Stock options
Data protection
Argentina
Obtaining an employee's written consent for the processing and transfer of his or her personal data is the most common approach to comply with certain aspects of data protection requirements. The employer is also required to register any database that includes an employee's personal data with the Argentine privacy authorities.
Australia
Obtaining an employee's written consent for the processing and transfer of their personal data is the most common approach to comply with certain aspects of data protection requirements. The employer is required to ensure that an employee's tax file number and other personal data are used only for the purpose agreed upon in writing by the employee.
Austria
All data protection requirements must be met. Strict rules apply to data transfer outside the EEA.
Belgium
Consent can be a lawful ground for the processing and transfer of personal data, but it may not always be deemed to be valid in an employee-employer relationship, as one of the core requirements is that it is "freely given", which can be difficult to establish if given after an employee has entered into an organization's employ. In this context, it is easier to obtain valid consent if the entity granting the benefits in question is a group entity other than the actual employer. For this reason, it may in certain circumstances be more appropriate to invoke another lawful basis for processing, such as the necessity of the processing and transfer for the performance of a contract with the employee (to the extent such is the case). In addition, the employer is also required to register any database that includes employee personal data with the Belgian privacy authorities. The transfer of personal data outside the EU thus requires prior notice and registration with the Belgian Privacy Commission, as well as a lawful basis for transfer (eg, explicit employee consent or necessity for performance of a contract with the employee), in addition to various other requirements related to the conditions of collection, use and transfer of such data.
Brazil
The Brazilian Data Protection Law (Federal Law No. 13,709/18), which entered into force on September 18, 2020, applies to the processing of personal data, including under a labor relationship.
In view of this, it is necessary to assess each case individually in order to confirm the proper legal basis for the processing of personal data for the purpose of granting stock options to employees of Brazilian subsidiaries, in accordance with Article 7 of the Brazilian Data Protection Law.
In general, employee consent is not a recommended legal basis due to discussions about the validity of consent under an employment relationship, considering the existing subordination between the parties, and/or given that the consent may be revoked at any time by means of an express request of the data subject. However, consent may be necessary for certain processing activities.
The international transfer of data outside Brazil should also be covered by one of the available legal bases of the Brazilian Data Protection Law, such as standard contractual clauses or binding corporate rules. Such grounds, however, will be regulated in the future by the national supervisory authority in Brazil.
Canada
Privacy legislation generally requires that an organization must obtain an individual's consent prior to the collection, use and disclosure of personal information, which is defined as any information about an identifiable individual. There are limited exclusions to this requirement. For example, some provincial legislation provides that certain types of employee personal information may be excluded from the consent requirement where used only for the purpose of establishing, managing or terminating the employment relationship, although requirements regarding notice, retention and data security measures still apply. Compliance with all applicable privacy legislation is necessary. As of early 2022 the Canadian government is considering revising federal privacy legislation through the Consumer Privacy Protection Act (CPPA). If enacted into law, the CPPA is expected to modernize Canadian private-sector privacy legislation applicable to the employees of businesses subject to federal privacy legislation (including with respect to enforcement).
Chile
Obtaining employee consent for the processing and transfer of personal data is recommended. Such consent should be in Spanish.
China
Obtaining employee consent for the processing and transfer of personal data is recommended.
Colombia
Data protection legislation generally requires the organization to obtain an individual's written consent to the collection, use and disclosure of personal information, which is defined as any information about an identifiable individual. This consent shall be obtained prior to the collection of the personal data and shall cover the specific purposes for which the data will be processed (including granting stock options). Thus, it is mandatory for the employer to obtain consent from the employee for the processing of their personal data. For this purpose, keep a record of such consent and provide the employee with the employer's data privacy policy and/or a privacy notice that states which information is going to be collected, the purposes of the processing, the rights of the data subject (as provided by law), the complete information and contact details of the employer and the means to consult its data privacy policy.
