Insight · Employee data
Cross-Border HR Data Transfers
A U.S. company that acquires or builds a European team often consolidates HR onto a single system at headquarters. That routine act of centralisation is, under European law, an international transfer of personal data, and it needs its own lawful basis on top of everything else the company already does with employee records.
The problem
Why HR data is a transfer, not just processing
Under the GDPR, sending personal data outside the EEA to a country without an adequacy decision is a restricted transfer that requires a specific safeguard. Employee records are personal data, and often sensitive: payroll, performance, health-related absence, and in some cases special-category data. Moving them to a U.S. parent, or even granting U.S. staff access to a European HR system, engages the transfer rules in Chapter V of the GDPR.
Switzerland runs a parallel regime under the revised Federal Act on Data Protection (revFADP), with its own transfer requirements and its own list of countries it considers adequate. A company with both EU and Swiss employees is working under two frameworks at once, and the mechanisms have to satisfy each.
Who this affects
Any U.S. or international group with employees or contractors in the EEA or Switzerland. The exposure is easy to miss because HR consolidation feels internal. But a transfer between a European subsidiary and its U.S. parent is still a transfer between two separate controllers or between a controller and processor, and the law does not treat intra-group flows as exempt.
The lawful mechanisms
For transfers to the United States, companies generally rely on one of a small set of safeguards. The right choice depends on the corporate structure and the volume and sensitivity of the data.
- The EU–U.S. Data Privacy Framework, where the U.S. importer is certified and the transfer falls within its scope
- Standard Contractual Clauses, supported by a transfer impact assessment of U.S. law and practice
- Binding Corporate Rules for larger groups moving data routinely across many entities
- The Swiss addendum or Swiss-recognised clauses for revFADP transfers, handled alongside the EU mechanism
- Supplementary technical and organisational measures where the assessment shows the baseline is not enough
Relying on employee consent is rarely a durable answer. Consent in an employment relationship is difficult to treat as freely given, so it tends not to hold up as the sole basis for an ongoing HR transfer.
How Privello approaches it
An HR transfer is not a single document. It is a data map, a chosen mechanism, a transfer impact assessment, updated employee notices, and an agreement between the entities that touch the data. Privello builds that package to match the actual flow, and connects it to the company's underlying GDPR and revFADP foundation rather than treating the transfer in isolation.
Begin
Build an HR data flow that holds up
If you are consolidating European employee data onto a U.S. system, tell us how the data moves. We will outline the mechanism that fits and what it takes to stand it up.