European General Data Protection Regulation (GDPR) Updates: How would it affect you in APAC?

How would the New European General Data Protection Regulation (GDPR) affect you as an employer in APAC?

By Carlos Estrada, General Counsel, Asia Pacific

Technological developments entail significant challenges for the protection of personal data. In a world of rapid digitization, data flows have also increased faster than ever before. It is therefore unsurprising to see a global trend towards stricter and more far-reaching regulations whose paramount goal is to enhance individuals’ privacy protection.

What is GDPR?
A good example of the above trend is the relatively recent General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”) which not only increases the threshold of protective measures, but is also directly effective in all EU Member States, as opposed to the current Directive 95/46/EC (which will be repealed by GDPR) (“Directive”), which required country transposition.
 
When is GDPR effective?
GDPR will take effect on 25 May 2018 so, although there is still enough time for companies to adapt their internal processes accordingly, it is highly recommended to create awareness among the relevant stakeholders and initiate actions as soon as practicable.
 
Why is it applicable to you as a Company outside of the EU?
A significant difference between the Directive and GDPR is indeed the broader territorial reach of the latter versus the former. Particularly, Article 3 states that GDPR “(…) applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.” Therefore, this Article expressly states that GDPR applies to data controllers or processors even if they are established outside the EU.
 
Do data subjects need to be European?
Article 3 above does not make data subjects’ nationality the determining factor, but rather whether they “are” in the EU; thus, it refers to EU residents regardless of their nationality.
 
What does “Offering of goods and services to data subjects in the Union” mean?
This means that, for instance, the website of an HR company based in APAC (“APAC Company”) could be subject to GDPR if it targets EU residents as potential candidates, even if it does not charge them any fees for such job search services (as expressly mentioned in the Article). The Court of Justice of the European Union has also already provided certain guidelines on this point, and the determining factor is the company’s intention to target EU citizens: e.g. if the foreign company’s website mentioned the Euro currency (e.g. in the job postings), offered multilingual options (comprising EU languages) or contained any other aspect intended for the exclusive benefit of EU residents, it would then be deemed to target such population, and hence such company would fall under GDPR’s umbrella.
 
What does “Monitoring of data subjects’ behaviour which takes place in the Union” mean?
Such a situation could arise when, hypothetically, an APAC Company provides certain services to clients in the EU which comprise the management of personnel based in the EU. This can be the case when, for instance, such APAC Company provides on-site services to an EU client whereby the APAC Company employs certain individuals under its supervision to provide services at the client’s workplace in the EU.
 
What shall I do if my company falls under one of the above two scenarios?
In the event that an APAC Company’s operations fall under either of the two abovementioned scenarios (i.e. offering services to candidates in the EU or monitoring personnel’s behaviour taking place in the EU), the APAC Company (pursuant to GDPR’s Article 27) shall designate in writing a Representative in the Union.
 
How and who shall I appoint as Representative?
In order to formalise such appointment and ensure proper traceability in the future, the issuance of a board resolution by the foreign company might be advisable. GDPR does not specify whether such representative needs to be an employee of the company, so we would argue that having an external provider (e.g. a law firm or agent) would suffice.
 
Where shall the Representative be based?
The Representative shall be established in the Member State where the data subjects are. This requirement could be relatively easy to apply if the APAC Company’s EU target population is clearly specified or if it is monitoring individuals’ behaviour in a specific country. However, it would be challenging if the target were EU citizens in general or the monitored individuals were based in different countries. In such case, having a single Representative based in any EU Member State covering the entire EU region seems the most logical approach, unless there is a significant volume of services in a specific country – in which case it might be advisable to have a Representative in such country as well, regardless of other Representatives in other Member States.
 
What is the Representative’s main purpose?
The Representative shall be mandated by the controller or processor to be addressed in addition to or instead of the controller or the processor by, in particular, supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with GDPR.
 
Again, and as mentioned above, it would be advisable that the foreign company issues a board resolution containing a complete and express mandate and/or empowerment of the EU Representative. Further, the foreign company shall make sure that it properly discloses the Representative’s contact details (e.g. on the company website) so that he or she is easily reachable, if necessary, by authorities and other stakeholders. It is also important to note that the company would not be exempt from liability in case of the Representative’s breach of GDPR – although the company might still have an action against the Representative, depending on the contractual arrangements in place.
 
Are there any exemptions to the above requirement?
Yes, it is important to note that this requirement does not apply to data processing which: (i) is occasional; (ii) is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; and (iii) does not include, on a large scale, processing of special categories of data (e.g. ethnic origin, sexual orientation, religious beliefs, etc.) or processing of personal data relating to criminal convictions and offences. Nevertheless, some of the foregoing requirements are vague and difficult to determine, which suggests appointing a Representative in any case in order to be on the safe side.
 
What are the penalties for non-compliance?
Administrative fines can reach, in the case of major breaches, up to 4% of the company’s global annual turnover or EUR 20 million. In addition to imposing fines, EU authorities might opt to “name and shame” companies – just as the UK’s ICO is successfully doing – in order to achieve more effective prevention by threatening infringing companies’ reputation.
 
How enforceable is this regulation?
As we have seen, GDPR certainly seems determined to protect EU individuals beyond EU borders, but does it really grant them a real protection mechanism?
Indeed, if individuals feel that a non-EU data processor has breached GDPR, they have the choice to bring an action before the relevant supervisory authority or the courts of the EU Member State where the controller or processor has an establishment (e.g. where the Representative is based) or where the data subject resides. In practice this would mean that the infringing company’s EU Representative will be served notice and represent the company in court.
 
Regarding enforcement by regulatory authorities, the matter is less clear and will probably be further specified as the implementation phase approaches. However, I believe it would be challenging for EU authorities to sanction non-EU companies without proper facilitation through ad hoc bilateral or international agreements.
 
Conclusion
GDPR sets an unprecedented compliance threshold, to the extent that even non-EU companies are subject to certain data protection compliance requirements.
 
Considering the incessant advancement of technology, data protection regulations will certainly remain and even be further strengthened. This means that companies must be aware of significant new regulatory developments occurring on a global scale and adjust their practices accordingly, not only to be compliant but also to stay competitive.