The European Union's General Data Protection Regulation ("GDPR") is arguably the most comprehensive - and complex - data privacy regulation in the world. Although the GDPR went into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.
To help address that confusion, Bryan Cave Leighton Paisner is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.
Question: Does the GDPR apply to the personal data of a European employee that works and resides in the United States?
If a company is subject to the general jurisdiction of the GDPR because it is processing personal data in the context of an establishment within the European Union, the GDPR purports to apply to all personal data processed by the company. This would include any personal data relating to a European citizen that currently works or resides in the United States under a United States work permit or visa. So, for example, the GDPR arguably would apply in the following situations:
(1) an individual is employed by a European-based company (even if the individual works remotely from the United States),
(2) the HR department that is responsible for the individual is in Europe, or major employment-related decisions concerning the individual are made from Europe, or
(3) the HR data of the individual is centralized in Europe.
If a company is not subject to the jurisdiction of the GDPR, or is subject to the extraterritorial jurisdiction of the GDPR because it is either offering goods or services to, or monitoring the behavior of, “data subjects in the Union,” the GDPR would most likely not apply to the data of a European employee that is working and residing in the United States.
The net result is that whether the GDPR attaches does not depend as much on the citizenship of the employee as it does upon the activities of the employer.