New Ways of Working

Explore and keep track of key legal and compliance considerations for multinational employers as new ways of working become increasingly embedded as the pandemic begins to recede. Learn more about the response taken in specific countries or build your own report to compare approaches taken around the world.

Choose countries

 

Choose questions

Choose the questions you would like answering, or choose all for the full picture.

01. Has the government introduced any laws and/or issued guidelines around remote-working arrangements? If so, what categories of worker do the laws and/or guidelines apply to – do they extend to “gig” workers and other independent contractors?

01. Has the government introduced any laws and/or issued guidelines around remote-working arrangements? If so, what categories of worker do the laws and/or guidelines apply to – do they extend to “gig” workers and other independent contractors?

Flag / Icon

Argentina

  • at MBB Balado Bevilacqua
  • at MBB Balado Bevilacqua
  • at MBB Balado Bevilacqua

Yes, the government has introduced the home-office framework through Law No. 27,555 (the Law or home office framework regime), on 14 August 2020. The Law came into force on 1 April 2021.

The main objective of this Law is to determine the legal framework applicable to remote working. In this sense, specific regulations related to each activity will be determined by the particular Collective Bargaining Agreement (CBA) governing each industrial and commercial activity.

The home office framework will not be applicable when the labour relationship is performed:

  • as a result of national temporary regulations issued to prevent the spread of the covid-19 virus and specific measures taken by employers to avoid the spread of such virus and guarantee a safe work environment;
  • in the premises, dependencies or branches of clients to whom the employer provides regular services; and
  • in the employer's home, either at their request or due to some exceptional circumstance.

To make an effective home office framework, employers and employees must sign a written contract. In addition, the home office legal framework may apply to all categories of employees and “gig” employees, but not independent contractors.

Last updated on 21/09/2021

Flag / Icon

Australia

  • at People + Culture Strategies

The government has not introduced any specific laws to regulate remote-working arrangements and these arrangements are subject to the same laws that govern ordinary employment relationships and other types of working relationships (including independent contractor/principal relationships). These obligations do not cease merely because work is performed remotely in an environment that is not directly controlled by the employer.

Safe Work Australia, which is responsible for developing national policy relating to work health and safety, has published detailed guidelines for remote-working arrangements. These set out in detail what an employer’s duty of care for the health and safety of their workers means in the context of remote-working arrangements, including providing practical advice and guidance as to how employers can identify risks to the mental health of workers at home through to how employers can ensure workers are taking rest and meal break entitlements.

Last updated on 21/09/2021

Flag / Icon

Austria

  • at Littler
  • at Littler
  • at Littler

First, it should be noted that in the Austrian legal system a distinction must be made between remote working and working in a home office. While remote working regularly includes any work without a fixed workplace (eg, also in cafés and public premises) the work in a home office is limited to an employee's place of residence or at least that of one's partner. Only working in a home office is substantially regulated by law, while remote working can still be agreed largely without formalities and is "only" subject to general labour law norms.

The most important government measure in this sector is the Home Office Act, which came into force on 1 April 2021 in response to the covid-19 crisis and the corresponding working conditions. The Home Office Act adapts various existing laws and tightens the legal framework for home office employment. The relevant provisions include a legal definition of a home office, its direct tax implications, and fundamental legal requirements for working in a home office, such as the requirement of a written agreement between employer and employee. Therefore, a home office can neither be imposed unilaterally nor is there a legal entitlement at a statutory level for any worker to work from home.

The relevant legal provisions on home offices cover all genuine employment relationships that are based on a private law contract. Those are essentially characterised by the personal and economic dependence of the worker. It can be deduced from this definition that independent contractors are not covered by those provisions. They are essentially free to determine working hours and places and only owe their contractual partner the production of a result. Therefore, they can regularly decide independently where they choose to work.

From an Austrian point of view, "gig workers" are also ordinary employment relationships under social security law, which is why the above also applies to them.

Last updated on 21/09/2021

Flag / Icon

Belgium

  • at Van Olmen & Wynant

For several periods during the pandemic, the government strongly recommended remote work or even made it mandatory, except for where remote work was not possible. The requirement to perform remote work was lifted on 27 June 2021. However, a fourth wave of infection in November 2021, caused the government to introduce a new obligation for workers to perform remote work at least four days a week. From 19 December 2021, this will decrease to three days a week. Employers have to register who in their workforce is capable or not capable of doing remote work through an online social security platform (used by the social inspection to enforce the obligation).

Belgium already recognised three legal systems for remote work or “teleworking”. There is the system for homeworking (the oldest form of teleworking without the use of technology); since 2005, the system for structural teleworking (for more permanent forms of remote work) based on the European Framework Agreement on teleworking of 2002; and since 2017, the system for occasional teleworking (eg, for situations of force majeure). When the government made remote work mandatory during the pandemic, it was unclear which system would apply to this “corona-teleworking”.

Aiming to bring an end to the discussions and to provide a general framework, the national social partners concluded Collective Bargaining Agreement (CBA) No. 149 regarding recommended or compulsory teleworking caused by the coronavirus crisis on 26 January 2021, which applies to the private sector. However, this CBA did not bring any clarity on the discussion regarding the applicable teleworking system during the pandemic, given that it only applies to organisations that had not yet implemented one of the existing teleworking systems. The other systems for teleworking, therefore, still apply to this situation in some organisations. Independent contractors and gig workers (as far as they can be considered self-employed) do not fall under the scope of this CBA. However, self-employed workers are also forbidden from workplaces if they can work remotely (except for one day a week).

Last updated on 01/12/2021

Flag / Icon

Brazil

  • at Pinheiro Neto
  • at Pinheiro Neto Advogados

Remote-working has been formally incorporated into the Brazilian Consolidated Labour Statutes (CLT) after the enactment of the Labour Overhaul (in November 2017) – until then, the law was silent on the rules on and impacts of such an arrangement, and it was up to employers to set their own policies. In a nutshell, the law sets forth that (i) the employment contract (or amendment thereof) should govern the acquisition, provision and maintenance of technological equipment and infrastructure, and payment of any allowance or reimbursement of expenses; and (ii) employers must give express guidelines on ergonomics for employees to observe at home – and employees must sign a term acknowledging that they are aware of such guidelines. Because Brazilian labour legislation is silent on so many points regarding remote working, the Labour Public Prosecutor has set certain additional guidelines to help companies during the pandemic, as many of them have shifted to a remote model (eg, reinforcing digital ethics and highlighting that employees should receive proper technical support). All such laws and guidelines apply to employees only, meaning that independent contractors or other non-employment models are excluded.

Last updated on 21/09/2021

Flag / Icon

France

  • at Proskauer Rose
  • at Proskauer Rose
  • at Proskauer Rose

The first French law on teleworking was adopted on 22 March 2012. It was subsequently modified by an ordinance dated 22 September 2017. Today, three articles of the labour code cover the implementation and the functioning of teleworking (articles L. 1222-9 to L. 1222-11). In addition, two national collective agreements were concluded between employers' representatives and trade unions in 2005[1] and 2020.[2]

The definitions of teleworking given by article L. 1222-9 and by the agreement of 19 July 2005 provide that the rules on teleworking only apply to employees with an employment contract. These rules do not apply to self-employed workers.


[1] National collective agreement on Teleworking – July 19, 2005

[2] National collective agreement for a successful implementation of teleworking – November 26, 2020

Last updated on 21/09/2021

Flag / Icon

Germany

  • at CMS Hasche Sigle

There has been no change to the legal basis for mobile working in Germany as far as the employer-employee relationship is concerned. However, at the end of 2020, the Federal Ministry of Labour and Social Affairs (BMAS) proposed the draft Mobile Work Act. The intention was to give employees a right to request mobile working and discuss the issue so they can reach an agreement with their employer. For any employer that disregards its obligation to discuss an employee's request and fails to issue a refusal in due form and time, the draft law states that the employee's request for mobile work would become part of their contract for six months. However, the draft contains several ambiguities. After employers' associations and individual interest groups (eg, the German Lawyers' Association) expressed reservations, the draft law was not passed. It was not introduced into the legislative process and the German parliamentary elections in September 2021 have rendered it moot.

However, a temporary amendment to the Infection Protection Act entered into force on 24 November 2021. It will be applicable until 19 March 2022. It imposes an obligation on employers to offer remote working in place of office work or comparable activities unless any overriding operational reasons exist to the contrary. Employees must accept the offer provided there are no reasons to the contrary on their part. These may be, for example, a lack of space or technical conditions in the employee's home.

An amendment to the Works Constitution Act brought another change in June 2021, confirming the works council's comprehensive right of co-determination in the organisation of remote working. This very significant development means that a works council can stop measures through which mobile work will be introduced or changed through an interim injunction if it has not given its consent beforehand, or if the refusal has been replaced by an internal arbitration procedure within the company. Against this background, companies need to involve employee representatives in good time if new regulations for mobile work are to be introduced as part of the "new normal".

In principle, the provisions of German labour law only apply to employees. Employees are characterised by the fact that they are deployed within an operational organisation, performing work that is subject to instructions. However, there are two important points to note: platform workers may also be covered, as the German Federal Labour Court ruled in its judgment of 1 December 2020 (9 AZR 102/20); and wherever national law serves to implement EU law, an extension is necessary. Accordingly, managing directors and employees who are in an economically dependent working relationship with a principal (ie, they have a similar status to employees) can also be covered. This might also be relevant to mobile work if provisions to transpose Directive (EU) 2019/1158 on work-life balance for parents and carers into national law and repeal Council Directive 2010/18/EU are planned.

Last updated on 30/11/2021

Flag / Icon

Greece

  • at Kyriakides Georgopoulos Law Firm
  • at Kyriakides Georgopoulos Law Firm
  • at Kyriakides Georgopoulos Law Firm

Remote working in Greece may be agreed only with the employee’s written consent (ie, provided in the initial employment agreement or by the signing of an amendment to the employee’s employment agreement regarding the employee’s place of work). During the covid-19 pandemic, the law provided for the unilateral implementation of remote working by employers as an exceptional temporary measure to contain the spread of the virus. According to the relevant ministerial decisions issued at different times of the crisis, companies had to apply a remote working system for at least 50% or 60% (for companies engaged in the provisions of services) of employees whose work could be provided remotely (today the limit is 20%).

Please note that a new employment law was introduced in June 2021 in Greece (Law No 4808/2021), which also includes provisions regarding remote-working arrangements. Such law applies only to employees under a dependant employment relationship (ie, the law does not refer to gig workers or independent contractors).

Under the current legal framework, employers’ obligations continue even while their employees continue to work remotely. Such obligations include, among others, ensuring equal treatment of employees, providing equipment and covering the costs of damages that may occur, protecting employees’ health and safety, and monitoring of employees’ working hours and work behaviour daily.

Last updated on 21/09/2021

Flag / Icon

Hong Kong

  • at Lewis Silkin
  • at Lewis Silkin
  • at Lewis Silkin

The Hong Kong government has not implemented any specific laws or guidelines related to remote-working arrangements. However, the privacy commissioner for personal data has issued various guidelines concerning protecting personal data under work-from-home arrangements. It should be noted that these guidelines are not legally binding but rather recommendations from the privacy commissioner. They apply to organisations and employees, but there is no specific mention of the guidelines extending to gig workers or independent contractors.

The guidelines state that the same standard of security should be applied when employees are working from home as when they are working from the office. They list out various considerations for organisations, including:

  1. setting out clear policies on the handling of data during work-from-home arrangements;
  2. taking all reasonable steps to ensure the security of data, particularly when information and communications technology is used to facilitate this; and
  3. providing sufficient training and support to employees under work-from-home arrangements to ensure data security.
Last updated on 11/10/2021

Flag / Icon

India

  • at Nishith Desai
  • at Nishith Desai

The Indian government has not introduced any labour laws or guidelines around remote working.

However, India is in the process of codifying several of its national-level labour laws into four codes, and one of the labour codes in this regard is the Industrial Relations Code, 2020 (the provisions of which are yet to be made effective). The Industrial Relations Code, 2020 contains provisions relating to Standing Orders that mandate employers in certain establishments to adopt certain work rules for their employees. The draft model Standing Orders proposed by the federal government, as was published by the Ministry of Labour and Employment in December 2020[1] (but yet to be finalised and notified) contains a reference to “work-from-home” arrangements for employers in the services sector.

Additionally, the law on maternity benefits allows a female employee (who has returned from maternity, and whose nature of work is such that it may be performed remotely) to request permission from her employer to work remotely on mutually accepted terms and conditions.

