Insight · Employee data

Cross-Border HR Data Transfers

A U.S. company that acquires or builds a European team often consolidates HR onto a single system at headquarters. That routine act of centralisation is, under European law, an international transfer of personal data, and it needs its own lawful basis on top of everything else the company already does with employee records.

The problem

Why HR data is a transfer, not just processing

Under the GDPR, sending personal data outside the EEA to a country without an adequacy decision is a restricted transfer that requires a specific safeguard. Employee records are personal data, and often sensitive: payroll, performance, health-related absence, and in some cases special-category data. Moving them to a U.S. parent, or even granting U.S. staff access to a European HR system, engages the transfer rules in Chapter V of the GDPR.

Switzerland runs a parallel regime under the revised Federal Act on Data Protection (revFADP), with its own transfer requirements and its own list of countries it considers adequate. A company with both EU and Swiss employees is working under two frameworks at once, and the mechanisms have to satisfy each.

Who this affects

Any U.S. or international group with employees or contractors in the EEA or Switzerland. The exposure is easy to miss because HR consolidation feels internal. But a transfer between a European subsidiary and its U.S. parent is still a transfer between two separate controllers or between a controller and processor, and the law does not treat intra-group flows as exempt.

The lawful mechanisms

For transfers to the United States, companies generally rely on one of a small set of safeguards. The right choice depends on the corporate structure and the volume and sensitivity of the data.

  • The EU–U.S. Data Privacy Framework, where the U.S. importer is certified and the transfer falls within its scope
  • Standard Contractual Clauses, supported by a transfer impact assessment of U.S. law and practice
  • Binding Corporate Rules for larger groups moving data routinely across many entities
  • The Swiss addendum or Swiss-recognised clauses for revFADP transfers, handled alongside the EU mechanism
  • Supplementary technical and organisational measures where the assessment shows the baseline is not enough

Relying on employee consent is rarely a durable answer. Consent in an employment relationship is difficult to treat as freely given, so it tends not to hold up as the sole basis for an ongoing HR transfer.

How Privello approaches it

An HR transfer is not a single document. It is a data map, a chosen mechanism, a transfer impact assessment, updated employee notices, and an agreement between the entities that touch the data. Privello builds that package to match the actual flow, and connects it to the company's underlying GDPR and revFADP foundation rather than treating the transfer in isolation.

See the market-entry program

Scope. Privello LLC is a data-regulation consultancy and is not a law firm. This article is general information, not legal advice, and does not create an attorney–client relationship. Patrick Smith is a U.S.-licensed attorney (State of Texas); his bar admission is stated as a credential only. Where a matter requires formal legal advice, Privello coordinates qualified local counsel.

Begin

Build an HR data flow that holds up

If you are consolidating European employee data onto a U.S. system, tell us how the data moves. We will outline the mechanism that fits and what it takes to stand it up.