Czech Republic
Data protection matters are regulated by the GDPR and the Czech Act No. 110/2019 Coll., on processing of personal data. Generally, employee consent is not required, subject to applicable exceptions.
Denmark
Obtaining employee consent for the processing and transfer of personal data is a means to comply with certain aspects of the Danish data protection requirements. A case-by-case analysis is recommended.
Ecuador
Obtaining employee consent is mandatory for the processing and transfer of personal data.
Egypt
Employers are advised to make disclosures to employees about processing personal data. Obtaining employee consent is required for the processing and transfer of personal data to 3rd parties. There is a general ambiguity in the Data Protection Law with regard to the extent of employee consent to the processing of personal data by the employer, but it is recommended to obtain explicit employee consent for the processing of personal data regardless of whether such processing is internal or shared with 3rd parties. More details on the employer-employee relationship are expected to be clarified in the near future upon the issuance of the executive regulations of the Data Protection Law and the establishment of the Personal Data Protection Center, which is the official government authority responsible for implementing Egypt's data protection laws and regulations.
Finland
In order to comply with certain aspects of the data protection requirements, obtaining consent for the processing and transfer of personal data is recommended.
France
Obtaining employee consent for the processing and transfer of personal data is recommended. Employers are also advised to disclose data processing activities to employees. The Commission Nationale de l'Informatique et des Libertés (CNIL) must be notified of any databases that include employees' personal information.
Tax and social regime applicable to non-qualifying plans
The gains realized upon vesting of stock options granted pursuant to non-qualifying plans are treated as salary for tax and social purposes.
As such, vesting gains are subject to the progressive scale of income tax (with a maximum rate of 45 percent) and to a special 3- to 4-percent surtax on high income. As from 2019, income tax on non-qualifying plans is withheld by employers, who are also in charge of withholding income tax on salaries.
From a social standpoint, employer social security charges are due at a maximum rate of approximately 45 percent and employee social security charges are due at a maximum rate of approximately 25 percent, including 22.1 percent deductible for income tax purposes. Both employer and employee social charges are withheld by the employing entity.
Germany
Obtaining employee consent for the processing and transfer of personal data is recommended. The consent must be easily discernible in appearance (eg, in an alternate font or typeface) if it is given in conjunction with other declarations. Employers are required to amend their internal records of data processing operations accordingly. Starting from May 25, 2018, a new data protection law applies (BDSG-new). Under the BDSG-new, employee consent is only valid if given freely. Consent may be deemed to be given freely if it is associated with a legal or economic advantage for the employee, or if the employer and employee are pursuing the same interests. Processing in connection with restricted stock and RSUs entails such an economic advantage for the employee. Consent must be given in writing.
Greece
The Employer will keep a file of and process employees’ personal data necessary for the award of stock options. In this context, the Employer, in its capacity as the controller, shall ensure that such processing is carried out in compliance with applicable data protection and privacy laws, rules and regulations, and especially with the General Data Protection Regulation (EU) 2016/679 (GDPR) and Greek Law 4624/2019 including implementation measures of the GDPR in Greece. Appropriate data protection procedures shall be in place, especially regarding information obligations according to Articles 13 and 14 of the GDPR. A personal data protection notice shall be provided to employees prior to any data processing including all necessary information in a clear and plain language they understand and sufficiently capturing participation in the award plan that must be operated in accordance with the applicable personal data protection notice. The roles of the entities having access and processing employees’ personal data shall be distinguished and pre-determined. In case of transfers of employees’ personal data to recipients located outside of the European Economic Area (EEA), where the data protection laws may not provide a level of protection equivalent to the GDPR, employers shall enter into any appropriate data transfer agreements based on Standard Contractual Clauses (SCCs) issued by the European Commission with the Implementing Decision (EU) 2021/914, and shall implement any other necessary supplementary measures to ensure an adequate level of data protection in the 3rd country.
