GDPR and Data Protection for Global Teams

Legal & Compliance · 6 min read

The General Data Protection Regulation (GDPR) is the European Union's comprehensive data protection law. It applies to any organization that processes personal data of individuals in the EU, regardless of where the organization is based. For companies hiring internationally through an EOR, understanding GDPR obligations is essential.

GDPR and International Employment

When you hire employees in the EU through an EOR like Flamingo, GDPR governs how their personal data must be handled. This creates a specific allocation of roles:

  • Your company — typically acts as the data controller, determining what data is collected and why
  • Flamingo (the EOR) — acts as either a data processor (processing data on your behalf) or a joint controller (for employment-related processing mandated by law)
  • The employee — is the data subject with specific rights over their personal data

Flamingo has Data Processing Agreements (DPAs) in place with all clients to formalize these roles and responsibilities.

Your Obligations as an Employer

Even when using an EOR, you retain certain data protection obligations:

  • Lawful basis — ensure you have a valid legal basis for processing employee data (typically contract performance or legitimate interest)
  • Data minimization — only collect and request employee data that is necessary for the employment relationship
  • Transparency — employees must be informed about what data you collect, why, and how it's processed. Flamingo provides standard employee privacy notices
  • Purpose limitation — data collected for employment purposes cannot be repurposed for unrelated activities without additional consent
  • Security — implement appropriate technical and organizational measures to protect employee data within your own systems

Types of Employee Data Under GDPR

Employee data under GDPR falls into several categories with increasing sensitivity:

  • Standard personal data — name, address, email, phone number, date of birth. Subject to standard GDPR protections
  • Financial data — salary, bank account details, tax identification numbers. Requires enhanced security measures
  • Special category data (Article 9) — health data (sick leave, medical certificates), trade union membership, biometric data. Requires explicit consent or a specific legal exemption
  • Criminal record data (Article 10) — background check results. Can only be processed under specific legal authorization

Cross-Border Data Transfers

When employee data flows between countries — which is inherent in international employment — GDPR Chapter V applies. Transfers outside the EEA require a valid transfer mechanism:

  • Adequacy decisions — the European Commission has recognized certain countries (Japan, South Korea, UK, Canada for commercial organizations, and others) as providing adequate data protection. Transfers to these countries can proceed without additional transfer safeguards
  • Standard Contractual Clauses (SCCs) — the most commonly used mechanism for transfers to countries without adequacy decisions, including the United States. Flamingo includes SCCs in all relevant data processing agreements
  • Supplementary measures — following the Schrems II ruling, organizations relying on SCCs must also carry out a transfer impact assessment of whether the destination country's laws undermine the protection the clauses provide, and implement additional safeguards (encryption, pseudonymization, access restrictions) if needed

Data Breach Response

GDPR mandates specific actions in the event of a personal data breach:

  1. Detect and assess — determine the scope, nature, and potential impact of the breach
  2. Notify the supervisory authority — within 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to individuals' rights and freedoms
  3. Notify affected individuals — without undue delay if the breach is likely to result in a high risk to their rights and freedoms
  4. Document and remediate — record all breaches (even those that don't require notification) and take steps to prevent recurrence

Flamingo maintains an incident response plan and will work with you to fulfill breach notification obligations.

Frequently Asked Questions

Does GDPR apply if my company is based in the US?

Yes. GDPR applies based on the location of the data subjects (your EU employees), not the location of your company. If you have employees in the EU, you must comply with GDPR for their personal data.

Can I use US-based tools to manage EU employee data?

Yes, provided you have appropriate transfer mechanisms in place (typically SCCs) and conduct a transfer impact assessment. The EU-US Data Privacy Framework also provides a valid transfer mechanism for certified US companies.