Do any data protection requirements apply to the operation of an incentive plan?

Employee Incentives

United States

There are no specific data protection issues which currently restrict the operation of incentive plans beyond general US and state privacy data transmission laws. That said, the State of California has recently adopted the California Consumer Privacy Act of 2018 which bears some resemblance to GDPR but will not take effect until 2020. It is recommended that the employee explicitly accept that his personal information can be used in accordance with the plan, and that any data transferred not include an employee’s Social Security number. Further, as a best practice, it would be advisable to follow the EU data privacy rules for US participants.

Vendor contracts for plan administration should be reviewed to assess the standard of care and remedies for breach of level of service including data protection.

Mexico

The employer or the company sponsoring the incentive plan is obligated to comply with Mexico’s Federal Privacy Law, whereby the collection, storage, treatment and potential transfer of the participant’s personal data must comply with applicable regulation. Every participant should be given a privacy notice explaining the reason for collecting personal data, the purpose for handling it and the protective measures to keep it safe.

Romania

As a rule, there are no data protection requirements specifically applicable to the operation of an incentive plan. However, the employer should consider the general applicable principles of the General Data Protection Regulation ("GDPR") - especially the integrity and confidentiality principle - with respect to the personal data of the employees benefiting from an incentive plan.

Denmark

The European General Data Protection Regulation applies if the employer processes personal data regarding the employee when operating the incentive plan.

Ecuador

The Ecuadorian Constitution foresees data protection in general terms. Currently, different bills related to specific data protection regulation are under discussion in the Congress. Companies should treat personal data on a confidential basis.

China

No specific data protection requirements apply to the operation of an incentive plan.

For listed companies, the details of the incentive plan, including the vestee, the amount of the incentive equity and the pricing should be disclosed to the public; while most unlisted companies shall keep the details of the incentive plans wholly or partly confidential.

The Netherlands

Yes. The processing of the employee data for an incentive plan is considered a processing activity which is governed by both the General Data Protection Regulation (GDPR) and the Dutch GDPR Implementation Act (UAVG). Further thereto, the processing must comply with all requirements of GDPR, and must inter alia be based on a legal ground, be done for specific purposes and the personal data may not be retained longer than necessary. Additional requirements apply for the processing of sensitive data. Furthermore, a company is under the obligation to inform the employees regarding the processing of their personal data in the context of the incentive plan in accordance with the information obligation.

Brazil

The Brazilian Data Protection Act (Law no. 13,709/2018 or “LGPD”) was approved in August 2018 and will come into force in February 2020. There is no specific provision requiring special treatment of incentive plans or compensation in terms of data protection. Such information is therefore professional personal data related to the employment contract conditions, and it shall be processed in accordance with the law. The company shall observe the following main rules when processing the personal data of individuals located in Brazilian territory:

(i) Abide by the data protection principles imposed by the LGPD: purpose, adequacy, necessity, free access, data quality, transparency, security, prevention, non-discrimination, liability and accountability.

(ii) Define the lawful grounds for processing personal data: Company may rely on the employee’s consent to process his/her personal data. It must be a free, informed, and unambiguous expression through which the data subject agrees with the processing of personal data for a determined purpose.

(iii) Transparency: Company shall provide clear and complete information to the employee.

(iv) Data subject’s rights. The law grants several rights for data subjects including the right to obtain from the controller, at any time, and upon request: confirmation of the existence of the data processing; access to the data; rectification of incomplete, inaccurate, or outdated data; anonymization, blocking, or elimination of data that is unnecessary, excessive, or processed non-compliant with the provisions of the LGPD.

(v) Record keeping. Company shall have systems in place to record the data processing activities.

(vi) Sensitive Data. Under the LGPD, the cases for processing sensitive personal data are more restricted. Sensitive data includes information on an employee’s health, for example. To the extent sensitive data is being processed, it should be justified under one or more lawful bases provided by the LGPD (e.g., consent or as necessary for the performance of a contract).

(vii) International data transfers. Company must make sure that international data transfers take place in compliance with the LGPD.

Japan

When an incentive plan takes into account personal data such as an individual performance review, such data should be protected under the Personal Information Protection Law (“PIPL”), under which a company may not disclose such data without the consent of that person.

Due to the global movement toward personal information protection, the Japanese PIPL has been changing in recent years. In particular, the implementation of the European General Data Protection Regulation (GDPR) in 2018 had a significant impact on changes to the law in this area. In fact, with the aim of harmonization with the GDPR, the Japanese PIPL has changed and now requires strict measures and requisites for the protection of personal information. In the labor and employment area, all Japanese companies are required to update and establish their own privacy policy and information management policy, and even to install data protection systems, in order to share employees’ personal information among group companies.

