New Ways of Working

Explore and keep track of key legal and compliance considerations for multinational employers as new ways of working become increasingly embedded as the pandemic begins to recede. Learn more about the response taken in specific countries or build your own report to compare approaches taken around the world.

Choose countries

 

Choose questions

Choose the questions you would like answering, or choose all for the full picture.

02. Outline the key data protection risks associated with remote working in your jurisdiction.

02. Outline the key data protection risks associated with remote working in your jurisdiction.

Flag / Icon

Argentina

  • at MBB Balado Bevilacqua
  • at MBB Balado Bevilacqua
  • at MBB Balado Bevilacqua

There is no specific statutory regulation on this matter related to employees under the home office framework. However, it is advisable to create a clear general policy on data protection or include in employment agreements provisions regarding data protection in order to clarify to employees the extent of their obligation. We recommend executing those documents in Spanish, due to the protective nature of local labour law; if there is a conflict with employees, a labour court is likely to dismiss all documents in a foreign language.

As a result, the Personal Data Protection Law (PDPL), Law No. 25,326, establishes the full protection of personal information recorded in personal files, registers, banks, or other technical means of data storage and processing. Therefore, employers must comply with the PDPL and take steps to ensure that this law applies throughout their organisation.

The main aspects of the PDPL are:

  1. The purpose of collecting employee data must be communicated to employees and written consent needs to be obtained.
  2. However, consent is not required if the data has been obtained from a public source; collected for the performance of the state’s duties; consists of lists limited to name, ID number, tax or social security identification, occupation, date of birth, domicile, and telephone number; or arises from a contractual relationship, either scientific or professional, of the data owner, and are necessary for its development or fulfilment.
  3. In addition, this Law establishes the employee’s right to access and modify any incorrect or false information. Furthermore, the collection of information related to an employee’s private life is permissible as long as the information collected complies with the following requirements: it is not used for discriminatory purposes; it does not violate the individual’s right to privacy; and it is reasonably used.
  4. When an employer requests personal data from an employee, they must be notified in advance and in an express and clear manner about: the purpose for which the data needs to be processed and who can use such data; the existence of the relevant data file or register, whether electronic or otherwise, and the identity and domicile of the responsible person; the compulsory or discretionary character of the information requested; the consequences of providing the data, of refusing to provide such data, or if it is inaccurate; and the data owner’s rights to data access, rectification, and suppression.
  5. Indeed, the processing of personal data requires express consent from the data owner, which must be accompanied by appropriate information, prominently and expressly explaining the nature of consent sought. This can be achieved by the employee signing a general consent form on entering employment. However, consent may be withdrawn by an employee.
  6. Various restrictions apply to the disclosure of personal data to third parties. This is generally only allowed if it is in the legitimate interests of the database owner (eg, the employer) and the data owner (eg, the employee) has consented. This consent can be revoked at any time by the data owner.
  7. The transfer of personal data to another country – which does not guarantee a proper level of data protection – is forbidden. Nevertheless, such prohibition is not applied when the individuals, whose personal information is intended to be transferred, give their express written consent.

All data regarding employees’ health is sensitive information, so the employer must get the express authorisation of the employee for any transfer of such date, and employers should stop or restrict the transfer to other companies or its employees that lack sufficient clearance to deal with health information, including covid-19 information.

Last updated on 13/07/2022

Flag / Icon

France

  • at Proskauer Rose
  • at Proskauer Rose
  • at Proskauer Rose

Employers must ensure the protection of their company’s data but also of employees’ data.

According to article L. 1222-10 of the French labour code, the employer must inform the teleworking employee of the company's rules regarding data protection and any restrictions on the use of computer equipment or tools. Once informed, the employee must respect these rules.

The collective national agreement of 26 November 2020, provides more details in article 3.1.4. It is the employer's responsibility to take necessary measures to protect the personal data of a teleworking employee and the data of anyone else the employee processes during their activity, in compliance with the GDPR of 27 April 2016 and the rulings of the National Commission for Technology and Civil Liberties (the CNIL).

The CNIL said in its 12 November 2020 Q&A on teleworking that employers are responsible for the security of their company's personal data, including when they are stored on terminals over which they do not have physical or legal control (eg, employee's personal computer) but whose use they have authorised to access the company's IT resources.

