Data Protection in the Context of Working Abroad: Key Considerations

| Date: Sep 11, 2024 | Compliance, Employees

Working abroad, particularly remote work and assignments outside the EU/EEA, requires careful attention to data protection. Cross-border data transfers and the use of mobile devices (laptops, phones) and other technologies outside the employer's own environment call for special precautions.

Below are key issues related to data protection in this context.


  1. Data Protection Principles. When working abroad, the following GDPR data protection principles (Article 5) must be observed:

    • Lawfulness and Transparency: Processing of EU clients' personal data by an employee working outside the EEA must rest on a clear legal basis (e.g., a contract), and the processing must be transparent (understandable) to the clients, including fulfilment of the information obligations.
    • Purpose Limitation: Personal data may be used only for the purposes specified in the contract, such as fulfilling orders, and not for any other purpose that has not been agreed.
    • Data Minimization: Access to personal data should be limited to what the job actually requires, for example only email addresses or phone numbers where those are needed.
    • Accuracy: Data must be kept up to date, errors must be reported, and the remote work tools must allow data to be corrected or the need for correction to be reported to the company.
    • Storage Limitation: After cooperation with an EU client ends, the data should be deleted or anonymized, or retained only in accordance with the company's data retention policy.
    • Integrity and Confidentiality: Security measures such as encryption must be applied to protect data from unauthorized access and loss, taking into account the risks specific to remote work.
    • Accountability: The company must be able to demonstrate compliance with the GDPR principles, including through contracts and data protection policies.

    Observing these principles is essential for data protection in international remote work. The employer is obliged to ensure that they are respected before allowing the employee to work remotely.

  2. Technical Data Security. In remote work it is crucial to apply appropriate technical safeguards to the computers and phones used. Security measures should be matched to the threats (identified risks) associated with remote work. There is no universal list of measures that guarantees GDPR compliance, because the GDPR follows a risk-based approach: appropriate and effective measures should be preceded by a risk analysis that takes into account the specific ways work is carried out within the company.

    Depending on the destination country in which the employee will work remotely (e.g., during a "workation"), the safeguards must be adjusted to the threats the employee may face there. For example, to protect data integrity, additional techniques against data loss or unauthorized modification should be considered. Where the risk comes from unreliable network providers or telecommunications services, the employer may issue recommendations on the safe use of Internet access points abroad, covering password quality and the types of network connections that may be used.

    Standard methods for enhancing the security of remote work include:

    • Encrypted connections (TLS, the successor to SSL): to secure data transmitted over the Internet.
    • VPN: to provide a secure connection to the company's network.
    • Two-Factor Authentication (2FA): additional protection during login, beyond the password alone.
    • Device encryption and password management: to prevent unauthorized access to devices and accounts.

    The measures above are only examples. A risk analysis for working abroad should also consider whether the legal system of the destination country guarantees telecommunications secrecy, where it draws the boundaries of privacy protection, and what level of personal data protection it provides (for example, whether the European Commission has issued an adequacy decision for that third country, confirming that it ensures adequate data protection).

  3. Remote Employees or Employees on Assignment and Data Transfers. The GDPR must be considered not only for remote work abroad but also for employee assignments outside the EEA. Because an employee working remotely acts on the basis of the employer's authorization, there will not always be a transfer of personal data outside the EEA. However, if such a transfer does occur (e.g., some of the employee's personal data is shared with a contractor outside the EEA in connection with a business trip, such as vaccination data required by the law of the third country), an appropriate legal basis for the transfer must be applied, such as:

    • Adequacy Decision: issued by the European Commission, confirming that the third country receiving the data ensures an adequate level of data protection.
    • Standard Contractual Clauses (SCC): contractual safeguards for the transfer, based on the templates adopted by the European Commission.
    • Article 49 GDPR derogations: the personal data of an employee sent on assignment outside the EEA may also be transferred to a third country in specific situations if the conditions of Article 49 are met, for example on the basis of the individual's explicit consent, or where the transfer is necessary for the performance of a contract to which they are a party (such as the employment contract or a contract for the provision of services). These derogations allow a transfer even where the destination country does not ensure an adequate level of data protection, but they are intended for occasional transfers and not as a routine mechanism.

    In exceptional situations, a transfer may be based on the employee's consent. Relying on consent, however, can undermine the employer's objectives, particularly for assignments: consent must be freely given and can be withdrawn at any time, which is difficult to reconcile with the imbalance of an employment relationship. Business trips to countries outside the EEA are often an integral part of an employee's duties, carried out "on the employer's instruction." Where possible, it is therefore recommended not to collect consent for such transfers and instead to rely on the performance of the contract with the assigned employee as the legal basis.

  4. Data Transfers within Corporate Groups. According to Recital 48 of the GDPR, controllers that belong to a group of undertakings may have a legitimate interest in transmitting personal data within the group for internal administrative purposes. The transfer of employee data between companies within a corporate group can therefore be based on the employer's legitimate interest, such as the pursuit of business objectives, including informing other group companies about employees. However, a transfer to a third country (outside the EU/EEA) still has to comply with the general rules on transfers outside the EEA, which may mean concluding standard contractual clauses or using another mechanism provided for by the GDPR between the companies in the group.

  5. Other Remote Work Requirements in the Labour Code / GDPR. The Polish Labour Code obliges employers to implement data protection procedures for remote work, or to update the work regulations to reflect the rules on personal data protection. The employer must ensure technical and organizational measures that protect data during remote work, such as encryption, VPNs, or password management.

    It is also important to carry out a risk analysis for remote work and to implement appropriate security measures in line with the Privacy by Design / Privacy by Default approach.

  6. Conclusion. It should be noted that an employee working remotely outside the EEA is not a recipient of personal data within the meaning of the GDPR. A recipient may be, for example, an entity with which we have signed a data processing agreement, a separate data controller (e.g., our client outside the EEA), or a subcontractor. An entity acting on behalf of the controller, such as an employee acting within the controller's organizational structure, is not a recipient.

    In these cases there is therefore no need to legitimize a transfer outside the EEA with the instruments of Chapter V of the GDPR; the focus should instead be on the risk analysis of the data flows involved and on implementing appropriate technical security measures. It is also crucial to consider the destination country: the employer is not obliged to approve every country, in particular those that do not provide an adequate level of data protection. Unfortunately, not all information security risks (including trade secret espionage or surveillance by local authorities) can be eliminated, and the legal system of the third country may not adequately protect telecommunications secrecy, privacy rights, or trade secrets.

    Where employees are sent on assignment to distant locations, it should also be remembered that the employee must be informed, in accordance with Articles 12 and 13 of the GDPR, about the legal basis for processing their data, the planned transfer of the data outside the EEA, and the recipients of the data outside the EEA or at least the categories of such recipients (including any contractors outside the EEA that our employee will visit during business trips).
