place to protect and secure personal data.

Data security measures could include encryption, strict access controls, and conducting regular security audits.

Be aware that a data breach that involves any personal data of an EU-based contractor will trigger GDPR requirements around data breaches.

Correctly Handle Data Transfers From the EU to the U.S.

When you collect HR-related personal data from EU-based contractors, you're technically transferring data from the EU to the United States. This is because the data goes from the EU either to your own U.S.-based servers, or to a third-party HR platform (like Gusto) that's headquartered within the United States.

To comply with the GDPR, you will need to ensure that any HR-related software you use includes one of the required safeguards, such as:

  • Standard Contractual Clauses (SCCs): These are pre-approved contractual terms that help make sure the transfer is compliant with the GDPR.
  • Binding Corporate Rules (BCRs): Suitable for intra-group transfers within multinational companies, such as if you have an EU-based branch of your company that collects data and transfers it to the U.S.-based headquarters.
  • Data Processing Agreements (DPAs): Contracts with third-party processors (such as an HR platform) that ensure both parties are operating in a GDPR-compliant way.

Review Your Third-Party Platforms' Compliance

Many U.S.-based companies use third-party HR or payroll platforms that are headquartered outside of the EU. If you work with any of these types of third parties for your EU-based contractors, you need to take steps to make sure that they are operating in a GDPR-compliant way.

You can check their legal agreements, such as a Privacy Policy, to see if they have GDPR-compliant content and processes in place.

Train Your HR Team on GDPR Principles

If your U.S.-based HR staff is going to be handling contractor data from EU-based contractors, make sure they're trained and educated on GDPR principles like data minimization and the rights granted.

This will help make it less likely that they'll accidentally violate the contractor's GDPR-granted rights.

Have a Data Protection Officer (DPO), if Applicable

This will become relevant if your U.S.-based company starts doing "large-scale" processing of personal data from EU-based contractors. If you only have a few on your team, this won't be so relevant. But if you start growing and hiring most of your freelancers from the EU, you'll need to see if you need a DPO.

Summary

If your U.S.-based company works with EU-based freelancers, contractors, or remote hires, the GDPR likely applies to the processing of their HR data. This is because the GDPR's extraterritorial scope makes it apply to things like offering work opportunities and contracts, and monitoring contractor performance.

U.S.-based companies with EU-based contractors will need to comply with the GDPR by establishing lawful bases for processing data, respecting data subject rights, engaging in secure data transfers, implementing adequate security measures and having a compliant Privacy Policy.

Make sure to train any HR staff on GDPR requirements to help prevent non-compliant handling of the EU-based contractor's personal data.