Hong Kong, SAR
Notification for the collection, processing and transfer of personal data is required. There is no current requirement to register with the data protection authority. That said, the data protection authority is considering implementing the registration requirement in phases. To comply with certain aspects of existing data protection requirements, it is recommended that employee consent be obtained for the transfer of personal data outside of Hong Kong.
Hungary
Employee consent is generally required for the processing and transfer of personal data.
India
Obtaining employee consent for the processing and transfer of personal data is recommended.
Indonesia
Obtaining employee consent for the processing and transfer of personal data is mandatory.
Ireland
As of May 25, 2018, processing personal data, including employee, customer or vendor personal data, is subject to the GDPR and the Data Protection Act 2018. Organizations must ensure they have all relevant policies and procedures in place which will enable them to comply with the data protection principles, such as an Information Security Policy which includes an Incident Response Plan, a Data Protection Policy governing how employees must handle personal data they process during their employment, and an Employee Data Protection Notice explaining to employees how and why the company processes their personal data. Organizations must also ensure there is a lawful basis for processing any personal data, noting that in the context of employment, employee consent is often an inappropriate lawful basis due to the imbalance of power between the employee and the employer, meaning consent is not truly ‘freely given’, as required by the GDPR.
Written agreements must be in place with any vendors or customers where there is a controller to processor relationship in relation to personal data. Specific terms must be included in these agreements, as per the GDPR, to ensure the personal data are adequately safeguarded and the roles and responsibilities of the parties are clear, particularly if there is a data breach or a data subject access request. Importantly, any personal data which leaves the EEA (either internally via an intragroup agreement, or externally via a customer or vendor contract) must now be risk assessed following the recent CJEU Schrems II decision, and must be subject to a mechanism allowing for lawful transfer to a 3rd country (such as the standard contractual clauses or Binding Corporate Rules).
Israel
Employee consent for the processing and transfer of personal data is required. In certain situations, the employer may be required to register its database with the data protection authorities.
Italy
In order to comply with certain aspects of existing data privacy requirements, it is recommended that an employer obtain its employees' consent to the processing and transfer of their personal data. Typically, no employee's personal information can be processed or transferred until the employer registers with Italy's data protection authorities.
Japan
Obtaining employee consent for the processing and transfer of certain sensitive information is mandatory pursuant to the revised Act on Protection of Personal Information.
Malaysia
All personal data must be processed in compliance with the Malaysian Personal Data Protection Act 2010 (PDPA). Generally, the processing of personal data requires consent of the data subject unless one of the prescribed exceptions applies, eg, the processing is necessary for the performance of a contract to which the data subject is a party. However, it is a matter of best practice for written consent to be obtained by the data user prior to any processing of personal data.
The PDPA also requires the data user to give a written notice to the data subject of certain information, and the written notice must be given in both Bahasa Malaysia, which is the national language of Malaysia, and English.
Mexico
Mexico has enacted a comprehensive federal data protection law. Employee consent for the processing, disclosure and transfer of personal data is required.
Netherlands
In order to comply with certain aspects of existing data protection requirements, it is recommended that employee consent be obtained for the processing and transfer of personal data, and that the employees are properly informed about the data processing. The employer also is required to register all data processing activities and any database that includes an employee's personal data with the Dutch data protection authorities.
Personal data can only be transferred to a non-EU/EEA country if such country provides an adequate level of protection, or if additional safeguards have been implemented.
Personal data may not be further processed in a way incompatible with the purposes for which the data was collected. Personal data may only be processed where, given the purposes for which they are collected or subsequently processed, it is adequate, relevant and not excessive. Sensitive data may not be processed, unless an exception applies.
New Zealand
Obtaining employee consent for the processing and transfer of personal data is required before the transfer of personal data abroad.
