New Ways of Working

Explore and keep track of key legal and compliance considerations for multinational employers as new ways of working become increasingly embedded as the pandemic begins to recede. Learn more about the response taken in specific countries or build your own report to compare approaches taken around the world.

Choose countries

 

Choose questions

Choose the questions you would like answering, or choose all for the full picture.

02. Outline the key data protection risks associated with remote working in your jurisdiction.

02. Outline the key data protection risks associated with remote working in your jurisdiction.

Flag / Icon

Argentina

  • at MBB Balado Bevilacqua
  • at MBB Balado Bevilacqua
  • at MBB Balado Bevilacqua

There is no specific statutory regulation on this matter related to employees under the home office framework. However, it is advisable to create a clear general policy on data protection or include in employment agreements provisions regarding data protection in order to clarify to employees the extent of their obligation. We recommend executing those documents in Spanish, due to the protective nature of local labour law; if there is a conflict with employees, a labour court is likely to dismiss all documents in a foreign language.

As a result, the Personal Data Protection Law (PDPL), Law No. 25,326, establishes the full protection of personal information recorded in personal files, registers, banks, or other technical means of data storage and processing. Therefore, employers must comply with the PDPL and take steps to ensure that this law applies throughout their organisation.

The main aspects of the PDPL are:

  1. The purpose of collecting employee data must be communicated to employees and written consent needs to be obtained.
  2. However, consent is not required if the data has been obtained from a public source; collected for the performance of the state’s duties; consists of lists limited to name, ID number, tax or social security identification, occupation, date of birth, domicile, and telephone number; or arises from a contractual relationship, either scientific or professional, of the data owner, and are necessary for its development or fulfilment.
  3. In addition, this Law establishes the employee’s right to access and modify any incorrect or false information. Furthermore, the collection of information related to an employee’s private life is permissible as long as the information collected complies with the following requirements: it is not used for discriminatory purposes; it does not violate the individual’s right to privacy; and it is reasonably used.
  4. When an employer requests personal data from an employee, they must be notified in advance and in an express and clear manner about: the purpose for which the data needs to be processed and who can use such data; the existence of the relevant data file or register, whether electronic or otherwise, and the identity and domicile of the responsible person; the compulsory or discretionary character of the information requested; the consequences of providing the data, of refusing to provide such data, or if it is inaccurate; and the data owner’s rights to data access, rectification, and suppression.
  5. Indeed, the processing of personal data requires express consent from the data owner, which must be accompanied by appropriate information, prominently and expressly explaining the nature of consent sought. This can be achieved by the employee signing a general consent form on entering employment. However, consent may be withdrawn by an employee.
  6. Various restrictions apply to the disclosure of personal data to third parties. This is generally only allowed if it is in the legitimate interests of the database owner (eg, the employer) and the data owner (eg, the employee) has consented. This consent can be revoked at any time by the data owner.
  7. The transfer of personal data to another country – which does not guarantee a proper level of data protection – is forbidden. Nevertheless, such prohibition is not applied when the individuals, whose personal information is intended to be transferred, give their express written consent.

All data regarding employees’ health is sensitive information, so the employer must get the express authorisation of the employee for any transfer of such date, and employers should stop or restrict the transfer to other companies or its employees that lack sufficient clearance to deal with health information, including covid-19 information.

Last updated on 13/07/2022

Flag / Icon

Australia

  • at People + Culture Strategies

In the context of an employer-controlled workplace, it is generally much easier to control and mitigate risks to an organisation’s confidential and sensitive information. There are physical protections intrinsic to the workplace (including by generally being off-limits to non-staff) and cyber-networks often have institutional protections in place, such as virtual private networks, firewalls, anti-virus software and secure IP addresses.

Other data protections that normally exist in an employer-controlled workplace include:

  • the use of private meeting rooms to conduct meetings and discussions involving sensitive and confidential information;
  • the secure storage of private, confidential and sensitive information (both hardcopy and in electronic form) on employer-controlled premises;
  • restrictions on the use of personal electronic devices in the workplace; and
  • the content of phone calls or video calls, and even information simply displayed in the workplace (including on computer screens), being kept private under the confines of the physical workplace.

However, the risks to data protection can be much harder to mitigate in the remote-working environment. These risks are heightened for several reasons, including that an employer has much less “visibility” over how employees deal with the employer’s (and any client’s) information in the home environment and much less when it comes to others who may be sharing that space. In this context, one obvious risk is the inadvertent and even deliberate sharing of sensitive information with one’s housemates, family members or guests.

Last updated on 21/09/2021

Flag / Icon

Austria

  • at Littler
  • at Littler
  • at Littler

The potential data protection risks associated with remote working are largely equivalent to those associated with working in a regular workplace, but are arguably even more prevalent.

A significant potential risk factor is the transfer of personal data if it is no longer securely stored on a company's servers. In addition, employers thereby transfer responsibility for the safekeeping and use of sensitive data to the worker. In doing so, employers have a significantly reduced ability to exert any influence. Nevertheless, companies are still generally regarded as being responsible for data protection within the meaning of the General Data Protection Regulation (GDPR), which creates a certain amount of friction.

It is also questionable whether a so-called privacy impact assessment must be carried out when working in a home office.

In principle, such an assessment must be conducted if data processing – especially when using new technologies – is likely to result in a high risk to the rights and freedoms of natural persons due to the nature, scope, circumstances, and purposes of the processing.

At present, it cannot be assumed that the threshold for the use of new technologies has already been exceeded in the context of remote working. In individual cases, however, it could amount to an "organisational solution" within the meaning of the GDPR, which also triggers the obligation of a privacy impact assessment by the data controller.

Insecure data connections that might not be constantly checked and maintained should also be considered. Another potential risk arises from it being easier for third parties to obtain access to sensitive data, whether it be persons in the same household or others at public places of work.

From a legal perspective, compliance with data security can also be adequately ensured for remote work, considering the GDPR and the corresponding national legal basis (Austrian Data Protection Act).

In home-office agreements, however, it is advisable to make further reference to data protection aspects. Here, companies should refer to the secure and data protection-compliant transport of sensitive hardware. Additionally, companies should take technical and organisational measures to ensure data security (eg, use of VPN, two-factor authentication with mobile phones, encryption of USB sticks, provision of a LAN network, requirements for secure storage of access data).

Last updated on 21/09/2021

Flag / Icon

Belgium

  • at Van Olmen & Wynant

Employees who process data at home could create a data leak when they lose the data or improperly dispose of it after it is no longer useful for the company. It is also more difficult to protect digital data in a non-professional setting and a private network might be more vulnerable to breaches.

Article 9.3 of CBA No. 149 states that company data used and processed by teleworkers for professional purposes must be protected. Employers should inform teleworkers of the company's rules on data protection and, in particular, the restrictions and penalties for the misuse of IT equipment and tools. Considering this, it is strongly recommended for companies to draft and implement an IT policy.

Also, employees’ personal data could be at risk since teleworking often means a direct insight into the personal life of the employee, using remote-monitoring devices. Such devices or software could register data that is not purely linked to their work and might possibly breach several GDPR principles, such as data minimisation.

Last updated on 21/09/2021

Flag / Icon

Brazil

  • at Pinheiro Neto
  • at Pinheiro Neto Advogados

In a remote-working environment, employees are more likely to use their personal devices and Wi-Fi and might share their workspace with family members or roommates. In addition, employees are more prone to mix personal and work-related data. These may lead not only to potential issues involving one’s privacy but also cyber threats and data leakage. Therefore, employers are strongly advised to implement strict policies on remote working, use of personal devices and data storage, as well as to provide the appropriate training.  

Last updated on 21/09/2021

Flag / Icon

France

  • at Proskauer Rose
  • at Proskauer Rose
  • at Proskauer Rose

Employers must ensure the protection of their company’s data but also of employees’ data.

According to article L. 1222-10 of the French labour code, the employer must inform the teleworking employee of the company's rules regarding data protection and any restrictions on the use of computer equipment or tools. Once informed, the employee must respect these rules.

The collective national agreement of 26 November 2020, provides more details in article 3.1.4. It is the employer's responsibility to take necessary measures to protect the personal data of a teleworking employee and the data of anyone else the employee processes during their activity, in compliance with the GDPR of 27 April 2016 and the rulings of the National Commission for Technology and Civil Liberties (the CNIL).

The CNIL said in its 12 November 2020 Q&A on teleworking that employers are responsible for the security of their company's personal data, including when they are stored on terminals over which they do not have physical or legal control (eg, employee's personal computer) but whose use they have authorised to access the company's IT resources.

The National Agreement of 26 November 2020 recommends three practices:

  • the establishment of minimum instructions to be respected in teleworking, and the communication of this document to all employees;
  • providing employees with a list of communication and collaborative work tools appropriate for teleworking, which guarantee the confidentiality of discussions and shared data; and
  • the possibility of setting up protocols that guarantee confidentiality and authentication of the recipient server for all communications.
Last updated on 21/09/2021

Flag / Icon

Germany

  • at CMS Hasche Sigle

As in other countries in Europe, the provisions of the EU General Data Protection Regulation (GDPR) and its German implementation in the shape of the German Federal Data Protection Act (BDSG) must be observed. Against this background, special measures must be taken to protect personal data in connection with remote work. This especially concerns third-party access to systems when computers and other portable devices are used in the home or on the go. To this end, employers often issue guidelines of standards with which employees must comply.

Also, remote working poses many data protection risks in terms of IT security and confidentiality. For example, cybercrime exploits the vulnerabilities inherent to remote working to infiltrate IT systems and steal confidential data, for instance through phishing attacks. At the same time, the confidentiality of a phone call, for example, is harder to protect while working in a co-working space, on a train or at home than in a typical workspace. Therefore, remote working may require different security measures and employers should inform their employees accordingly. In this regard, the European Union Agency for Cybersecurity last year published cybersecurity tips for remote working, both for employees (connecting to the internet via secure wi-fi networks, fully updating antivirus software and using a secure connection) and for employers (providing initial and regular feedback to employees on how to react if problems arise and restricting access to sensitive systems, etc.).

Last updated on 21/09/2021

Flag / Icon

Greece

  • at Kyriakides Georgopoulos Law Firm
  • at Kyriakides Georgopoulos Law Firm
  • at Kyriakides Georgopoulos Law Firm

Although necessitated by the circumstances, the transition of employees from corporate networks to largely unmonitored and vulnerable private networks outside the reach of perimeter-based security tools finds most employers unprepared and, thus, exposed to greater cyber threats and personal data breaches compared to on-site work. Employers are urged to take into consideration the increased risks a remote working environment poses to their data, systems, and networks and to invest heavily in IT security, while employees are encouraged to carefully follow all IT security guidelines, stay alert to security incidents, and be vigilant with phishing attacks. Within this framework, the Hellenic Data Protection Authority (HDPA) issued “Guidelines for implementing safety measures in the context of teleworking” on 15 April 2020, including appropriate safety measures concerning network access, the use of email or messaging applications, the use of terminal or storage media and how teleconferencing takes place to mitigate data protection risks associated with remote working.

On the other hand, many of these measures may result in more extensive collection and processing (recording, use, disclosure, etc) of employees’ personal data, including monitoring procedures. The key issue for most employers amid these circumstances is to find the right balance between protecting their IT systems and data, on the one hand, and safeguarding the data protection and privacy rights of their employees while working from home on the other.

