Thanks, Claire. Circulating your comment below to the wider list.

 

In the absence of having to avoid the need to get consent, I am happy to add necessary for performance of a contract to my defence to a regulator investigation!

 

R

 

 

Renzo,

 

Could you not argue that the processing is necessary for the performance of a contract (employment contract), insofar as the contract of employment could not be performed adequately if the email was not sent because the employee would not be following reasonable instructions required in return for their salary and the employment relationship would break down? A very tenuous argument, admittedly, but the situation you describe below can’t be the intended outcome, even if it’s only arrived at when sticking to the strict letter of the law.  

 

Regards,

 

Claire

 

 

 

Thank you, Claire. 

 

I agree with your answers. Or at least agree that that is a “purist” approach to the issue.  But was hoping for a contrary view to avoid the following:

 

A consequence then is that any EU company needs to put in place “model clauses” with all non-EU companies with whom it deals (except those in “white listed” adequate countries).

 

I accept that regulators would take a “pragmatic” view of this, but was hoping that there was a clear way out of that conclusion ... but I can’t see it.

 

Best

 

Renzo  

 

 

 

An employee of an EU company sends an email (on behalf of the employer) to an address of an individual at a US company.  

 

1.     Is this a transfer of “personal data” for the purposes of the eight principle?   (The content of email is not personal data.  But the email heading will contain, as usual, the email address “From: [log in to unmask]”.)

 

I think it must be – it identifies the individual and tells you that they work for the organisation.

 

2.     If so, can the EU company rely on “consent” of the employee to avoid having to comply with the eighth principle?

 

Is the employee really consenting if they are told by their employer to email someone and it is part of their role? Is it a request or an order? Is it reasonable/acceptable for them to say no? If not, it’s not really consent.

 

3.     If so, does it make any difference if the employee does not know that the nationality of the recipient entity (ie does not know that the company at which the recipient works is a US company)?

 

If the employee can consent freely to sending the email, it must make a difference whether or not they know that the recipient works for a US company, otherwise it’s not informed consent – they can’t consent to sending the email (and their personal data) to the US if they don’t know that that’s what they’re doing.