New Ways of Working

Explore and keep track of key legal and compliance considerations for multinational employers as new ways of working become increasingly embedded as the pandemic begins to recede. Learn more about the response taken in specific countries or build your own report to compare approaches taken around the world.

Choose countries

 

Choose questions

Choose the questions you would like answering, or choose all for the full picture.

02. Outline the key data protection risks associated with remote working in your jurisdiction.

02. Outline the key data protection risks associated with remote working in your jurisdiction.

Flag / Icon

Austria

  • at Littler
  • at Littler
  • at Littler

The potential data protection risks associated with remote working are largely equivalent to those associated with working in a regular workplace, but are arguably even more prevalent.

A significant potential risk factor is the transfer of personal data if it is no longer securely stored on a company's servers. In addition, employers thereby transfer responsibility for the safekeeping and use of sensitive data to the worker. In doing so, employers have a significantly reduced ability to exert any influence. Nevertheless, companies are still generally regarded as being responsible for data protection within the meaning of the General Data Protection Regulation (GDPR), which creates a certain amount of friction.

It is also questionable whether a so-called privacy impact assessment must be carried out when working in a home office.

In principle, such an assessment must be conducted if data processing – especially when using new technologies – is likely to result in a high risk to the rights and freedoms of natural persons due to the nature, scope, circumstances, and purposes of the processing.

At present, it cannot be assumed that the threshold for the use of new technologies has already been exceeded in the context of remote working. In individual cases, however, it could amount to an "organisational solution" within the meaning of the GDPR, which also triggers the obligation of a privacy impact assessment by the data controller.

Insecure data connections that might not be constantly checked and maintained should also be considered. Another potential risk arises from it being easier for third parties to obtain access to sensitive data, whether it be persons in the same household or others at public places of work.

From a legal perspective, compliance with data security can also be adequately ensured for remote work, considering the GDPR and the corresponding national legal basis (Austrian Data Protection Act).

In home-office agreements, however, it is advisable to make further reference to data protection aspects. Here, companies should refer to the secure and data protection-compliant transport of sensitive hardware. Additionally, companies should take technical and organisational measures to ensure data security (eg, use of VPN, two-factor authentication with mobile phones, encryption of USB sticks, provision of a LAN network, requirements for secure storage of access data).

Last updated on 21/09/2021

Flag / Icon

France

  • at Proskauer Rose
  • at Proskauer Rose
  • at Proskauer Rose

Employers must ensure the protection of their company’s data but also of employees’ data.

According to article L. 1222-10 of the French labour code, the employer must inform the teleworking employee of the company's rules regarding data protection and any restrictions on the use of computer equipment or tools. Once informed, the employee must respect these rules.

The collective national agreement of 26 November 2020, provides more details in article 3.1.4. It is the employer's responsibility to take necessary measures to protect the personal data of a teleworking employee and the data of anyone else the employee processes during their activity, in compliance with the GDPR of 27 April 2016 and the rulings of the National Commission for Technology and Civil Liberties (the CNIL).

The CNIL said in its 12 November 2020 Q&A on teleworking that employers are responsible for the security of their company's personal data, including when they are stored on terminals over which they do not have physical or legal control (eg, employee's personal computer) but whose use they have authorised to access the company's IT resources.

The National Agreement of 26 November 2020 recommends three practices:

  • the establishment of minimum instructions to be respected in teleworking, and the communication of this document to all employees;
  • providing employees with a list of communication and collaborative work tools appropriate for teleworking, which guarantee the confidentiality of discussions and shared data; and
  • the possibility of setting up protocols that guarantee confidentiality and authentication of the recipient server for all communications.
Last updated on 21/09/2021

03. What are the limits on employer monitoring of worker activity in the context of a remote-working arrangement and what other factors should employers bear in mind when monitoring worker activity remotely?

03. What are the limits on employer monitoring of worker activity in the context of a remote-working arrangement and what other factors should employers bear in mind when monitoring worker activity remotely?

Flag / Icon

Austria

  • at Littler
  • at Littler
  • at Littler

Relevant here are first the restrictions on the employer's control of working time. Both the Working Time Act and the Rest Periods Act also apply to remote work and to work in a home office. However, section 26 paragraph 3 of the Working Time Act provides that in the case of work that is predominantly carried out in the home, only records of the duration (not the specific beginning and end) of the working time are to be kept. If the working hours are fixed, only deviations must be recorded.

The practical possibilities of monitoring work performance are manifold due to the IT tools that are now available (eg, log files, webcam). In contrast, in Austrian labour law, the employer's ability to control is subject to important restrictions. Control measures that affect human dignity require either the consent of the works council or – if such a council does not exist – the consent of the respective worker. Both attendance and performance or productivity controls can be relevant here. According to case law, the question of whether human dignity is affected must be assessed on a case-by-case basis. In addition to the employer's interest in monitoring, the way the monitoring is carried out is also decisive, so that the possibility of constant electronic monitoring (for example, by controlling keystrokes or screen duplication) certainly affects human dignity[1].

However, it is of course lawful to check the availability of employees during working hours.


[1] Huger in Huger (Hrsg), Home Office und mobiles Arbeiten [2021] Rechtliche Rahmenbedingungen.

Last updated on 21/09/2021

Flag / Icon

France

  • at Proskauer Rose
  • at Proskauer Rose
  • at Proskauer Rose

The rules for monitoring employees do not differ between teleworkers and office workers. Thus, like any employee, teleworkers must be informed in advance of the methods and techniques used to monitor his or her activity (article L. 1222-3 of the labour code).

The implementation of a device allowing the control of the employee's working time must be justified by the nature of the task to be performed and proportionate to the purpose (National Agreement of 26 November 2020).

The CNIL said in a Q/A on 12 November 2020 that the devices used to monitor employees’ activity must not be aimed at trapping employees and cannot lead to permanent surveillance of employees. Thus, audio or video devices, permanent screen-sharing or keyloggers must not be implemented.

If the employer exercises excessive surveillance on his employee, it may receive a financial penalty.

Finally, the CNIL advises employers to prioritise monitoring the completion of missions by setting objectives rather than monitoring the working time or the daily activity of employees.

Last updated on 21/09/2021

10. Are there some workplaces or specific industries or sectors in which the government has required that employers make access to the workplace conditional on individuals having received a Covid-19 vaccination?

10. Are there some workplaces or specific industries or sectors in which the government has required that employers make access to the workplace conditional on individuals having received a Covid-19 vaccination?

Flag / Icon

Austria

  • at Littler
  • at Littler
  • at Littler

In principle, there is already the legal possibility to impose vaccinations for certain professions in the health sector. However, this option has not been exercised yet. There is no legal basis for compulsory vaccination in most sectors.

Workers may choose from three options (3-G rule) when they want to enter their employer’s premises. As of now, there is no regulation stipulating an entry requirement to the workplace for vaccinated workers. However, employers may only tighten access restrictions in substantiated cases. Individuals who are not employees may be subject to stricter conditions (proof of vaccination) as a result of the employer’s right of domicile.

Last updated on 31/01/2022

Flag / Icon

France

  • at Proskauer Rose
  • at Proskauer Rose
  • at Proskauer Rose

Please see above (questions 8 and 9) regarding the workplaces and specific industries concerned by making the access to the workplace conditional on individuals having received a Covid-19 vaccination.

Last updated on 21/09/2021