New Ways of Working

Explore and keep track of key legal and compliance considerations for multinational employers as new ways of working become increasingly embedded as the pandemic begins to recede. Learn more about the response taken in specific countries or build your own report to compare approaches taken around the world.

Choose countries

 

Choose questions

Choose the questions you would like answering, or choose all for the full picture.

02. Outline the key data protection risks associated with remote working in your jurisdiction.

02. Outline the key data protection risks associated with remote working in your jurisdiction.

Flag / Icon

France

  • at Proskauer Rose
  • at Proskauer Rose
  • at Proskauer Rose

Employers must ensure the protection of their company’s data but also of employees’ data.

According to article L. 1222-10 of the French labour code, the employer must inform the teleworking employee of the company's rules regarding data protection and any restrictions on the use of computer equipment or tools. Once informed, the employee must respect these rules.

The collective national agreement of 26 November 2020, provides more details in article 3.1.4. It is the employer's responsibility to take necessary measures to protect the personal data of a teleworking employee and the data of anyone else the employee processes during their activity, in compliance with the GDPR of 27 April 2016 and the rulings of the National Commission for Technology and Civil Liberties (the CNIL).

The CNIL said in its 12 November 2020 Q&A on teleworking that employers are responsible for the security of their company's personal data, including when they are stored on terminals over which they do not have physical or legal control (eg, employee's personal computer) but whose use they have authorised to access the company's IT resources.

The National Agreement of 26 November 2020 recommends three practices:

  • the establishment of minimum instructions to be respected in teleworking, and the communication of this document to all employees;
  • providing employees with a list of communication and collaborative work tools appropriate for teleworking, which guarantee the confidentiality of discussions and shared data; and
  • the possibility of setting up protocols that guarantee confidentiality and authentication of the recipient server for all communications.
Last updated on 21/09/2021

Flag / Icon

Turkey

  • at Gün + Partners
  • at Gün + Partners
  • at Gün + Partners

The key data protection risks associated with remote working are data security and the processing of additional personal data while working remotely.

Under article 12 of the Personal Data Protection Law numbered 6698 (the DPL), data controllers must take all administrative and technical measures necessary to prevent unlawful processing of personal data, to prevent unlawful access to personal data and to ensure the security of personal data.

The Regulation also stipulates that the employer must inform remote workers about workplace rules and applicable legislation concerning the protection and transfer of data related to the workplace and their assignments (which may include personal data). The Regulation also emphasises that employers must take all necessary measures for the security of data. Per the Regulation, in the remote-working agreement, the employer must determine the definition and scope of data that needs to be protected.

There is no guidance from the Turkish Data Protection Authority (DPA) concerning measures to be taken specifically for remote working. Its general Guideline for Personal Data Security (Data Security Guideline) and the principal decision of the Turkish Data Protection Board concerning measures required to be taken by data controllers for processing sensitive personal data (Board Resolution for Sensitive Personal Data Security) should be considered by employers. The measures listed in the Data Security Guideline and the Board Resolution for Sensitive Personal Data Security are not exhaustive. Employers must consider all necessary measures for cyber security. International guidelines and IT sector developments should also be considered.

Employers who have failed to take appropriate measures to protect the unlawful processing of or access to personal data may be required to pay an administrative fine amounting to between 40,179 Turkish lira and 2,678,859[1] Turkish lira. Furthermore, additional technical measures taken for remote-working opportunities must also be communicated to the Data Controllers’ Registry if the employer is required to register data-processing activities (eg, employers located in Turkey that have more than 50 employees or have a balance sheet of more than 25 million lira fall under this obligation). Otherwise, although it may not be an imminent risk, an administrative sanction amounting to between 53,572 lira and 2,678,859 lira may be applied against the employer.

Lastly, if having remote-working employees requires an employer to process additional employee data, then the employer must inform their employees accordingly by providing an appropriate privacy notice under the DPL. Otherwise, they may be fined between 13,391 lira and 267,886 lira. The employer should determine what legal ground should be applied to the data processing due to remote working. If the applicable legal ground is consent but consent is not obtained lawfully from employees, then the employer may face an administrative fine of between 40,179 lira and 2,678,859 lira for unlawful processing. 


[1] All administrative fine amounts mentioned in this questionnaire will be updated for each year based on a re-evaluation determined annually.

Last updated on 09/02/2022

05. What potential issues and risks arise for employers in the context of cross-border remote-working arrangements?

05. What potential issues and risks arise for employers in the context of cross-border remote-working arrangements?

Flag / Icon

France

  • at Proskauer Rose
  • at Proskauer Rose
  • at Proskauer Rose

Cross-border remote working can accentuate some of the problems caused by teleworking or create new ones.

Among the existing problems, the loss of social ties is accentuated if the teleworker decides to work from another country. Indeed, the employee abroad will never physically see his colleagues, which will create a distance between the employee working from abroad and other employees.

Similarly, employers must ensure the protection of the health and safety of workers (article L. 4121-1 labour code). This is a difficult obligation to meet in teleworking, especially because employers do not have access to remote employees’ workplaces. It is even more difficult if the employee works from another country because the sanitary, electrical and other standards are different and potentially less protective than French rules.