Last updated on 14/07/2022

Flag / Icon

Hong Kong

  • at Lewis Silkin
  • at Lewis Silkin
  • at Lewis Silkin

As a result of the covid-19 pandemic, many companies in Hong Kong encouraged their staff to work remotely. This meant taking documents home from the office and using video conferencing, cloud computing and intranet platforms, where those software solutions were available, and also using personal devices to work more. As a result, confidentiality and security of data became more at risk.

Due to space constraints in Hong Kong, it is not practicable to expect employees to work or conduct confidential discussions in an isolated area away from others. Often employees are sharing workspace with family members and may also share a laptop or PC with them. If working from home is not an option for an employee, he or she may be working from cafes or public spaces. As a result, non-employees may overhear confidential discussions or see confidential documents. If these conversations and documents contain personal data (of employees, customers, clients, suppliers or other third parties), then the potential leakage of this data may constitute a breach of the Personal Data (Privacy) Ordinance (PDPO). There may also be contractual confidentiality breaches.

A typical home network is unlikely to have the same stringent security protections in place that an office network does. Attackers have seen an opportunity to steal user credentials from personal devices, which are now being used for work and likely do not have the same security protections as corporate devices. Using unsecured networks and devices may lead to data leakage or theft, which would be in breach of the PDPO.

If personal data is being processed by new third parties as a result of having to implement remote-working arrangements, an employer will need to notify its employees of this. This can be done by issuing employees with a revised or new Personal Information Collection Statement (PICS) setting out the change. The PDPO specifies that a data user, when collecting personal data directly from a data subject, must take all reasonably practicable steps to ensure that the data subject is informed of the intended use of their data and who will be handling such data. A PICS is therefore used to comply with these notification requirements and is a statement regarding a data user’s privacy policies and practices in relation to the personal data it handles. 

Last updated on 11/10/2021

Flag / Icon

India

  • at Nishith Desai
  • at Nishith Desai

An individual’s sensitive personal data or information (SPDI), which includes information on passwords; financial information such as a bank account, credit card or debit card or other payment instrument details; physical, physiological and mental health conditions; sexual orientation; medical records and history; or biometric information or other details related to such information provided to a body corporate for the provision of services or such information received for processing under a lawful contract or otherwise and its storage are protected under Indian data privacy rules. There are certain mandatory obligations for collectors of such SPDI in electronic forms, including obtaining the consent of the data provider, formulating, publishing, and complying with a privacy policy for treatment of such data and adopting certain standards of security practices. However, these obligations are not specific to remote-working arrangements; they govern the terms of the data being collected by the employer.

With employees working remotely, employers are facing a challenge with protecting the security of client data and other confidential information, which may be duplicated or disclosed to third parties by employees working remotely on unsecured personal devices.

Last updated on 08/07/2022

Flag / Icon
Ireland

Ireland

  • at Littler

The Data Protection Commissioner has issued guidance on the protection of personal data when working remotely (see here).

The key risks identified relate to protecting and preventing access to laptops, USBs, phones, tablets and other devices; emails; using unsecured networks to transmit data or to access company networks; and ensuring the security and confidentiality of hard-copy documents.

Employers should update data protection policies to take account of remote working and should also consider any data protection issues that may arise from an employee moving to work outside of Ireland.

Last updated on 21/09/2021

Flag / Icon

Italy

  • at Toffoletto De Luca Tamajo

Data security requirements applicable to all employees working at the company premises continue to apply to employees working remotely. In addition, the National Protocol on Smart Working specifies that the employer should promote the adoption of a policy also concerning data breach management and the implementation of proper security measures.

The main risks are linked to the transmission of company data outside the company premises, in places not necessarily identified.

Last updated on 14/07/2022

Flag / Icon

Mexico

  • at Marván, González Graf y González Larrazolo
  • at Marván, González Graf y González Larrazolo
  • at Marván, González Graf y González Larrazolo

Security controls

The common risks associated with remote working derive from the absence of security controls over equipment, software, and data, and not having any policies for remote-working schemes, leading to:

  • employees storing sensitive information in their local machines, without the control of employers over such tools;
  • compromised security controls; and
  • Wi-Fi networks and routers in homes are more easily compromised, increasing the risk of exposure.

Companies have the right to install security controls for the equipment and tools to be used by teleworkers to avoid any leaks of information and limit their use, because this hardware is the property of the employer. The common practice in Mexico is to implement a security data policy and a work tools policy.

Additionally, even though there are no specific legal provisions concerning the plausible risks associated with data protection in remote-working schemes, the Federal Law for the Protection of Personal Data in Possession of Private Individuals or Entities, the Federal Law for the Protection of Industrial Property, and their regulations and guidelines, establish provisions for the protection of rights concerning personal data, confidential information, and trade secrets, which also apply to remote-working schemes; therefore, all employees working remotely must comply with these laws and regulations. To prevent and avoid the disclosure of this information, the prevailing practice is to enter into agreements with employees establishing specific obligations in connection to confidentiality and data privacy. Such obligations usually refer to the policies and processes established by employers to ensure information security, and the corresponding penalties in the event of any breach.

Last updated on 21/09/2021

Flag / Icon

Netherlands

  • at Rutgers & Posch
  • at Rutgers & Posch

Employees who process data at home could create a data leak if they lose the data or improperly dispose of it after it is no longer useful for the company or their work. It is also more difficult to protect digital data in a non-professional setting and a private network might be more vulnerable to breaches. If a data breach does occur, the employee should, in principle, report this to the Dutch Data Protection Authority within 72 hours.

Employers are advised to update data protection policies to take into account remote working, and should also consider any data protection issues that may arise from an employee moving to work outside of The Netherlands.

Last updated on 08/03/2022

Flag / Icon

Poland

  • at Bird & Bird
  • at Bird & Bird

Telework or remote work should be organised in a way that ensures the protection of confidential information and other legally protected secrets, including trade secrets or personal data, as well as information whose disclosure could harm the employer.

Certain risks are present when employees perform work remotely:

  • they may use their own private equipment;
  • they may use company equipment for private purposes;
  • they may use an unsecured internet connection, including without a VPN (Virtual private network) connection; and
  • they may work from various unregulated locations, including coworking areas. 

Therefore, it is recommended that employers develop instructions regarding data protection and information safety (usually as part of their teleworking policy, which must be introduced with the participation of the employees' representatives) and ensure that these are introduced and applied effectively in the day-to-day work of remote workers.

Last updated on 21/03/2022

Flag / Icon

Portugal

  • at Cuatrecasas
  • at Cuatrecasas

Until the pandemic, teleworking was used rather infrequently, and most Portuguese employers were not prepared – namely in terms of technology and data storage – to suddenly have their workforce almost entirely and permanently working from home or remotely.

For those reasons, teleworking mainly raised – and continues to raise – concerns regarding the employer’s capacity to ensure that information is protected and that it stays confidential despite being remotely accessed and processed. Remote working enhances security vulnerabilities, which can lead to data breaches.

We would also like to highlight the use of technological solutions that, on one hand, allow employers to exercise their powers of management and control over work performance, but that, on the other, do not violate the general rule prohibiting the use of remote surveillance to control employees' professional performances, or that do not cause excessive restrictions on employees’ private lives.

Last updated on 13/07/2022

Flag / Icon

Qatar

  • at Clyde & Co
  • at Clyde & Co

Data loss, cyber security, privacy and maintaining confidentiality are the key data risks associated with working remotely.  Taking precautions against importing viruses, compromising system security, and maintaining confidentiality while working remotely are key considerations for employers. Internal policies and procedures should be put in place to ensure employees are aware of their obligations, and operating through virtual private networks could minimise potential risks. 

Last updated on 08/11/2021

Flag / Icon

Saudi Arabia

  • at Clyde & Co
  • at Clyde & Co

Data loss, cyber security, privacy and maintaining confidentiality are the key data risks associated with working remotely in most jurisdictions. These risks are heightened in Saudi Arabia as there are no specific data protection laws in place. Taking precautions against importing viruses, compromising system security, and maintaining confidentiality while working remotely are key considerations for employers. Internal policies and procedures should be put in place to ensure employees are aware of their obligations, and operating through virtual private networks could minimise potential risks.

Last updated on 29/11/2021

Flag / Icon

Spain

  • at Cuatrecasas
  • at Cuatrecasas

Apart from the general personal data protection issues to be considered, there are two significant risks.

First, under article 17 of Law 10/2021, any digital program or software to monitor remote workers must grant employees privacy and protection of personal data according to the Organic Law on Personal Data Protection and Digital Rights Guarantees. In particular:

  • an employer’s access to the digital technology provided to the remote worker must be limited to checking compliance with labour obligations and to guaranteeing the integrity of the devices;
  • employers must establish the terms of use of the digital devices, and the workers’ representatives must participate in drafting them;
  • employers must inform remote workers about the terms of use of the digital devices; and
  • regardless of the terms of use, an employer’s access to the digital means must be necessary for the employer to achieve a legal purpose, appropriate for such legal purpose and proportional to achieve such legal purpose. Based on this, the employer should implement the least invasive way of monitoring remote workers’ activity to achieve the legal purpose the employer is pursuing.

Any measure to monitor employees’ activity should meet these requirements; otherwise, an employer’s decision arising from such monitoring could be deemed unfair, and there could be a breach of the employee’s privacy, which could lead to a damages claim and an administrative fine.

Second, employers must comply with the principles of personal data processing under article 5 of the GDPR, especially purpose limitation and data minimisation, which means that the personal data the employer can process should be only what is the minimum necessary data for the performance of the labour contract or compliance with their legal obligations. Therefore, employers are not entitled to, for instance, force remote workers to turn on their cameras during working hours.

Third, despite remote working, employers must comply with health and safety obligations, which could lead to the employer or its health and safety services provider visiting an employee’s home to evaluate its risks. In that case, employers should issue a report justifying the visit and provide it to the remote worker and the health and safety workers’ representatives in advance. Additionally, to access any remote worker’s home, the employer must first obtain their consent.

If they do not give their consent, measures on health and safety should be based only on the information provided by the remote workers.

Last updated on 21/09/2021

Flag / Icon

Sweden

  • at DLA Piper
  • at DLA Piper
  • at DLA Piper

Pursuant to the GDPR, personal data should, inter alia, be processed in a manner that ensures appropriate security and confidentiality for the processing of that data, including by preventing unauthorised access to or use of personal data. For natural reasons, there may be additional challenges associated with this obligation when employees are working remotely, including an increased risk of personal data breaches when employees are working from home. The Swedish Authority for Privacy Protection mentions in its Privacy Protection Report of 2020 the increase in employees working from home as a result of the covid-19 pandemic, and the increased use of cloud service providers. The Authority highlights that data in cloud services is often transferred to countries outside the EU/EEA, and especially to the US. As a result of the Schrems II ruling in 2020, the use of, eg, cloud service providers that transfer data to  such jurisdictions (eg, in connection with IT maintenance) is problematic and may need to be addressed in relation to remote working.   

In light of the above, it is important as an employer to consider what measures are necessary in terms of IT security when working from home (eg, instructions to employees).

Last updated on 21/09/2021

Flag / Icon

Switzerland

  • at Lenz & Staehelin

Employers are required to respect the general Swiss data protection principles and rules. In particular, the Swiss Code of Obligations (SCO) states that the Federal Act on Data Protection (FADP) applies to the handling of employer personal data. The term "personal data" is defined as any information relating to an identified or identifiable person (individuals and companies).

