Article / Compliance

GDPR and Cross-Border Employment: A Compliance Guide for Employers

Juan Fernandez Updated 3 July 2026 8 min read
Learn the importance of GDPR compliance for non-EU countries and how to minimise the risks associated with cross-border employment.

If your organisation employs, contracts or even recruits people in the European Union, the General Data Protection Regulation (GDPR) almost certainly applies to you — wherever your company is based. Running payroll, holding contracts, storing CVs, tracking performance or managing benefits all involve processing the personal data of people in the EU, and that is exactly what GDPR governs. This guide explains what cross-border employers actually have to do: when the regulation reaches you, how to move employee data across borders lawfully, which legal basis to rely on, the rights your staff can exercise, the penalties for getting it wrong, and how an Employer of Record removes most of the burden.

What GDPR means for employers

GDPR (Regulation (EU) 2016/679, in force since 25 May 2018) sets the rules for how organisations collect, use, store and share the personal data of individuals in the EU. In an employment context, “personal data” is everything from names, addresses and bank details to salary, tax IDs, performance reviews, health records and location data. The employer is usually the data controller — the party that decides why and how that data is processed — and carries the legal responsibility for compliance. Since Brexit the UK runs its own near-identical “UK GDPR”, so a company with staff in both the EU and the UK is subject to both regimes.

Does GDPR apply to US (and other non-EU) companies?

Yes — and this is the point most foreign employers get wrong. Under Article 3, GDPR applies to organisations with no EU establishment whenever they process the data of people who are in the EU in connection with offering them goods or services, or monitoring their behaviour. Employing someone located in the EU squarely triggers it. A US, Indian or Australian company with a single remote employee in Germany or Spain is processing that person’s data and must comply.

Two nuances matter. First, it is about location, not citizenship: an American citizen working from Paris is protected, while a French citizen you employ in New York generally is not. Second, GDPR does not require you to have an office, servers or any physical presence in Europe — the obligation follows the data, not the entity.

What counts as a cross-border data transfer?

The moment employee data collected in the EU is sent to, stored in, or made accessible from a country outside the European Economic Area (EEA), you have made an international transfer. This happens constantly and often invisibly: pushing an EU hire’s details into a US-hosted HR platform, letting a head-office team in Mumbai view payroll reports, or backing data up to servers outside Europe. Chapter V of the GDPR restricts these transfers — you need a lawful transfer mechanism for each one.

Transfer mechanisms you can rely on

There are three main routes to move employee data out of the EEA lawfully:

  • Adequacy decision. The European Commission has ruled that certain countries (e.g. the UK, Switzerland, Canada, Japan) offer “adequate” protection, so transfers there need no extra safeguards. For the United States, the EU-US Data Privacy Framework (DPF), adopted in July 2023, provides adequacy — but only for US organisations that self-certify to it. If your US receiver is not DPF-certified, you cannot rely on adequacy.
  • Standard Contractual Clauses (SCCs). The default tool for most transfers: EU-approved model contract clauses (modernised in June 2021) signed between the EU exporter and the non-EEA importer. The UK uses its own International Data Transfer Agreement (IDTA) or an addendum to the EU SCCs.
  • Derogations. Narrow, exceptional grounds under Article 49 (such as explicit consent or necessity for a contract) — not a basis for routine, ongoing HR transfers.

Schrems II and transfer impact assessments

The Court of Justice’s 2020 “Schrems II” ruling struck down the old EU-US Privacy Shield and confirmed that SCCs alone are not always enough. Where you rely on SCCs, you must also run a transfer impact assessment (TIA) — evaluating whether the destination country’s laws (for example, government surveillance powers) undermine the protection, and adding “supplementary measures” such as encryption where they do. Even with the DPF now in place for the US, this assessment discipline remains the standard of care for transfers outside adequacy.

Every act of processing needs a lawful basis under Article 6. The instinct is to ask employees to “consent”, but for staff data that is the wrong choice. Because of the power imbalance between employer and employee, regulators (and the European Data Protection Board) treat consent as rarely “freely given” — and it can be withdrawn at any time, leaving you exposed. In practice, employers should rely on:

  • Performance of the contract (Article 6(1)(b)) — data you genuinely need to pay and manage the employee.
  • Legal obligation (Article 6(1)(c)) — tax, social security and employment-law reporting.
  • Legitimate interests (Article 6(1)(f)) — balanced against the employee’s rights, for things like IT security.

Special category data — health, biometric, trade-union membership and similar — is more tightly restricted under Article 9 and generally requires a specific condition, such as complying with employment-law obligations, rather than consent.