Companies that are registered with the Department of Telecommunications (as Other Service Providers), Special Economic Zones and Software Technology Parks of India, are required to comply with certain conditions for their employees to work from home.


[1] https://labour.gov.in/sites/default/files/224080_compressed.pdf

Last updated on 18/11/2021

Flag / Icon
Ireland

Ireland

  • at Littler

The Irish government announced in March 2021, as part of its National Remote Work Strategy, that it plans to provide employees with the right to request remote working. This right is now likely to be introduced in mid 2022. In line with most Irish employment protections, it is anticipated that this right will be limited to employees only, and so will not extend to independent contractors or “gig” workers who are not employees.

This new right will likely limit when an employer can refuse a request to work remotely and may also give employees a right of action against their employer where such a request is unreasonably refused. Details of the grounds on which an employer may refuse a request for remote work have not yet been announced, nor have the potential consequences for refusing the request. However, it is expected that a similar approach will be taken to that in the UK, where the right to request flexible working – and the grounds on which such a request can be refused has been in place since 2003.

In the meantime, the government has introduced guidance for working remotely (see here) and a remote working checklist for employers (see here).

Last updated on 13/01/2022

Flag / Icon

Italy

  • at Toffoletto De Luca Tamajo

Italian employment law provides – within the framework of employment relationships – for two different ways of working outside the company premises: Teleworking (that is, “Telelavoro”) and Smart Working (that is, “Lavoro Agile”). Neither of them entails a new type of employment contract, but simply a different way of performing the work.

In particular, Teleworking is a way of regularly carrying out work outside the company premises but in a fixed workplace, which is normally at the employee’s home. In the private sector, it is regulated by: a) the European Framework Agreement on Telework dated 16 July 2002; b) the National Collective Bargaining Agreement dated 9 June 2004 for the transposition of the Framework Agreement (hereinafter “CBA 9 June 2004”) and c) the National collective bargaining agreements.

Instead, Smart Working is a way of carrying out work partly inside the company premises and partly outside, without any fixed location. It is regulated by articles 18 - 24 of the Law no. 81/2017.  Italian employment law defines Smart Working as an agreement between the parties without any constraint in terms of working hours or workplace, along with the possible use of technology to enable the work activity to be performed. Therefore, Smart Working, differently from Teleworking, is not constrained to any specific place and work can be performed both inside or outside company premises - with no fixed location.

During the Covid-19 pandemic the Italian Government chose Smart Working as the “main way of working” to fight the spread of the virus and, in some cases, recommended working remotely whenever possible. Considering, the ample diffusion of this way of working, any reference to remote working below shall be understood as Smart Working.

In particular, since March 2020 employers have been allowed to implement Smart Working unilaterally (i.e., without signing any agreement with the employee). Moreover, multiple provisions have been issued during this emergency period specifying the categories of workers that are entitled to work remotely (Smart Working) or have priority to access that way of working, should it be possible for the duties assigned to be performed remotely and depending on the company’s need. Indeed, those categories mainly refer to “vulnerable workers”, such as severely disabled workers and those in possession of specific certificates attesting a risk condition deriving from immunodepression, oncological pathologies or life-saving therapies and parents of disabled children.

Independent contractors or gig economy workers are not included in these specific provisions.

Finally, recently the Italian Government introduced a piece of legislation expressly providing for the right of remote workers to disconnect from IT tools and platforms, without prejudice to the agreements signed and “availability slots” agreed with the employer.

©Toffoletto De Luca Tamajo, ©Ius Laboris

Last updated on 21/09/2021

Flag / Icon

Mexico

  • at Marván, González Graf y González Larrazolo
  • at Marván, González Graf y González Larrazolo
  • at Marván, González Graf y González Larrazolo

Mexico passed a reform to the Federal Labor Law (FLL) concerning teleworking (remote working) in January 2021. According to the FLL, remote working applies under the following conditions: (i) employees’ services are not required in the employer's facilities; (ii) employees constantly provide their services outside of the employer's facilities; (iii) employees carry out more than 40% of their work outside of the office; and (iv) technology is used for the administration of the labour relationship and supervision of the performed services.

The Mexican legislation on remote working, however, does not exclude or limit the possibility of remote working for employees based on their position; this scheme may be negotiated by an employer with its employees through an agreement.

“Gig” workers and independent contractors are treated equally and not considered employees, so telework guidelines do not apply to their services. However, if the service provider files a lawsuit before the Labour Board claiming the existence of an employment relationship, the beneficiary of the services must prove that the service provider was not under his control, supervision, or exclusive dependence.

Last updated on 21/09/2021

Flag / Icon

Portugal

  • at Cuatrecasas
  • at Cuatrecasas

The Portuguese Labour Code established the legal regime for remote working, in particular teleworking, in 2003. This provides employers with a general framework for this kind of arrangement. During the covid-19 pandemic and its successive lockdowns, a vast array of legislation on telework was issued, given the specificity of the situation.

Back in March 2020, the teleworking regime could be unilaterally imposed by an employer or requested by employees, without the need for an agreement of the parties, provided that it was compatible with the employees’ functions. Independent contractors were excluded from the scope of this regime.

Due to the evolution of the pandemic, it was then determined that teleworking should be mandatory, regardless of the employment relationship (including contractors), whenever employees’ functions allowed it. In this context, measures were also adopted to promote the compulsory implementation of teleworking within the scope of civil servants, whenever this was compatible with the functions being performed.

With the reduction in the number of covid-19 cases, in the summer of 2020 teleworking was no longer mandatory and the legal regime foreseen in the Portuguese Labor Code was solely applicable.

However, the increase of covid-19 infections led to the adoption of new measures in October 2020, which determined the promotion of teleworking whenever the nature of the activity allowed it. Considering the number of outbreaks, it quickly evolved to a point when teleworking became mandatory in the regions with a higher risk of infection.

It was only in November 2020 that teleworking was established as mandatory for companies that were the final users or beneficiaries of services provided by independent contractors, service providers and temporary employees.

After Christmas 2020 and with the new lockdown, teleworking once again became mandatory across the country. Despite a government announcement in March 2021 that teleworking would be mandatory until the end of the year, due to the success of the national vaccination programme teleworking ceased to be mandatory from 1 August 2021.

It is expected that by the end of summer 2021 amendments to the Portuguese Labor Code regime on teleworking are finally approved, which will address several issues regarding remote working and teleworking in particular.

Last updated on 21/09/2021

Flag / Icon

Qatar

  • at Clyde & Co
  • at Clyde & Co

Pre-covid, there was an assumption that employees would work from their employer's premises and remote working was not particularly prevalent. Immigration approvals are employer-specific and location-specific, in that the grant of a work permit authorises the individual to work from the employee's premises. Legislation has not, therefore, typically addressed the issue of home working or remote working. 

Due to covid-19, the government initially mandated that companies implement working from home for 80% of its workforce and that the remaining 20% of the workforce only work between the hours of 7am and 1pm. These restrictions have since been gradually lifted with employers now able to operate in the office with 80% capacity.

The Qatar Ministry of Administrative Development, Labour and Social Affairs (MADLSA) issued guidelines in April 2020 regarding remote working. The guidelines stated that:

  • teleworking conditions of employment should remain unchanged, there should be no change to salaries and benefits as a consequence of working from home;
  • working hours should not go beyond the hours that were being applied in the workplace;
  • employers should provide, where possible, the necessary equipment and supplies to ensure their employees can carry out their duties and enhance performance, including electronic equipment;
  • devise strategies to support safety and health of employees working remotely and mental health;
  • employees should maintain the same productivity as in the workplace and be available during working hours as agreed with their employer, and not undertake personal activities during working hours;
  • working from home does not replace regular annual leave;
  • a good work-life balance must be maintained.
Last updated on 08/11/2021

Flag / Icon

Saudi Arabia

  • at Clyde & Co
  • at Clyde & Co

Pre-covid, remote working was rare and not specifically addressed by legislation. In 2020, as a result of home-working requirements introduced due to the pandemic, the Ministry of Human Resources and Social Development (MHRSD) issued a Temporary Guiding Manual on Remote Working in the Private Sector (Remote Working Manual).

The Remote Working Manual provides that employers should have a technical system that meets, as a minimum, the following specifications:

  • enabling the employer to manage the worker's productivity remotely and supervise the tasks assigned thereto; and
  • granting the remote worker the powers enabling them to perform their work duties.

It also provides that “the Employer shall determine the management of the remote working method for its employees in terms of determining the working hours, whether they have specific times, or are flexible during the day, week, or month, provided that it shall determine mechanisms for monitoring its work and managing the worker's productivity”.

In relation to employees, it states that those working remotely should:

  • attend the workplace whenever necessary;
  • use, in the performance of their work, the devices designated for them by the employer, or the personal devices to which the workplace's cyber security controls apply;
  • keep the work information and documents in the technical tools of the employer;
  • abide by the policies and procedures related to cyber security and telecommunications stipulated by the employer;
  • preserve the tools and devices which are in their custody, take care thereof and request the necessary maintenance from the workplace whenever necessary; and
  • Return the tools and equipment provided thereto by the employer to carry out their work whenever requested.

Kingdom of Saudi Arabia (KSA) Ministerial Resolution No. 792 dated 22.02.1436 AH on Regulating Remote Work (MR 792) is also relevant as it provides eligible Saudi nationals with the right to apply for remote working. Although MR 792 only applies to Saudi nationals, it provides useful guidance as to what the authorities may deem appropriate in a remote-working arrangement.

MR 792 states that the contractual relationship of the remote worker should be regulated by a written employment contract expressly indicating that the employment with the employer is based on remote working and the contract shall determine the place(s) where the job tasks can be performed, the employee's tasks and job description, the number of working hours, the normal working hours, the wage and all other rights and benefits, in addition to any other rights provided for in the KSA Labour Law, Ministerial Resolutions and approved bylaws of the establishment.

MR 792 states that the employer shall:

  • provide the employee with all of the necessary tools and equipment to perform the work;
  • pay the cost of equipment maintenance to ensure the continuous functionality of the same;
  • pay the bills of telecommunications and IT provided to the employee to perform the tasks delegated to them; and
  • observe the general safety means – which should be available at the remote-working place –to maintain the safety of the employee.

MR 792 states that the employee shall:

  • maintain and take care of the tools and equipment – that are in their possession – and request the necessary maintenance of the same from the employer and the employee shall provide ordinary care and diligence;
  • return the tools and equipment provided to the employee by the employer – to carry out their work – whenever requested to do so, unless the parties agreed otherwise; and
  • not use the tools and equipment – in their possession – for any purpose other than required for the work, or in any illegal works.

It is worth noting that although MR 792 provides useful guidance for how to implement remote working for non-Saudi nationals (ie, its provisions are not mandatory to non-Saudi nationals) regarding Saudi nationals, any company that violates its provisions shall be subject to the following penalties:

  • a monetary fine of not less than 2,000 Saudi riyals and not more than 5,000 riyals pursuant to article 239 of the KSA Labour Law; and
  • all or some of the penalties stated under article 6 of Cabinet Resolution No. 50 dated 21.04.1415AH concerning Saudisation according to the procedures stated thereunder.

The above legislative provisions apply to employees and employers within the private sector operating within a traditional form of employer-employee employment relationships, and therefore do not apply to independent contractors.  

Last updated on 29/11/2021

Flag / Icon

Spain

  • at Cuatrecasas
  • at Cuatrecasas

Yes. The Spanish government has passed new laws on remote working. First, on 22 September 2020, it approved Royal Law-Decree 28/2020 on remote working, followed by the Spanish parliament passing Law 10/2021 on remote working, superseding it but keeping most of its provisions.

This law applies to any kind of labour relationship in which at least 30% of a worker’s working hours are at their home or wherever they decide. Therefore, there is no specific regulation on “gig” workers or independent contractors.

Additionally, the Spanish government passed a specific regulation in article 5 of Royal Law-Decree 8/2020, through which companies should encourage and prioritise remote work among their staff because of the covid-19 pandemic, as long as this is feasible for their business.

Last updated on 21/09/2021

Flag / Icon

Sweden

  • at DLA Piper
  • at DLA Piper
  • at DLA Piper

The Swedish government has not introduced any statutory laws regarding remote working, only recommendations. The Public Health Agency of Sweden’s previous recommendation to employers to allow employees to work from home ceased to apply on 30 September. Under the currently applicable recommendation, the Public Health Agency recommends that employers facilitate for employee's to work from home in case an employee has symptoms of covid-19.

Last updated on 06/12/2021

Flag / Icon

Switzerland

  • at Lenz & Staehelin

Swiss labour law, in particular the Swiss Code of Obligations, does not contain any specific rules regarding remote working. Remote working is governed by the general rules of labour law and, in particular, by the will of the parties to the employment contract (ie, employers and employees).

