Does GDPR Apply to You?

A big thanks to Todd for stepping in last month and writing such a wonderful cat-themed post. His blog on global drug testing facts was very timely. We have received many requests this past year for international drug screening services; it seems to be a topic in the forefront of many employers’ minds.

So on to this month’s post. Grab yourself a comfy spot with my Boris and brush up on some of the latest draft guidance from the EDPB (European Data Protection Board). 

KGSTDecBlog Image Boris 1024x768 - Does GDPR Apply to You?
Boris in rapt attention of yet another lecture on GDPR.

The EDPB, a name that rolls off the tongue just as easily as the former Article 29 Working Party, which it replaced, is a legal body of the European Union. It was established by Section 3 of the GDPR (General Data Protection Regulation). It consists of a head of a supervisory authority of each Member State and the European Data Protection Supervisor, or their representatives. The European Commission may participate in the activities of the EDPB but has no voting rights.

The mission of the EDPB is to ensure the consistent application of the GDPR within the EU. One notable difference between the EDBP and the Article 29 Working Party, is the EDPB can make binding decisions, where the Article 29 Working Party could not. The EDPB provides guidance and opinions on GDPR and advises the European Commission on data protection issues and proposed legislation.

If the EDPB speaks, it is wise to listen.

The EDPB endorsed several of the Article 29 Working Party Guidelines. Many of these are important for employers and screeners to understand. The Guidelines are available here: https://edpb.europa.eu/our-work-tools/general-guidance/gdpr-guidelines-recommendations-best-practices_en. Topics such as consent, breach notification, and records of processing activities are relevant to screening activities and provide clarification on how GDPR should be applied and interpreted.

In November, the EDPB published draft Guidelines on Article 3 of GDPR, which addresses the territorial scope of GDPR—specifically answering the question of whether you are or are not covered by GDPR. These Draft Guidelines are helpful in several ways. The document provides examples of situations when an organization not in the EU is or is not covered by GDPR. Example 13 on page 16 of the Draft goes as far as stating, “human resources management, including salary payment by a third-country company cannot be considered as an offer of service within the meaning of Art 3(2)a. The processing at stake does not relate to the offer of goods or services to data subjects in the Union (nor to the monitoring of behaviour) and, as a consequence, is not subject to the provisions of the GDPR, as per Article 3.” This example may help organizations understand if the screening they conduct (if they are an employer) or the services provided (if they are a screening provider) fall under GDPR. The Draft also discusses the designation of a Representative (required if the entity processing personal information is covered by GDPR but does not have an establishment in the EU, unless they meet the exemption requirements). There has been considerable discussion about the Representative requirement in the privacy community and clarity around the role of the Representative and requirements of having one is welcomed.

Keep the EDPB’s website easily accessible, as they are likely to be very active: https://edpb.europa.eu/edpb_en. And take a look at the Draft Guidelines on territorial scope. It’s not a difficult read. I also highly recommend following the web pages of your favorite Data Protection Authority. The UK’s Information Commissioner’s Office (https://ico.org.uk/) has a wealth of information in their site, as do many other Data Protection Authorities.

By the way, if your company is an NAPBS member, and you are interested in learning more about GDPR, consider joining the Task Force to provide a response to the recent EDPB Guidelines on Territorial Scope. Contact info@napbs.com for more information.

[1] https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN
team image1 - Does GDPR Apply to You?

Kerstin Bagus – Director, Global Initiatives
Kerstin Bagus supports ClearStar’s Global Screening Program as its Director of Global Initiatives. She has more than 30 years of background screening industry experience, working for a variety of firms, large and small. Kerstin is one of the few individuals in the industry who is privacy-certified through the International Association of Privacy Professionals (IAPP) for Canada, the EU, and the U.S. 
Kerstin is a passionate participant in the National Association of Professional Background Screeners (NAPBS) and is a current member of the Board, in addition to participating on several committees. She also participates on IFDAT’s Legal Committee, with a primary focus on global data privacy. 

At ClearStar, we are committed to your success. An important part of your employment screening program involves compliance with various laws and regulations, which is why we are providing information regarding screening requirements in certain countries, region, etc. While we are happy to provide you with this information, it is your responsibility to comply with applicable laws and to understand how such information pertains to your employment screening program. The foregoing information is not offered as legal advice but is instead offered for informational purposes. ClearStar is not a law firm and does not offer legal advice and this communication does not form an attorney client relationship. The foregoing information is therefore not intended as a substitute for the legal advice of a lawyer knowledgeable of the user’s individual circumstances or to provide legal advice. ClearStar makes no assurances regarding the accuracy, completeness, or utility of the information contained in this publication. Legislative, regulatory and case law developments regularly impact on general research and this area is evolving rapidly. ClearStar expressly disclaim any warranties or responsibility or damages associated with or arising out of the information provided herein.

Let’s start a conversation

contact Contact