New Ways of Working

Explore and keep track of key legal and compliance considerations for multinational employers as new ways of working become increasingly embedded as the pandemic begins to recede. Learn more about the response taken in specific countries or build your own report to compare approaches taken around the world.

Choose countries

 

Choose questions

Choose the questions you would like answering, or choose all for the full picture.

02. Outline the key data protection risks associated with remote working in your jurisdiction.

02. Outline the key data protection risks associated with remote working in your jurisdiction.

Flag / Icon

France

  • at Proskauer Rose
  • at Proskauer Rose
  • at Proskauer Rose

Employers must ensure the protection of their company’s data but also of employees’ data.

According to article L. 1222-10 of the French labour code, the employer must inform the teleworking employee of the company's rules regarding data protection and any restrictions on the use of computer equipment or tools. Once informed, the employee must respect these rules.

The collective national agreement of 26 November 2020, provides more details in article 3.1.4. It is the employer's responsibility to take necessary measures to protect the personal data of a teleworking employee and the data of anyone else the employee processes during their activity, in compliance with the GDPR of 27 April 2016 and the rulings of the National Commission for Technology and Civil Liberties (the CNIL).

The CNIL said in its 12 November 2020 Q&A on teleworking that employers are responsible for the security of their company's personal data, including when they are stored on terminals over which they do not have physical or legal control (eg, employee's personal computer) but whose use they have authorised to access the company's IT resources.

The National Agreement of 26 November 2020 recommends three practices:

  • the establishment of minimum instructions to be respected in teleworking, and the communication of this document to all employees;
  • providing employees with a list of communication and collaborative work tools appropriate for teleworking, which guarantee the confidentiality of discussions and shared data; and
  • the possibility of setting up protocols that guarantee confidentiality and authentication of the recipient server for all communications.
Last updated on 21/09/2021

Flag / Icon

Saudi Arabia

  • at Clyde & Co
  • at Clyde & Co

Data loss, cyber security, privacy and maintaining confidentiality are the key data risks associated with working remotely in most jurisdictions. These risks are heightened in Saudi Arabia as there are no specific data protection laws in place. Taking precautions against importing viruses, compromising system security, and maintaining confidentiality while working remotely are key considerations for employers. Internal policies and procedures should be put in place to ensure employees are aware of their obligations, and operating through virtual private networks could minimise potential risks.

Last updated on 29/11/2021

03. What are the limits on employer monitoring of worker activity in the context of a remote-working arrangement and what other factors should employers bear in mind when monitoring worker activity remotely?

03. What are the limits on employer monitoring of worker activity in the context of a remote-working arrangement and what other factors should employers bear in mind when monitoring worker activity remotely?

Flag / Icon

France

  • at Proskauer Rose
  • at Proskauer Rose
  • at Proskauer Rose

The rules for monitoring employees do not differ between teleworkers and office workers. Thus, like any employee, teleworkers must be informed in advance of the methods and techniques used to monitor his or her activity (article L. 1222-3 of the labour code).

The implementation of a device allowing the control of the employee's working time must be justified by the nature of the task to be performed and proportionate to the purpose (National Agreement of 26 November 2020).

The CNIL said in a Q/A on 12 November 2020 that the devices used to monitor employees’ activity must not be aimed at trapping employees and cannot lead to permanent surveillance of employees. Thus, audio or video devices, permanent screen-sharing or keyloggers must not be implemented.

If the employer exercises excessive surveillance on his employee, it may receive a financial penalty.

Finally, the CNIL advises employers to prioritise monitoring the completion of missions by setting objectives rather than monitoring the working time or the daily activity of employees.

Last updated on 21/09/2021

Flag / Icon

Saudi Arabia

  • at Clyde & Co
  • at Clyde & Co

Until recently, the legislative framework in KSA regarding data protection and personal rights to privacy was a patchwork, with discrete obligations and requirements contained in a variety of laws, as there was no comprehensive data protection law or specific legislation dealing with monitoring worker activity remotely. However, in September 2021 KSA published its first comprehensive national data protection law to regulate the collection and processing of personal information. The Personal Data Protection Law (PDPL) was implemented by Royal Decree M/19 of 9/2/1443H (16 September 2021) approving Resolution No. 98 dated 7/2/1443H (14 September 2021).  It will be effective from 23 March 2022. The executive regulations supplementing the Law should also be issued before it comes into force.

The PDPL is designed to protect “personal data”(ie, any information, in whatever form, through which a person may be directly or indirectly identified). This expressly includes an individual’s name, identification number, addresses and contact numbers, photographs and video recordings of the person. The PDPL applies to any processing by businesses or public entities of personal data performed in Saudi Arabia by any means whatsoever, including the processing of the personal data of Saudi residents by entities located outside the Kingdom. The PDPL does not apply to the processing of personal data for personal and family use.

Individuals (data subjects), will, subject to some exceptions, have the right to be informed of personal data processing and the legal basis of such processing, the right to access their personal data (including to obtain a free of charge copy of the same), the right to correct or update their personal data, and the right to request its destruction if no longer needed. Data subjects may also file complaints relating to the application of the PDPL with the regulatory authority. Organisations that collect personal data and determine the purpose for which it is used and the method of processing (controllers) will be required to register on an electronic portal that will form a national record of controllers. Controllers must also ensure the accuracy, completeness and relevancy of personal data before processing it, to maintain a record of processing for a period that will be prescribed by the executive regulations, and to ensure that staff are suitably trained in the PDPL and data protection principles.

Data subjects may withdraw their consent to the processing of personal data at any time and consent must not be a pre-requisite for the controller to offer a service or benefit (unless the service or benefit is specifically related to the processing activity for which consent is obtained).

There are also additional laws in KSA that safeguard the rights of the individual to privacy. These include:

  • shariah law – its principles protect an individual’s right to privacy;
  • the Basic Law of Governance (Law No. A/90), which protects the privacy of individuals by safeguarding telegraphic, postal, telephone and other means of communication and making it unlawful to confiscate, delay, read or breach;
  • the Telecommunications Act (Council of Ministers Resolution No. 74/2001) restricts the disclosure of information or content that is intercepted in the course of its transmission; and
  • the Anti-Cyber Crime Law (Royal Decree No. M/17 makes it an offence to spy, intercept or receive data that is transmitted through an information network without consent, breach privacy through the use of camera-equipped and mobile phones, unlawfully access computers to delete, erase, destroy, leak, damage, alter or redistribute personal information, and defame or inflict damage on a person through the use of electronic devices.

While it is increasingly commonplace for employers to monitor the use of the internet and communications systems, especially email, before doing so – and to limit the risk of a potential breach of any of the above legislative provisions – employers should ensure that the employee has provided their express consent to any monitoring – this could be captured under the data protection clause of the employee’s contract of employment.

Last updated on 15/03/2022

10. Are there some workplaces or specific industries or sectors in which the government has required that employers make access to the workplace conditional on individuals having received a Covid-19 vaccination?

10. Are there some workplaces or specific industries or sectors in which the government has required that employers make access to the workplace conditional on individuals having received a Covid-19 vaccination?

Flag / Icon

France

  • at Proskauer Rose
  • at Proskauer Rose
  • at Proskauer Rose

Please see above (questions 8 and 9) regarding the workplaces and specific industries concerned by making the access to the workplace conditional on individuals having received a Covid-19 vaccination.

Last updated on 21/09/2021

Flag / Icon

Saudi Arabia

  • at Clyde & Co
  • at Clyde & Co

See question 8.

Last updated on 29/11/2021