However, the Federal Act on the Statutory Principles for Federal Council Ordinances on combating the Covid-19 Epidemic (covid-19 Act) provided the Federal Council with a legal basis to implement remote working, should the need arise. The Federal Council made use of this provision and made remote working mandatory from 18 January 2021 to 26 June 2021 and again from 20 December 2021 onwards. In theory, mandatory remote working is set to end on 24 January 2022, but this measure could be extended if the Federal Council deems it necessary.

The remote-working obligation concerns all workers, provided that remote working was possible and did not lead to exorbitant costs. Employers are responsible for making sure that appropriate organisational and technical measures were in place.

Additionally, even between 26 June 2021 and 20 December 2021, when remote working was no longer obligatory, but rather merely recommended, an exception existed for employees at risk, including pregnant individuals and persons who cannot be vaccinated for medical reasons.

It also should be noted that on 10 June 2021, a motion was introduced in Parliament that would enact provisions covering remote working (eg, definitions, scope and issues related to health and safety and work and rest periods); this motion has been sent to committee for an initial review.

In conclusion, except for the Federal Council's decree requiring remote working between January and June 2021 and from 20 December 2021 onwards, no specific legal provisions govern remote working in Switzerland. 

Last updated on 20/01/2022

Flag / Icon

Turkey

  • at Gün + Partners
  • at Gün + Partners
  • at Gün + Partners

Article 14 of the Turkish Labour Act (TLA) defines remote working as a contractual employment relationship in which employees carry out their duties from home or other locations outside the workplace, sometimes through digital platforms. Based on the TLA, the Ministry of Labour and Social Security recently prepared a Regulation on Remote Working (Regulation), which came into force on 10 March 2021.

The Regulation covers all employees who work remotely under article 14 of the TLA. In this regard, the said rules shall apply to all categories of employees defined under the TLA, including but not limited to fixed-term workers, temporary workers, part-time workers and full-time workers. On the other hand, independent contractors would not qualify as workers under the TLA, as they would not be working in a way that is dependent on a specific employer.

In addition, the Ministry of Labour and Social Security has published the ”Guideline on Remote Working During covid-19” (the Guideline), to increase awareness and share with all employers and employees any information and advice about potential scenarios, problems and economic risks, especially under occupational health and safety. Since all information included in the Guideline qualifies as a recommendation, it may apply to anyone working remotely, even after covid-19.

Last updated on 21/09/2021

Flag / Icon

UAE

  • at Clyde & Co
  • at Clyde & Co

Pre-covid, there was an assumption that employees would work from their employer's premises and remote working was not particularly prevalent. Immigration approvals are employer-specific and also location-specific, in that the grant of a work permit and residency visa authorises the individual to work from the employer's premises. Legislation has not therefore typically addressed the issue of home working.

Several resolutions were, however, issued by the authorities during 2020 as a result of covid-19 that provide for remote working in light of reduced capacity in the workplace due to covid-19 restrictions (eg, physical distancing).

Ministerial Resolution No. 281/2020 enforced remote working for all employees whose job did not require their physical presence at the office to combat covid-19, and provided some guidelines for remote working in the private sector.  

The guidelines provide that employers should:

  • provide the technical equipment necessary to carry out remote working through the use of smart and electronic systems;
  • determine mechanisms, standards of efficiency and productivity, and time frames for all tasks assigned to the worker;
  • determine the mechanisms for the management of remote working, such as determining working hours, whether set at a specific time or a flexible time during the day, week, or month;
  • ensure the availability of a safe technological environment to carry out remote working, taking into account the controls related to maintaining the privacy and confidentiality of data and codifying the powers to access systems;
  • follow up with remote workers electronically to ensure their commitment to working hours remotely and the completion of the tasks assigned to them; and
  • facilitate remote workers' communication with their colleagues in management and leadership, as required to perform tasks and access the necessary information and systems to perform the work, and provide video chat applications.

It further provides that employees should do the following:

  • obtain their employer's approval for remote working;
  • report to the workplace when requested to do so;
  • perform the tasks according to the specified timeframes;
  • be available to answer all calls, e-mails and any available means of communication to ensure continuous communication according to the requirements of work;
  • maintain the confidentiality of information, documents and papers, and utilise the remote working hours to complete the required tasks;
  • provide supporting evidence required by the employer regarding his accomplishments and productivity;
  • preserve remote-working devices provided by the employer and return them whenever so required; and
  • read and comply with the Privacy Policy for remote workers.

The guidelines only applied to employees and employers within the private sector who fall under the jurisdiction of the Ministry of Human Resources and Emiratisation and only applies to traditional forms of employer-employee relationships, and therefore do not apply to independent contractors.    

Last updated on 08/11/2021

Flag / Icon

United Kingdom

  • at Littler

The UK has, for some years now, had in place a formal system by which certain employees can request their employers to implement flexible-working arrangements: see UK government guidance here.

A request can only be made by an employee with 26 weeks’ continuous service (which, in general, means an unbroken period of service with the employer or a related entity), and can only be made once a year. The right does not extend to non-employee workers.

There is a statutory format for making a formal request. This mechanism has not changed or been updated in response to the pandemic but continues to apply as it did previously. The rules differ slightly in Northern Ireland from the rest of the UK.

In addition to the formal, statutory flexible-work request process, many employers have been implementing more informal flexible work policies and arrangements. There is no bar on employers doing so outside the formal statutory mechanism, but any informal arrangements do not remove an employee’s separate right under the legislation to make a formal request. 

Employers must not unlawfully discriminate against their employees and workers when handling remote-working requests (whether they are formal or informal requests) or when making remote-working arrangements: see UK government guidance here and here (for the grounds upon which discrimination is unlawful). There is also a duty to make reasonable adjustments for disabled workers: see here.  Where remote-working requests or arrangements are not handled reasonably and consistently, this could also ultimately trigger an “ordinary” unfair dismissal claim.

In response to the increased interest in homeworking during the pandemic, some UK government agencies and quasi-government agencies have issued guidance relevant to their particular fields of interest.

From 13 December 2021, office workers in England able to work from home should do so, unless necessary to attend the workplace physically. Different government guidance applies to different sectors: see here. Different guidelines apply in England, Scotland, Wales, and Northern Ireland.

The Advisory, Conciliation and Arbitration Service (ACAS), a quasi-governmental service that issues guidance relating to workplace matters, has published some recommendations for successfully implementing homeworking: see here. This guidance is not legally binding but is often relied upon by employers, unions, employees and other stakeholders.

ACAS has also published guidance on dealing with Covid-19 in the workplace: see here.

In the UK, businesses have a common law obligation to take reasonable steps to protect the health and safety of employees and other types of workers, including those based at home. Under the UK’s health & safety legislation, the Health and Safety at Work etc. Act 1974, employers also have specific legislative duties concerning employees (including home-based employees).

Under the UK’s health and safety legislation, the relevant watchdog – the Health & Safety Executive (HSE) – has also issued some guidance on how to safely implement homeworking arrangements: see here. Specific HSE guidance on keeping workplaces safe during the pandemic in light of current restrictions can be found here.

There are separate regulations that deal specifically with employees who are computer users (and which regulate the usage of computers, screens, and relevant furniture such as desks/chairs), and these again also apply to home-based workers. More guidance can be found from the HSE here.

Last updated on 13/01/2022

Flag / Icon

United States

  • at Littler
  • at Littler
  • at Littler

Yes, many states have passed laws that recognise remote-working arrangements. This includes laws concerning employee reimbursement of costs relating to remote work, workers’ compensation, tax, timekeeping and meal breaks, data privacy, and providing accommodation.  Because companies may be legally considered to be employers or “co-employers” of consultants and contractors, these rules may also apply to non-employees.

Up-to-date information on the USA’s response to the pandemic, including State-level news and developments, can be found at Littler’s covid hub here.

Last updated on 21/09/2021

02. Outline the key data protection risks associated with remote working in your jurisdiction.

02. Outline the key data protection risks associated with remote working in your jurisdiction.

Flag / Icon

Argentina

  • at MBB Balado Bevilacqua
  • at MBB Balado Bevilacqua
  • at MBB Balado Bevilacqua

There is no specific statutory regulation on this matter related to employees under the home office framework. However, it is advisable to create a clear general policy on data protection or include in employment agreements provisions regarding data protection in order to clarify to employees the extent of their obligation. We recommend executing those documents in Spanish, due to the protective nature of local labour law; if there is a conflict with employees, a labour court is likely to dismiss all documents in a foreign language.

As a result, the Personal Data Protection Law (PDPL), Law No. 25,326, establishes the full protection of personal information recorded in personal files, registers, banks or other technical means of data storage and processing. Therefore, employers must comply with the PDPL and take steps to ensure that this law applies throughout their organisation.

The main aspects of the PDPL are:

  1. The purpose of collecting employee data must be communicated to employees and written consent needs to be obtained.
  2. However, consent is not required if the data has been obtained from a public source; collected for the performance of the state’s duties; consists of lists limited to name, ID number, tax or social security identification, occupation, date of birth, domicile and telephone number; or arises from a contractual relationship, either scientific or professional, of the data owner, and are necessary for its development or fulfilment.
  3. In addition, this Law establishes the employee’s right to access and modify any incorrect or false information. Furthermore, the collection of information related to an employee’s private life is permissible as long as the information collected complies with the following requirements: it is not used for discriminatory purposes; it does not violate the individual’s right to privacy; and it is reasonably used.
  4. When an employer requests personal data from an employee, they must be notified in advance and in an express and clear manner about: the purpose for which the data needs to be processed, and who can use such data; the existence of the relevant data file or register, whether electronic or otherwise, and the identity and domicile of the responsible person; the compulsory or discretionary character of the information requested; the consequences of providing the data, of refusing to provide such data or if it is inaccurate; and the data owner’s rights to data access, rectification and suppression.
  5. Indeed, the processing of personal data requires express consent from the data owner, which must be accompanied by appropriate information, prominently and expressly explaining the nature of consent sought. This can be achieved by the employee signing a general consent form on entering employment. However, consent may be withdrawn by an employee.
  6. Various restrictions apply to the disclosure of personal data to third parties. This is generally only allowed if it is in the legitimate interests of the database owner (eg, the employer) and the data owner (eg, the employee) has consented. This consent can be revoked at any time by the data owner.
  7. The transfer of personal data to another country – which does not guarantee a proper level of data protection – is forbidden. Nevertheless, such prohibition is not applied when the individuals, whose personal information is intended to be transferred, give their express written consent.

All data regarding employees’ health is sensitive information, so the employer must get the express authorisation of the employee for any transfer of such date, and employers should stop or restrict the transfer to other companies or its employees that lack sufficient clearance to deal with health information, including covid-19 information.

Last updated on 21/09/2021

Flag / Icon

Australia

  • at People + Culture Strategies

In the context of an employer-controlled workplace, it is generally much easier to control and mitigate risks to an organisation’s confidential and sensitive information. There are physical protections intrinsic to the workplace (including by generally being off-limits to non-staff) and cyber-networks often have institutional protections in place, such as virtual private networks, firewalls, anti-virus software and secure IP addresses.

Other data protections that normally exist in an employer-controlled workplace include:

  • the use of private meeting rooms to conduct meetings and discussions involving sensitive and confidential information;
  • the secure storage of private, confidential and sensitive information (both hardcopy and in electronic form) on employer-controlled premises;
  • restrictions on the use of personal electronic devices in the workplace; and
  • the content of phone calls or video calls, and even information simply displayed in the workplace (including on computer screens), being kept private under the confines of the physical workplace.

However, the risks to data protection can be much harder to mitigate in the remote-working environment. These risks are heightened for several reasons, including that an employer has much less “visibility” over how employees deal with the employer’s (and any client’s) information in the home environment and much less when it comes to others who may be sharing that space. In this context, one obvious risk is the inadvertent and even deliberate sharing of sensitive information with one’s housemates, family members or guests.

Last updated on 21/09/2021

Flag / Icon

Austria

  • at Littler
  • at Littler
  • at Littler

The potential data protection risks associated with remote working are largely equivalent to those associated with working in a regular workplace, but are arguably even more prevalent.

A significant potential risk factor is the transfer of personal data if it is no longer securely stored on a company's servers. In addition, employers thereby transfer responsibility for the safekeeping and use of sensitive data to the worker. In doing so, employers have a significantly reduced ability to exert any influence. Nevertheless, companies are still generally regarded as being responsible for data protection within the meaning of the General Data Protection Regulation (GDPR), which creates a certain amount of friction.

