DPO, e-mail and transfer of data to third countries
We are a German technology startup company approaching 20 employees spread over the world (Europe, Asia, Australia).
Actually, I have three questions:
1) I hear that if you have 20 employees with regular data processing activities, in Germany you are obliged to have a data protection officer. Is that right?
2) To have an employee considered having regular data processing activities, it is sufficient to have access and work with MS Outlook, is that right?
3) Following the ruling regarding the invalidation of Decision 2016/1250, I am very much confused with the requirements. Reading some of the publications of the EDPB, it seems to me hardly feasible anymore to manage GDPR across a small multinational company. Any suggestions?
1) I hear that if you have 20 employees with regular data processing activities, in Germany you are obliged to have a data protection officer. Is that right?
Yes, Section 38 (I) of BDSG lowers the requirement of appointment of a DPO using the powers of Member States to raise the level of protection of individuals' rights. The controller and the processor who constantly employ 20 or more employees in the data processing need to appoint a DPO. Being an obligation of the data controller it does not matter where the employees are located.
2) To have an employee considered having regular data processing activities, it is sufficient to have access and work with MS Outlook, is that right?
Yes, the German Authority adopted an interpretation of data processing broader than the one adopted in GDPR and it considers as data processing almost everything connected with the use of a personal computer.
3) Following the ruling regarding the invalidation of Decision 2016/1250, I am very much confused with the requirements. Reading some of the publications of the EDPB, it seems to me hardly feasible anymore to manage GDPR across a small multinational company. Any suggestions?
The EDPB in its FAQ on the Schrems II decision suggests that if the controller and the processor cannot ensure the same level of protection required from GDPR with Standard contractual clauses or binding corporate rules, they should consider avoiding transfer of data in the US: https://edpb.europa.eu/news/news/2020/european-data-protection-board-publishes-faq-document-cjeu-judgment-c-31118-schrems_en
You can find more information here:
- 3 steps for data transfers according to GDPR: https://advisera.com/articles/3-steps-for-data-transfers-according-to-gdpr/
You can consider enrolling in our free EU GDPR Foundations Course
- EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
I struggle to understand how to treat remote employees in third countries:
If the company is, let’s say, registered in Germany, and has one employee located and working in a country outside of the EU.
There is no local affiliate or branch office, just this one employee working from home office.
Is this employee considered and treated as an EU-employee like any other employee of the German company?
If not, how is this managed versus GDPR? Any specific contract needed for this employee, …?
If your company is under German law, you will apply German law and GDPR towards all your data processing activities no matter where your employees are located.
From a GDPR point of view, data processed by employees must comply with GDPR requirements wherever your employees are located. Therefore, you should consider your employee as a German or EU employee and require following the same data policy of your organization. This happens because GDPR compliance is an obligation of the data controller who must assess that everyone in its organization complies with it.
There are other aspects of the employment agreement (wage, illness, social security) which may differ from country to country, and for those, you should check with a labor lawyer.
Aug 07, 2020