Expert Advice Community

DPO, e-mail and transfer of data to third countries

Guest user Created:   Aug 03, 2020 Last commented:   Aug 07, 2020

We are a German technology startup company approaching 20 employees spread over the world (Europe, Asia, Australia).

Actually, I have three questions:
1) I hear that if you have 20 employees with regular data processing activities, in Germany you are obliged to have a data protection officer. Is that right?

2) To have an employee considered having regular data processing activities, it is sufficient to have access and work with MS Outlook, is that right?

3) Following the ruling regarding the invalidation of Decision 2016/1250, I am very much confused with the requirements. Reading some of the publication of the EDPB, it seems to me hardly feasible anymore to manage GDPR across a small multinational company. Any suggestions?

Expert
Alessandra Nisticò Aug 04, 2020

1) I hear that if you have 20 employees with regular data processing activities, in Germany you are obliged to have a data protection officer. Is that right?

Yes, Section 38 (I) of BDSG lowers the requirement of appointment of a DPO using the powers of Member States to raise the level of protection of individuals' rights. The controller and the processor who constantly employ 20 or more employees in the data processing need to appoint a DPO. Being an obligation of the data controller, it does not matter where the employees are located.

2) To have an employee considered having regular data processing activities, it is sufficient to have access and work with MS Outlook, is that right?

Yes, the German Authority adopted an interpretation of data processing broader than the one adopted in GDPR and it considers as data processing almost everything connected with the use of a personal computer.

3) Following the ruling regarding the invalidation of Decision 2016/1250, I am very much confused with the requirements. Reading some of the publication of the EDPB, it seems to me hardly feasible anymore to manage GDPR across a small multinational company. Any suggestions?

The EDPB in its FAQ on Schrems II decision suggests that if the controller and the processor cannot ensure the same level of protection required from GDPR with Standard contractual clauses or binding corporate rules, they should consider avoiding transfer of data in the US: https://edpb.europa.eu/news/news/2020/european-data-protection-board-publishes-faq-document-cjeu-judgment-c-31118-schrems_en

You can find more information here:

You can consider enrolling in our free EU GDPR Foundations Course
Guest
Guest user Aug 05, 2020

I struggle to understand how to treat remote employees in third countries:

If the company is, let’s say, registered in Germany, and has one employee located and working in a country outside of the EU.

There is no local affiliate or branch office, just this one employee working from home office.

Is this employee considered and treated as an EU-employee like any other employee of the German company?

If not, how is this managed versus GDPR? Any specific contract needed for this employee, …?

Expert
Alessandra Nisticò Aug 07, 2020

If your company is under German law, you will apply German law and GDPR towards all your data processing activities no matter where your employees are located.

From a GDPR point of view, data processed by employees must comply with GDPR requirements wherever your employees are located. Therefore, you should consider your employee as a German or EU employee and require them to follow the same data policy of your organization. This happens because GDPR compliance is an obligation of the data controller who must assess that everyone in its organization complies with it.

There are other aspects of the employment agreement (wage, illness, social security) which may differ from country to country, and for those, you should check with a labor lawyer.