Employers must ensure the security of the data they process. They must take appropriate organisational and technical measures to protect personal data against unauthorised processing or access, such as accidental or unauthorised destruction, loss, technical errors, falsification, theft, unlawful use, alteration, copying or any other undue processing. Moreover, employers also must control access and operations undertaken by employees.

One particularity of remote working is that employees' workstation and business data are located off sites. Meaning that third parties potentially could access this data.

To prevent data protection breaches, employers must institute appropriate technical and organisational measures and raise employee's awareness of data protection risks. These measures may include securing information systems, setting up authorisations and limiting access to concerned employees, and using a VPN. In addition, employees also should be made aware of the risks and procedures through in-house training and user manuals for the IT and security systems.

Last updated on 30/09/2021

Flag / Icon

Turkey

  • at Gün + Partners
  • at Gün + Partners
  • at Gün + Partners

The key data protection risks associated with remote working are data security and the processing of additional personal data while working remotely.

Under article 12 of the Personal Data Protection Law numbered 6698 (the DPL), data controllers must take all administrative and technical measures necessary to prevent unlawful processing of personal data, to prevent unlawful access to personal data and to ensure the security of personal data.

The Regulation also stipulates that the employer must inform remote workers about workplace rules and applicable legislation concerning the protection and transfer of data related to the workplace and their assignments (which may include personal data). The Regulation also emphasises that employers must take all necessary measures for the security of data. Per the Regulation, in the remote-working agreement, the employer must determine the definition and scope of data that needs to be protected.

There is no guidance from the Turkish Data Protection Authority (DPA) concerning measures to be taken specifically for remote working. Its general Guideline for Personal Data Security (Data Security Guideline) and the principal decision of the Turkish Data Protection Board concerning measures required to be taken by data controllers for processing sensitive personal data (Board Resolution for Sensitive Personal Data Security) should be considered by employers. The measures listed in the Data Security Guideline and the Board Resolution for Sensitive Personal Data Security are not exhaustive. Employers must consider all necessary measures for cyber security. International guidelines and IT sector developments should also be considered.

Employers who have failed to take appropriate measures to protect the unlawful processing of or access to personal data may be required to pay an administrative fine amounting to between 40,179 Turkish lira and 2,678,859[1] Turkish lira. Furthermore, additional technical measures taken for remote-working opportunities must also be communicated to the Data Controllers’ Registry if the employer is required to register data-processing activities (eg, employers located in Turkey that have more than 50 employees or have a balance sheet of more than 25 million lira fall under this obligation). Otherwise, although it may not be an imminent risk, an administrative sanction amounting to between 53,572 lira and 2,678,859 lira may be applied against the employer.

Lastly, if having remote-working employees requires an employer to process additional employee data, then the employer must inform their employees accordingly by providing an appropriate privacy notice under the DPL. Otherwise, they may be fined between 13,391 lira and 267,886 lira. The employer should determine what legal ground should be applied to the data processing due to remote working. If the applicable legal ground is consent but consent is not obtained lawfully from employees, then the employer may face an administrative fine of between 40,179 lira and 2,678,859 lira for unlawful processing. 


[1] All administrative fine amounts mentioned in this questionnaire will be updated for each year based on a re-evaluation determined annually.

Last updated on 09/02/2022

Flag / Icon

UAE

  • at Clyde & Co
  • at Clyde & Co

Data loss, cyber security, privacy and maintaining confidentiality are the key data risks associated with working remotely in most jurisdictions. Taking precautions against importing viruses, compromising system security and maintaining confidentiality while working remotely are key considerations for employers. Internal policies and procedures should be put in place to ensure employees are aware of their obligations, and operating through virtual private networks could minimise potential risks. 

Last updated on 15/03/2022

Flag / Icon

United Kingdom

  • at Littler

The key data protection risk associated with home working is data security.

In response to this, the UK’s data protection regulator – the Information Commissioner’s Office (ICO) – has issued guidance on the protection of personal data when working from home, using bring-your-own-device (BYOD) and working remotely (see: here).

The specific issues addressed include implementing appropriate workplace policies, IT security (including cloud-based storage security), the risk of theft and confidentiality.

Employers should update data protection policies to take account of remote working, in light of the ICO’s recommendations, and should also consider any data protection issues that may arise from an employee moving to work outside of the UK.

Last updated on 21/09/2021

Flag / Icon

United States

  • at Littler
  • at Littler
  • at Littler

Data privacy rules vary from state to state. Remote work, in particular, raises issues where employers have less control over the working environment and employees are potentially accessing sensitive information in their home that they share with others.  Employers should ensure that employees working remotely can demonstrate that their location provides sufficient privacy, security, and safety to secure the confidentiality of the employee’s work, company information and materials.  Additionally, health-related data must be protected and employers should be required to protect trade secrets and other confidential data. Employers must also maintain reasonable security measures to protect sensitive personally identifying information. 

Up-to-date information on the USA’s response to the pandemic, including State-level news and developments, can be found at Littler’s covid hub here.

Last updated on 21/09/2021

03. What are the limits on employer monitoring of worker activity in the context of a remote-working arrangement and what other factors should employers bear in mind when monitoring worker activity remotely?

03. What are the limits on employer monitoring of worker activity in the context of a remote-working arrangement and what other factors should employers bear in mind when monitoring worker activity remotely?

Flag / Icon

Argentina

  • at MBB Balado Bevilacqua
  • at MBB Balado Bevilacqua
  • at MBB Balado Bevilacqua

Regarding any monitoring system designed to protect an employer’s goods and data, the home office framework states that union participation is required to protect employees’ right to privacy.

Such union participation will be guaranteed through joint audits that include professionals selected by the union and the company. The confidentiality of the data processing of the employees involved must be guaranteed. Union participation will be limited to preserving employees’ rights under the home office framework.

Employer must take corresponding measures, especially regarding the software used, to protect any data used and processed by employees who are under the home office framework. In addition, it is forbidden to use surveillance software that violates employee privacy.

Last updated on 13/07/2022

Flag / Icon

Australia

  • at People + Culture Strategies

As a starting point, it is lawful for Australian employers to monitor staff who are working from home and there are no strict limits prescribed by law on the monitoring of worker activity in the context of remote-working arrangements.

However, this does not mean that employers can monitor employee activity as they please. The mutual duty of trust and confidence that underpins the employment relationship could be breached by inappropriate or overly intrusive monitoring activities.

Employers contemplating carrying out monitoring activities should first review the employee’s individual employment contracts and identify any monitoring or surveillance clause and consider what contractual obligations the employer may have concerning monitoring in the remote-working context, and consult any relevant company policies which might also apply.

Generally speaking, employers should be up-front about how and why they will be monitoring employee activity and any employee information that may be collected by that process. For example, employers should make it clear to employees that monitoring of their work devices, emails and message applications will continue when they are working from home and that the information obtained by the monitoring process could be used in a disciplinary context.

Last updated on 21/09/2021

Flag / Icon

Austria

  • at Littler
  • at Littler
  • at Littler

Relevant here are first the restrictions on the employer's control of working time. Both the Working Time Act and the Rest Periods Act also apply to remote work and to work in a home office. However, section 26 paragraph 3 of the Working Time Act provides that in the case of work that is predominantly carried out in the home, only records of the duration (not the specific beginning and end) of the working time are to be kept. If the working hours are fixed, only deviations must be recorded.

The practical possibilities of monitoring work performance are manifold due to the IT tools that are now available (eg, log files, webcam). In contrast, in Austrian labour law, the employer's ability to control is subject to important restrictions. Control measures that affect human dignity require either the consent of the works council or – if such a council does not exist – the consent of the respective worker. Both attendance and performance or productivity controls can be relevant here. According to case law, the question of whether human dignity is affected must be assessed on a case-by-case basis. In addition to the employer's interest in monitoring, the way the monitoring is carried out is also decisive, so that the possibility of constant electronic monitoring (for example, by controlling keystrokes or screen duplication) certainly affects human dignity[1].

However, it is of course lawful to check the availability of employees during working hours.


[1] Huger in Huger (Hrsg), Home Office und mobiles Arbeiten [2021] Rechtliche Rahmenbedingungen.

Last updated on 21/09/2021

Flag / Icon

Belgium

  • at Van Olmen & Wynant

Articles 9.1 and 9.2 of CBA No. 149 state that employers may monitor the results or performance of employees appropriately and proportionately. Teleworkers must be informed of how such monitoring is carried out. If employers want to monitor the e-mail or internet activity of employees, they will have to follow the specific procedure laid down in CBA No. 81 for the protection of the privacy of employees, concerning the monitoring of electronic online communication data.

In addition, CBA No. 68 regulates the use of cameras in the workplace. Under this CBA, it is only permissible to use cameras to pursue a limited amount of objectives, including the control of the employee’s work. Yet, for this objective, only temporary monitoring activities are permitted. In any case, a proportionality test is necessary. It will never be proportionate to request that remote workers be permanently recorded by a camera in their homes. However, simply asking them to turn their webcam on during a meeting is not covered by CBA No. 68 and should be possible.

It is also possible to make arrangements with employees regarding the periods during which they need, and do not need, to be contactable by the employer (article 11.3 CBA No. 149).

Last updated on 21/09/2021

Flag / Icon

Brazil

  • at Pinheiro Neto
  • at Pinheiro Neto Advogados

Rules on employers’ ability to monitor employees’ activity tend not to vary from a regular to a remote-working arrangement – but rather depend on “who owns the device”. As a general rule, whenever companies grant electronic devices to employees for work purposes, the content and all data stored in such equipment belong to the company, as they are considered “work tools”. This means that there is no expectation of privacy – provided that employees are informed on such monitoring in advance. In the case of personal devices, it may ultimately lead to certain ambiguity as to employers’ right to have access or monitor activity because of the existence of both professional and personal information. If that is the case, monitoring should be limited to work-related information, apps and files, ensuring, as much as possible, that personal data is preserved and there is no violation of privacy.

Last updated on 21/09/2021

Flag / Icon

France

  • at Proskauer Rose
  • at Proskauer Rose
  • at Proskauer Rose

The rules for monitoring employees do not differ between teleworkers and office workers. Thus, like any employee, teleworkers must be informed in advance of the methods and techniques used to monitor his or her activity (article L. 1222-3 of the labour code).

The implementation of a device allowing the control of the employee's working time must be justified by the nature of the task to be performed and proportionate to the purpose (National Agreement of 26 November 2020).

The CNIL said in a Q/A on 12 November 2020 that the devices used to monitor employees’ activity must not be aimed at trapping employees and cannot lead to permanent surveillance of employees. Thus, audio or video devices, permanent screen-sharing or keyloggers must not be implemented.

If the employer exercises excessive surveillance on his employee, it may receive a financial penalty.

Finally, the CNIL advises employers to prioritise monitoring the completion of missions by setting objectives rather than monitoring the working time or the daily activity of employees.

Last updated on 21/09/2021

Flag / Icon

Germany

  • at CMS Hasche Sigle

Employers may have various legitimate reasons to scrutinise and monitor employees' performance or conduct during remote work (eg, productivity, to enforce company policies, protect business secrets, health and safety obligations). However, monitoring worker activity is only permitted in any given case if the employee's privacy interest does not outweigh the employer's legitimate interests. Therefore, employers must justify employee monitoring on a case-by-case basis.