Employee data rights you must be ready to handle

GDPR gives your EU staff enforceable rights over their data, and employers must be able to act on them — usually within one month. The most common in an employment context is the Data Subject Access Request (DSAR): an employee (often a disgruntled or departing one) can demand a copy of all personal data you hold about them. You also have to honour rights to rectification, erasure, restriction, portability and objection, and be transparent up front through an employee privacy notice. Failing to respond properly to a DSAR is one of the most frequent triggers for complaints to data-protection authorities.

Do you need a DPO or an EU representative?

Two structural obligations catch out cross-border employers:

  • Data Protection Officer (DPO). Required under Article 37 only if your core activities involve large-scale, regular and systematic monitoring, or large-scale processing of special category data. A company employing a handful of people in the EU usually does not need one — but should still assign clear accountability for compliance.
  • EU representative. This is the commonly missed one: under Article 27, a controller with no EU establishment that processes EU residents’ data on more than an occasional basis must appoint a representative located in the EU to act as a contact point for authorities and data subjects. A US company employing EU staff frequently falls into this requirement.

Penalties: what non-compliance actually costs

GDPR fines run to a maximum of €20 million or 4% of total worldwide annual turnover, whichever is higher, for the most serious breaches (a lower tier caps at €10 million or 2%). These are not theoretical. In 2023 Meta was fined €1.2 billion for unlawfully transferring EU user data to the United States, and in 2024 the Dutch regulator fined Uber €290 million for transferring European drivers’ personal data to the US without adequate safeguards — a cross-border HR-data case that maps directly onto the risks above. Beyond fines, non-compliance brings enforcement orders, reputational damage and the practical cost of unwinding non-compliant data flows.

GDPR compliance across the employee lifecycle

Compliance is not a one-off task; the obligations run from first contact to final offboarding:

  • Recruitment: lawful handling and retention of applicant CVs and interview notes.
  • Onboarding: collecting only necessary data, issuing a clear privacy notice, and securing the right legal basis.
  • Employment: payroll, benefits, performance and monitoring data — kept accurate, secure and access-controlled.
  • Offboarding: deleting or archiving data in line with a documented retention schedule, not holding it indefinitely.

For distributed teams the biggest risk is informal workarounds — HR data emailed around, copied into spreadsheets, or held on personal drives. Structured, in-region data flows are what keep a global workforce compliant.

How an Employer of Record removes most of the GDPR burden

The cleanest way to employ someone in the EU without building your own compliance function is an Employer of Record (EOR). The EOR becomes the legal, local employer of your worker in their country, which means the employment data — contracts, payroll, tax and benefits information — is collected and held within the EU by an entity already established there. That structurally shrinks your cross-border transfer exposure, because the sensitive HR data no longer has to flow out to your headquarters to run the employment.

A good EOR provides the local legal basis for processing, issues compliant privacy notices, manages retention and DSARs, and already has the EU presence and safeguards that a foreign company would otherwise have to build. You direct the employee’s day-to-day work; the EOR carries the employment and much of the data-protection compliance. It is why companies handling EU compensation and HR data cross-border increasingly use an EOR rather than shipping that data abroad. Talk to our team to map your EU hiring against your GDPR obligations and see where an EOR fits.

Yes. Under Article 3, GDPR applies to any organisation that processes the personal data of people located in the EU, regardless of where the company is based or whether it has an EU office. Employing, paying or even recruiting someone in the EU means you are processing their data and must comply.

Location. GDPR protects people who are physically in the EU, not EU citizens as such. An American citizen working remotely from Portugal is covered, whereas a Portuguese citizen you employ in the United States generally is not.

Usually no. Because of the power imbalance between employer and employee, regulators rarely accept consent as ‘freely given’, and it can be withdrawn at any time. Employers should instead rely on performance of the employment contract, legal obligation, or legitimate interests, with a specific Article 9 condition for special category data.

You need a valid transfer mechanism under Chapter V: rely on the EU-US Data Privacy Framework if the US recipient is certified to it, or use Standard Contractual Clauses backed by a transfer impact assessment and safeguards such as encryption. Without one of these, transferring EU staff data to the US is unlawful.

A Data Protection Officer is mandatory only for large-scale monitoring or large-scale special category processing, so most small EU teams do not need one. However, a company with no EU establishment that processes EU staff data on more than an occasional basis must appoint an EU representative under Article 27 — an obligation US employers frequently miss.

An Employer of Record becomes the legal employer in the worker’s country, so employment data is collected and held within the EU by an established local entity instead of being transferred abroad. The EOR provides the lawful basis, privacy notices, retention and DSAR handling, structurally reducing your cross-border transfer exposure.

Couldn’t find what you were looking for?