Workation in IT

The phenomenon of workation (work + vacation), which is becoming more and more popular in the IT industry, poses new legal challenges for employers. However, allowing personnel to work from more or less exotic locations must remain in compliance with the law. This may seem difficult because the growing power of workers in the labor market forces concessions in their favor - but this cannot come at the cost of compliance with legal regulations. After all, every software house - with the prospect of a longer run in the industry - must take great care to determine and enforce the requirements that data protection regulations impose. In this article, we point out the fundamental aspects that need to be taken care of when organizing a workation in an enterprise.

Firstly, however, we need to take a look at personnel employed under a labor contract. In this case, current laws, including tax law and labor and social security law, prevent employees from working abroad, as we discussed in more detail in a separate article. Therefore, we dedicate this article strictly to the self-employed (on the so-called b2b), where there is more room for the workation model.

Entrustment of personal data processing

The first thing to remember is to conclude a data processing agreement (DPA) with the migrating personnel. As a general rule, self-employed people working on their principal's infrastructure as part of their duties process personal data under authorization. This is the case when b2b personnel provide services on equipment entrusted to them by the principal and are located stationarily in the principal's office, or, while working remotely, connect to the principal's ICT systems via a VPN connection. However, the situation changes when the self-employed personnel go beyond the technological infrastructure of their principal, working on their own equipment. When this happens, regardless of whether they are at home or abroad, there will be a need for a personal data processing agreement to substitute the authorization.

That is because the principal then loses actual control over the personal data processing by personnel working outside the principal's infrastructure. On the other hand, the case of providing services within the infrastructure of the principal (for example, on its equipment), but from abroad, requires a more in-depth analysis of whether it will still be acceptable to process data based on authorization or whether it will be necessary to conclude a DPA. What will certainly be helpful here is a directive according to which the weaker the bond between the contractor and the principal, the more justified will be the option for the parties to conclude a data processing entrustment agreement.

The DPA is an agreement designed to ensure the control of the principal over the processing of personal data by the personnel. When this control results from other circumstances - whether of a legal nature (as in the case of an employment contract) or a factual nature (as in the case of personnel processing data as part of the administrator's infrastructure), then concluding a DPA is pointless. In the data processing agreement - once it is concluded - it is necessary to pay special attention to the measures ensuring the security of personal data processing and remember that it must meet all the requirements stipulated in Article 28 of the GDPR.

Workation outside the EEA

Daily experience shows that IT personnel are becoming more willing to provide services not only from outside Poland's borders but also from outside of the European Economic Area (which groups EU member countries, Iceland, Liechtenstein, and Norway). After all, who wouldn't want, if given the opportunity, to develop source code on a dreamy island? Such a country is called a "third country" in the General Data Protection Regulation (GDPR), and by agreeing to our contractor's processing of personal data in a third country, we are transferring data to such a country, with legal consequences.

When allowing a staff member to use workation outside the EEA, one should not only take care to conclude a DPA with the staff member but also determine in which country the staff member plans to provide services. An entity entrusting personal data to another entity is responsible for that entrustment and must have full control over the process, knowing to whom it transfers data and how and where it will be processed. It is well-known that different countries approach the issue of personal data protection differently, and a considerable part of them apply standards different from those stipulated by the GDPR.

There is a group of countries that, in the opinion of the European Commission, apply adequate data protection standards, which is reflected in the corresponding decisions of this organ. If our contractor chooses to work from one of these countries, there will be no need for additional legal protections beyond those required by the DPA. The list of so-called safe countries is worth familiarizing yourself with, and includes the following countries as of the date of this publication:

  • Andorra;
  • Argentina;
  • Canada;
  • Guernsey;
  • Isle of Man;
  • Israel;
  • Japan;
  • New Zealand;
  • South Korea [since December 2021];
  • Switzerland;
  • The Faroe Islands;
  • United Kingdom;
  • Uruguay.