As for social security law, in principle, the employee depends on the social security system of the country where they work. The employee can only continue to benefit from the French social security system if they are in a secondment situation. Moreover, this is only a temporary solution because the secondment implies a temporary mission. The employer will therefore have to register the employee with the social security system of the country where they are working, which will cause problems in terms of social contributions.

Another question that may arise is whether an employer should accept a work stoppage prescribed by a foreign doctor.

Finally, another problem that may arise is the employee's right to disconnect. Indeed, the employer and the employee must agree on a time slot during which the employee can not be contacted to respect his private life as much as possible.[4] It can be difficult to establish a time slot that suits both the employee and the employer in case of major time zone discrepancies.


[4] National agreement of November 26, 2020

Last updated on 21/09/2021

Flag / Icon

Turkey

  • at Gün + Partners
  • at Gün + Partners
  • at Gün + Partners

Theoretically, cross-border remote-working arrangements are possible from an employment law perspective as the law does not provide a clear rule or restriction on this. However, in practice, the Social Security Institution does not consider days worked overseas as workdays subject to social security premiums. Therefore, such arrangements may not be possible.

Employers located in Turkey must consider their data privacy obligations where employees are working in the context of cross-border remote-working arrangements, because the relevant obligations are mostly applicable on a residency basis due to the principle of territoriality. On the other hand, under Turkish legislation, employers must ensure the security of data shared with the relevant employees.

In addition, employers should bear in mind that any data shared with such employees would be an overseas transfer of data. As a result, if the transferred data contains personal data, consent must be obtained for such transfer of data abroad from the data subject, covering the purpose of processing this data unless the employers have permission from the DPA for the relevant international transfer. International transfers of personal data are restricted in Turkey. Unlike GDPR, the DPL does not protect international transfers in the European Economic Area (EEA) as Turkey is not in the EEA and standard contractual clauses do not apply to the transfer of personal data from Turkey to overseas.

Depending on the sector in which employers are engaged, there may be further data-residency and data-localisation requirements. Therefore, before any cross-border remote-working arrangements, employers must evaluate whether they are subject to such requirements and how they should approach the data to be processed by the relevant employees for their duties and assignments on a case-by-case basis.

Last updated on 21/09/2021

10. Are there some workplaces or specific industries or sectors in which the government has required that employers make access to the workplace conditional on individuals having received a Covid-19 vaccination?

10. Are there some workplaces or specific industries or sectors in which the government has required that employers make access to the workplace conditional on individuals having received a Covid-19 vaccination?

Flag / Icon

France

  • at Proskauer Rose
  • at Proskauer Rose
  • at Proskauer Rose

Please see above (questions 8 and 9) regarding the workplaces and specific industries concerned by making the access to the workplace conditional on individuals having received a Covid-19 vaccination.

Last updated on 21/09/2021

Flag / Icon

Turkey

  • at Gün + Partners
  • at Gün + Partners
  • at Gün + Partners

No. As mentioned above, the Ministry of Health has stated that the covid-19 vaccination is available voluntarily. Also, according to the Ministry of Labour and Social Security’s general letter, mandatory PCR testing was regulated as a voluntary mechanism at the employer’s discretion, considering different working methods in all workplaces.

On the other hand, the Ministry of Internal Affairs issued a separate circular, which regulated mandatory PCR testing before attending collective activities such as a concert, cinema or theatre; or undergoing intercity travel by plane, bus, train or other means of public transportation, except for private vehicles. Before, it could be possible to say that, in addition to the attendees, employees who facilitate these activities could also be requested to provide a negative PCR test result if they are unvaccinated. Likewise, the Ministry of Education introduced a similar practice at schools. All unvaccinated school staff encountering students face-to-face had to undergo mandatory PCR testing twice a week.

However, as of 14 January, no mandatory PCR testing is deemed required for the following individuals even if they are unvaccinated (or their vaccination processes are not complete) or are not recovered from covid-19 within the past 180 days:

  • those undergoing intercity travel by plane, bus, train or other means of public transportation;
  • those who attend collective activities such as a concert, cinema or theatre;
  • all school staff working at Ministry of Education schools (teachers, service drivers, etc);
  • employees of public and private workplaces; and
  • those attending student camps organised by public or private institutions;

However, mandatory PCR testing is still required for the following individuals:

  • employees of nursing homes, aged-care facilities, prisons or penitentiaries who are unvaccinated or not recovered from covid-19 within the last 180 days, or their vaccination process is not complete;
  • prisoners and convicts at prisons or penitentiaries;
  • those traveling abroad (subject to the rules of the travelled country); and
  • those undergoing intercity travel by plane who are unvaccinated or not recovered from covid-19 within the past 180 days, or their vaccination process is not complete.

With that in mind, all these announcements were qualified as recommendations in terms of their binding power, and therefore several Turkish scholars take the view that employers, especially by gathering Occupational Health and Safety Councils (if they exist), can still decide to mandate PCR testing to ensure occupational health and safety at workplaces by complying with the personal data protection rules.

Last updated on 09/02/2022