It is also questionable whether a so-called privacy impact assessment must be carried out when working in a home office.

In principle, such an assessment must be conducted if data processing – especially when using new technologies – is likely to result in a high risk to the rights and freedoms of natural persons due to the nature, scope, circumstances, and purposes of the processing.

At present, it cannot be assumed that the threshold for the use of new technologies has already been exceeded in the context of remote working. In individual cases, however, it could amount to an "organisational solution" within the meaning of the GDPR, which also triggers the obligation of a privacy impact assessment by the data controller.

Insecure data connections that might not be constantly checked and maintained should also be considered. Another potential risk arises from it being easier for third parties to obtain access to sensitive data, whether it be persons in the same household or others at public places of work.

From a legal perspective, compliance with data security can also be adequately ensured for remote work, considering the GDPR and the corresponding national legal basis (Austrian Data Protection Act).

In home-office agreements, however, it is advisable to make further reference to data protection aspects. Here, companies should refer to the secure and data protection-compliant transport of sensitive hardware. Additionally, companies should take technical and organisational measures to ensure data security (eg, use of VPN, two-factor authentication with mobile phones, encryption of USB sticks, provision of a LAN network, requirements for secure storage of access data).

Last updated on 21/09/2021

Flag / Icon

Belgium

  • at Van Olmen & Wynant

Employees who process data at home could create a data leak when they lose the data or improperly dispose of it after it is no longer useful for the company. It is also more difficult to protect digital data in a non-professional setting and a private network might be more vulnerable to breaches.

Article 9.3 of CBA No. 149 states that company data used and processed by teleworkers for professional purposes must be protected. Employers should inform teleworkers of the company's rules on data protection and, in particular, the restrictions and penalties for the misuse of IT equipment and tools. Considering this, it is strongly recommended for companies to draft and implement an IT policy.

Also, employees’ personal data could be at risk since teleworking often means a direct insight into the personal life of the employee, using remote-monitoring devices. Such devices or software could register data that is not purely linked to their work and might possibly breach several GDPR principles, such as data minimisation.

Last updated on 21/09/2021

Flag / Icon

Brazil

  • at Pinheiro Neto
  • at Pinheiro Neto Advogados

In a remote-working environment, employees are more likely to use their personal devices and Wi-Fi and might share their workspace with family members or roommates. In addition, employees are more prone to mix personal and work-related data. These may lead not only to potential issues involving one’s privacy but also cyber threats and data leakage. Therefore, employers are strongly advised to implement strict policies on remote working, use of personal devices and data storage, as well as to provide the appropriate training.  

Last updated on 21/09/2021

Flag / Icon

France

  • at Proskauer Rose
  • at Proskauer Rose
  • at Proskauer Rose

Employers must ensure the protection of their company’s data but also of employees’ data.

According to article L. 1222-10 of the French labour code, the employer must inform the teleworking employee of the company's rules regarding data protection and any restrictions on the use of computer equipment or tools. Once informed, the employee must respect these rules.

The collective national agreement of 26 November 2020, provides more details in article 3.1.4. It is the employer's responsibility to take necessary measures to protect the personal data of a teleworking employee and the data of anyone else the employee processes during their activity, in compliance with the GDPR of 27 April 2016 and the rulings of the National Commission for Technology and Civil Liberties (the CNIL).

The CNIL said in its 12 November 2020 Q&A on teleworking that employers are responsible for the security of their company's personal data, including when they are stored on terminals over which they do not have physical or legal control (eg, employee's personal computer) but whose use they have authorised to access the company's IT resources.

The National Agreement of 26 November 2020 recommends three practices:

  • the establishment of minimum instructions to be respected in teleworking, and the communication of this document to all employees;
  • providing employees with a list of communication and collaborative work tools appropriate for teleworking, which guarantee the confidentiality of discussions and shared data; and
  • the possibility of setting up protocols that guarantee confidentiality and authentication of the recipient server for all communications.
Last updated on 21/09/2021

Flag / Icon

Germany

  • at CMS Hasche Sigle

As in other countries in Europe, the provisions of the EU General Data Protection Regulation (GDPR) and its German implementation in the shape of the German Federal Data Protection Act (BDSG) must be observed. Against this background, special measures must be taken to protect personal data in connection with remote work. This especially concerns third-party access to systems when computers and other portable devices are used in the home or on the go. To this end, employers often issue guidelines of standards with which employees must comply.

Also, remote working poses many data protection risks in terms of IT security and confidentiality. For example, cybercrime exploits the vulnerabilities inherent to remote working to infiltrate IT systems and steal confidential data, for instance through phishing attacks. At the same time, the confidentiality of a phone call, for example, is harder to protect while working in a co-working space, on a train or at home than in a typical workspace. Therefore, remote working may require different security measures and employers should inform their employees accordingly. In this regard, the European Union Agency for Cybersecurity last year published cybersecurity tips for remote working, both for employees (connecting to the internet via secure wi-fi networks, fully updating antivirus software and using a secure connection) and for employers (providing initial and regular feedback to employees on how to react if problems arise and restricting access to sensitive systems, etc.).

Last updated on 21/09/2021

Flag / Icon

Greece

  • at Kyriakides Georgopoulos Law Firm
  • at Kyriakides Georgopoulos Law Firm
  • at Kyriakides Georgopoulos Law Firm

Although necessitated by the circumstances, the transition of employees from corporate networks to largely unmonitored and vulnerable private networks outside the reach of perimeter-based security tools finds most employers unprepared and, thus, exposed to greater cyber threats and personal data breaches compared to on-site work. Employers are urged to take into consideration the increased risks a remote-working environment poses to their data, systems and networks and to invest heavily in IT security, while employees are encouraged to carefully follow all IT security guidelines, stay alert to security incidents and be vigilant with phishing attacks. Within this framework, the Hellenic Data Protection Authority (HDPA) issued “Guidelines for implementing safety measures in the context of teleworking” on 15 April 2020, including appropriate safety measures concerning network access, the use of e-mail or messaging applications, the use of terminal or storage media and how teleconferencing takes place to mitigate data protection risks associated with remote working.

On the other hand, many of these measures may result in more extensive collection and processing (recording, use, disclosure, etc) of employees’ personal data, including monitoring procedures. The key issue for most employers amid these circumstances is to find the right balance between protecting their IT systems and data, on the one hand, and safeguarding the data protection and privacy rights of their employees while working from home on the other.

Last updated on 21/09/2021

Flag / Icon

Hong Kong

  • at Lewis Silkin
  • at Lewis Silkin
  • at Lewis Silkin

As a result of the covid-19 pandemic, many companies in Hong Kong encouraged their staff to work remotely. This meant taking documents home from the office and using video conferencing, cloud computing and intranet platforms, where those software solutions were available, and also using personal devices to work more. As a result, confidentiality and security of data became more at risk.

Due to space constraints in Hong Kong, it is not practicable to expect employees to work or conduct confidential discussions in an isolated area away from others. Often employees are sharing workspace with family members and may also share a laptop or PC with them. If working from home is not an option for an employee, he or she may be working from cafes or public spaces. As a result, non-employees may overhear confidential discussions or see confidential documents. If these conversations and documents contain personal data (of employees, customers, clients, suppliers or other third parties), then the potential leakage of this data may constitute a breach of the Personal Data (Privacy) Ordinance (PDPO). There may also be contractual confidentiality breaches.

A typical home network is unlikely to have the same stringent security protections in place that an office network does. Attackers have seen an opportunity to steal user credentials from personal devices, which are now being used for work and likely do not have the same security protections as corporate devices. Using unsecured networks and devices may lead to data leakage or theft, which would be in breach of the PDPO.

If personal data is being processed by new third parties as a result of having to implement remote-working arrangements, an employer will need to notify its employees of this. This can be done by issuing employees with a revised or new Personal Information Collection Statement (PICS) setting out the change. The PDPO specifies that a data user, when collecting personal data directly from a data subject, must take all reasonably practicable steps to ensure that the data subject is informed of the intended use of their data and who will be handling such data. A PICS is therefore used to comply with these notification requirements and is a statement regarding a data user’s privacy policies and practices in relation to the personal data it handles. 

Last updated on 11/10/2021

Flag / Icon

India

  • at Nishith Desai
  • at Nishith Desai

An individual’s sensitive personal data or information (SPDI), which includes information on passwords; financial information such as a bank account, credit card or debit card or other payment instrument details; physical, physiological and mental health conditions; sexual orientation; medical records and history; or biometric information or other details related to such information provided to a body corporate for the provision of services or such information received for processing under a lawful contract or otherwise and its storage are protected under Indian data privacy rules. There are certain mandatory obligations for collectors of such SPDI in electronic forms, including obtaining the consent of the data provider, formulating, publishing and complying with a privacy policy for treatment of such data and adopting certain standards of security practices. However, these obligations are not specific to remote-working arrangements; they govern the terms of the data being collected by the employer.

With employees working remotely, employers are facing a challenge with protecting the security of client data and other confidential information, which may be duplicated or disclosed to third parties by employees working remotely on unsecured personal devices.

Last updated on 18/11/2021

Flag / Icon
Ireland

Ireland

  • at Littler

The Data Protection Commissioner has issued guidance on the protection of personal data when working remotely (see here).

The key risks identified relate to protecting and preventing access to laptops, USBs, phones, tablets and other devices; emails; using unsecured networks to transmit data or to access company networks; and ensuring the security and confidentiality of hard-copy documents.

Employers should update data protection policies to take account of remote working and should also consider any data protection issues that may arise from an employee moving to work outside of Ireland.

Last updated on 21/09/2021

Flag / Icon

Italy

  • at Toffoletto De Luca Tamajo

Data security requirements applicable to all employees working at the company premises continue to apply to employees working remotely. The main risks are linked to the transmission of company data outside the company premises, in places not necessarily identified. Therefore, additional data protection precautions should be taken to protect the confidentiality of transmitted data by drafting specific policies.

©Toffoletto De Luca Tamajo, ©Ius Laboris

Last updated on 21/09/2021

Flag / Icon

Mexico

  • at Marván, González Graf y González Larrazolo
  • at Marván, González Graf y González Larrazolo
  • at Marván, González Graf y González Larrazolo

Security controls

The common risks associated with remote working derive from the absence of security controls over equipment, software, and data, and not having any policies for remote-working schemes, leading to:

  • employees storing sensitive information in their local machines, without the control of employers over such tools;
  • compromised security controls; and
  • Wi-Fi networks and routers in homes are more easily compromised, increasing the risk of exposure.

Companies have the right to install security controls for the equipment and tools to be used by teleworkers to avoid any leaks of information and limit their use, because this hardware is the property of the employer. The common practice in Mexico is to implement a security data policy and a work tools policy.

Additionally, even though there are no specific legal provisions concerning the plausible risks associated with data protection in remote-working schemes, the Federal Law for the Protection of Personal Data in Possession of Private Individuals or Entities, the Federal Law for the Protection of Industrial Property, and their regulations and guidelines, establish provisions for the protection of rights concerning personal data, confidential information, and trade secrets, which also apply to remote-working schemes; therefore, all employees working remotely must comply with these laws and regulations. To prevent and avoid the disclosure of this information, the prevailing practice is to enter into agreements with employees establishing specific obligations in connection to confidentiality and data privacy. Such obligations usually refer to the policies and processes established by employers to ensure information security, and the corresponding penalties in the event of any breach.

Last updated on 21/09/2021

Flag / Icon

Portugal

  • at Cuatrecasas
  • at Cuatrecasas

Until the pandemic, teleworking was used rather infrequently and most Portuguese employers were not prepared – namely in terms of technology and data storage – to suddenly have their workforce almost entirely and permanently working from home or remotely.

For those reasons, teleworking mainly raised – and continues to raise – concerns regarding the employer’s capacity to ensure that information is protected and that it stays confidential despite being remotely accessed and processed. Remote working enhances security vulnerabilities, which can lead to data breaches.

We would also like to highlight the use of technological solutions that, on one hand, allow employers to exercise their powers of management and control over work performance, but that, on the other, do not violate the general rule prohibiting the use of remote surveillance to control employees' professional performances, or that do not cause excessive restrictions on employees’ private lives.

Last updated on 21/09/2021

Flag / Icon

Qatar

  • at Clyde & Co
  • at Clyde & Co

Data loss, cyber security, privacy and maintaining confidentiality are the key data risks associated with working remotely.  Taking precautions against importing viruses, compromising system security, and maintaining confidentiality while working remotely are key considerations for employers. Internal policies and procedures should be put in place to ensure employees are aware of their obligations, and operating through virtual private networks could minimise potential risks. 

