New Ways of Working

Explore and keep track of key legal and compliance considerations for multinational employers as new ways of working become increasingly embedded as the pandemic begins to recede. Learn more about the response taken in specific countries or build your own report to compare approaches taken around the world.

Choose countries

 

Choose questions

Choose the questions you would like answering, or choose all for the full picture.

02. Outline the key data protection risks associated with remote working in your jurisdiction.

02. Outline the key data protection risks associated with remote working in your jurisdiction.

Flag / Icon

Belgium

  • at Van Olmen & Wynant

Employees who process data at home could create a data leak when they lose the data or improperly dispose of it after it is no longer useful for the company. It is also more difficult to protect digital data in a non-professional setting and a private network might be more vulnerable to breaches.

Article 9.3 of CBA No. 149 states that company data used and processed by teleworkers for professional purposes must be protected. Employers should inform teleworkers of the company's rules on data protection and, in particular, the restrictions and penalties for the misuse of IT equipment and tools. Considering this, it is strongly recommended for companies to draft and implement an IT policy.

Also, employees’ personal data could be at risk since teleworking often means a direct insight into the personal life of the employee, using remote-monitoring devices. Such devices or software could register data that is not purely linked to their work and might possibly breach several GDPR principles, such as data minimisation.

Last updated on 21/09/2021

Flag / Icon

France

  • at Proskauer Rose
  • at Proskauer Rose
  • at Proskauer Rose

Employers must ensure the protection of their company’s data but also of employees’ data.

According to article L. 1222-10 of the French labour code, the employer must inform the teleworking employee of the company's rules regarding data protection and any restrictions on the use of computer equipment or tools. Once informed, the employee must respect these rules.

The collective national agreement of 26 November 2020, provides more details in article 3.1.4. It is the employer's responsibility to take necessary measures to protect the personal data of a teleworking employee and the data of anyone else the employee processes during their activity, in compliance with the GDPR of 27 April 2016 and the rulings of the National Commission for Technology and Civil Liberties (the CNIL).

The CNIL said in its 12 November 2020 Q&A on teleworking that employers are responsible for the security of their company's personal data, including when they are stored on terminals over which they do not have physical or legal control (eg, employee's personal computer) but whose use they have authorised to access the company's IT resources.

The National Agreement of 26 November 2020 recommends three practices:

  • the establishment of minimum instructions to be respected in teleworking, and the communication of this document to all employees;
  • providing employees with a list of communication and collaborative work tools appropriate for teleworking, which guarantee the confidentiality of discussions and shared data; and
  • the possibility of setting up protocols that guarantee confidentiality and authentication of the recipient server for all communications.
Last updated on 21/09/2021

Flag / Icon

Turkey

  • at Gün + Partners
  • at Gün + Partners
  • at Gün + Partners

The key data protection risks associated with remote working are data security and the processing of additional personal data while working remotely.

Under article 12 of the Personal Data Protection Law numbered 6698 (the DPL), data controllers must take all administrative and technical measures necessary to prevent unlawful processing of personal data, to prevent unlawful access to personal data and to ensure the security of personal data.

The Regulation also stipulates that the employer must inform remote workers about workplace rules and applicable legislation concerning the protection and transfer of data related to the workplace and their assignments (which may include personal data). The Regulation also emphasises that employers must take all necessary measures for the security of data. Per the Regulation, in the remote-working agreement, the employer must determine the definition and scope of data that needs to be protected.

There is no guidance from the Turkish Data Protection Authority (DPA) concerning measures to be taken specifically for remote working. Its general Guideline for Personal Data Security (Data Security Guideline) and the principal decision of the Turkish Data Protection Board concerning measures required to be taken by data controllers for processing sensitive personal data (Board Resolution for Sensitive Personal Data Security) should be considered by employers. The measures listed in the Data Security Guideline and the Board Resolution for Sensitive Personal Data Security are not exhaustive. Employers must consider all necessary measures for cyber security. International guidelines and IT sector developments should also be considered.