As a result, while monitoring employees via webcam is generally not allowed, monitoring employees' browser history or emails might be possible if the employer prohibits private use of the laptop; there is cause for the monitoring; and the measure does not lead to permanent monitoring of the employee's digital behaviour. Irrespective of this, if a works council has been established, the employer also needs the consent of the employee representatives to use a technical device that monitors employees' performance or behaviour. This is the case with any software.

In any event, the use of a keylogger that continuously records an employee's activities is unlawful. The data cannot be used in a procedural dispute, as the German Federal Labour Court ruled in its judgment of 27 July 2017 (2 AZR 681/16). Employers must always bear in mind the need to comply with the principles of the GDPR and the BDSG, as the personal data that employers collect when monitoring remote work is sensitive data. Employers must therefore take all necessary measures to ensure data confidentiality and secure access to company servers. Monitoring of private emails or private browser history is only permitted if there are clear signs that the employee has committed a criminal offence, but even then, the investigation must be proportionate.

Last updated on 21/09/2021

Flag / Icon

Greece

  • at Kyriakides Georgopoulos Law Firm
  • at Kyriakides Georgopoulos Law Firm
  • at Kyriakides Georgopoulos Law Firm

Limits on employer monitoring of worker activity do not significantly change in the context of remote working, taking into account that corporate equipment and networks are mainly used, and corporate data is being processed by employees. However, even if personal equipment is being used by employees, the following considerations should be taken into account.

According to applicable privacy and data protection legislation, HDPA decisions and the approach adopted by the European Court of Human Rights in Barbulescu v Romania in 2017, an employer may lawfully access and process personal data (emails and other documents) stored in employees' computers in cases where this processing is necessary for the overriding legitimate interests pursued by the employer or by a third party (legal basis of article 6 (1)(f) GDPR). Such legitimate interest of the employer may comprise the need to ensure the smooth running of the business by establishing mechanisms for checking that its employees are performing their professional duties adequately and with the necessary diligence, as well as the need to protect its business and property from significant threats, such as hindering the leaking of confidential information to a competitor or providing evidence of employee's criminal activities. In the latter case, the employer should, however, ensure that it does not enter into the exercise of investigative actions which, by law, are executed exclusively by the competent judicial-prosecutorial authorities.

Particular emphasis should be paid to ensuring the necessity and proportionality of the planned measure and the employer should be able to demonstrate that no less onerous and invasive measures exist to achieve the goal. In this context, excessive and constant monitoring of employees’ computers and communications cannot be justified. In addition, access should not extend to all communications and their content, but only to those necessary under the proportionality principle.

Employees have a legitimate expectation of privacy in the workplace, which is not altered by the fact that they use equipment, communication devices or any other professional facilities and infrastructure of the employer, even more so if they use their personal equipment. Even if employees have been explicitly informed beforehand of a relevant internal regulation that prohibits the personal use of company computers, this alone does not legally justify monitoring or control of the personal data processed by the employee;  a more specified notice is required. In particular, employers should inform employees beforehand, in clear and plain language, of the implementation of monitoring methods and their purpose, extent, nature, circumstances, etc, as required under articles 13 and 14 of the GDPR. In addition, employees should be provided with internal regulations on the proper use of company resources.  Lastly, employees’ representatives should also be informed of and express their opinion before the establishment of any monitoring systems in the workplace.

Last updated on 14/07/2022

Flag / Icon

Hong Kong

  • at Lewis Silkin
  • at Lewis Silkin
  • at Lewis Silkin

There are no specific statutory limits on employers monitoring employees’ activity in remote-working arrangements, as long as the employer complies with the PDPO. However, employers mustn't collect employees’ personal data (ie, browser history) without having notified them in advance of the personal data that they intend to collect and the purpose for which it is being collected, under the PDPO. This can be done in a PICS, where monitoring of an employee’s use of telephone, email, internet and video for performance-related and other reasons is likely to be included.

The privacy commissioner has released guidance about monitoring and personal data privacy at work. This includes guidelines on the monitoring of telephone, email, internet and video. These monitoring practices should serve a legitimate purpose that relates to the function and activity of the employer and should be necessary for that purpose. If an employer does not believe it can adhere to these guidelines, it may prefer to find less invasive ways of ensuring that employees are adhering to their job duties when working from home (eg, regular check-ins or asking them to complete timesheets).

Last updated on 11/10/2021

Flag / Icon

India

  • at Nishith Desai
  • at Nishith Desai

Employers in India largely rely on their policies regarding the monitoring of worker activity, in absence of codified laws. As a result of the covid-19 pandemic and resultant lockdown, employers were not fully prepared to shift to remote working and hence faced challenges vis-à-vis ethics and the legalities of monitoring employee activity. Incidentally, there was an employee protest in one case when the employer’s client required the employees providing services remotely to keep their cameras on.

While there is no legal requirement of time tracking specifically in the context of remote working in India, employers are generally required to track the working hours of employees (largely from an overtime perspective) and to comply with certain recordkeeping requirements under applicable labour laws. In this context, employers should bear in mind that their records do not falsely show an employee working beyond the stipulated daily and weekly working hours prescribed under applicable labour laws, which may trigger overtime requirements thereunder.

The law on the protection of women from sexual harassment applies to employees while they are working from home, given the expanded definition of “workplace” that includes “a dwelling place or a house”. Employers need to be careful to ensure that there is no abuse of the online means of communication, such as video calls, in the process of monitoring their employees that may lead to workplace sexual harassment-related claims. 

Last updated on 08/07/2022

Flag / Icon
Ireland

Ireland

  • at Littler

Employers must have regard to an employee’s right to privacy and data protection rights. They must have a legal basis under GDPR for processing employee personal data in that manner and must also be able to demonstrate that the monitoring in question is a necessary and proportionate action to achieve a legitimate aim; and that there is no less intrusive alternative way of achieving that purpose.

Guidance from the Data Protection Commissioner has focused on employers being transparent regarding the measures they adopt, including the purpose of collecting any personal data; minimising the amount of data that is processed; and preserving the confidentiality of any such data.

Last updated on 21/09/2021

Flag / Icon

Italy

  • at Toffoletto De Luca Tamajo

Employee monitoring is governed by article 4 of the Law no. 300/1970.

According to this article if tools that potentially enable employee remote monitoring are needed for the performance of work, employers may be able to collect information from them without a trade union agreement or administrative authorisation. However, information collected through those tools can be lawfully used for all purposes connected with employment, including disciplinary reasons, only if: (i) a company policy is in place adequately detailing the expected use of the tools and the nature of possible checks carried out by the employer; and (ii) the above is done in compliance with data protection legislation. 

No specific guidance or legal provisions have been issued for remote working, so employers should firstly ensure that they are able to monitor their employees in compliance with the above rules. Moreover, the individual agreement signed with the employee working remotely needs to include a reference to how the employer will exercise its monitoring power.

Last updated on 14/07/2022

Flag / Icon

Mexico

  • at Marván, González Graf y González Larrazolo
  • at Marván, González Graf y González Larrazolo
  • at Marván, González Graf y González Larrazolo

According to article 330-I of the amended FLL; the mechanisms employed to monitor teleworkers must be proportional to their purpose; employers must always guarantee the employees’ right to privacy; and the legal framework for protecting personal data must be complied with.

Additionally, activity monitoring must be limited to employees’ working hours and digital connectivity, be transparent, and the employer must respect the employees’ right to disconnect, meaning that they need to respect employees’ time off and must never expect their availability outside of working hours. Further, webcams are not mandatory, and employees have the right to refuse to turn them on.

Last updated on 21/09/2021

Flag / Icon

Netherlands

  • at Rutgers & Posch
  • at Rutgers & Posch

The use of equipment to monitor employees is subject to strict conditions under article 8 of the European Convention on Human Rights, the General Data Protection Regulation (GDPR) and Article 7:611 of the Dutch Civil Code (DCC).

In practice, we see several types of ICT software being used to remotely monitor employees’ activities on computers used by the employee at home (e.g., logging in- and out, the number of keystrokes, usage of e-mail and internet, screenshots or photos of the workplace at home can be taken via the webcam). These methods of monitoring are invasive to the privacy of employees and should be treated with much caution. It seems that these forms of monitoring cannot easily be considered necessary, since employees who work at the office are not being permanently supervised or monitored either.

Last updated on 08/03/2022

Flag / Icon

Poland

  • at Bird & Bird
  • at Bird & Bird

The general provisions regarding employee monitoring also apply to remote workers. According to the provisions of the Polish Labour Code that were introduced regarding GDPR, the scope, manner and aim of any form of employee monitoring (in particular, monitoring the IT or GPS of remote workers’ equipment) must be specified in detail in workplace regulations.

Therefore, the use of monitoring and its legal compliance is conditional on appropriate provisions being introduced by the employer upon agreement (consent required) with the trade unions or, in their absence, with employee representatives. The introduction of monitoring should be announced two weeks before monitoring begins.

Employee monitoring conducted without such regulations in place or in an excessive manner may be deemed illegal (eg, a court may reject it as evidence of employee fraud or other non-compliance in the case of a disciplinary action brought by the employer).  

Last updated on 21/03/2022

Flag / Icon

Portugal

  • at Cuatrecasas
  • at Cuatrecasas

In terms of privacy, the teleworking regime establishes that employers must respect employees’ privacy and time with their families, as well as provide them with good working conditions, both physically and psychologically. This was made even clearer with the new teleworking law.

Whenever remote working is carried out at an employee's home, visiting the workplace should only be necessary to check work performance or equipment and can only take place during the employees’ working hours, in the presence of the employee or a person designated by the employee, with prior notice of at least 24 hours and the employee’s consent.

Regarding limits on employers monitoring employee activity, the Portuguese Labour Code prohibits the use of remote surveillance in the workplace to monitor the professional performance of employees.

Especially during the pandemic, when remote working and teleworking, in particular, were normalised, concerns arose regarding the limits of monitoring and how to adequately safeguard employees’ privacy.

On 17 April 2020, the National Data Protection Commission (CNPD) issued guidelines on remote control during teleworking, especially the need for monitoring working time and the fact that, in several companies, employees were using their own devices to work.

In these guidelines, the National Data Protection Commission clarified that, regardless of who owns the work equipment, under the teleworking regime employers retain powers to direct and control the execution of work by employees. However, since there are no special provisions on remote control during teleworking, the National Data Protection Commission believes that the general rule prohibiting the use of remote surveillance fully applies.

Therefore, technological solutions for remote monitoring of employee performance are not allowed. For example, software that, in addition to tracking working times, records websites visited; tracks equipment locations in real-time; monitors the use of peripheral devices; captures screenshots; records when access to applications is initiated; controls the document being worked on; or records the time spent on each task are all prohibited.

Please note that, during the pandemic, when remote working was most widespread, the National Data Protection Commission and Trade Unions reported a significant increase in employees’ complaints about illegal monitoring taking place.

Also, since Portuguese labour law imposes an obligation to register working time (eg, start, pauses, end of work time), in teleworking this can be done through technological solutions. Applications specially designed for this purpose are allowed provided data protection principles are respected.

Concerns regarding these technological solutions were partially addressed by the new teleworking law, which states that when controlling the performance, the employer must respect the principles of proportionality and transparency, notably the employer cannot impose a permanent connection on employees through image or sound.  Also, it is forbidden to capture and use images, sound, keystrokes, browsing history, or other information that may affect the employee's right to privacy.