Nigeria
Under the extant regulations governing data privacy in Nigeria, employees are recognized as data subjects for the purpose of data protection and are entitled to a protection of rights accorded to data subjects, which includes the rights to object to the processing of their personal data and to be informed of the procedure for objecting to the processing. They are entitled to be informed on matters relating to their personal data, including any communications and actions to be taken by the employer and any appropriate data protection safeguards to be adopted in a foreign company, where the data is to be transferred to a foreign country.
Employees are also entitled to request the deletion of their personal data without any delay. Employees of public institutions are not protected from the disclosure of certain information that may form a part of their personal information without any prior consent. The Nigerian constitution further guarantees the right of citizens to privacy of their homes, telephone conversations and telegraphic communications, and recourse should be made to the extant agreement between employers and employees for proper guidance.
Norway
The employer must have a sufficient legal basis for the processing of personal data under the plan. For example, such processing is necessary in order to administer obligations under the plan. Specific conditions must be met if personal data is to be transferred outside the EU/EEA.
Philippines
Employee consent for the processing and transfer of personal data should be obtained.
Poland
GDPR (Regulation EU 2016/679), which is applicable from May 25, 2018, changed the data protection regime. The transfer of personal data to third countries shall take place according to the GDPR regulations. Not all domestic provisions on the processing of employees' personal data have been set out. Some amendments will be implemented soon as they are still going through the legislative procedure. Categories of personal data of candidates and employees that can be processed by an employer and exceptions to general principles in this respect shall be regulated in the Polish Labor Code.
Portugal
In order to comply with certain aspects of data protection requirements and of the GDPR, it is essential to assess which legal basis applies to the collection and processing of personal data, having in mind the specific circumstances of the case (eg, execution of a labor agreement, employee consent). In case the processing of personal data is not necessary for the performance of a labor agreement, employee consent for processing and transfer of personal data may be required, which should be assessed on a case-by-case basis. In case consent is the lawful basis for processing, it must be ensured that such consent is freely given in an employment context. Appropriate safeguards in accordance with the GDPR must be implemented where personal data are transferred to a country outside the EEA not ensuring an adequate level of protection. Since the implementation of the GDPR, employers are no longer required to register their employee database or request prior authorization from the Portuguese Data Protection Authority (CNPD) to process employees' personal data. In any case, it is crucial that all mandatory information regarding the processing of such personal data, notably the data subjects' rights (eg, right of access, rectification), is provided to the employees.
Russia
Obtaining employee consent for processing and transferring personal data is required.
Saudi Arabia
Obtaining employee consent for the processing and transfer of personal data is recommended.
Singapore
Obtaining employee consent for the processing and transfer of personal data is required.
Slovak Republic
The Slovak Republic’s adoption of the General Data Protection Regulation (GDPR) is reflected in Act No. 18/2018 Coll. on the protection of personal data and on amending and supplementing of certain acts (Slovak Act). The Slovak Act became valid as of January 30, 2018 and effective as of May 25, 2018. It repealed the previous Act No. 122/2013 Coll. on the protection of personal data.
In general, the GDPR, alongside certain parts of the Slovak Act, applies to the processing of personal data. The Slovak Act regulates certain specific situations – for example:
If a controller is an employer of a data subject, it is entitled to provide or to publish the data subject's personal data in the extent of academic title, name, surname, position, personal employee's number, department, place of work performance, telephone number, fax number, work email address and the identification details of employer if it is necessary for the completion of the work tasks. However, the provision of such personal data shall not interfere with the reputability, honor and security of a data subject.
The processing of a national identification number (ie, birth number) is permitted only if its use is necessary to achieve the given purpose of processing and the special regulation shall not prohibit such processing. The consent to the processing of a national identification number must be explicit and must not be precluded by a specific regulation when it is processed on the legal basis of the data subject's consent. The publication of birth number is prohibited.
South Africa
Obtaining employee consent for the processing and transfer of personal data is recommended and there must be compliance with applicable data protection laws.
