Q. I work for an international school in China and I want to recruit a teacher from the UK with British curriculum criteria, does the GDPR apply?
A. This is a great question and is relevant to so many overseas organisations that wish to recruit individuals from within the European Union (EU). The short answer is no. The GDPR does not apply to your school in these circumstances. Let me explain why...
The territorial reach of the GDPR is wide and it is common knowledge that it applies to data subjects who are within the EU. You could therefore be forgiven for assuming that any processing your school undertakes regarding EU data subjects will be subject to the terms of the GDPR. However, the European Data Protection Board has tried to make it clear that this alone would not be sufficient to trigger the application of the GDPR to this processing by your school.
Find out more about how 9ine is transforming data protection management and register for a free 30 day trial of the 9ine app.
In fact, the GDPR would only apply to processing carried out by your school if that processing was related to some goods or services it was offering EU data subjects (regardless of whether a payment is required) or if it was monitoring the behaviour of data subjects in the EU. In each of these cases your school would also be required to designate a representative in the EU to act on its behalf with regards to the obligations under the GDPR.
The fact that you are intending to recruit a teacher from within the EU because of their specialist experience means that your school may wind up processing the personal data of EU data subjects during that recruitment process and for the resultant appointment but, as this is not related to any goods or services being offered by your school nor the monitoring of anyone’s behaviour, the GDPR will not apply to you.
If you are employing a recruitment consultant / agency based in the EU as a processor to assist you with the selection of candidates then they will technically be processing information on your behalf and will therefore be subject to the processor provisions of the GDPR. This will not however make your school subject to the controller provisions of the GDPR.
That said, the GDPR is inspiring many data protection laws across the globe with many organisations voluntarily choosing to meet the standards set by the GDPR in order to demonstrate a gold standard of data protection. Your school may therefore choose to meet these standards in order to meet the expectations EU data subjects now have concerning their personal data (but it has no obligation to do so). You can ask 9ine to help guide you through this journey if you would like to explore what this might mean for your school.
Please note that the UK is currently in a transition period before leaving the EU. The GDPR will therefore continue to apply until 31 December 2020 after which time the UK is likely to become a third country.
About the Author:
Heidi-Anne O’Neill is 9ine’s in-house Data Protection Solicitor. She has been qualified for fourteen years and has spent the last eight years advising in the area of information law. As a result of many years spent in local government, she holds both a Data Protection Practitioner and a Freedom of Information Practitioner Certificate. She is pleased to be part of the team at 9ine and looks forward to assisting clients on their journey towards data privacy compliance.