Last updated on 13/07/2022

Flag / Icon

Qatar

  • at Clyde & Co
  • at Clyde & Co

Qatar has an established legislative framework pertaining to data protection and personal rights to privacy. By way of background, the Qatar government enacted Law No. 13 of 2006 relating to the protection of personal data (PDPL) in 2017, which imposes obligations on natural and legal persons processing data related to identifiable individuals using electronic means. Additionally, the Qatar data protection authority, the Compliance & Data Protection Department (CDP), issued 14 guidelines in November 2020 to clarify obligations under the PDPL (the Guidelines).

The PDPL and the Guidelines guarantee the rights of data subjects, including the right to information and access to their personal data; the right to rectification; the right to erasure; the right to restriction of processing; the right to object; and the right to not be subjected to automated individual decision-making.

The CDP was established in 2020, and now serves as an independent, effective and impartial oversight system that guarantees compliance with the PDPL. An individual whose privacy rights have not been respected can complain directly to the CDP.

The Qatar Penal Code (11/2004, as amended) also establishes criminal offences concerning intercepting or disclosing correspondence or telephone conversations.

In addition to the Qatari Constitution, the International Covenant on Civil and Political Rights (ICCPR) and the Arab Charter on Human Rights (ACHR), to which Qatar is a party, all enshrine the rights to privacy, freedom of speech and the right of access to a court. All three legal texts apply equally to Qataris and non-Qataris.

It is increasingly commonplace for employers to monitor the use of the internet and communications systems, especially email; however, an employer's ability to monitor employees' activities must be carefully managed and employers should obtain prior employee consent. Employers must observe the legislative framework set out above and ensure that their employees have provided their express consent to any monitoring – this could be captured under the data protection clause of the employee’s contract of employment.

Last updated on 08/11/2021

Flag / Icon

Saudi Arabia

  • at Clyde & Co
  • at Clyde & Co

Until recently, the legislative framework in KSA regarding data protection and personal rights to privacy was a patchwork, with discrete obligations and requirements contained in a variety of laws, as there was no comprehensive data protection law or specific legislation dealing with monitoring worker activity remotely. However, in September 2021 KSA published its first comprehensive national data protection law to regulate the collection and processing of personal information. The Personal Data Protection Law (PDPL) was implemented by Royal Decree M/19 of 9/2/1443H (16 September 2021) approving Resolution No. 98 dated 7/2/1443H (14 September 2021).  It will be effective from 23 March 2022. The executive regulations supplementing the Law should also be issued before it comes into force.

The PDPL is designed to protect “personal data”(ie, any information, in whatever form, through which a person may be directly or indirectly identified). This expressly includes an individual’s name, identification number, addresses and contact numbers, photographs and video recordings of the person. The PDPL applies to any processing by businesses or public entities of personal data performed in Saudi Arabia by any means whatsoever, including the processing of the personal data of Saudi residents by entities located outside the Kingdom. The PDPL does not apply to the processing of personal data for personal and family use.

Individuals (data subjects), will, subject to some exceptions, have the right to be informed of personal data processing and the legal basis of such processing, the right to access their personal data (including to obtain a free of charge copy of the same), the right to correct or update their personal data, and the right to request its destruction if no longer needed. Data subjects may also file complaints relating to the application of the PDPL with the regulatory authority. Organisations that collect personal data and determine the purpose for which it is used and the method of processing (controllers) will be required to register on an electronic portal that will form a national record of controllers. Controllers must also ensure the accuracy, completeness and relevancy of personal data before processing it, to maintain a record of processing for a period that will be prescribed by the executive regulations, and to ensure that staff are suitably trained in the PDPL and data protection principles.

Data subjects may withdraw their consent to the processing of personal data at any time and consent must not be a pre-requisite for the controller to offer a service or benefit (unless the service or benefit is specifically related to the processing activity for which consent is obtained).

There are also additional laws in KSA that safeguard the rights of the individual to privacy. These include:

  • shariah law – its principles protect an individual’s right to privacy;
  • the Basic Law of Governance (Law No. A/90), which protects the privacy of individuals by safeguarding telegraphic, postal, telephone and other means of communication and making it unlawful to confiscate, delay, read or breach;
  • the Telecommunications Act (Council of Ministers Resolution No. 74/2001) restricts the disclosure of information or content that is intercepted in the course of its transmission; and
  • the Anti-Cyber Crime Law (Royal Decree No. M/17 makes it an offence to spy, intercept or receive data that is transmitted through an information network without consent, breach privacy through the use of camera-equipped and mobile phones, unlawfully access computers to delete, erase, destroy, leak, damage, alter or redistribute personal information, and defame or inflict damage on a person through the use of electronic devices.

While it is increasingly commonplace for employers to monitor the use of the internet and communications systems, especially email, before doing so – and to limit the risk of a potential breach of any of the above legislative provisions – employers should ensure that the employee has provided their express consent to any monitoring – this could be captured under the data protection clause of the employee’s contract of employment.

Last updated on 15/03/2022

Flag / Icon

Spain

  • at Cuatrecasas
  • at Cuatrecasas

In general terms, there are no substantial differences between remote and on-site workers.

Any digital program or software to monitor workers must guarantee their privacy and the protection of their personal data under the Organic Law on Personal Data Protection and Digital Rights Guarantees.

Article 17.2 of the Law on Remote Working provides that the employer cannot force employees to install programs or apps on their private devices, or to use their private devices for work.

Regarding workers who travel regularly to carry out their duties, under article 90 of the Organic Law on Personal Data Protection and Digital Rights Guarantees, any geolocation system must comply with the requirements mentioned above (ie, be necessary, appropriate and proportional), and employers must inform the workers and their legal representatives specifically, clearly and unambiguously of the existence and characteristics of such systems in advance. Besides, the employer must inform them that they may exercise their rights to access, rectification, erasure and restriction of the processing of data.

Collective bargaining agreements may provide additional information on this topic.

Last updated on 21/09/2021

Flag / Icon

Sweden

  • at DLA Piper
  • at DLA Piper
  • at DLA Piper

From a privacy perspective, employers must consider the GDPR and other privacy-related legislation. The GDPR states, inter alia, that the processing of personal data must be adequate, relevant and limited to what is necessary concerning the purposes for which they are processed (ie, the data minimisation principle). This means that the employer’s monitoring of employees cannot be too intrusive – it must be proportionate for the purpose. Furthermore, employers must be able to demonstrate that the purpose of the processing cannot be fulfilled by other, less-intrusive, means. Employers must also adhere to other GDPR requirements, eg, providing employees with information about the data processing in advance. Further, employers must always act in accordance with good practices in the Swedish labour market.

When it comes to employees’ use of email and the internet, the Swedish Authority for Privacy Protection recommends that employers have guidelines for internet use and e-mail. The guidelines should clearly state what type of private use is permitted, and also when the employer may consider controlling employees’ internet or e-mail use. Depending on the situation, it may be lawful to carry out inspections of an employee’s online usage. If there is a concrete suspicion that an employee is acting in breach of his or her employment contract, it may be lawful to monitor that employee, subject to complying with the GDPR and other privacy legislation. Employees must be informed about inspections or monitoring that may take place.

In terms of time tracking, the Swedish Working Hours Act also applies to remote working, meaning that the same limits on overtime and provisions on minimum daily rest periods must be observed. In some circumstances, however, such as when the work is performed without employer supervision or control, the Working Hours Act may not apply. There are no general guidelines on when the exemption is applicable, but it should be applied restrictively and is rarely applicable in the case of remote working. Employers should therefore engage in dialogue with employees on their working time to ensure compliance with the Working Hours Act.

Last updated on 24/01/2022

Flag / Icon

Switzerland

  • at Lenz & Staehelin

According to Swiss legislation, control or surveillance systems that are primarily intended to monitor the behaviour of employees are prohibited if they are detrimental to the health or well-being of employees. Health is understood in its broad sense and also includes mental health. There are no strict limits as to what surveillance is, but measures must always be proportional.

The European Court of Human Rights, whose Convention has been ratified by Switzerland, has laid down seven guiding principles for contracting states concerning legal surveillance of employees. These principles relate to information, the scope of surveillance, legitimacy of the reasons for surveillance, use of the least intrusive means, the consequences of surveillance, guarantees offered to employees and the principle of trust.

As an example, the Swiss Federal Supreme Court, which is the highest judicial authority in Switzerland, has ruled that it is unlawful for employers to install spyware without employees' knowledge to check whether they are using the internet for private purposes. In that case, the court held that the system was capable of exerting control over employees' behaviour, which is prohibited. It also held that the surveillance was disproportionate since the employer simply could have blocked access to certain websites.

The above-mentioned principles must also be complied with when it comes to remote working, which does not differ fundamentally from onsite working.

Last updated on 30/09/2021

Flag / Icon

Turkey

  • at Gün + Partners
  • at Gün + Partners
  • at Gün + Partners

One way to monitor employee activity in the context of remote working could be to control employees’ use of servers, e-mail accounts and internet while using the employer’s equipment. In Turkey, it is generally accepted that employers are authorised to control employees’ use of servers, e-mail accounts and internet from their equipment within the scope of their right to manage, and there are no particular rules or exceptions as to remote working.

However, even though employers are entitled to such control, monitoring should be proportional to the legitimate purposes of the employer, such as controlling productivity and quality, or providing security. Employers should inform their employees about monitoring on the equipment and servers as well as the reasons for it. Furthermore, employers must provide necessary information about the scope of their monitoring activities to employees under the DPL. Otherwise, there is a risk of an administrative fine.

Employers should also bear in mind that, during such monitoring, they must avoid violating privacy rights. The Constitutional Court recently held that if employees are informed that their e-mails are monitored, the secrecy of private life and freedom of communication must not be violated. The Constitutional Court also stated that the conflicting interests of the employer and employees should be balanced fairly and any intervention by monitoring e-mail accounts should be evaluated on the grounds of proportionality and the legitimate purposes of the employer.

From a data privacy perspective, employers firstly should determine what personal data needs to be processed to if employers have a legitimate interest to monitor employees’ activities, whether the processing of such data may potentially harm employees considering their rights, and whether employers have any options other than processing such personal data when trying to achieve this legitimate interest. Employers must apply a balance test to determine whether its legitimate interest overrides the personal rights and interests of their employees. Otherwise, employers cannot depend on legitimate interest as a legal ground for processing and will need the explicit consent of their employees to apply the relevant monitoring tool. In any case, if any monitoring requires the processing of sensitive personal data, consent will be required as per the DPL. Even if consent is given to employers, this does not mean that they can use monitoring tools to process any personal data that is not required to achieve the legitimate purposes of the monitoring. Any processing in contravention of the DPL (including the general principles applicable to data processing) may impose a risk of an administrative fine.

In light of the above, each monitoring tool considered by employers must be evaluated on a case-by-case basis for determining which legal ground is applicable and to what extent.

