European General Data Protection Regulation (GDPR) Updates: How would it affect you in APAC?

How would the New European General Data Protection Regulation (GDPR) affect you as an employer in APAC?

By Carlos Estrada, General Counsel, Asia Pacific

Technological developments entail significant challenges for the protection of personal data. In a world of rapid digitization, data flows have increased faster than ever before. It is therefore unsurprising to see a global trend towards stricter and more far-reaching regulations whose paramount goal is to enhance individuals’ privacy protection.

What is GDPR?
A good example of the above trend is the relatively recent General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”), which not only increases the threshold of protective measures but is also directly effective in all EU Member States, as opposed to the current Directive 95/46/EC (“Directive”), which required country transposition and which will be repealed by GDPR.
 
When is GDPR effective?
GDPR will take effect on 25 May 2018 so, although there is still enough time for companies to adapt their internal processes accordingly, it is highly recommended to create awareness among the relevant stakeholders and initiate actions as soon as practicable.
 
Why is it applicable to you as a Company outside of the EU?
A significant difference between the Directive and GDPR is the broader territorial reach of the latter. In particular, Article 3 states that GDPR “(…) applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.” This Article therefore expressly states that GDPR applies to data controllers or processors even if established outside the EU.
 
Do data subjects need to be European?
Article 3 above does not treat data subjects’ nationality as the determining factor but rather whether they “are” in the EU; thus, it refers to EU residents regardless of their nationality.
 
What does “Offering of goods and services to data subjects in the Union” mean?
This means that, for instance, the website of an HR company based in APAC (“APAC Company”) could be subject to GDPR if it targets EU residents as potential candidates, even if it does not charge them any fees for such job search services (as expressly mentioned in the Article). The Court of Justice of the European Union has already provided certain guidelines on this point, and the determining factor is the company’s intention to target EU citizens. For example, if the foreign company’s website mentioned Euro currency (e.g. in the job postings), offered multilingual options (comprising EU languages) or contained any other aspect which was intended for the exclusive benefit of EU residents, it would be deemed to target such population, and the company would therefore fall under GDPR’s umbrella.
 
What does “Monitoring of data subjects’ behaviour which takes place in the Union” mean?
Such a situation could arise when, hypothetically, an APAC Company provides certain services to clients in the EU which comprise the managing of personnel based in the EU. This can be the case when, for instance, such APAC Company provides on-site services to an EU client whereby the APAC Company employs certain individuals under its supervision to provide services in the client’s workplace based in the EU.
 
What shall I do if my company falls under one of the above two scenarios?
In the event that an APAC Company’s operations fall under either of the two abovementioned scenarios (i.e. offering services to candidates in the EU or monitoring personnel’s behaviour taking place in the EU), the APAC Company (pursuant to GDPR’s Article 27) shall designate in writing a Representative in the Union.
 
How and who shall I appoint as Representative?
In order to formalise such appointment and ensure proper traceability in the future, the issuance of a board resolution by the foreign company might be advisable. GDPR does not specify whether such representative needs to be an employee of the company, so we would argue that having an external provider (e.g. law firm or agent) would suffice.
 
Where shall the Representative be based?
The representative shall be established in the Member State where the data subjects are. This requirement could be relatively easy to apply if the APAC Company’s EU target population is clearly specified or if it is monitoring individuals’ behaviour in a specific country. However, it would be challenging if the target were EU citizens in general or if the monitored individuals are based in different countries. In such case, having a single representative based in any EU Member State covering the entire EU region seems the most logical approach, unless there is a significant volume of services in a specific country, in which case it might be advisable to have a representative in such country as well, regardless of other representatives in other Member States.
 
What is the Representative’s main purpose? 
The Representative shall be mandated by the controller or processor to be addressed in addition to or instead of the controller or the processor by, in particular, supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with GDPR.
 
Again, and as mentioned above, it would be advisable that the foreign company issues a board resolution containing a complete and express mandate and/or empowerment to the EU Representative. Further, the foreign company shall make sure that it properly discloses the Representative’s contact details (e.g. on the company website, etc.) so that he or she can be easily reached if necessary by authorities and other stakeholders. It is also important to note that the company would not be exempt from liability in case of the Representative’s breach of GDPR, although the company might still have an action against the Representative depending on the contractual arrangements in place.
 
Are there any exemptions to the above requirement?
Yes, it is important to note that this requirement does not apply to data processing which: (i) is occasional; (ii) is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; and (iii) does not include, on a large scale, processing special categories of data e.g. ethnic origin, sexual orientation, religious beliefs, etc., or processing of personal data relating to criminal convictions and offences. Nevertheless, some of the foregoing requirements are vague and difficult to determine, which suggests appointing a Representative in any case in order to be on the safe side.
 
What are the penalties for non-compliance? 
Administrative fines can reach, in the case of major breaches, up to 4% of the company’s global annual turnover or EUR 20 million. In addition to imposing fines, EU authorities might opt to “name and shame” companies, just as the UK’s ICO is successfully doing, in order to achieve more effective prevention by threatening infringing companies’ reputation.
 
How enforceable is this regulation?
As we have seen, GDPR seems determined to protect EU individuals beyond EU borders, but does it really grant them a real protection mechanism?
Indeed, in case individuals feel that the non-EU data processor has breached GDPR, they have the choice to bring an action before the relevant supervisory authority or the courts of the EU Member State where the controller or processor has an establishment (e.g. where the representative is based) or where the data subject resides. This would practically mean that the infringing company’s EU representative will be served notice and represent the company in court.
 
Regarding enforcement by regulatory authorities, the matter is less clear and is still to be further specified, probably as the implementation phase approaches. However, I believe it would be challenging for EU authorities to sanction non-EU companies without proper facilitation through ad hoc bilateral or international agreements.
 
Conclusion
GDPR sets an unprecedented compliance threshold, to the extent that even non-EU companies are subject to certain data protection compliance requirements.
 
Considering the incessant advancement of technology, data protection regulations will certainly remain and even be further enhanced. This means that companies must be aware of significant new regulatory developments occurring at a global scale and adjust their practices accordingly, not only to be compliant but also to stay competitive.
 
 