Norway

Incentive plans will necessarily involve processing of the employees’ personal data. Data protection legislation, hereunder the GDPR, will therefore apply in full.

Processing personal data for the purposes of an incentive plan will entail recording, analysing and measuring the employees’ work performance, which is a form of processing typically considered more invasive. It is therefore important that the undertaking exert an appropriate amount of effort to ensure that it provides all the relevant information about the processing to its employees pursuant to articles 12-14 of the GDPR, and explains the parameters of the performance evaluation in a clear and concise language. This information should be available to the employees at all times.

Due to the invasive nature of the processing, extra care should be taken when evaluating the risks and implementing appropriate measures to ensure data protection related to the processing in accordance with article 32 of the GDPR. In particular, it is important to ensure that access to the incentive plan data is restricted on a strict need-to-know basis.

The conditions of the incentive plan should be included in the employment contracts’ salary terms, so that fulfilment of the employment contract may serve as the legal basis for the processing. Consent should not be relied upon as a legal basis, as it is doubtful whether this would be valid from a privacy perspective in an employment context.

United Kingdom

The operation of incentive plans involves the processing of personal data, therefore they must be compliant with data protection legislation. The General Data Protection Regulation, which came into effect in May 2018, set a higher standard for data protection compliance and tightened the control and limits on use of personal data.

Among other things, operators of incentive plans will need to ensure that their plan documentation provides a signpost to the company's data privacy notice which in turn should describe the purposes for which personal data will be used in the operation of the incentive plan and the legal basis for doing so. Where the plan involves the appointment of trustees and/or administrators, the company needs to ensure that appropriate safeguards are put in place when transferring personal data to them.

Germany

On May 25th, 2018 the new General Data Protection Regulation (2016/679) came into effect. At the same time the new German Federal Data Protection Act came into force. Ever since, any incentive plan must comply with the EU and German data protection law. Of importance are the provisions about processing data of the employee in respect of transparency, limitation of use to a specific purpose and for a specific time.

For the execution of an incentive plan, the company faces higher requirements on transmitting personal information to a third party or third country (outside the jurisdiction of GDPR). The employee must give his/her consent to the transfer of his/her data.

France

Implementation of an incentive plan generally involves the collection and processing of some personal data of the beneficiaries. As such, this requires compliance with the European General Data Protection Regulation (GDPR) and declaration requirements with the French Data Protection Authority.

Spain

There are no specific requirements regarding incentive plans in either EU Regulation 2016/679 (GDPR) or the Spanish Fundamental Law on Data Protection 3/2018 (NLOPD). Compliance with the general requirements contained within the strict framework provided by GDPR and NLOPD is, nevertheless, mandatory.

Colombia

There is no specific or special data protection requirement applicable to incentive plans.

Portugal

As the implementation of incentive plans may imply the processing of some personal data of the beneficiaries, it is necessary to comply with the European General Data Protection Regulation (GDPR).

For instance, if the plan is based on the fulfilment of several goals and those goals are related to the employee, the analysis of their achievement shall imply the treatment of personal data. In this case, the treatment of such data may have to be notified to the Portuguese Data Protection Agency (“CNPD”). The necessity of this notification shall depend on the type of data treated, since the treatment of some personal data by employers is exempted from the notification.

As regards employees’ data, CNPD has issued general exemption decisions that cover the basic processing of employees’ data that is necessary in terms of staff management and also for payroll purposes. This exemption, however, does not seem to cover data processing for the purpose of management of a stock options plan. In consequence, notification of this data processing to CNPD might be advisable.

If the execution of the plan requires the transfer of personal data to another country (as may happen with plans involving multinational companies), the transfer has to be notified to CNPD. Between EU member countries the transfer is free. When the transfer of data is made to a non-EU country, CNPD’s authorisation is required, unless it is a country listed by the EU as guaranteeing an adequate level of protection.

Italy

Data processing related to incentive plans is governed by the GDPR and Italian data protection laws. In particular, the processing of the data of the involved employees is to be made in compliance with the principles of transparency, limitation of use for a specific purpose and for a determined and specified time period.

There may be further requirements regarding the transmission of employees’ data to third parties or third countries, outside the jurisdiction of GDPR, within the scope of the execution of an incentive plan. The consent to the transfer of each employee’s data is to be collected.

Turkey

There are no specific data protection requirements for the operation of an incentive plan. However, since incentive plans are also considered salary in a broad sense, the information regarding salary is also personal data of the employee and shall be subject to data protection under the relevant provisions.

Employers are under the obligation to process employees’ data lawfully and in good faith. Employers cannot disclose personal data about their employees which the employee has a valid interest in keeping confidential, and employers may use an employee’s personal data as long as it is related to the employee’s aptitude for the work or to the extent that it is necessary for the execution of the service/employment contract.

Updated: May 30, 2019