Employers who have failed to take appropriate measures to protect the unlawful processing of or access to personal data may be required to pay an administrative fine amounting to between 40,179 Turkish lira and 2,678,859[1] Turkish lira. Furthermore, additional technical measures taken for remote-working opportunities must also be communicated to the Data Controllers’ Registry if the employer is required to register data-processing activities (eg, employers located in Turkey that have more than 50 employees or have a balance sheet of more than 25 million lira fall under this obligation). Otherwise, although it may not be an imminent risk, an administrative sanction amounting to between 53,572 lira and 2,678,859 lira may be applied against the employer.

Lastly, if having remote-working employees requires an employer to process additional employee data, then the employer must inform their employees accordingly by providing an appropriate privacy notice under the DPL. Otherwise, they may be fined between 13,391 lira and 267,886 lira. The employer should determine what legal ground should be applied to the data processing due to remote working. If the applicable legal ground is consent but consent is not obtained lawfully from employees, then the employer may face an administrative fine of between 40,179 lira and 2,678,859 lira for unlawful processing. 


[1] All administrative fine amounts mentioned in this questionnaire will be updated for each year based on a re-evaluation determined annually.

Last updated on 09/02/2022

10. Are there some workplaces or specific industries or sectors in which the government has required that employers make access to the workplace conditional on individuals having received a Covid-19 vaccination?

10. Are there some workplaces or specific industries or sectors in which the government has required that employers make access to the workplace conditional on individuals having received a Covid-19 vaccination?

Flag / Icon

Belgium

  • at Van Olmen & Wynant

Until now, there have been no such requirements. But as stated above, this will be the case in the healthcare sector, starting from 1 April 2022.

Last updated on 01/12/2021

Flag / Icon

France

  • at Proskauer Rose
  • at Proskauer Rose
  • at Proskauer Rose

Please see above (questions 8 and 9) regarding the workplaces and specific industries concerned by making the access to the workplace conditional on individuals having received a Covid-19 vaccination.

Last updated on 21/09/2021

Flag / Icon

Turkey

  • at Gün + Partners
  • at Gün + Partners
  • at Gün + Partners

No. As mentioned above, the Ministry of Health has stated that the covid-19 vaccination is available voluntarily. Also, according to the Ministry of Labour and Social Security’s general letter, mandatory PCR testing was regulated as a voluntary mechanism at the employer’s discretion, considering different working methods in all workplaces.

On the other hand, the Ministry of Internal Affairs issued a separate circular, which regulated mandatory PCR testing before attending collective activities such as a concert, cinema or theatre; or undergoing intercity travel by plane, bus, train or other means of public transportation, except for private vehicles. Before, it could be possible to say that, in addition to the attendees, employees who facilitate these activities could also be requested to provide a negative PCR test result if they are unvaccinated. Likewise, the Ministry of Education introduced a similar practice at schools. All unvaccinated school staff encountering students face-to-face had to undergo mandatory PCR testing twice a week.

However, as of 14 January, no mandatory PCR testing is deemed required for the following individuals even if they are unvaccinated (or their vaccination processes are not complete) or are not recovered from covid-19 within the past 180 days:

  • those undergoing intercity travel by plane, bus, train or other means of public transportation;
  • those who attend collective activities such as a concert, cinema or theatre;
  • all school staff working at Ministry of Education schools (teachers, service drivers, etc);
  • employees of public and private workplaces; and
  • those attending student camps organised by public or private institutions;

However, mandatory PCR testing is still required for the following individuals:

  • employees of nursing homes, aged-care facilities, prisons or penitentiaries who are unvaccinated or not recovered from covid-19 within the last 180 days, or their vaccination process is not complete;
  • prisoners and convicts at prisons or penitentiaries;
  • those traveling abroad (subject to the rules of the travelled country); and
  • those undergoing intercity travel by plane who are unvaccinated or not recovered from covid-19 within the past 180 days, or their vaccination process is not complete.

With that in mind, all these announcements were qualified as recommendations in terms of their binding power, and therefore several Turkish scholars take the view that employers, especially by gathering Occupational Health and Safety Councils (if they exist), can still decide to mandate PCR testing to ensure occupational health and safety at workplaces by complying with the personal data protection rules.

Last updated on 09/02/2022