Blindspots combined: US software stack GDPR collision; IT monitoring (works council consent required under Art. 27 WOR); works council instemmingsrecht; Autoriteit Persoonsgegevens processing ban power
The Chain
US IT deploys endpoint monitoring on Dutch employee laptops without works council consent --> Dutch employee files complaint with Autoriteit Persoonsgegevens --> AP investigates, discovers employee data flowing to US-hosted HRIS without SCCs --> Discovers Slack and email data stored on US servers without Transfer Impact Assessments --> AP orders processing ban on employee data --> Company cannot run payroll until GDPR remediation is complete
The Scenario
A Chicago-based cybersecurity company has a 55-person Dutch office. After a security incident at headquarters, the US CISO rolls out CrowdStrike endpoint monitoring across all company devices globally. This includes the Dutch employees' laptops. The deployment happens overnight, pushed silently through the MDM system. No announcement. No consultation. The CISO sees it as a routine security measure -- the same deployment is happening simultaneously in Austin, London, and Singapore.
In the Netherlands, this is not routine. It is a legal violation on two separate tracks.
Track 1: The works council. Article 27(1)(l) of the WOR requires the employer to obtain the works council's prior consent before introducing any system that can be used to monitor or observe employees. The key word is "can" -- the system does not need to be actively used for surveillance. CrowdStrike endpoint detection records process execution, network connections, file access patterns, and user behavior analytics. It can monitor employees. That is enough to trigger the instemmingsrecht.
Article 27(1)(k) adds a second layer: any arrangement regarding the processing and protection of employees' personal data requires works council consent. Endpoint monitoring generates personal data -- which employee accessed which files, from which location, at which time.
The works council was not consulted. The deployment is void under Dutch law. The works council could demand immediate removal of the software, and the employer has no legal basis to refuse.
But the works council does not find out first. An employee does.
Track 2: The GDPR complaint. A Dutch developer notices the new CrowdStrike agent running on her laptop. She did not consent to monitoring. She files a complaint with the Autoriteit Persoonsgegevens -- the Dutch data protection authority. The AP has real teeth. In 2024, it fined Uber EUR 290 million for transferring European driver data to the US without adequate safeguards. Clearview AI received EUR 30.5 million.
The AP opens an investigation. The endpoint monitoring is the entry point, but the investigation does not stop there. AP investigators examine the company's entire data processing landscape for Dutch employee data. What they find is a cascade of GDPR failures that nobody in Chicago ever thought about.
Finding 1: The HRIS. The company uses BambooHR, hosted in the US. It contains Dutch employee names, addresses, salaries, BSN numbers, bank account details, and performance reviews. There are no Standard Contractual Clauses in place. The vendor's generic Data Processing Agreement references the old 2010 SCCs, which have been invalid since December 2022. There is no Transfer Impact Assessment. Employee data -- including BSN numbers, which Dutch law treats as highly sensitive -- is flowing to US servers without any valid legal mechanism under Chapter V of the GDPR.
Finding 2: Slack. All internal communication runs through Slack, hosted on US servers. Slack messages contain employee personal data -- names, discussions about performance, health-related mentions ("I'm working from home, feeling unwell"), salary discussions in management channels. No SCCs specific to Slack. No TIA assessing US surveillance law risks to this data.
Finding 3: The endpoint monitoring itself. CrowdStrike collects behavioral data on Dutch employees and transmits it to US-based infrastructure. No GDPR legal basis has been established for this processing. No Data Protection Impact Assessment has been conducted, despite Article 35 GDPR requiring one for systematic monitoring of employees. No works council consent.
The AP issues a verwerkingsverbod -- a processing ban. The company is ordered to cease processing Dutch employee personal data through BambooHR, Slack, and CrowdStrike until GDPR-compliant transfer mechanisms are in place.
While the AP would likely scope any processing ban narrowly to the non-compliant US data transfers rather than shutting down all employee data processing, even a partial ban creates operational chaos -- the company would need to immediately segregate Dutch employee data from US systems.
The operational impact is immediate and paralyzing. The company cannot access its HRIS. It cannot process payroll -- because the payroll data lives in BambooHR and the payroll provider needs employee data that is now under a processing ban. It cannot use Slack for internal communication with the Dutch team. The Dutch office is operationally severed from the rest of the company.
The remediation is not a quick fix. Implementing proper SCCs with each vendor requires legal review and execution -- 2 to 4 weeks per vendor at emergency pace. Conducting Transfer Impact Assessments for each data flow takes another 2 to 4 weeks. The endpoint monitoring requires works council consent, which means a formal instemmingsverzoek, consultation meetings, and a reasonable response period -- typically 4 to 8 weeks. The BambooHR system needs to be reconfigured to exclude BSN numbers from US-accessible data. If BambooHR cannot technically segregate Dutch data, the company may need to migrate to an EU-hosted HRIS entirely.
Total time from AP order to full remediation: 3 to 6 months. During that period, the Dutch office operates on emergency manual processes -- paper payroll, local email, no centralized HR system.
Total Damage
| Component | Cost |
|---|---|
| AP fine (Article 83 GDPR -- up to EUR 20M or 4% global turnover) | EUR 50,000-500,000+ |
| Emergency GDPR remediation (legal, technical) | EUR 75,000-150,000 |
| SCC implementation across all US vendors | EUR 15,000-30,000 |
| Transfer Impact Assessments (6-8 data flows) | EUR 20,000-40,000 |
| HRIS migration to EU-hosted solution (if required) | EUR 30,000-80,000 |
| Emergency manual payroll processing (3-6 months) | EUR 15,000-25,000 |
| Works council consultation process (legal support) | EUR 10,000-20,000 |
| Productivity loss (3-6 months of disruption) | EUR 100,000-200,000 |
| Total | EUR 315,000-1,045,000 |
How to Prevent This
- Never deploy monitoring software to Dutch employee devices without works council consent. Article 27(1)(k) and (l) of the WOR are absolute. It does not matter that the global CISO considers it a security necessity. In the Netherlands, the works council has a veto. Get consent first, deploy second. No exceptions.
- Audit every US-hosted tool that processes Dutch employee data before it goes live. For each tool: verify DPF certification or execute current SCCs, conduct a Transfer Impact Assessment, implement supplementary technical measures where needed, and document everything. Budget EUR 37,000 to EUR 113,000 and 6 to 12 months for the initial compliance program. That number looks large until you compare it to a processing ban that shuts down your Dutch operations.
- Keep BSN numbers out of US-accessible systems entirely. Dutch law treats BSN data as highly restricted. Store it in your Dutch payroll provider's system -- not in a US-hosted HRIS. This single measure eliminates your highest-risk data flow.
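As an added example (not code from this article or from any vendor it names), the pre-go-live audit above can be kept as a small data-flow register check in Python that encodes the article's rules: a valid Chapter V transfer mechanism, a TIA, BSN kept out of US-hosted systems, and works council consent plus a DPIA for anything monitoring-capable. The tool attributes and the sample register are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Transfer mechanisms the article treats as valid for EU-to-US employee data flows.
VALID_TRANSFER = {"DPF", "SCC-2021"}

@dataclass
class Tool:
    name: str
    hosted_in_eu: bool
    transfer_mechanism: Optional[str]      # "DPF", "SCC-2021", "SCC-2010" or None
    tia_done: bool                         # Transfer Impact Assessment completed
    can_monitor_employees: bool            # Art. 27(1)(l) WOR: "can", not "does"
    works_council_consent: bool
    dpia_done: bool                        # Art. 35 GDPR for systematic monitoring
    data_categories: Set[str] = field(default_factory=set)

def audit(tool: Tool) -> List[str]:
    """Return the gaps this tool would expose in an AP investigation."""
    gaps = []
    if not tool.hosted_in_eu:
        if tool.transfer_mechanism == "SCC-2010":
            gaps.append("relies on 2010 SCCs, invalid since December 2022")
        elif tool.transfer_mechanism not in VALID_TRANSFER:
            gaps.append("no Chapter V transfer mechanism (DPF or 2021 SCCs)")
        if not tool.tia_done:
            gaps.append("no Transfer Impact Assessment")
        if "BSN" in tool.data_categories:
            gaps.append("BSN stored US-side; keep it in the Dutch payroll system")
    if tool.can_monitor_employees:
        if not tool.works_council_consent:
            gaps.append("monitoring-capable without works council consent (Art. 27(1)(k)/(l) WOR)")
        if not tool.dpia_done:
            gaps.append("systematic employee monitoring without a DPIA (Art. 35 GDPR)")
    return gaps

def audit_register(tools: List[Tool]) -> Dict[str, List[str]]:
    return {t.name: audit(t) for t in tools}

def ban_scope(tools: List[Tool]) -> List[str]:
    """Tools a narrowly scoped verwerkingsverbod would cover: any with open gaps."""
    return sorted(t.name for t in tools if audit(t))

# Constructed sample register mirroring the scenario; values are illustrative.
SAMPLE_REGISTER = [
    Tool("CrowdStrike", False, None, False, True, False, False, {"behavioral"}),
    Tool("BambooHR", False, "SCC-2010", False, False, False, False, {"BSN", "salary"}),
    Tool("Slack", False, None, False, False, False, False, {"messages"}),
    Tool("Dutch payroll provider", True, None, False, False, False, False, {"BSN"}),
]
```

Running `audit_register(SAMPLE_REGISTER)` lists the gaps per tool, and `ban_scope` returns the three US-hosted tools the scenario's processing ban covers while the EU-hosted payroll provider passes clean.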