Last updated on 21/09/2021

Flag / Icon

UAE

  • at Clyde & Co
  • at Clyde & Co

Until recently the legislative framework in the UAE regarding data protection and personal rights to privacy was a patchwork, with discrete obligations and requirements contained in a variety of laws, as there was no comprehensive federal data protection law or specific legislation dealing with monitoring worker activity remotely. However, the UAE announced in November 2021 a new Federal Data Protection Law, Law No. 45 of 2021 (Data Protection Law), which came into effect on 2 January 2022. The Data Protection Law creates a framework to ensure confidentiality and to protect the privacy of individuals (ie, data subjects) by requiring organisations that fall within the scope of the Data Protection Law to implement appropriate governance for the management and protection of personal data. The Data Protection Law is designed to protect “personal data”, which is “any data related to a specific natural person or related to a natural person that can be identified directly or indirectly by linking the data”. This expressly includes an individual’s name, voice, image, identification number, electronic identifier and geographical location. It also includes sensitive personal data and biometric data.

Law applies to the processing of all personal data by controllers and processors located in the UAE, whether or not the personal data processing relates to data subjects in the UAE or abroad, and prohibits the processing of personal data without the consent of the individual (ie, the data subject), unless an exception applies. Controllers (a person or entity that determines the method and criteria for processing personal data and the purpose for the processing) will need to be able to establish the consent of the data subject where consent is used as the lawful basis for processing the data subject’s personal data. The following laws are also likely to apply:

  • The UAE Constitution;
  • The Criminal Law (Federal Law No. 31/2021, as amended); and
  • The Cyber Crime Law (Federal Law No. 34/ 2021, as amended).

An employer's ability to monitor employees' activities must be carefully managed and employers should obtain prior employee consent. The UAE Constitution contains a general right to privacy for individuals and guarantees freedom of communication by post, telegraph, or other means of communication. The Criminal Law also establishes criminal offences concerning intercepting or disclosing correspondence or telephone conversations and the Cyber Crimes Law likely extends this to IT communications. 

It is increasingly commonplace for employers to monitor the use of the internet and communications systems, especially email. However, in light of the above, employers should ensure that the employee has provided its express consent to any monitoring – this could be captured under the data protection clause of the employee’s contract of employment.

Last updated on 15/03/2022

Flag / Icon

United Kingdom

  • at Littler

Monitoring worker activity generally (whether remote-working or non-remote working) is possible but must be handled with caution and appropriate safeguards. As a general rule, employers are entitled to monitor worker activity to some extent, but they must undertake an impact assessment before doing so (which is an internal assessment of the impact of the proposed monitoring on data privacy), tell workers in advance about the monitoring and only monitor workers to the minimum extent reasonably feasible to achieve the employer’s goals.

The monitoring must be necessary, justified and proportionate. In other words, any monitoring must have a legal basis under GDPR for processing employee personal data in that manner (the legal basis may vary depending on the specific purpose of the monitoring), and the employer must also be able to demonstrate that: (a) the monitoring in question is a necessary and proportionate action to achieve a legitimate aim; and (b) that there is no less intrusive alternative way of achieving that purpose. There are also separate obligations in relation to data security and retention.

The more intrusive and extensive the monitoring, the greater the risk that employer monitoring may breach the UK’s data protection legislation, the Data Protection Act 2018 (and the UK’s implementation of the EU’s GDPR).

The ICO has previously published extensive guidance on how employers should implement a monitoring system. See here from page 58. This guidance was published before the pandemic, but is equally applicable. Recently, the ICO has also published specific guidance on monitoring employees using surveillance cameras, to check for compliance with pandemic health & safety obligations: see here.

Last updated on 21/09/2021

Flag / Icon

United States

  • at Littler
  • at Littler
  • at Littler

Monitoring and surveillance laws vary from state to state, and there are also, potentially, tort and criminal laws regarding invasion of privacy that must be considered where the employee has an expectation of privacy.  While audio or key-stroke monitoring may be minimally intrusive, video surveillance is almost always problematic. Some states require only one-party consent for audio monitoring, but others require that all the parties to a conversation consent to such monitoring.

Up-to-date information on the USA’s response to the pandemic, including State-level news and developments, can be found at Littler’s covid hub here.

Last updated on 21/09/2021

06. Do employers have any scope to reduce the salaries and/or benefits of employees who work remotely?

06. Do employers have any scope to reduce the salaries and/or benefits of employees who work remotely?

Flag / Icon

Argentina

  • at MBB Balado Bevilacqua
  • at MBB Balado Bevilacqua
  • at MBB Balado Bevilacqua

The home office framework establishes that teleworking employees have the same rights and duties as those working at an employer’s main offices (including union rights), and their salary must not be less than what they would receive if they worked at an employer’s offices. Therefore, once employees are assigned to remote working, their compensation cannot be reduced due to this change.

In general terms, employers have the right to redesign or reassign job responsibilities. Such a right is known as an employer’s right to modify labour conditions (Ius Variandi). In this sense, local laws allow unilateral amendments to terms and conditions of the employment contract provided they do not adversely affect essential labour conditions and do not cause any moral or material damage to the employee and the changes are reasonable.

As a result, if an employer unilaterally decides to reduce the salaries or benefits of remote workers, and the change is considered to be unreasonable, resulting in material or moral damage to the employee involved, he or she can file an injunction to restore the original conditions of employment. If the employer refuses to do so, the employee may claim constructive dismissal and file for severance compensation and any applicable fines.

Last updated on 13/07/2022

Flag / Icon

Australia

  • at People + Culture Strategies

An employee’s salary and contractual benefits are entitlements that are contractual and employers cannot unilaterally vary such entitlements. Similarly, an employee’s remuneration may reflect the minimum rate of pay provided for in an industrial instrument such as a Modern Award and employers will not be able to reduce the remuneration or benefits without running the risk of undermining the minimum entitlements provided in the instrument.

Employers can consult with staff about a proposal to restructure their hours and pay, but generally, no such changes can be implemented without employees being given an opportunity to consider the proposed changes and agreeing to those changes.

The minimum wage order provides that an employee cannot be paid less than the national minimum wage.

Last updated on 21/09/2021

Flag / Icon

Austria

  • at Littler
  • at Littler
  • at Littler

Employers cannot unilaterally reduce employees' salaries because of remote work. A salary reduction is only possible either by mutual agreement or through a dismissal, with the option of re-employment on altered conditions.

Regarding benefits, we believe that a distinction must be made according to whether they were granted with working on office premises in mind and whether the employer has reserved a right to revoke them. In the latter case, employers may reduce or revoke benefits unilaterally. In addition, it can also be argued that, for example, meal vouchers for the company canteen are no longer issued and are not reimbursed. Such and other “social benefits by the company” can be limited to use at the company’s workplace.

Last updated on 21/09/2021

Flag / Icon

Belgium

  • at Van Olmen & Wynant

In general, this would be considered a unilateral modification of the employment contract, which can be seen as an irregular termination of the employment contract by the employer, who will have to pay in lieu of notice if an employee claims this. However, the employer will no longer have to pay any agreed commuting expenses (but if the employer pays for a public transport subscription, this would just continue).

Last updated on 21/09/2021

Flag / Icon

Brazil

  • at Pinheiro Neto
  • at Pinheiro Neto Advogados

Employers cannot reduce the salaries or benefits of employees solely because they work remotely. Note that the federal government has introduced certain measures to help companies survive through the pandemic and avoid layoffs (eg, reducing employees’ working hours and salaries, suspending employment contracts temporarily, remote working (with fewer requirements than those set forth by the CLT), and delaying the collection of certain labour charges). These alternatives apply to all employees regardless of their work arrangement (ie, remote workers or not). Therefore, it may be the case that employees were shifted to a remote model and have had their working hours and salaries reduced. Other than that, salary reductions would depend on prior negotiation with the applicable union.

Last updated on 21/09/2021

Flag / Icon

France

  • at Proskauer Rose
  • at Proskauer Rose
  • at Proskauer Rose

Teleworkers have the same rights as employees who work from a company's premises (article L. 1222-9 III of the Labor Code).

Employers cannot modify employees’ remuneration without obtaining agreement.[5] This rule also applies to teleworkers.

In some countries such as the United States, employers can adjust the remuneration of teleworking employees to the cost of living in the employee's place of residence. This practice is not prohibited in France but the employer must be careful in doing so as it could constitute discrimination based on the place of residence, which is prohibited by the labour code[6]if it is not justified by objective elements. 

However, employers can withdraw a few benefits from teleworking employees. Indeed, even if the Ministry of Labor says in a Q&A that the telecommuting employee must receive lunch vouchers like other employees, some jurisdictions believe that the employer can stop paying these vouchers to teleworkers because they are not in a comparable situation to employees who work from a company's premises.[7]

As for transportation costs, the employer must cover half of the cost of the transportation pass used to travel to the office and to return home from the office (article L. 3261-2 of the labour code). If the employee does not have to travel to work during the month, the employer does not have to pay transportation costs.


[5] Cass. Soc, 18 oct. 2006, n°05-41.644

[6] Article L. 1132-1 Labour code

[7]TJ Nanterre, 10 mars 2021, n° 20/09616

 

Last updated on 21/09/2021

Flag / Icon

Germany

  • at CMS Hasche Sigle

The employer is required to pay remuneration based on an employment contract or collective bargaining agreement. Normally, there are no clauses in that contract that provide for a reduction in salary if the employee works remotely. However, special allowances for the reimbursement of expenses that become obsolete due to working from home (such as meal allowances or reimbursement of travel expenses) may no longer apply in individual cases.

Last updated on 21/09/2021

Flag / Icon

Greece

  • at Kyriakides Georgopoulos Law Firm
  • at Kyriakides Georgopoulos Law Firm
  • at Kyriakides Georgopoulos Law Firm

Equal treatment between employees working remotely and those working at the company’s premises are guaranteed. Any reduction of salaries may be implemented only following the employee’s consent (ie, by signing an amendment of the employment agreement).

Last updated on 14/07/2022

Flag / Icon

Hong Kong

  • at Lewis Silkin
  • at Lewis Silkin
  • at Lewis Silkin

Unless the employee has a clear policy or a contractual provision that permits it to reduce salaries or benefits in this situation, it is unlikely that the employer could lawfully make such reductions without the employee’s consent. Where an employee has elected to work remotely and there is such a policy or contractual provision in place, the reduction in salary or benefits is unlikely to be challenged by the employee. Where an employee has been forced to work remotely by their employer (due to covid-19 or otherwise), such a reduction may be challenged as the remote working has not occurred at the employee’s request.

Generally, if an employer changes an employee’s salary or benefits unilaterally, an employee could bring potential claims against it for unlawful deduction from wages, unreasonable variation of employment terms or constructive dismissal.

Last updated on 11/10/2021

Flag / Icon

India

  • at Nishith Desai
  • at Nishith Desai

“Wages including the period and mode of payment”, “contribution paid, or payable, by the employer to any provident fund or pension fund or for the benefit of the workmen under any law for the time being in force”, “compensatory and other allowances”, “hours of work and rest intervals”, “leave with wages and holidays” and “withdrawal of any customary concession or privilege or change in usage” are some of the protected conditions of service under the Indian labour law. For changing any such service conditions to the detriment of the workers, the employer is required to provide 21 days’ prior notice and inform the labour authorities in a prescribed format.

Additionally, the payment of salary and benefits is largely a matter of contract between the parties, beyond the minimum requirements under the labour laws in terms of wages, bonus, social security, insurance, overtime, etc. Hence, the terms of the individual employment contract and policies also need to be considered while reducing wages or removing benefits. These are generally sensitive matters and could also lead to HR issues for the employer, especially if the employees are unionised.