South Korea
Obtaining employee consent for the collection, processing and transfer of personal data is required. The Personal Information Protection Act (PIPA) was amended to require the important aspects of consent form for personal information collection be shown clearly. The amended PIPA, which became effective on October 19, 2017, requires such important aspects:
- To be shown at least 20 percent larger than the rest of the content of the consent form and, in any case, in a font size of at least 9 points, and
- To be clearly readable by using a different color, underline or bold typeface.
The amended PIPA defines the "important aspects" to include:
- Specific data must be named. The fact that sensitive personal information or unique identification information (ie, passport number, driver's license number and foreigner registration number) will be processed must be separately highlighted
- If the personal information will be provided to a 3rd party, the identity of the recipient and the recipient's purpose of using the personal information, and
- The retention and use period.
Spain
The GDPR (Regulation EU 2016/679) entered into force on May 25, 2018, substantially changing the data protection regulatory regime applicable in the EU, including Spain. While employee consent would in theory remain an option, in practice Spanish authorities refuse to accept it in most scenarios. Therefore, depending on the data processing to be carried out, employers may rather rely on other legitimating bases for the processing of employees' personal information (eg, fulfilment of a legal duty, of a contractual obligation, legitimate interest). Registration of an employee related database is no longer necessary as of that date. However, other control/data management and security requirements will need to be fulfilled. The GDPR allows member states to further regulate employment-related privacy issues and, therefore, by the end of 2018, Spain passed a new data protection act (Spanish Fundamental Act 3/2018) to supplement the data protection regime contained therein.
Sweden
The General Data Protection Regulation (EU) 2016/679 (GDPR) and other relevant local data protection laws will apply to the processing of personal data. This includes inter alia an obligation to notify employees (and other potential individuals) about the processing, identify a legal basis for which the processing is relied upon, take appropriate organizational and technical measures, as well as other steps required under the GDPR and other applicable data protection laws.
The appropriate legal basis for processing personal data in relation to option benefits agreed upon would normally be performance of a contract (Article 6.1 b) of the GDPR), or, if part of a non-contractual benefit, a legitimate interest (Article 6.1 f) of the GDPR).
Switzerland
Obtaining written consent from employees is recommended prior to transferring any personal information to the parent company or a third-party administrator.
Taiwan, China
Employees' consent must be obtained prior to the collection, processing and transfer of personal data.
Thailand
Obtaining employee consent for the collection, processing, disclosure and transfer of personal data is required. The purpose of such collection, processing, disclosure and transfer of personal data must also be acknowledged by the employee upon receiving the consent.
Turkey
Describing to the employee the purposes of processing his/her personal data and obtaining the employee's consent, under certain circumstances, for processing and transfer of personal data is legally required.
Ukraine
Employee consent is generally required for the processing and transfer of personal data. In addition, it is necessary to provide an employee with a notification on personal data processing containing information on the data controller, the nature and scope of collected personal data, the purpose for which the data is collected, third parties (eg, processor) to which personal data will be transferred and the scope of the data subject's rights as provided under the Ukrainian data protection legislation.
United Kingdom
Companies must consider on what basis and to what extent they are legally permitted to process and transfer participant data and should provide a notice to UK-based participants accordingly.
Venezuela
Obtaining employee consent for the processing and transfer of personal data is required.
Vietnam
The Implementing Entity must obtain consent from relevant employees prior to the processing and transfer of their personal data. The Implementing Entity is required to prepare and submit 1 original copy of the DPIA and 1 original copy of the OTIA to the DCHCP within 60 days from the commencement of personal data processing and keep a copy of the DPIA and the OTIA at its head office for inspection and evaluation by the MPS. Upon completion of a transfer of personal data of Vietnamese citizens outside of Vietnam, the Implementing Entity must notify the MPS of such transfer and of the contact details of the personnel in charge of such transfer. In addition, the Implementing Entity must appoint personnel in charge of personal data protection matters and have technical measures for data protection purposes.