Last updated on 08/11/2021

Flag / Icon

Saudi Arabia

  • at Clyde & Co
  • at Clyde & Co

Data loss, cyber security, privacy and maintaining confidentiality are the key data risks associated with working remotely in most jurisdictions. These risks are heightened in Saudi Arabia as there are no specific data protection laws in place. Taking precautions against importing viruses, compromising system security, and maintaining confidentiality while working remotely are key considerations for employers. Internal policies and procedures should be put in place to ensure employees are aware of their obligations, and operating through virtual private networks could minimise potential risks.

Last updated on 29/11/2021

Flag / Icon

Spain

  • at Cuatrecasas
  • at Cuatrecasas

Apart from the general personal data protection issues to be considered, there are two significant risks.

First, under article 17 of Law 10/2021, any digital program or software to monitor remote workers must grant employees privacy and protection of personal data according to the Organic Law on Personal Data Protection and Digital Rights Guarantees. In particular:

  • an employer’s access to the digital technology provided to the remote worker must be limited to checking compliance with labour obligations and to guaranteeing the integrity of the devices;
  • employers must establish the terms of use of the digital devices, and the workers’ representatives must participate in drafting them;
  • employers must inform remote workers about the terms of use of the digital devices; and
  • regardless of the terms of use, an employer’s access to the digital means must be necessary for the employer to achieve a legal purpose, appropriate for such legal purpose and proportional to achieve such legal purpose. Based on this, the employer should implement the least invasive way of monitoring remote workers’ activity to achieve the legal purpose the employer is pursuing.

Any measure to monitor employees’ activity should meet these requirements; otherwise, an employer’s decision arising from such monitoring could be deemed unfair, and there could be a breach of the employee’s privacy, which could lead to a damages claim and an administrative fine.

Second, employers must comply with the principles of personal data processing under article 5 of the GDPR, especially purpose limitation and data minimisation, which means that the personal data the employer can process should be only what is the minimum necessary data for the performance of the labour contract or compliance with their legal obligations. Therefore, employers are not entitled to, for instance, force remote workers to turn on their cameras during working hours.

Third, despite remote working, employers must comply with health and safety obligations, which could lead to the employer or its health and safety services provider visiting an employee’s home to evaluate its risks. In that case, employers should issue a report justifying the visit and provide it to the remote worker and the health and safety workers’ representatives in advance. Additionally, to access any remote worker’s home, the employer must first obtain their consent.

If they do not give their consent, measures on health and safety should be based only on the information provided by the remote workers.

Last updated on 21/09/2021

Flag / Icon

Sweden

  • at DLA Piper
  • at DLA Piper
  • at DLA Piper

Pursuant to the GDPR, personal data should, inter alia, be processed in a manner that ensures appropriate security and confidentiality for the processing of that data, including by preventing unauthorised access to or use of personal data. For natural reasons, there may be additional challenges associated with this obligation when employees are working remotely, including an increased risk of personal data breaches when employees are working from home. The Swedish Authority for Privacy Protection mentions in its Privacy Protection Report of 2020 the increase in employees working from home as a result of the covid-19 pandemic, and the increased use of cloud service providers. The Authority highlights that data in cloud services is often transferred to countries outside the EU/EEA, and especially to the US. As a result of the Schrems II ruling in 2020, the use of, eg, cloud service providers that transfer data to  such jurisdictions (eg, in connection with IT maintenance) is problematic and may need to be addressed in relation to remote working.   

In light of the above, it is important as an employer to consider what measures are necessary in terms of IT security when working from home (eg, instructions to employees).

Last updated on 21/09/2021

Flag / Icon

Switzerland

  • at Lenz & Staehelin

Employers are required to respect the general Swiss data protection principles and rules. In particular, the Swiss Code of Obligations (SCO) states that the Federal Act on Data Protection (FADP) applies to the handling of employer personal data. The term "personal data" is defined as any information relating to an identified or identifiable person (individuals and companies).

Employers must ensure the security of the data they process. They must take appropriate organisational and technical measures to protect personal data against unauthorised processing or access, such as accidental or unauthorised destruction, loss, technical errors, falsification, theft, unlawful use, alteration, copying or any other undue processing. Moreover, employers also must control access and operations undertaken by employees.

One particularity of remote working is that employees' workstation and business data are located off sites. Meaning that third parties potentially could access this data.

To prevent data protection breaches, employers must institute appropriate technical and organisational measures and raise employee's awareness of data protection risks. These measures may include securing information systems, setting up authorisations and limiting access to concerned employees, and using a VPN. In addition, employees also should be made aware of the risks and procedures through in-house training and user manuals for the IT and security systems.

Last updated on 30/09/2021

Flag / Icon

Turkey

  • at Gün + Partners
  • at Gün + Partners
  • at Gün + Partners

The key data protection risks associated with remote working are data security and the processing of additional personal data while working remotely.

Under article 12 of the Personal Data Protection Law numbered 6698 (the DPL), data controllers must take all administrative and technical measures necessary to prevent unlawful processing of personal data, to prevent unlawful access to personal data and to ensure the security of personal data.

The Regulation also stipulates that the employer must inform remote workers about workplace rules and applicable legislation concerning the protection and transfer of data related to the workplace and their assignments (which may include personal data). The Regulation also emphasises that employers must take all necessary measures for the security of data. Per the Regulation, in the remote-working agreement, the employer must determine the definition and scope of data that needs to be protected.

There is no guidance from the Turkish Data Protection Authority (DPA) concerning measures to be taken specifically for remote working. Its general Guideline for Personal Data Security (Data Security Guideline) and the principal decision of the Turkish Data Protection Board concerning measures required to be taken by data controllers for processing sensitive personal data (Board Resolution for Sensitive Personal Data Security) should be considered by  employers. The measures listed in the Data Security Guideline and the Board Resolution for Sensitive Personal Data Security are not exhaustive. Employers must consider all necessary measures for cyber security. International guidelines and IT sector developments should also be considered.

Employers who have failed to take appropriate measures to protect the unlawful processing of or access to personal data may be required to pay an administrative fine amounting to between 29,500 Turkish lira and 1,966,857[1] Turkish lira. Furthermore, additional technical measures taken for remote-working opportunities must also be communicated to the Data Controllers’ Registry if the employer is required to register data-processing activities (eg, employers located in Turkey that have more than 50 employees or have a balance sheet of more than 25 million lira fall under this obligation). Otherwise, although it may not be an imminent risk, an administrative sanction amounting to between 39,334 lira and 1,966,857 lira may be applied against the employer.

Lastly, if having remote-working employees requires an employer to process additional employee data, then the employer must inform their employees accordingly by providing an appropriate privacy notice under the DPL. Otherwise, they may be fined between 9,832 lira and 196,686 lira. The employer should determine what legal ground should be applied to the data processing due to remote working. If the applicable legal ground is consent but consent is not obtained lawfully from employees, then the employer may face an administrative fine of between 29,500 lira and 1,966,857 lira for unlawful processing. 


[1] All administrative fine amounts mentioned in this questionnaire will be updated for each year based on a re-evaluation determined annually.

Last updated on 21/09/2021

Flag / Icon

UAE

  • at Clyde & Co
  • at Clyde & Co

Data loss, cyber security, privacy and maintaining confidentiality are the key data risks associated with working remotely in most jurisdictions. These risks are heightened in the UAE as there are currently no specific data protection laws in place (other than in the financial free zones). Taking precautions against importing viruses, compromising system security and maintaining confidentiality while working remotely are key considerations for employers. Internal policies and procedures should be put in place to ensure employees are aware of their obligations, and operating through virtual private networks could minimise potential risks. 

Last updated on 08/11/2021

Flag / Icon

United Kingdom

  • at Littler

The key data protection risk associated with home working is data security.

In response to this, the UK’s data protection regulator – the Information Commissioner’s Office (ICO) – has issued guidance on the protection of personal data when working from home, using bring-your-own-device (BYOD) and working remotely (see: here).

The specific issues addressed include implementing appropriate workplace policies, IT security (including cloud-based storage security), the risk of theft and confidentiality.

Employers should update data protection policies to take account of remote working, in light of the ICO’s recommendations, and should also consider any data protection issues that may arise from an employee moving to work outside of the UK.

Last updated on 21/09/2021

Flag / Icon

United States

  • at Littler
  • at Littler
  • at Littler

Data privacy rules vary from state to state. Remote work, in particular, raises issues where employers have less control over the working environment and employees are potentially accessing sensitive information in their home that they share with others.  Employers should ensure that employees working remotely can demonstrate that their location provides sufficient privacy, security, and safety to secure the confidentiality of the employee’s work, company information and materials.  Additionally, health-related data must be protected and employers should be required to protect trade secrets and other confidential data. Employers must also maintain reasonable security measures to protect sensitive personally identifying information. 

Up-to-date information on the USA’s response to the pandemic, including State-level news and developments, can be found at Littler’s covid hub here.

Last updated on 21/09/2021

03. What are the limits on employer monitoring of worker activity in the context of a remote-working arrangement and what other factors should employers bear in mind when monitoring worker activity remotely?

03. What are the limits on employer monitoring of worker activity in the context of a remote-working arrangement and what other factors should employers bear in mind when monitoring worker activity remotely?

Flag / Icon

Argentina

  • at MBB Balado Bevilacqua
  • at MBB Balado Bevilacqua
  • at MBB Balado Bevilacqua

Regarding any monitoring system designed to protect an employer’s goods and data, the home office framework states that union participation is required to protect employees’ right to privacy.

Such union participation will be guaranteed through joint audits that include professionals selected by the union and the company. The confidentiality of the data processing of the employees involved must be guaranteed. Union participation will be limited to preserving employees’ rights under the home office framework.

Employer must take corresponding measures, especially regarding the software used, to protect any data used and processed by employees who are under the home office framework. In addition, it is forbidden to use surveillance software that violates employee privacy.

Last updated on 21/09/2021

Flag / Icon

Australia

  • at People + Culture Strategies

As a starting point, it is lawful for Australian employers to monitor staff who are working from home and there are no strict limits prescribed by law on the monitoring of worker activity in the context of remote-working arrangements.

However, this does not mean that employers can monitor employee activity as they please. The mutual duty of trust and confidence that underpins the employment relationship could be breached by inappropriate or overly intrusive monitoring activities.

Employers contemplating carrying out monitoring activities should first review the employee’s individual employment contracts and identify any monitoring or surveillance clause and consider what contractual obligations the employer may have concerning monitoring in the remote-working context, and consult any relevant company policies which might also apply.

Generally speaking, employers should be up-front about how and why they will be monitoring employee activity and any employee information that may be collected by that process. For example, employers should make it clear to employees that monitoring of their work devices, emails and message applications will continue when they are working from home and that the information obtained by the monitoring process could be used in a disciplinary context.

Last updated on 21/09/2021

Flag / Icon

Austria

  • at Littler
  • at Littler
  • at Littler

Relevant here are first the restrictions on the employer's control of working time. Both the Working Time Act and the Rest Periods Act also apply to remote work and to work in a home office. However, section 26 paragraph 3 of the Working Time Act provides that in the case of work that is predominantly carried out in the home, only records of the duration (not the specific beginning and end) of the working time are to be kept. If the working hours are fixed, only deviations must be recorded.

The practical possibilities of monitoring work performance are manifold due to the IT tools that are now available (eg, log files, webcam). In contrast, in Austrian labour law, the employer's ability to control is subject to important restrictions. Control measures that affect human dignity require either the consent of the works council or – if such a council does not exist – the consent of the respective worker. Both attendance and performance or productivity controls can be relevant here. According to case law, the question of whether human dignity is affected must be assessed on a case-by-case basis. In addition to the employer's interest in monitoring, the way the monitoring is carried out is also decisive, so that the possibility of constant electronic monitoring (for example, by controlling keystrokes or screen duplication) certainly affects human dignity[1].

However, it is of course lawful to check the availability of employees during working hours.


[1] Huger in Huger (Hrsg), Home Office und mobiles Arbeiten [2021] Rechtliche Rahmenbedingungen.

Last updated on 21/09/2021

Flag / Icon

Belgium

  • at Van Olmen & Wynant

Articles 9.1 and 9.2 of CBA No. 149 state that employers may monitor the results or performance of employees appropriately and proportionately. Teleworkers must be informed of how such monitoring is carried out. If employers want to monitor the e-mail or internet activity of employees, they will have to follow the specific procedure laid down in CBA No. 81 for the protection of the privacy of employees, concerning the monitoring of electronic online communication data.