Last updated on 08/07/2022

Flag / Icon
Ireland

Ireland

  • at Littler

Any unilateral reduction of salary or benefits by an employer without the consent of an employee can be challenged by way of a breach of contract claim, an unlawful deduction of wages claim, or a claim of constructive dismissal on the part of an employee. However, such a reduction could be agreed upon between the parties as part of an agreement, for example, to permit the employee to work remotely permanently.

Last updated on 21/09/2021

Flag / Icon

Italy

  • at Toffoletto De Luca Tamajo

Under Smart Working regulations, employees who work remotely are entitled to receive an overall economic treatment equal to that paid to employees working at the company’s premises. Therefore, generally speaking, employers cannot reduce salaries/benefits of employees working remotely. Nonetheless, recent Italian case law considered it possible for employers to revoke meal tickets from remote workers (except in the case of specific contractual obligations), as it is not part of the normal salary of the employee.

Last updated on 14/07/2022

Flag / Icon

Mexico

  • at Marván, González Graf y González Larrazolo
  • at Marván, González Graf y González Larrazolo
  • at Marván, González Graf y González Larrazolo

No, any reductions to employees’ salaries or benefits are considered a unilateral modification to employment conditions, and therefore are grounds for justified rescission of the employment contract with total responsibility attributed to the employer. If this were to happen, severance will have to be paid as if it were an unjustified dismissal.

Last updated on 21/09/2021

Flag / Icon

Netherlands

  • at Rutgers & Posch
  • at Rutgers & Posch

In principle, this is not the case unless the individual employee provides his consent therewith. However, special allowances for the reimbursement of expenses that become obsolete due to working from home (e.g, travel expenses) may no longer apply in individual cases.

Last updated on 08/03/2022

Flag / Icon

Poland

  • at Bird & Bird
  • at Bird & Bird

No. Any such action could be considered as discrimination or other unequal treatment. Remote workers must be remunerated based on the same rules as all other staff, including in terms of their access to other benefits. 

Likewise, within the principles adopted for all staff, remote workers may visit their employer’s office or premises, communicate with other employees, use the employer’s rooms, facilities and company social facilities, and may benefit from social activities organised by the employer.

Last updated on 21/03/2022

Flag / Icon

Portugal

  • at Cuatrecasas
  • at Cuatrecasas

Teleworking employees have the same rights and obligations as any other employees, which implies that no reduction in salaries or benefits is admissible, in principle. Under Portuguese labour law, employers cannot reduce basic remuneration unless there is a demotion, which must be, in any case, expressly authorised by both the employee and the Authority for Working Conditions (ACT).

Reducing or cancelling any other payments to remote workers would be deemed discriminatory, and therefore illegal, except for situations where valid grounds could justify it.

Moreover, concerning reducing or suppressing benefits, the fact that benefits have been granted regularly over the years may lead to their qualification as acquired rights of the employees and part of employees’ remuneration, which would mean restrictions on the termination, reduction or alteration of such payments.

During the beginning of the covid-19 pandemic, there was debate over whether employees were still entitled to a meal allowance if they were teleworking, since the cause for payment would cease to exist (ie, employees would no longer be forced to spend money on out-of-home meals). However, the government clarified that, under the special compulsory teleworking regime (whenever the nature of the functions being performed was compatible with it), employees retain the right to a meal allowance, based on the principle of equal rights for on-site employees and teleworkers. It is now fairly and widely accepted that such meal allowances cannot be withdrawn based on the circumstances of teleworking employees.

Last updated on 13/07/2022

Flag / Icon

Qatar

  • at Clyde & Co
  • at Clyde & Co

Any reduction in contractual salary or benefits cannot be unilaterally imposed and will need to be mutually agreed upon with the employee.  There may be scope to unilaterally amend non-contractual benefits depending on how they have been structured.

Last updated on 08/11/2021

Flag / Icon

Saudi Arabia

  • at Clyde & Co
  • at Clyde & Co

Any reduction in contractual salary or benefits cannot be unilaterally imposed and will need to be mutually agreed with the employee. There may be scope to unilaterally amend non-contractual benefits depending on how they have been structured.

Last updated on 29/11/2021

Flag / Icon

Spain

  • at Cuatrecasas
  • at Cuatrecasas

Article 4 of the Law on Remote Working provides equal rights for remote and on-site workers, so they receive equal pay and are entitled to the same schedule, breaks and work-life balance, and they are expressly included in equality plans and harassment prevention protocols.

Last updated on 21/09/2021

Flag / Icon

Sweden

  • at DLA Piper
  • at DLA Piper
  • at DLA Piper

The employer is not entitled to unilaterally reduce the employee’s salary or other employment benefits unless provided for in the individual employment agreement or a collective bargaining agreement. Hence, such a measure would require an agreement between the employer and the employee. If the employer implements unilateral salary deductions, the employer may be held liable to pay damages for a breach of contract. Moreover, there is a risk that the employee can claim that the deductions imply an unlawful termination of employment, which could make the employer liable to pay both compensation for losses sustained (capped at 32 months’ salary) as well as general damages.

Last updated on 24/01/2022

Flag / Icon

Switzerland

  • at Lenz & Staehelin

The payment of salary constitutes one of the employers' main obligations under an employment contract. This obligation exists even in the case of remote working and, therefore, it is not possible to reduce salary due to remote working.

Regarding benefits, a distinction must be made between different types. For example, it could be considered that employers who provide a car or a transport pass to employees could waive this benefit or reduce it proportionally if employees carry out all, or part, of their professional activity from home. However, if employees are paid meal allowances, it may be more difficult to justify removing this benefit, although the situation is less clear in situations in which employers provides employees with free meals.

Last updated on 30/09/2021

Flag / Icon

Turkey

  • at Gün + Partners
  • at Gün + Partners
  • at Gün + Partners

As per article 14 of the TLA, remote workers cannot be treated differently from a comparable worker solely due to the nature of their employment contract. Employers cannot reduce the salaries or benefits of employees who work remotely merely on grounds of remote working. However, if there is other justification, such treatment may be acceptable.

Last updated on 21/09/2021

Flag / Icon

UAE

  • at Clyde & Co
  • at Clyde & Co

Any reduction in contractual salary or benefits cannot be unilaterally imposed and will need to be mutually agreed upon with the employee. There may be scope to unilaterally amend non-contractual benefits depending on how they have been structured.

Last updated on 08/11/2021

Flag / Icon

United Kingdom

  • at Littler

No, unless they implement the reductions formally with the agreement of the employee or (if relevant) the union.

Any unilateral reduction of salary or benefits by an employer without the consent of an employee can be challenged by way of a breach of contract claim, an unlawful deduction of wages claim, or a claim of constructive dismissal on the part of an employee.

However, it is possible that such a reduction could be agreed between the parties as part of an agreement, for example, to permit the employee to work remotely on a permanent basis.

Last updated on 21/09/2021

Flag / Icon

United States

  • at Littler
  • at Littler
  • at Littler

Most jurisdictions in the US have at-will employment, so that with appropriate advance notice, salaries and benefits of at-will employees can be reduced without issue (ie, assuming no contract and the pay does not fall below the threshold for minimum wage or to maintain any particular exemption).  However, as with any workplace policy, the law mandates that selection for wage reduction be without regard to protected status such as race, age or disability. Thus, there may be an exposure to risk of claims to the extent that those who work remotely are seeking an accommodation or there is a potential for disparate impact.  Thus, employers should ensure that there is no "disparate impact" on any protected status that is required to work remotely.

Up-to-date information on the USA’s response to the pandemic, including State-level news and developments, can be found at Littler’s covid hub here.

Last updated on 21/09/2021

17. To what extent have employers been able to make changes to their organisations during the pandemic, including by making redundancies and/or reducing wages and employee benefits?

17. To what extent have employers been able to make changes to their organisations during the pandemic, including by making redundancies and/or reducing wages and employee benefits?

Flag / Icon

Argentina

  • at MBB Balado Bevilacqua
  • at MBB Balado Bevilacqua
  • at MBB Balado Bevilacqua

Employers were limited in making changes to their organisations until 31 December 2021 because since the covid-19 outbreak, terminations without cause, regular terminations, terminations based on a scarcity of work, and suspensions due to force majeure or scarcity of work were forbidden since 31 March 2020. Such measures are not in force anymore, because Decree No. 413/2021expired at the end of 2021. Therefore, since 1 January 2022, employers have the power to dismiss and suspend employees without fair cause.

In addition, the Government established the obligation to pay an increase of the severance compensation in cases where an employee was dismissed without fair cause or claims constructive dismissal, but this measure is not in force anymore as of 1 July 2022. (This is due to the fact that Decree No. 886/2021 was not extended; it was valid through 30 June 2022.)

Last updated on 13/07/2022

Flag / Icon

Australia

  • at People + Culture Strategies

Employers are entitled to consider ways their business can be restructured to maximise efficiency, including where this may involve redundancies and changes to how remuneration is structured. This basic right has not changed during the pandemic, and for many Australian employers impacted by covid-19 it has been necessary to consider making such changes to their business to ensure they have the most optimal structure in place to manage the impacts of covid-19 and are best placed to meet the changed economic environment.

However, the pandemic has not seen any “relaxing” of the rules that govern how an employer must go about introducing changes that affect employees. In relation to redundancies, employers must have a genuine business case and are required to consult with employees before making any decision. In relation to reducing employee wages and salaries, employers will still generally need to obtain an employee’s consent before making such changes in the normal manner.

Last updated on 21/09/2021

Flag / Icon

Austria

  • at Littler
  • at Littler
  • at Littler

Regarding changes in the organisational structure itself, large employers, in particular, are relying heavily on home offices and are already planning for a time after the pandemic. Desk-sharing models are increasing0 being considered and actively implemented. This is accompanied by a (partial) return of leased property. In the internal organisation, there is a noticeable departure from rigid hierarchies and a shift towards increased network thinking, in which decision-making processes take place jointly using digital work equipment.

The government and legislature have been very careful to minimise layoffs as much as possible and at least to counteract pandemic-related redundancies. This was achieved, on the one hand, through direct support of the economy in the form of aid packages (compensation for loss of sales, subsidies for monthly fixed costs, etc) and, on the other hand, through the widespread use of short-time work, which was largely financed through state aid. The short-time work subsidy is accompanied by a retention obligation placed on employers, so that there have been relatively few redundancies during the pandemic so far, as the companies have accepted this aid well.

 
Last updated on 21/09/2021

Flag / Icon

Belgium

  • at Van Olmen & Wynant

In the Belgian legal system, employers can use the system of “temporary unemployment due to force majeure” during the pandemic. This is a simplified procedure to ensure that employees whose work has become impossible or redundant during the pandemic can receive temporary unemployment compensation. When the job becomes viable again, for example, because of the reopening of restaurants, employees can resume their activities, without redundancy.

Furthermore, working hours can be temporarily reduced in the context of the pandemic. The Act of 27 March 2020 added a new section 8/1 in the Programme Act (I) of 24 December 2002, regarding measures for companies facing financial difficulties in the context of the pandemic. Specifically, the option was given to companies to reduce the working time of employees, thus reducing wage costs without having to terminate employees, with the reduction in social security contributions acting as compensation. Furthermore, the reduction in working hours implies a pro-rata reduction in gross pay. Therefore, a collective labour agreement (or work regulation) must provide for salary compensation. It should be noted, however, that even after the introduction of a reduction in working hours, full-time workers will remain full-time workers. The minimum wages set out in CBA No. 43, as well as sectoral minimum wages, must still be respected.

