Processing of Personal Data in Body Leasing – What You Need to Know

Date: Dec 3, 2024 | Compliance, Employees

Body leasing, also known as employee outsourcing, involves one company hiring specialists to work for another company. It has become an increasingly popular solution in the labor market. Like any activity involving the flow of personal data, it requires adherence to the principles set out in the GDPR. This article highlights the key aspects of personal data protection in the context of body leasing agreements.

Roles of the Data Controller and Processor

In body leasing, the most important aspect from the perspective of data protection laws is the proper identification of roles in the data processing chain, taking into account the provisions of data protection regulations, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation or GDPR).

Roles in Personal Data Processing

In body leasing, it is crucial to clearly define who acts as the data controller and who serves as the data processor.

  • Data Controller: The entity that independently determines the purposes and means of processing personal data.
  • Data Processor: An entity that processes personal data on behalf of the controller in accordance with the controller’s instructions.

The purpose of processing personal data is decisive. If the company using the services (the recipient) defines separate purposes for processing (e.g., onboarding, participation in internal projects), it acts as an independent controller. However, there are exceptions to this rule in the context of employing specialists through employee outsourcing:

  • The Leasing Company:
    • Is the employer of the seconded employee and acts as the controller of their personal data, such as their name, surname, contact details, and other data required under labor laws or specific regulations.
    • Bears labor law responsibilities, including ensuring GDPR compliance as an independent controller.
  • The Service Recipient (Client):
    • If it determines the purposes of processing the employee’s data (e.g., onboarding, participation in internal projects), it becomes an independent controller.
    • Although the employee’s data is processed as part of arrangements with the leasing company, a data processing agreement is not required if the recipient independently determines the purposes of processing, as it acts as a separate controller.

When Is a Data Processing Agreement Necessary?

A data processing agreement is required if the seconded employee uses the leasing company’s infrastructure (e.g., equipment, IT systems, software) to perform services that involve processing personal data on behalf of the leasing company’s client.

This occurs when the employee, while providing services to an external company (the client), uses resources of the leasing company. Consequently, the leasing company may gain access to data controlled by the client (including personal data) through the employee’s use of the leasing company’s IT system or other resources linked to processing data as defined by the GDPR. In this case, a data processing agreement is necessary since access to personal data arises from the need to fulfill the client’s objectives (delivering the service or the specialist’s work results).

As for other aspects related to the processing of the specialists’ personal data (e.g., onboarding, ensuring occupational health and safety, or maintaining working hour records), the service recipient independently determines the purposes and means of processing, thus acting as an independent controller.

Key Considerations in Body Leasing

When entering into a body leasing agreement, ensure the following:

  1. Authorizations for Data Processing: The seconded employee should receive authorization from the entity whose infrastructure they will use for processing personal data (e.g., if using the leasing company’s infrastructure, it should grant the authorization).
  2. Transparency and Informational Obligations: The leasing company must inform the seconded employee about the processing of their data in the context of cooperation with the client.
  3. GDPR Documentation: A lack of clear internal regulations by the leasing company or the client using the specialist’s services can lead to non-compliance. Necessary documents include a data protection policy, authorization procedures, a record of processing activities, and information clauses.

Alternative Models of Using Employees in Business Relationships

Apart from body leasing, other models exist to acquire skilled personnel for projects without directly employing them under labor law regulations. One common alternative is engaging temporary employment agencies that delegate workers to the end user.

In such cases, there is no need for data processing agreements, as each party acts as an independent data controller. While there are similarities between these models, employees from temporary agencies may differ in specialization profiles compared to IT specialists, who are more often engaged through body leasing, as IT services can typically be provided remotely using electronic communication tools.

Summary

Body leasing offers a flexible way to quickly engage specialists. To ensure compliance with the law, it is essential to analyze the flow of personal data, clearly define the roles of the parties, and provide appropriate documentation. The purpose of processing data is key to determining who acts as the controller and who serves as the processor.

A well-prepared body leasing agreement and a proper approach to data protection minimize legal risks and enhance cooperation efficiency. In case of doubts, consult a data protection expert or legal professional.

 