In addition, CBA No. 68 regulates the use of cameras in the workplace. Under this CBA, it is only permissible to use cameras to pursue a limited amount of objectives, including the control of the employee’s work. Yet, for this objective, only temporary monitoring activities are permitted. In any case, a proportionality test is necessary. It will never be proportionate to request that remote workers be permanently recorded by a camera in their homes. However, simply asking them to turn their webcam on during a meeting is not covered by CBA No. 68 and should be possible.

It is also possible to make arrangements with employees regarding the periods during which they need, and do not need, to be contactable by the employer (article 11.3 CBA No. 149).

Last updated on 21/09/2021

Flag / Icon

Brazil

  • at Pinheiro Neto
  • at Pinheiro Neto Advogados

Rules on employers’ ability to monitor employees’ activity tend not to vary from a regular to a remote-working arrangement – but rather depend on “who owns the device”. As a general rule, whenever companies grant electronic devices to employees for work purposes, the content and all data stored in such equipment belong to the company, as they are considered “work tools”. This means that there is no expectation of privacy – provided that employees are informed on such monitoring in advance. In the case of personal devices, it may ultimately lead to certain ambiguity as to employers’ right to have access or monitor activity because of the existence of both professional and personal information. If that is the case, monitoring should be limited to work-related information, apps and files, ensuring, as much as possible, that personal data is preserved and there is no violation of privacy.

Last updated on 21/09/2021

Flag / Icon

France

  • at Proskauer Rose
  • at Proskauer Rose
  • at Proskauer Rose

The rules for monitoring employees do not differ between teleworkers and office workers. Thus, like any employee, teleworkers must be informed in advance of the methods and techniques used to monitor his or her activity (article L. 1222-3 of the labour code).

The implementation of a device allowing the control of the employee's working time must be justified by the nature of the task to be performed and proportionate to the purpose (National Agreement of 26 November 2020).

The CNIL said in a Q/A on 12 November 2020 that the devices used to monitor employees’ activity must not be aimed at trapping employees and cannot lead to permanent surveillance of employees. Thus, audio or video devices, permanent screen-sharing or keyloggers must not be implemented.

If the employer exercises excessive surveillance on his employee, it may receive a financial penalty.

Finally, the CNIL advises employers to prioritise monitoring the completion of missions by setting objectives rather than monitoring the working time or the daily activity of employees.

Last updated on 21/09/2021

Flag / Icon

Germany

  • at CMS Hasche Sigle

Employers may have various legitimate reasons to scrutinise and monitor employees' performance or conduct during remote work (eg, productivity, to enforce company policies, protect business secrets, health and safety obligations). However, monitoring worker activity is only permitted in any given case if the employee's privacy interest does not outweigh the employer's legitimate interests. Therefore, employers must justify employee monitoring on a case-by-case basis.

As a result, while monitoring employees via webcam is generally not allowed, monitoring employees' browser history or emails might be possible if the employer prohibits private use of the laptop; there is cause for the monitoring; and the measure does not lead to permanent monitoring of the employee's digital behaviour. Irrespective of this, if a works council has been established, the employer also needs the consent of the employee representatives to use a technical device that monitors employees' performance or behaviour. This is the case with any software.

In any event, the use of a keylogger that continuously records an employee's activities is unlawful. The data cannot be used in a procedural dispute, as the German Federal Labour Court ruled in its judgment of 27 July 2017 (2 AZR 681/16). Employers must always bear in mind the need to comply with the principles of the GDPR and the BDSG, as the personal data that employers collect when monitoring remote work is sensitive data. Employers must therefore take all necessary measures to ensure data confidentiality and secure access to company servers. Monitoring of private emails or private browser history is only permitted if there are clear signs that the employee has committed a criminal offence, but even then, the investigation must be proportionate.

Last updated on 21/09/2021

Flag / Icon

Greece

  • at Kyriakides Georgopoulos Law Firm
  • at Kyriakides Georgopoulos Law Firm
  • at Kyriakides Georgopoulos Law Firm

Limits on employer monitoring of worker activity do not significantly change in the context of remote working, taking into account that corporate equipment and networks are mainly used, and corporate data is being processed by employees. However, even if personal equipment is being used by employees, the following considerations should be taken into account.

According to applicable privacy and data protection legislation, HDPA decisions and the approach adopted by the European Court of Human Rights in Barbulescu v Romania in 2017, an employer may lawfully access and process personal data (e-mails and other documents) stored in employees' computers in cases where this processing is necessary for the overriding legitimate interests pursued by the employer or by a third party (legal basis of article 6 (1)(f) GDPR). Such legitimate interest of the employer may comprise the need to ensure the smooth running of the business by establishing mechanisms for checking that its employees are performing their professional duties adequately and with the necessary diligence, as well as the need to protect its business and property from significant threats, such as hindering the leaking of confidential information to a competitor or providing evidence of employee's criminal activities. In the latter case, the employer should, however, ensure that it does not enter into the exercise of investigative actions which, by law, are executed exclusively by the competent judicial-prosecutorial authorities.

Particular emphasis should be paid to ensuring the necessity and proportionality of the planned measure and the employer should be able to demonstrate that no less onerous and invasive measures exist to achieve the goal. In this context,  excessive and constant monitoring of employees’ computers and communications cannot be justified. In addition, access should not extend to all communications and their content, but only to those necessary under the proportionality principle.

Employees have a legitimate expectation of privacy in the workplace, which is not altered by the fact that they use equipment, communication devices or any other professional facilities and infrastructure of the employer, even more so if they use their personal equipment. Even if employees have been explicitly informed beforehand of a relevant internal regulation that prohibits the personal use of company computers, this alone does not legally justify monitoring or control of the personal data processed by the employee;  a more specified notice is required. In particular, employers should inform employees beforehand in clear and plain language of the implementation of monitoring methods, and their purpose, extent, nature, circumstances, etc, as required under articles 13 and 14 of the GDPR. In addition, employees should be provided with internal regulations on the proper use of company resources.  which shall include Lastly, employees’ representatives should also be informed of and express their opinion before the establishment of any monitoring systems in the workplace.

Last updated on 21/09/2021

Flag / Icon

Hong Kong

  • at Lewis Silkin
  • at Lewis Silkin
  • at Lewis Silkin

There are no specific statutory limits on employers monitoring employees’ activity in remote-working arrangements, as long as the employer complies with the PDPO. However, employers mustn't collect employees’ personal data (ie, browser history) without having notified them in advance of the personal data that they intend to collect and the purpose for which it is being collected, under the PDPO. This can be done in a PICS, where monitoring of an employee’s use of telephone, email, internet and video for performance-related and other reasons is likely to be included.

The privacy commissioner has released guidance about monitoring and personal data privacy at work. This includes guidelines on the monitoring of telephone, email, internet and video. These monitoring practices should serve a legitimate purpose that relates to the function and activity of the employer and should be necessary for that purpose. If an employer does not believe it can adhere to these guidelines, it may prefer to find less invasive ways of ensuring that employees are adhering to their job duties when working from home (eg, regular check-ins or asking them to complete timesheets).

Last updated on 11/10/2021

Flag / Icon

India

  • at Nishith Desai
  • at Nishith Desai

Employers in India largely rely on their policies regarding the monitoring of worker activity, in absence of codified laws. As a result of the covid-19 pandemic and resultant lockdown, employers were not fully prepared to shift to remote working and hence faced challenges vis-à-vis ethics and the legalities of monitoring employee activity. Incidentally, there was an employee protest in one case when the employer’s client required the employees providing services remotely to keep their cameras on.

While there is no legal requirement of time tracking specifically in the context of remote working in India, employers are generally required to track the working hours of employees (largely from an overtime perspective) and to comply with certain recordkeeping requirements under applicable labour laws. In this context, employers should bear in mind that their records do not falsely show an employee working beyond the stipulated daily and weekly working hours prescribed under applicable labour laws, which may trigger overtime requirements thereunder.

The law on the protection of women from sexual harassment applies to employees while they are working from home, given the expanded definition of “workplace” that includes “a dwelling place or a house”. Employers need to be careful to ensure that there is no abuse of the online means of communication, such as video calls, in the process of monitoring their employees that may lead to workplace sexual harassment-related claims. 

Last updated on 18/11/2021

Flag / Icon
Ireland

Ireland

  • at Littler

Employers must have regard to an employee’s right to privacy and data protection rights. They must have a legal basis under GDPR for processing employee personal data in that manner and must also be able to demonstrate that the monitoring in question is a necessary and proportionate action to achieve a legitimate aim; and that there is no less intrusive alternative way of achieving that purpose.

Guidance from the Data Protection Commissioner has focused on employers being transparent regarding the measures they adopt, including the purpose of collecting any personal data; minimising the amount of data that is processed; and preserving the confidentiality of any such data.

Last updated on 21/09/2021

Flag / Icon

Italy

  • at Toffoletto De Luca Tamajo

Employee monitoring is governed by article 4 of the Law no. 300/1970.

According to this article if tools that potentially enable employee remote monitoring are needed for the performance of work, employers may be able to collect information from them without a trade union agreement or administrative authorisation. However, information collected through those tools can be lawfully used for all purposes connected with employment, including disciplinary reasons, only if: (i) a company policy is in place adequately detailing the expected use of the tools and the nature of possible checks carried out by the employer; and (ii) the above is done in compliance with data protection legislation. 

No specific guidance or legal provisions have been issued for remote working, so employers should firstly ensure that they are able to monitor their employees in compliance with the above rules. Moreover, the individual agreement signed with the employee working remotely needs to include a reference to how the employer will exercise its monitoring power.

©Toffoletto De Luca Tamajo, ©Ius Laboris

Last updated on 21/09/2021

Flag / Icon

Mexico

  • at Marván, González Graf y González Larrazolo
  • at Marván, González Graf y González Larrazolo
  • at Marván, González Graf y González Larrazolo

According to article 330-I of the amended FLL; the mechanisms employed to monitor teleworkers must be proportional to their purpose; employers must always guarantee the employees’ right to privacy; and the legal framework for protecting personal data must be complied with.

Additionally, activity monitoring must be limited to employees’ working hours and digital connectivity, be transparent, and the employer must respect the employees’ right to disconnect, meaning that they need to respect employees’ time off and must never expect their availability outside of working hours. Further, webcams are not mandatory, and employees have the right to refuse to turn them on.

Last updated on 21/09/2021

Flag / Icon

Portugal

  • at Cuatrecasas
  • at Cuatrecasas

In terms of privacy, the teleworking regime establishes that employers must respect employees’ privacy and time with their families, as well as provide them with good working conditions, both physically and psychologically.

Whenever remote working is carried out at an employee's home, visiting the workplace should only be necessary to check work performance or equipment and can only take place between 9am and 7 pm, in the presence of the employee or a person designated by the employee.

Regarding limits on employers monitoring employee activity, the Portuguese Labour Code prohibits the use of remote surveillance in the workplace to monitor the professional performance of employees.

Especially during the pandemic, when remote working and teleworking, in particular, were normalised, concerns arose regarding the limits of monitoring and how to adequately safeguard employees’ privacy.

On 17 April 2020, the National Data Protection Commission (CNPD) issued guidelines on remote control during teleworking, especially the need for monitoring working time and the fact that, in several companies, employees were using their own devices to work.

In these guidelines, the National Data Protection Commission clarified that, regardless of who owns the work equipment, under the teleworking regime employers retain powers to direct and control the execution of work by employees. However, since there are no special provisions on remote control during teleworking, the National Data Protection Commission believes that the general rule prohibiting the use of remote surveillance fully applies.

Therefore, technological solutions for remote monitoring of employee performance are not allowed. For example, software that, in addition to tracking working times, records websites visited; tracks equipment locations in real-time; monitors the use of peripheral devices; captures screenshots; records when access to applications is initiated; controls the document being worked on; or records the time spent on each task are all prohibited.

Please note that, during the pandemic, when remote working was most widespread, the National Data Protection Commission and Trade Unions reported a significant increase in employees’ complaints about illegal monitoring taking place.

Also, since Portuguese labour law imposes an obligation to register working time (eg, start, pauses, end of work time), in teleworking this can be done through technological solutions. Applications specially designed for this purpose are allowed provided data protection principles are respected.

Last updated on 21/09/2021

Flag / Icon

Qatar

  • at Clyde & Co
  • at Clyde & Co

Qatar has an established legislative framework pertaining to data protection and personal rights to privacy. By way of background, the Qatar government enacted Law No. 13 of 2006 relating to the protection of personal data (PDPL) in 2017, which imposes obligations on natural and legal persons processing data related to identifiable individuals using electronic means. Additionally, the Qatar data protection authority, the Compliance & Data Protection Department (CDP), issued 14 guidelines in November 2020 to clarify obligations under the PDPL (the Guidelines).

