Project Description

Data protection for international assignments and business travel

What companies should know

Datenschutz bei Auslandsendung

The accumulation of cyber incidents is leading to a tightening and internationalization of data protection law worldwide, which above all puts companies under the obligation. This also has an impact on the global mobility practice of German companies.

The economic damage is increasing:

More and more economic damage worldwide is caused by so-called cyber incidents. In simple terms, these are attacks on a company’s digital infrastructure with the aim of disrupting it and, for example, obtaining business secrets and personal data.

Indeed, according to the latest Allianz Risk Barometer, cyber threats are currently ranked 3rd in the top ten global business risks in 2017. By comparison, just four years ago, this risk was only 15th. Business concerns are also growing because of this type of threat is still a “black box” and is not limited to a particular industry or company size – it can basically hit anyone.

Pay attention to the privacy

After professional hacker attacks, the main cause of a cyberattack in a company is a data or security breach (see chart). Therefore, the protection of data within companies and institutions is gaining rapidly in importance.

An important step in the direction of cyber security is the new EU data protection basic regulation (DS-GVO), which is to standardize the data protection right within the European union (EU) starting from 25 May 2018, but also to tighten.

Essentially, the new regulation ensures that the place of data processing no longer plays a role.

Usachen für Cybervorfälle in Unternehmen

The European data protection law applies

Whoever directs his offer or service to EU citizens must submit to European data protection law – this also applies, for example, to Facebook and Google. Infringements of data by employees or other parties, regardless of their whereabouts, must be reported to the relevant regulatory authority within 72 hours.

International companies and organizations then report incidents only to the “lead regulatory authority” responsible for their headquarters.

Significant increase in financial sanctions

The Commission has also drastically increased fines for data breaches. For example, fines may amount to up to € 20 million, or four percent of the total global annual turnover. For corporations, this can potentially be billions. Europe is not alone in this because governments are tightening their data protection regulations worldwide.

Particularly strict laws already exist in the USA, the Middle East, Australia and Singapore. In the United States, the highest penalty ever paid for breach of privacy to a customer was a whopping $ 100 million. In the Arab countries, even with minor violations, there is a rapid threat

What does this mean for companies that send employees abroad? In their own interest and to protect against loss of money and reputation, Global Mobility officers should provide comprehensive information to expats and business travelers about security measures and security risks, and especially about appropriate measures. Ideally, travel managers and HR professionals should integrate the privacy issue into the posting and business travel policy.

Hundreds of thousands of laptops disappear on airports

Already the “human factor” causes problems, because at the eight largest airports in Europe alone, 175,000 laptops with valuable data disappear every year (see chart). More than the loss of hardware weighs the often sensitive data. Not included in the statistics are lost USB sticks, company phones or tablets.

It therefore makes sense to protect the now networked devices not only by appropriate programs, but as possible to cut off connections to other in-house PCs and technical equipment before a trip. It is also advisable to carry and store only the most necessary data relevant for the posting or business trip

But beware of encrypted devices and data: Many countries, and not just autocratic regimes, often require passwords. In France and the UK, for example, the authorities are even allowed to do so by law. Anyone who refuses to give the password during a check at the airport may be taken into custody. At all countries are listed, which can claim this right for themselves.


Beware of apps and Co.

Another huge uncertainty factor is smartphone apps on employees’ mobile devices. Many of these allow direct access to sensitive company data, for example on the mobile phone.

According to the business travel association VDR, 65 percent of the companies have not given their employees appropriate guidelines for their use. This is extremely negligent and data security breaches are likely to hold companies accountable. Another underestimated risk are the executives on
To travel.

It is not uncommon for them to make loud calls, for example in the business lounge at the airport, or to have a clear view of the company on their laptop or tablet, thus literally serving secret data to spies on a silver platter. Here it is important not only to clarify in advance, but also to determine possible sanctions.

Another, not less up-to-date data protection problem arises in particular with foreign assignments in crisis regions. More and more travel service providers are offering traveler tracking tools. With this software, the whereabouts of employees can be determined at the click of a button to organize help immediately in the event of an emergency. For example, if the expatriate goes for a life-threatening medication, his company could ensure that the service provider brings the remedy to the employee on site within a few hours. The question of where the employee currently resides, is part of the crisis management of companies. The basis of such tracking systems are the travel and booking data of the respective posted employees. For example, the so-called PNR data (Passenger Name Record) are imported into the tracking software via interfaces from the various booking systems during flight booking. If there is a crisis situation (for example, terrorist attacks, political unrest or natural disasters), the service provider checks within a few minutes, where the employee is at the appropriate moment and can evacuate him.

However, it is questionable to what extent this is compatible with the new data protection rules, because ultimately it is easy to create a comprehensive personality profile on the basis of this data, which the employee does not want it to fall into the wrong hands.

Tips for data protection when traveling abroad:

  • Take only the most necessary devices and relevant data carriers, always put them in the same place; Never leave media unattended

  • Keep backup and security software up to date

  • No public Wi-Fi networks use “hotspots” for example at airports (better UMTS sticks)

  • Do without travel apps

  • Use of privacy films on laptop or tablets

  • Glue cameras to laptops, tablets and smartphones

  • Encrypt data, but beware: In many countries (eg US, China, Arab states), customs requires data to be disclosed (entry ban and even imminent looting)

  • Hide secret data: for example, by stenography behind a picture (special programs)

  • Disable Networking with other data carriers and PCs in the enterprise

  • Secondary devices for frequent travelers: often cheaper than special security precautions and no networking / synchronization (eg VPN) with other devices available

Verlorene Gepäckstücke pro Jahr

Transparent health status of the employee

And yet another, largely unknown privacy problem affects especially employees of companies that are abroad:

While HR professionals may never be able to gain insight into the health records of their remaining employees in Germany, they may know, involuntarily, what illnesses and complaints they are experiencing among expats and foreign travelers.

The reason: According to paragraph 17 of the fifth Social Code (SGB V) receives the legally or voluntarily insured employees in the GKV – and its co-insured relatives – the costs incurred during the stay abroad, replaced by the employer. To these health costs, however, reimbursed he has to submit the invoice given by the medical service provider to the employer, who thus knows exactly which serious or unpleasant (one might think of communicable diseases) health problems plague the employee.

Legislators have not yet created a data protection solution – the gap remains.


In order to reduce the potential for conflict, it is advisable to take out a residual cost insurance, which carries out the reimbursement process directly with the funds, without allowing travel managers or HR experts to view the invoices of employees abroad.

A contribution with kind permission of the BDAE group

© kras99 –