Your EOR Has More Employee Data Than Your HRIS
An EOR (Employer of Record) provider holds passport copies, bank account details, tax identification numbers, salary information, health insurance enrollment data, and sometimes biometric data for local ID registrations. For employees in 20 countries, that data flows across jurisdictions with different privacy regimes — GDPR in Europe, CCPA/CPRA in California, PDPA in Singapore, LGPD in Brazil, PIPL in China.
If your EOR provider mishandles that data, the legal liability doesn’t disappear because you outsourced the employment relationship. Under GDPR alone, fines reach up to 4% of global annual turnover or €20 million, whichever is higher. The question isn’t whether your EOR handles data — it’s whether they handle it in a way that protects your company from regulatory exposure.
The Data Controller vs. Data Processor Question
Under GDPR, the distinction between data controller (who determines the purpose and means of processing) and data processor (who processes data on the controller’s behalf) determines legal responsibility.
In an EOR arrangement, the answer isn’t clean. The EOR is the legal employer — it determines how payroll is processed, which benefits providers receive employee data, and how tax filings are submitted. That makes the EOR a data controller for employment-related processing. But the client company decided to hire the employee, determines their compensation, and directs their work. That makes the client a controller too.
Most EOR providers correctly structure this as joint controllership or as independent controllers for different processing activities. Your EOR is an independent controller for payroll processing, tax compliance, and benefits administration. You’re an independent controller for work performance data, project assignments, and IP created by the employee. Some data (like salary, job title, and personal identifiers) sits in both controllers’ domains.
Why this matters: if your EOR provider experiences a data breach, the notification obligations, liability exposure, and remediation responsibilities depend on whether they were processing as your processor or as an independent controller. Get the classification right in your Data Processing Agreement (DPA) before the breach happens, not after.
Data Processing Agreements: What Must Be in Yours
A DPA between your company and the EOR provider isn’t optional under GDPR — it’s a legal requirement when personal data of EU-based employees is involved. Even outside the EU, a DPA is best practice and increasingly required under LGPD (Brazil), PDPA (Singapore), and PIPL (China).
Your DPA with the EOR provider must cover:
Scope and purpose of processing. Specify exactly what data the EOR processes and why — payroll, tax, benefits, immigration. Broad language like “for the purposes of the employment relationship” is insufficient. List the processing activities.
Sub-processors. Your EOR doesn’t process all data itself. It uses local payroll providers, benefits insurers, tax filing services, and banking partners. The DPA must list sub-processors or require advance notification before adding new ones. Under GDPR Article 28, the processor must obtain authorization from the controller before engaging sub-processors.
Cross-border transfer mechanisms. If employee data moves outside the EEA (which it will — the EOR’s global platform almost certainly processes data on servers outside Europe, and the client company accessing employee data from a US headquarters constitutes a transfer), the DPA must specify the legal mechanism: Standard Contractual Clauses (SCCs), adequacy decisions, or Binding Corporate Rules.
Breach notification timeline. GDPR requires controllers to notify the supervisory authority within 72 hours of becoming aware of a breach. Your DPA should require the EOR to notify you within 24–48 hours, giving you time to assess and comply with the 72-hour window.
Data retention and deletion. How long does the EOR keep employee data after the employment ends? Local law often requires retaining payroll and tax records for 5–10 years. The DPA should specify retention periods by data category and country, and confirm deletion procedures after the retention period expires.
Audit rights. You need the right to audit the EOR’s data processing practices, either directly or through a qualified third party. Enterprise clients should exercise this right annually.
Cross-Border Data Transfers: The SCCs Framework
The Schrems II decision (2020) invalidated the EU-US Privacy Shield, and while the EU-US Data Privacy Framework (DPF) replaced it in 2023, its long-term stability remains uncertain. For EOR providers that transfer EU employee data to the US (which is most of them — Deel, Remote, Multiplier, and Rippling all have US-based operations), the transfer mechanism matters.
EU-US Data Privacy Framework. If your EOR provider is DPF-certified, transfers from the EU to the US are permitted under the adequacy decision. Check the Data Privacy Framework list to verify certification. This is the simplest mechanism but depends on the DPF surviving legal challenges.
