Remote's role for data processing purposes is defined in accordance with Remote’s actual processing activities (Source - page 9, paragraph 12). In line with the WEC Guidelines on “Independent Controller” or “Processor” as HR-service provider and WEC-Europe’s response to the EDPB’s draft Guidelines, Remote factually acts as an independent controller.
In order to deliver its services, comply with applicable law, and assist the pursuit of Clients’ legitimate interests, Remote needs to engage in various types of personal data processing.
This article will cover:
Client Processing
Processing personal data of Client’s representatives for the purpose of, for example,
- Sales
- Entering into agreements with Clients
- Onboarding Clients,
- Client management
- Invoicing purposes
- Processing incoming payment
Remote acts as an independent controller for this activity which is governed by our privacy policy.
HR Processing
As the employer of record, we process personal data of employees hired through Remote for:
- internal HR purposes, such as entering into an employment agreement, managing payroll, personnel administration, and time-off management
- compliance with local tax and employment legislation
- the assignment of employees to Clients under our Global Employment service
Remote acts as an independent controller for this activity which is governed by our privacy policy, Remote's local entities' supplementary privacy notices, and regulated by Section 12 of the Master Service Agreement (MSA). In general, Remote has influence over the manner in which personal data is processed since Remote adheres to its own policies relating to data protection as established by Remote.
Remote can exercise its decision-making power in determining the means of the processing such as the period for which the personal data is retained, the IT systems to use (i.e. the Remote platform), and how to handle requests of the employees to exercise their rights under GDPR. Furthermore, the involvement of Remote is of such a level that its decisions are necessary for HR Processing to take place.
Engagement Processing
Processing personal data of contractors and employees hired through Remote for Global Contractor Management and Global Payroll Management. For example, the personal data of a Client’s contractor is processed within Remote to onboard a new contractor and to manage payments.
Remote acts as an independent controller for this activity which is governed by Remote’s privacy policy and is regulated by Section 12 of Remote's MSA. Even though Remote does not have a direct relationship with the Client’s assigned employees and contractors, we take the view that Remote does not qualify as a processor on behalf of the Client because Remote has too much influence over deciding the essential means of processing within the Remote Platform.
We acknowledge the European Commission and the EDPB have provided guidance on the qualification of payroll providers. However, according to that guidance, it is only where a (formal) employer (i.e. the Client) provides the exact details for the instruction of the salary payments and the payroll provider merely facilitates this through the use of the IT system on behalf of the (formal) employer, the payroll provider qualifies as a processor. We take the view that the processing within the Remote Platform goes beyond these limits.
Following Remote’s privacy statement, Remote can process personal data of the Client’s contractors and employees for the purpose of:
- payment and management of contractor invoices on behalf of the Client
- conducting integrity screenings
- assistance with the drafting, negotiating, and execution of the contract between the contractor and the Client
- contacting the contractor to improve Remote’s services.
Within these processing activities, Remote will have a form of autonomy on how to process the personal data. Furthermore, Remote processes personal data for its own purpose, i.e. the improvement of Remote’s services in general. Remote and the Client do not qualify as joint controllers since Remote and the Client do not jointly determine the purpose for processing.
Assignment Processing
The employees Remote assigns to Clients may process personal data of the Client’s customers, employees, or suppliers while being assigned to work for the Client. This is the case if an assigned employee has insight into the customer database of a Client.
The Client is the sole independent controller in respect of this activity. Remote is not involved in the processing. The contractor or employee does not have a role for data protection purposes, as they are under the "direct authority of the controller" that is the Client who is internally managing the relevant contractor or employee.
Processing within the Remote corporate group
The Remote entity the Client contracts with will most likely jointly control the personal data referred to above with other entities in the Remote corporate group. For example, Remote Technology Services Inc. and Remote Europe Holding are jointly responsible for any personal data processing happening on the Remote platform. Similarly, these two entities, together with any local Remote entity actually employing an assigned employee, act jointly in respect to HR and Engagement processing. However, in none of the aforementioned scenarios do Clients jointly control data with any Remote entity.
Comments
0 comments
Article is closed for comments.