What is eye-catching is that this list is relatively short, and in particular there is no US or Australia on it, let alone more exotic destinations like the Dominican Republic or Zanzibar. When allowing contractors to provide services in countries outside of this list, additional protections should be taken care of, which in practice will most often be the Standard Contractual Clauses mentioned below. At this point, it should be noted that the state of personal data protection in a particular country is greatly influenced by the current political and social situation.

To give an example, another phase of the Palestinian conflict may break out in Israel, a country that has been given the "green light" by the European Commission to transfer data. In this situation, that country is no longer safe and we should prohibit staff from processing personal data held in our resources. As of today, there is no sign of expansion of the above-mentioned list. On June 16, 2021, the European Commission initiated a procedure to pass a decision on the adequacy of personal data protection in South Korea, and this country is the only one most likely to join the aforementioned list in the near future [update 2022: South Korea has been included as a "safe country"]. When considering the level of data protection standards, it is worth using the tool provided by CNIL (the French supervisory authority) at: https://www.cnil.fr/en/data-protection-around-the-world. It can be useful in determining the destinations that can be considered when implementing workation in an enterprise.

Standard Contractual Clauses

As mentioned above, the safety measure for the transfer of personal data to a third country when it is not on the list established by the European Commission will be Standard Contractual Clauses (SCC). They are often the only way to make such a transfer legally. By decision No. (EU) 2021/914 of June 4, 2021 (entered into force on June 27), the European Commission adopted long-awaited new standard contractual clauses for the transfer of personal data to third countries.

This decision has been long anticipated by the IT sector, as the standard contractual clauses, in their previous form, did not allow for the transfer of data outside the EEA in the relationship between a processor and a further processor - that is, when a software house (which is often the processor of data entrusted by a client) was going to subcontract the processing of that data to its subcontractor. This restriction became especially noticeable after the collapse of the so-called Privacy Shield, a program that provided legal data transfer to US entities. There was also a lack of regulation for the situation in which it is the processor who transfers personal data from the European Union to a Third Country data controller (rarer in practice, but can also occur and apply to, for example, Polish entrepreneurs recruiting IT specialists for foreign clients).

The new SCC is divided into 4 modules:

  • Module I: transfer of data between data controllers (horizontal relationship);
  • Module II: transfer of data from the data controller to the processing entity (downward vertical relationship: data controller → data processor);
  • Module III: transfer of data between processing entities - this module is an eagerly anticipated novelty that significantly simplifies the use of subcontractors and providers from outside the EEA (vertical relationship data processor → further data processor);
  • Module IV: transfer of data from the data processor to the data controller (reverse vertical relationship: data controller ← data processor).

Risk analysis in terms of data processing location choice

Regardless of the DPA and SCC, it is important to note that these are not lifelines that always guarantee the secure processing of personal data. Allowing contractors to process data within the workation should be preceded by a two-phase risk analysis (carried out firstly by a consultant who is an entrepreneur, and therefore a professional, and then by a software house), from which it will be evident that the country in question is actually safe, not affected by armed conflict, a state of emergency, an epidemic, or any other situation that could put into question that country's care for individual privacy. The more "tense" the situation in a country, the greater the authority of its government and the greater the risk of not respecting data protection standards. Appropriate provisions on this subject should be included in the DPA, as well as in the cooperation agreement.

Tax residency

The issue of data protection is not the only legal issue associated with workation. Migrating personnel rarely pay attention to tax issues when choosing a place to provide services, treating their stay abroad as a touristic experience. And as long as this stay is not especially long (counted in days, weeks at most), as a rule, there will be no need to worry about the tax consequences of such a trip. However, in the case of a longer stay abroad (especially in one country), there will be a need to consider tax and insurance consequences. From the perspective of the software house's interests, it is important to have provisions in the contract with the contractor that will protect the principal from the consequences of a change in the contractor's tax residency. The contractor should be required to provide the original Tax Residency Certificate in such a case. Workation may involve the necessity for the software house to calculate and pay the withholding tax, hence the consequences of any negligence in failing to provide the aforementioned certificate will burden the contractor - it is advisable for the contract to specify this issue.


Publication date: 13.09.2021.

Borek Doliński Radcowie Prawni spółka jawna