The PDPL and the Guidelines guarantee the rights of data subjects, including the right to information and access to their personal data; the right to rectification; the right to erasure; the right to restriction of processing; the right to object; and the right to not be subjected to automated individual decision-making.

The CDP was established in 2020, and now serves as an independent, effective and impartial oversight system that guarantees compliance with the PDPL. An individual whose privacy rights have not been respected can complain directly to the CDP.

The Qatar Penal Code (11/2004, as amended) also establishes criminal offences concerning intercepting or disclosing correspondence or telephone conversations.

In addition to the Qatari Constitution, the International Covenant on Civil and Political Rights (ICCPR) and the Arab Charter on Human Rights (ACHR), to which Qatar is a party, all enshrine the rights to privacy, freedom of speech and the right of access to a court. All three legal texts apply equally to Qataris and non-Qataris.

It is increasingly commonplace for employers to monitor the use of the internet and communications systems, especially email; however, an employer's ability to monitor employees' activities must be carefully managed and employers should obtain prior employee consent. Employers must observe the legislative framework set out above and ensure that their employees have provided their express consent to any monitoring – this could be captured under the data protection clause of the employee’s contract of employment.

Last updated on 08/11/2021

Flag / Icon

Saudi Arabia

  • at Clyde & Co
  • at Clyde & Co

The legislative framework in the KSA regarding data protection and personal rights to privacy is a patchwork, with discrete obligations and requirements contained in a variety of laws. There is no comprehensive data protection law and there is no specific legislation dealing with monitoring worker activity remotely. There are, however, a number of laws in the KSA that safeguard the rights of the individual to privacy. These include:

  • shariah law – its principles protect an individual’s right to privacy;
  • the Basic Law of Governance (Law No. A/90), which protects the privacy of individuals by safeguarding telegraphic, postal, telephone and other means of communication and making it unlawful to confiscate, delay, read or breach;
  • the Telecommunications Act (Council of Ministers Resolution No. 74/2001) restricts the disclosure of information or content that is intercepted in the course of its transmission; and
  • the Anti-Cyber Crime Law (Royal Decree No. M/17 makes it an offence to spy, intercept or receive data that is transmitted through an information network without consent, breach privacy through the use of camera-equipped and mobile phones, unlawfully access computers to delete, erase, destroy, leak, damage, alter or redistribute personal information, and defame or inflict damage on a person through the use of electronic devices.

While it is increasingly commonplace for employers to monitor the use of the internet and communications systems, especially email, before doing so – and to limit the risk of a potential breach of any of the above legislative provisions – employers should ensure that the employee has provided their express consent to any monitoring – this could be captured under the data protection clause of the employee’s contract of employment.

Last updated on 29/11/2021

Flag / Icon

Spain

  • at Cuatrecasas
  • at Cuatrecasas

In general terms, there are no substantial differences between remote and on-site workers.

Any digital program or software to monitor workers must guarantee their privacy and the protection of their personal data under the Organic Law on Personal Data Protection and Digital Rights Guarantees.

Article 17.2 of the Law on Remote Working provides that the employer cannot force employees to install programs or apps on their private devices, or to use their private devices for work.

Regarding workers who travel regularly to carry out their duties, under article 90 of the Organic Law on Personal Data Protection and Digital Rights Guarantees, any geolocation system must comply with the requirements mentioned above (ie, be necessary, appropriate and proportional), and employers must inform the workers and their legal representatives specifically, clearly and unambiguously of the existence and characteristics of such systems in advance. Besides, the employer must inform them that they may exercise their rights to access, rectification, erasure and restriction of the processing of data.

Collective bargaining agreements may provide additional information on this topic.

Last updated on 21/09/2021

Flag / Icon

Sweden

  • at DLA Piper
  • at DLA Piper
  • at DLA Piper

From a privacy perspective, employers must consider the GDPR and other privacy-related legislation. The GDPR states, inter alia, that the processing of personal data must be adequate, relevant and limited to what is necessary concerning the purposes for which they are processed (ie, the data minimisation principle). This means that the employer's monitoring of employees cannot be too intrusive – it must be proportionate for the purpose. Furthermore, employers must be able to demonstrate that the purpose of the processing cannot be fulfilled by other, less-intrusive, means. Employers must also adhere to other GDPR requirements, eg, providing employees with information about the data processing in advance. Further, employers must always act in accordance with good practices in the Swedish labour market.

When it comes to employees’ use of email and the internet, the Swedish Authority for Privacy Protection recommends that employers have guidelines for internet use and e-mail. The guidelines should clearly state what type of private use is permitted, and also when the employer may consider controlling employees' internet or e-mail use. Depending on the situation, it may be lawful to carry out inspections of an employee's online usage. If there is a concrete suspicion that an employee is acting in breach of his or her employment contract, it may be lawful to monitor that employee, subject to complying with the GDPR and other privacy legislation. Employees must be informed about inspections or monitoring that may take place.

In terms of time tracking, the Swedish Working Hours Act also applies to remote working, meaning that the same limits on overtime and provisions on minimum daily rest periods must be observed. In some circumstances, however, such as when the work is performed without employer supervision or control, the Working Hours Act may not apply. There are no general guidelines on when the exemption is applicable, but it should be applied restrictively and is rarely applicable in the case of remote working. Employers should therefore engage in dialogue with employees on their working time to ensure compliance with the Working Hours Act.

Last updated on 21/09/2021

Flag / Icon

Switzerland

  • at Lenz & Staehelin

According to Swiss legislation, control or surveillance systems that are primarily intended to monitor the behaviour of employees are prohibited if they are detrimental to the health or well-being of employees. Health is understood in its broad sense and also includes mental health. There are no strict limits as to what surveillance is, but measures must always be proportional.

The European Court of Human Rights, whose Convention has been ratified by Switzerland, has laid down seven guiding principles for contracting states concerning legal surveillance of employees. These principles relate to information, the scope of surveillance, legitimacy of the reasons for surveillance, use of the least intrusive means, the consequences of surveillance, guarantees offered to employees and the principle of trust.

As an example, the Swiss Federal Supreme Court, which is the highest judicial authority in Switzerland, has ruled that it is unlawful for employers to install spyware without employees' knowledge to check whether they are using the internet for private purposes. In that case, the court held that the system was capable of exerting control over employees' behaviour, which is prohibited. It also held that the surveillance was disproportionate since the employer simply could have blocked access to certain websites.

The above-mentioned principles must also be complied with when it comes to remote working, which does not differ fundamentally from onsite working.

Last updated on 30/09/2021

Flag / Icon

Turkey

  • at Gün + Partners
  • at Gün + Partners
  • at Gün + Partners

One way to monitor employee activity in the context of remote working could be to control employees’ use of servers, e-mail accounts and internet while using the employer’s equipment. In Turkey, it is generally accepted that employers are authorised to control employees’ use of servers, e-mail accounts and internet from their equipment within the scope of their right to manage, and there are no particular rules or exceptions as to remote working.

However, even though employers are entitled to such control, monitoring should be proportional to the legitimate purposes of the employer, such as controlling productivity and quality, or providing security. Employers should inform their employees about monitoring on the equipment and servers as well as the reasons for it. Furthermore, employers must provide necessary information about the scope of their monitoring activities to employees under the DPL. Otherwise, there is a risk of an administrative fine.

Employers should also bear in mind that, during such monitoring, they must avoid violating privacy rights. The Constitutional Court recently held that if employees are informed that their e-mails are monitored, the secrecy of private life and freedom of communication must not be violated. The Constitutional Court also stated that the conflicting interests of the employer and employees should be balanced fairly and any intervention by monitoring e-mail accounts should be evaluated on the grounds of proportionality and the legitimate purposes of the employer.

From a data privacy perspective, employers firstly should determine what personal data needs to be processed to if employers have a legitimate interest to monitor employees’ activities, whether the processing of such data may potentially harm employees considering their rights, and whether employers have any options other than processing such personal data when trying to achieve this legitimate interest. Employers must apply a balance test to determine whether its legitimate interest overrides the personal rights and interests of their employees. Otherwise, employers cannot depend on legitimate interest as a legal ground for processing and will need the explicit consent of their employees to apply the relevant monitoring tool. In any case, if any monitoring requires the processing of sensitive personal data, consent will be required as per the DPL. Even if consent is given to employers, this does not mean that they can use monitoring tools to process any personal data that is not required to achieve the legitimate purposes of the monitoring. Any processing in contravention of the DPL (including the general principles applicable to data processing) may impose a risk of an administrative fine.

In light of the above, each monitoring tool considered by employers must be evaluated on a case-by-case basis for determining which legal ground is applicable and to what extent.

Last updated on 21/09/2021

Flag / Icon

UAE

  • at Clyde & Co
  • at Clyde & Co

The legislative framework in the UAE regarding data protection and personal rights to privacy is a patchwork, with discrete obligations and requirements contained in a variety of laws. There is no comprehensive federal data protection law and there is no specific legislation dealing with monitoring worker activity remotely. The following laws are likely to apply:

  • The UAE Constitution;
  • The Penal Code (Federal Law No. 3/1987, as amended); and
  • The Cyber Crime Law (Federal Law Decree No. 5/ 2012, as amended).

By way of summary, the UAE law provisions relevant to privacy are general and do not expressly permit or prohibit employers from monitoring employee activities on employer-owned IT and communications systems. An employer's ability to monitor employees' activities must be carefully managed and employers should obtain prior employee consent. The UAE Constitution contains a general right to privacy for individuals and guarantees freedom of communication by post, telegraph, or other means of communication. The Penal Code also establishes criminal offences concerning intercepting or disclosing correspondence or telephone conversations and the Cyber Crimes Law likely extends this to IT communications.  

It is increasingly commonplace for employers to monitor the use of the internet and communications systems, especially email. However, in light of the above, employers should ensure that the employee has provided its express consent to any monitoring – this could be captured under the data protection clause of the employee’s contract of employment. 
 

Last updated on 08/11/2021

Flag / Icon

United Kingdom

  • at Littler

Monitoring worker activity generally (whether remote-working or non-remote working) is possible but must be handled with caution and appropriate safeguards. As a general rule, employers are entitled to monitor worker activity to some extent, but they must undertake an impact assessment before doing so (which is an internal assessment of the impact of the proposed monitoring on data privacy), tell workers in advance about the monitoring and only monitor workers to the minimum extent reasonably feasible to achieve the employer’s goals.

The monitoring must be necessary, justified and proportionate. In other words, any monitoring must have a legal basis under GDPR for processing employee personal data in that manner (the legal basis may vary depending on the specific purpose of the monitoring), and the employer must also be able to demonstrate that: (a) the monitoring in question is a necessary and proportionate action to achieve a legitimate aim; and (b) that there is no less intrusive alternative way of achieving that purpose. There are also separate obligations in relation to data security and retention.

The more intrusive and extensive the monitoring, the greater the risk that employer monitoring may breach the UK’s data protection legislation, the Data Protection Act 2018 (and the UK’s implementation of the EU’s GDPR).

The ICO has previously published extensive guidance on how employers should implement a monitoring system. See here from page 58. This guidance was published before the pandemic, but is equally applicable. Recently, the ICO has also published specific guidance on monitoring employees using surveillance cameras, to check for compliance with pandemic health & safety obligations: see here.

Last updated on 21/09/2021

Flag / Icon

United States

  • at Littler
  • at Littler
  • at Littler

Monitoring and surveillance laws vary from state to state, and there are also, potentially, tort and criminal laws regarding invasion of privacy that must be considered where the employee has an expectation of privacy.  While audio or key-stroke monitoring may be minimally intrusive, video surveillance is almost always problematic. Some states require only one-party consent for audio monitoring, but others require that all the parties to a conversation consent to such monitoring.

Up-to-date information on the USA’s response to the pandemic, including State-level news and developments, can be found at Littler’s covid hub here.

Last updated on 21/09/2021

04. Are employers required to provide work equipment (for example, computers and other digital devices) or to pay for or reimburse employees for costs associated with remote working (for example, internet and electricity costs)?

04. Are employers required to provide work equipment (for example, computers and other digital devices) or to pay for or reimburse employees for costs associated with remote working (for example, internet and electricity costs)?

Flag / Icon

Argentina

  • at MBB Balado Bevilacqua
  • at MBB Balado Bevilacqua
  • at MBB Balado Bevilacqua

Employers must provide employees with equipment, working tools and the necessary support for performing their duties, as well as meet all the installation, maintenance and repair costs related to the use of an employee’s own equipment.