Standard Contractual Clauses (SCCs). The fallback mechanism. The European Commission’s 2021 SCCs (replacing the older versions) must be incorporated into contracts governing EU-to-third-country transfers. Your EOR should have SCCs in place as a belt-and-suspenders approach even if they rely primarily on the DPF.
Transfer Impact Assessments (TIAs). Under the SCC framework, both parties must assess whether the receiving country’s laws (particularly government surveillance laws) undermine the protection provided by the SCCs. Your EOR provider should have completed TIAs for each country where employee data is stored or accessed. Ask for them.
Binding Corporate Rules (BCRs). Some larger EOR providers have BCRs approved by EU supervisory authorities, permitting intra-group transfers globally. BCRs are the gold standard but take 1–2 years to obtain and are mainly held by enterprise-scale providers.
CCPA/CPRA: California’s Layer
If you have employees in California (including through an EOR), the California Consumer Privacy Act (as amended by CPRA) applies. The employee data exemption that initially shielded employment-related data expired, and employee personal information is now fully within CCPA/CPRA scope.
Your EOR provider must:
- Provide a privacy notice to California employees at or before the point of data collection, disclosing categories of personal information collected and the purposes.
- Honor employee rights to access, delete, and correct their personal information.
- Implement reasonable security measures appropriate to the sensitivity of employee data.
- Have a service provider or contractor agreement in place that restricts the EOR from using employee data for its own purposes beyond providing the contracted services.
The CPRA also imposes specific requirements for “sensitive personal information” — which includes Social Security numbers, financial account information, and precise geolocation. Employee data is dense with sensitive personal information.
Country-Specific Privacy Regimes That Affect EOR Operations
Brazil (LGPD). Similar to GDPR in structure, with a data protection authority (ANPD) that has enforcement power. Employee consent is one of several legal bases for processing — legitimate interest and legal obligation are more commonly relied upon for employment data. Cross-border transfers require adequacy determinations or contractual safeguards.
Singapore (PDPA). Consent is the primary basis for collecting employee data, though deemed consent and legitimate interest exceptions apply in employment contexts. The PDPC (Personal Data Protection Commission) enforces actively — fines can reach SGD 1 million or 10% of annual turnover.
China (PIPL). The strictest regime for cross-border transfers. Employee data generated in China must undergo a security assessment by the Cyberspace Administration of China (CAC) before being transferred abroad if the data processor handles personal information of more than 1 million individuals, or has transferred personal information of more than 100,000 individuals abroad. For most EOR-employed workers in China, the EOR provider must store data locally and may need CAC approval for transfers.
India (DPDPA). India’s Digital Personal Data Protection Act (2023) is being implemented in phases. It requires explicit consent for data processing, requires data fiduciaries to implement reasonable security safeguards, and restricts cross-border transfers to countries notified by the government.
What to Verify With Your EOR Provider
A practical checklist for your privacy or legal team:
Certifications. Does the provider hold SOC 2 Type II, ISO 27001, or both? These demonstrate that data security controls have been independently audited.
Data residency options. Can you choose where employee data is stored? Some providers offer EU-only data hosting for GDPR-sensitive clients. Others store everything centrally in the US or Singapore.
Encryption standards. Data should be encrypted in transit (TLS 1.2+) and at rest (AES-256). Ask specifically about payroll data and identity documents.
Access controls. Who at the EOR provider can access your employees’ data? Role-based access with audit logging is the minimum standard. Ask whether your employees’ data is accessible to the provider’s staff in other countries.
Incident response plan. Request a copy of the provider’s data breach response plan. Verify it includes client notification timelines, forensic investigation procedures, and regulatory reporting workflows.
DPA template. Review the provider’s standard DPA before signing the service agreement. Deel and Remote publish their DPA templates online. Providers that resist sharing their DPA before contract signing are a red flag.
The intersection of employment law and data privacy law creates obligations that compound across jurisdictions. Your EOR provider sits at the center of that intersection. The question isn’t whether they can process employee data — that’s their core business. The question is whether their data governance is robust enough to protect your company when a regulator comes asking.