The National Agreement of 26 November 2020 recommends three practices:

  • the establishment of minimum instructions to be respected in teleworking, and the communication of this document to all employees;
  • providing employees with a list of communication and collaborative work tools appropriate for teleworking, which guarantee the confidentiality of discussions and shared data; and
  • the possibility of setting up protocols that guarantee confidentiality and authentication of the recipient server for all communications.
Last updated on 21/09/2021

10. Are there some workplaces or specific industries or sectors in which the government has required that employers make access to the workplace conditional on individuals having received a Covid-19 vaccination?

10. Are there some workplaces or specific industries or sectors in which the government has required that employers make access to the workplace conditional on individuals having received a Covid-19 vaccination?

Flag / Icon

Argentina

  • at MBB Balado Bevilacqua
  • at MBB Balado Bevilacqua
  • at MBB Balado Bevilacqua

No, there are not.

Last updated on 13/07/2022

Flag / Icon

France

  • at Proskauer Rose
  • at Proskauer Rose
  • at Proskauer Rose

Please see above (questions 8 and 9) regarding the workplaces and specific industries concerned by making the access to the workplace conditional on individuals having received a Covid-19 vaccination.

Last updated on 21/09/2021

11. What are the key privacy considerations employers face in relation to ascertaining and processing employee medical and vaccination information?

11. What are the key privacy considerations employers face in relation to ascertaining and processing employee medical and vaccination information?

Flag / Icon

Argentina

  • at MBB Balado Bevilacqua
  • at MBB Balado Bevilacqua
  • at MBB Balado Bevilacqua

According to Resolution No. 4/2021, employees may present a reliable proof of vaccination, or state (as an affidavit) the reasons why they were not able to take a vaccine, as applicable. Therefore, employers are entitled to enquire about an employee’s vaccination status (even though it is considered sensitive data according to PDPL).

However, employers may not use this information to discriminate between employees, as this may expose the employer to potential claims and, eventually, constructive dismissal liability.

In addition, employers may collect and store such documentation according to the provisions established in PDPL (please see question 2 above).

As mentioned previously, it is recommended that employers request the information in Spanish to avoid unnecessary misinterpretation. If the employee does not speak Spanish, it is also recommended that a dual language is used. The Spanish version will always prevail in the event of a dispute.

Last updated on 13/07/2022

Flag / Icon

France

  • at Proskauer Rose
  • at Proskauer Rose
  • at Proskauer Rose

Moreover, regarding the processing of data relating to an employee’s vaccination, the CNIL has not yet issued a directive on the specific subject of the processing of employee vaccination data by employers. Because of their sensitive nature, data relating to employee health are subject to special legal protection: they are in principle prohibited from being processed. Employers, therefore, may not keep a list of vaccinated employees, or disclose the names of those who do not wish to be vaccinated.

In fact, according to the CNIL, "because of their sensitive nature, data relating to a person's health are subject to special legal protection: they are in principle prohibited from being processed. In order to be processed, its use must necessarily fall within one of the exceptions provided for by the GDPR, thus guaranteeing a balance between the desire to ensure the security of individuals and respect for their rights and fundamental freedoms. Moreover, their sensitivity justifies that they be processed under very strong conditions of security and confidentiality and only by those who are authorized to do so.

The exceptions that can be used in the context of work are limited and can generally be based on either :

  • the need for the employer to process this data to meet its obligations in terms of labour law, social security and social protection: this is the case for the processing of reports by employees,
  • the need for a health professional to process such data for the purposes of preventive or occupational medicine, (health) assessment of the worker's capacity to work, medical diagnoses etc.

For these reasons, employers who would like to initiate any steps aimed at ascertaining the state of health of their employees must rely on the occupational health services.

The CNIL points out that only competent health personnel (in particular occupational medicine) may collect, implement and access any medical forms or questionnaires from employees/agents containing data relating to their health or information relating in particular to their family situation, their living conditions or their possible movements"

However, we find these exceptions difficult to apply in the context of covid-19.

For employees subject to mandatory vaccination, the law allows the employer, or regional health agency if applicable, to store the result of the check on the proof of vaccination status.

Please note that the employer may not keep the proof of vaccination. In other words, the employer may not keep the QR code, only the “Yes/No” result of the test. Keeping the result is limited in time (currently until 15 November 2021).

The information thus collected is personal data subject to the General Data Protection Regulation (GDPR).

Last updated on 21/09/2021