If employees incur higher expenses related to the connectivity required to perform their duties, those expenses must be reimbursed by employers.

The provision of equipment is not considered a part of compensation and, therefore, they must not be included in calculations for any severance payments, or union or social security contributions. The guidelines for determining these costs may be agreed upon by the parties if the labour relationship is not under a CBA.

In addition, according to Resolution No. 1522/2012 issued by the Labor Risks Superintendent (SRT), employers must provide the following to home workers: one ergonomic chair; one portable fire extinguisher; one first aid kit; one mouse pad and one Manual of Good Health Practices in the home office (however, this Resolution does not apply if the home-working arrangement is implemented due to the covid-19 health emergency).

Last updated on 21/09/2021

Flag / Icon

Australia

  • at People + Culture Strategies

There are no laws requiring employers to pay or reimburse employees for costs associated with remote working such as increased electricity costs and internet costs, although some employers may have a contractual obligation to reimburse employees for these costs.

An “expenses” clause is common in Australian employment contracts and provides that an employer will reimburse an employee for any genuine expense they incur in the proper performance of their duties (and for which they can produce receipts). Depending on how such clauses are drafted, employees may have a contractual right to reimbursement of internet and electricity costs as legitimate work-related expenses in the context of remote-working arrangements.

Last updated on 21/09/2021

Flag / Icon

Austria

  • at Littler
  • at Littler
  • at Littler

The basic obligation of employers to reimburse employees for expenses incurred on behalf of employers already results from general private law for all forms of remote working (more precisely: section 1014 of the General Civil Code).

However, the reimbursement of costs is more precisely defined for work in a home office. Employers are, in principle, obliged by law to provide home workers with the necessary digital work equipment. If an arrangement has been made by works agreement or individual agreement whereby the employee provides digital work equipment, which includes the necessary data connection, the employer shall pay the reasonable and necessary reimbursement of costs. To this extent, the employer is obliged by law to pay compensation.

This expense is to be borne by the employer, who may, however, pay a so-called home office allowance tax-free to the employee up to a limit of €300 and thereby, or by paying an appropriate lower amount, compensate the employee for expenses, including those resulting from increased internet or electricity consumption.

Last updated on 21/09/2021

Flag / Icon

Belgium

  • at Van Olmen & Wynant

Article 7 CBA No. 149 states that employers need to arrange with employees on the provision of work equipment and reimbursement of costs related to remote work (use of a private computer, internet, electricity and gas etc). However, this provision does not include an obligation for employers to provide equipment or to reimburse these costs; it is also possible that there is no such compensation. Nonetheless, reimbursement of these costs is an attractive compensation tool for employers, as they are excluded from income tax or social security contributions (up to a certain limit).

Only a limited group of employees who fall under the homeworking system are entitled by law (article 119.6 Employment Contract Act) to remuneration of 10% of their salary to reimburse costs related to homework.

If an employee cannot work remotely because their employer refuses to provide a laptop (which an employee might not have), it could become impossible for that employee to work, which could be considered a breach of contractual and legal obligations by their employer.

Last updated on 21/09/2021

Flag / Icon

Brazil

  • at Pinheiro Neto
  • at Pinheiro Neto Advogados

Employers are not required to provide work equipment in a remote-working arrangement. The CLT simply establishes that the contract governing that arrangement should be specific as to the provision of any equipment or reimbursement of expenses – if any. Notwithstanding the scant case law addressing this, precedents are inclined to understanding that companies should provide the minimum work tools needed for the rendering of services, eg, a computer and reimburse costs for the internet and power. If the company demands excessive accommodations or adaptations at employees’ homes, notably when those imply costs, employees may challenge the company’s policies and demand reimbursement – and labour courts would likely hold the employer liable for supporting the costs with excessive requests.

Last updated on 21/09/2021

Flag / Icon

France

  • at Proskauer Rose
  • at Proskauer Rose
  • at Proskauer Rose

French law has no provision for this.

It is, therefore, necessary to refer to the two national agreements of 2005 and 2020. These agreements stipulate that the costs incurred by the employee in the performance of his or her employment contract are borne by the employer. This obligation also applies to teleworkers. However, the national agreement of 2020 sets a few conditions for this coverage: the prior validation of the employer, the expense must be incurred for the needs of the professional activity of the employee and in the interests of the company.

The organisation responsible for collecting social security contributions (URSSAF) has issued a list of expenses that must be covered by the employer. These costs include ink cartridges, paper, telephone and internet subscriptions, electricity, heating, a proportion of rent in certain cases (see below) and home insurance.

The terms and conditions for covering business expenses (maximum amount, the procedure to follow, etc.) may be defined unilaterally by the employer, by mutual agreement between the employee and the employer, or by a collective agreement between the employer and the company's unions. Article 3.1.5 of the national agreement of 2020 and the Ministry of Labour recommend doing everything possible to reach an agreement between the employer and the unions.

If teleworking becomes permanent and the employee no longer has an office on the company's premises, the employer must pay a home occupation allowance.[3]

As for the use of the employee's personal equipment, the principle is that the employer must provide the employee with a computer for teleworking. However, if the employee agrees, they can use their personal equipment (article 7 of the national agreement of 19 July 2005).

 

[3] Cass. Soc, 14 septembre 2016, n°14-21.893

Last updated on 21/09/2021

Flag / Icon

Germany

  • at CMS Hasche Sigle

Employers are usually required to provide the necessary work equipment when remote working is agreed upon. The obligation to provide work equipment includes office furniture (such as office chairs and desks), IT equipment (hardware and software), office materials (such as stationery and toner) and the necessary telecommunications (like a telephone or internet connection). However, employers are exempt from this obligation if an employee voluntarily chooses to work on a mobile basis despite the business providing company premises.

If the employer and the employee agree that the employee will work at home, the employer usually pays for electricity, heating and internet. However, one-off agreements are usually made in these instances. In addition, the worker is generally provided with a laptop and additional equipment to ensure data security. Office equipment is usually only provided if the employee works exclusively from home (ie, no workstation is provided on company premises). Employers do this not only to save costs, but also to avoid having to check – which is controversial – whether the work station where the employee is working remotely complies with the general principles of health and safety.

Last updated on 21/09/2021

Flag / Icon

Greece

  • at Kyriakides Georgopoulos Law Firm
  • at Kyriakides Georgopoulos Law Firm
  • at Kyriakides Georgopoulos Law Firm

Employers are obliged to compensate the cost of remote working and provide technical support (ie, IT supports services, etc) to remote workers. In particular, employers must cover all costs associated with remote working, including:

•       the cost of equipment required for remote working (laptop, mouse, keyboard, printer if needed etc). Alternatively, it may be stipulated in the remote-working agreement that the employee will use their own equipment;

•       the cost of telecommunications (ie, use of internet connection, phone, etc);

•       the cost of maintaining such equipment;

•       the cost of restoring any damage caused to it (ie, either compensate the cost of fixing equipment used or replace the same. The employer’s obligation to cover such cost also remains in case the parties have agreed that employees will use their own equipment;  

•       The monthly cost of the employee using their home as a workplace.

 Please note here that the minimum amounts of the abovementioned costs to be compensated by the employer are expected to be regulated by a relevant Ministerial Decision, which has not been issued yet.

Last updated on 21/09/2021

Flag / Icon

Hong Kong

  • at Lewis Silkin
  • at Lewis Silkin
  • at Lewis Silkin

Employers in Hong Kong are not statutorily required to provide work equipment for employees working remotely or reimburse them for costs incurred in buying such equipment themselves or for the cost of working from home (eg, mobile phone, internet, utility costs and computer usage expenses).

Generally speaking, an employment contract will contain a term stating that all legitimate business expenses reasonably incurred in the proper performance of the employee’s job duties will be reimbursed by the employer to the employee. As such, an employee could potentially make a contractual claim against his or her employer for expenses incurred in buying work equipment for remote working and for the other costs of working from home, unless there is a policy or written instruction from the employer stating otherwise.

If the employer does not reimburse the employee for these costs, the employee may argue that the employer is in breach of contract, or that the costs incurred if not reimbursed would be an offset against earned wages, and therefore result in an unlawful deduction from wages. This, in turn, could lead to the employee bringing a potential claim for constructive dismissal or unreasonable variation of employment terms.

Therefore, it would be helpful for employers to have a clear policy on reimbursement of expenses related to remote working either as a standalone policy or as part of a wider remote-working policy, including what employees can and cannot claim, whether there are any caps on expenditure, how to make such claims and what types of documentary proof of expenditure are required.  

Last updated on 11/10/2021

Flag / Icon

India

  • at Nishith Desai
  • at Nishith Desai

There is no legal obligation for employers to provide work equipment or reimburse the costs of remote working. However, if an employer would like an employee to work remotely, it is generally expected that the employee will be provided with the necessary tools and equipment required for remote working, including a computer and a phone, which an employee is expected to use exclusively while dealing with work-related data. There is, however, no clarity surrounding reimbursement of costs for internet or electricity, and employers adopt different arrangements, based on their remote-working policies and practices.

Last updated on 18/11/2021

Flag / Icon
Ireland

Ireland

  • at Littler

Unless provided for in an employment contract, there is no mandatory obligation on an employer to provide particular work equipment (save as part of its ongoing health and safety obligations), to pay a working-from-home allowance or to reimburse employees for costs associated with remote working.

The Irish tax authorities permit an employer to pay an allowance of up to €3.20 per working day tax-free to employees who are working from home to cover expenses such as heat, electricity and broadband. Any amount paid over and above this permitted limit of €3.20 is fully taxable as income. Where no allowance is paid, an employee may recover up to 30% of the cost of their broadband, and up to 10% of their electricity and heating costs, directly from Revenue, the Irish taxation agency. It has been announced that up to 30% of electricity and heating costs may be recovered from 2022 onwards. However, only costs that are attributable to working days are recoverable.

Equipment that is provided by an employer to enable an employee to carry out his or her work (eg, laptop or monitor), and which is used by the employee primarily for work purposes, is not taxable as a benefit-in-kind. Vouched expenses that are incurred wholly and exclusively in the course of an employee’s duties are not generally subject to tax, but this exemption is applied on an extremely limited basis.

Last updated on 18/11/2021

Flag / Icon

Italy

  • at Toffoletto De Luca Tamajo

Under Smart Working rules employers are not required to provide any tools for employees, nor pay or reimburse any relevant costs for the same.

However, they must ensure health & safety and that any work tools assigned to the employees are functioning well.  It is recommended that employers have an internal policy regulating the use and custody of electronic equipment and how it can be safeguarded from damage and theft. However, in case of Teleworking (see point 1) the employer is required to pay all the expenses related to the installation and the use of remote working station and tools (desk, chair, wireless connection, telephone, etc.).

©Toffoletto De Luca Tamajo, ©Ius Laboris

Last updated on 21/09/2021

Flag / Icon

Mexico

  • at Marván, González Graf y González Larrazolo
  • at Marván, González Graf y González Larrazolo
  • at Marván, González Graf y González Larrazolo

Yes, employers must provide, install, and maintain the necessary supplies and equipment (for example, computers, ergonomic chairs, and printers); pay any expenses arising from teleworking, such as internet, communication and electricity services; keep a registry of the supplies delivered to the teleworkers in compliance with workplace health and safety provisions; and establish the necessary training and advisory mechanisms to guarantee the adoption and adequate use of information technology.

Last updated on 21/09/2021

Flag / Icon

Portugal

  • at Cuatrecasas
  • at Cuatrecasas

Yes, under the general teleworking regime in the Portuguese Labour Code, unless there is a written agreement to the contrary, employers are responsible for the installation and maintenance of work equipment and the payment of any inherent costs.

Hence, as a rule, employers should make the necessary equipment available. Employees may consent to the use of their own devices for teleworking should the employer not be able to provide them – namely during the covid-19 pandemic – however, the employer is still responsible for ensuring that the equipment is adapted to and programmed for teleworking.

As mentioned above, under the general provisions on teleworking, employers should pay any extra costs related to teleworking. However, according to the Portuguese government, under the special compulsory teleworking regime (whenever the nature of the work was compatible with it) approved during the pandemic, employers must pay any additional phone and internet costs caused by mandatory teleworking, but not those of water or electricity.

Last updated on 21/09/2021

Flag / Icon

Qatar

  • at Clyde & Co
  • at Clyde & Co

Refer to question 1.

Last updated on 08/11/2021

Flag / Icon

Saudi Arabia

  • at Clyde & Co
  • at Clyde & Co

Please see question 1.

Last updated on 29/11/2021

Flag / Icon