Last updated on 21/09/2021

Flag / Icon

Brazil

  • at Pinheiro Neto
  • at Pinheiro Neto Advogados

Employers have adopted different approaches to tackle Covid-19, including by terminating employees, shifting to a remote-working model or adopting one (or more) of the measures implemented by the Federal Government to help companies survive through the pandemic and avoid, to the most extent possible, layoffs. Examples of such measures would include: reducing employees’ working hours and salaries, suspending employment contracts temporarily, shifting to a remote model (with less requirements than those outlined in the CLT) and delaying the collection of certain labour charges. The union’s involvement in the implementation of these measures would depend on the measure itself (as some of them would not require the union’s ratification or participation). 

Last updated on 21/09/2021

Flag / Icon

France

  • at Proskauer Rose
  • at Proskauer Rose
  • at Proskauer Rose

During the pandemic, employers were able to carry out reorganisations involving collective redundancies for economic reasons (subject to justifying a real and serious economic reason as defined by article L.1233-3 of the labour code).

They were also able to negotiate collective performance agreements to meet the needs linked to the operation of the company or to preserve or develop employment by adjusting the working hours of employees, remuneration, and determining the conditions of professional or geographical mobility within the company.

Employers may also have to negotiate or renegotiate agreements or charters on remote status or review their organisation by developing a co-working space, different from the company’s premises, on a regular or occasional basis or in case of exceptional circumstances or force majeure.

Last updated on 21/09/2021

Flag / Icon

Germany

  • at CMS Hasche Sigle

Termination for operational reasons requires the absence of a permanent need for employment. If this is only temporary, in general, this does not justify terminating the employee's employment. This also applies to temporary closures ordered by the authorities. Termination for operational reasons should be a last resort, even in times of a pandemic. The employer must introduce short-time work or a reduction in vacation days before giving notice.

Short-time work can temporarily shorten working hours and reduce the employee's entitlement to remuneration. The aim of ordering short-time work is to prevent redundancies and to preserve jobs. The employer has a unilateral right to order short-time work if it is permitted to do so by a collective-bargaining agreement, works council agreement or employment contract. Due to the covid-19 pandemic, various special regulations apply in the area of short-time work. That includes the payment of social security contributions. Special regulations in force for short-time allowance allow the employer to be reimbursed for 100% of their social security contributions up to 30 September 2021.

The employer cannot unilaterally reduce salaries just because workers cannot be employed during the crisis outside of short-time work. The employer bears the risk of employing workers even in a crisis and is required, if necessary, to pay the full salary even without employment.

Last updated on 21/09/2021

Flag / Icon

Greece

  • at Kyriakides Georgopoulos Law Firm
  • at Kyriakides Georgopoulos Law Firm
  • at Kyriakides Georgopoulos Law Firm

Companies that made use of the government’s state aid measures could not proceed with redundancies or salary reductions for as long as the measures were applied. Companies that did not make use of said measures were able to proceed with redundancies or agree on salary reductions with their employees.

Last updated on 14/07/2022

Flag / Icon

Hong Kong

  • at Lewis Silkin
  • at Lewis Silkin
  • at Lewis Silkin

During the peak of the pandemic in Hong Kong (mid-2020), as many businesses were forced to suspend services for covid-19-related reasons, the government introduced the Employment Support Scheme (ESS). The ESS gave all eligible employers in the city the right to claim a subsidy of 50% of their employees’ wages for up to six months (with a cap of 9,000 Hong Kong dollars per employee per month). Employers who received subsidies under the ESS were prevented from making redundancies during the subsidy period, or else the subsidies would be clawed back.

In March 2022, the government announced that a new round of ESS will be launched in response to the fifth wave of covid outbreak in Hong Kong. Based on the government’s announcement, unlike the ESS in 2020, certain industries which are deemed to be less affected by the pandemic (such as supermarket and pharmacy chains, banks and financial institutions), would be excluded from participating in this round of ESS. The full details of this new around of ESS are yet to be announced, though it is expected that it will be open for application in April 2022.

The government has often reiterated that employers should try to avoid making redundancies during this difficult period, and that employers may wish to consider alternative options such as unpaid leave or reduced working hours instead. That said, the government has not legislated to prevent redundancies or changes to employees’ terms and conditions during covid-19, and so employers have had relative freedom to make such changes, subject to the normal rules regarding needing employee consent to make contractual changes (other than immaterial ones where the contract contains a right to make changes).

Last updated on 06/04/2022

Flag / Icon

India

  • at Nishith Desai
  • at Nishith Desai

There were certain central and state government restrictions on employment termination in the form of government advisories during the first and second phases of covid-19-induced lockdown in India. Orders were passed by state and central governments on mandatory payment of wages to all employees during the period of such lockdown. As a result, several employers were left with no choice but to restructure their workforces through redundancies. Owing to the same, based on certain government orders as aforesaid (the constitutional validity of which are debatable and currently sub judice), employee unions in some Indian states such as Maharashtra (Mumbai and Pune) and Karnataka (Bangalore) have been actively taking up the cause of employees who have been retrenched or whose working conditions such as wages have been adversely impacted by employers during the pandemic. However, courts have upheld the employer’s rights in certain cases to deduct wages or pay reduced compensation to employees during lockdown in case of any default attributable to the employee (such as an employee’s inability to attend the workplace in an operating establishment, owing to any voluntary action) or with employee consent.

Last updated on 08/07/2022

Flag / Icon
Ireland

Ireland

  • at Littler

There has been no change to underlying employment legislation or rights, save for the suspension of the right of an employee who has been temporarily laid off for more than four weeks to claim an entitlement to a redundancy payment. This suspension, introduced as part of a suite of emergency measures at the outset of the pandemic, has now come to an end.

Any unilateral reduction of salary or benefits by an employer without the consent of an employee can be challenged by way of a breach of contract claim, an unlawful deduction of wages claim, or a claim of constructive dismissal on the part of an employee.

Last updated on 18/11/2021

Flag / Icon

Italy

  • at Toffoletto De Luca Tamajo

During the pandemic and up to 30 June 2021 (and in some circumstances, until 31 December 2021) a dismissal ban was in force under which neither collective nor individual redundancies were possible.

On the other hand, in some cases, employers were able to reach agreements with their employees – mostly executives – for a reduction, or a deferral of the payment of the bonus due.

The main organizational changes that have been largely implemented are linked to (i) the implementation of a new working model base on the remote working and (ii) the massive use of the new social shock absorbers that has been granted by the Italian Government to the employers. Specifically, employers, through the so-called social shock absorbers, could suspend the activity of their employees without paying them and the employees received an indemnity from INPS (the Italian Social Security Body).

Last updated on 14/07/2022

Flag / Icon

Mexico

  • at Marván, González Graf y González Larrazolo
  • at Marván, González Graf y González Larrazolo
  • at Marván, González Graf y González Larrazolo

The federal government have reinforced the protective labour laws that prohibit redundancies and salary reduction as a general rule, stating that that the pandemic would not give legal cause for suspension of employment or dismissal. However, many employers managed to negotiate directly with unions or employees and introduced reduced temporary terms and conditions of employment that enabled companies to remain in business.

Last updated on 21/09/2021

Flag / Icon

Netherlands

  • at Rutgers & Posch
  • at Rutgers & Posch

In principle, regular rules on redundancy due to business or economic reasons remain applicable during the pandemic. However, if an employer has been applying for one or more of the different tranches of the Temporary Emergency Bridging Measure to Preserve Employment (the NOW scheme), which provide a payroll subsidy in a given period and is based on the employer’s (expected) loss of revenue, making redundancies could have consequences for the total amount of subsidies received. For each tranche of the NOW-scheme, different rules apply. Under the most recent NOW 6.0, which could be applied for until 13 April 2022, employers can reduce their loan costs (e.g., by reducing a maximum of 15% of its payroll) without affecting the subsidy received. However, this cost-saving method must be determined in consultation with employees or the works council or staff representation.

Employers can, in principle, only reduce employees’ wages and benefits with the consent of the employee, as this would concern a unilateral amendment of their employment conditions. Employers, furthermore, cannot unilaterally force employees to take unpaid leave or vacation days.

More information on NOW 6.0 can be found here

Last updated on 08/03/2022

Flag / Icon

Poland

  • at Bird & Bird
  • at Bird & Bird

At the beginning of the pandemic in 2020, an employer could decrease working time by 50% and salaries by 20% and receive state aid to protect employees from redundancies; there was also temporary relief from paying contributions to the Social Security Institution (health and rent contributions). These programmes are no longer in force.

Last updated on 21/03/2022

Flag / Icon

Portugal

  • at Cuatrecasas
  • at Cuatrecasas

During the pandemic, the government created a special and simplified lay-off system, aimed at maintaining jobs in companies that were totally or partially closed due to the imposition of the law. Under this system, employers could, in short, reduce the normal working time (daily or weekly) or suspend employment contracts.

Within this system, employers could reduce remuneration within certain limits: employees could earn at least two-thirds of their regular monthly remuneration, with a minimum amount of 635 euro in 2020 and 665 euro in 2021 and a maximum limit of 1,905.00 euro in 2020 and 1,995.00 euro in 2021.

Payments to employees were made by the employer, who received aid from Social Security corresponding to 70% of the costs. Employers were also exempt from social security contributions regarding employees under the simplified lay-off regime.

Other measures allowed for the reduction of salaries, namely extraordinary support for the progressive resumption of activity for companies with a temporary reduction of normal working times, which applied to companies not subject to facility closures, but that still had losses of 25% or more in a calendar month prior to the calendar month of the initial application or extension, compared with the same month of the previous year or 2019, or compared with the six-month average prior to that period.

Regarding the hours not worked under this scheme, employees were entitled to compensation of 80% of their gross pay paid by employers. If this sum represented a monthly amount lower than the employee's normal gross pay, the amount paid by Social Security would increase to cover the difference, capped at 1,995 euro.

Seventy per cent of the said compensation was borne by Social Security, with the employer responsible for the remaining 30%. Where the reduction in working time was more than 60%, Social Security support corresponded to 100% of compensation.

Please note that accessing these and other state support measures – not only labour and social security-based relief, but also some tax measures and tenancy benefits – meant employers could not terminate employment contracts based on collective or individual dismissal during the period they availed of said benefit and within 60 or 90 days after its end. Some support measures also forced employers to maintain current employment levels and limited, among other things, the right to terminate employment contracts by agreement (ie, in such cases, employers would have to repay the benefit that they were granted, either partially or entirely, depending on the situation).

Last updated on 13/07/2022

Flag / Icon

Qatar

  • at Clyde & Co
  • at Clyde & Co

Generally, employers have the right under the Qatar Labour Law to terminate employment contracts. Any termination must be carried out in compliance with the terms of the Qatar Labour Law and the employment contract (including the notice period if applicable and the payment of all pending entitlements).  At the start of the pandemic, the MADLSA published guidance notes on their website that reiterated this and also stated that employers may mutually agree that workers take unpaid leave or use their annual leave if the business has been halted and the worker is not assigned any work. In such instances, employers were required to continue to provide all other benefits.

Last updated on 08/11/2021

Flag / Icon

Saudi Arabia

  • at Clyde & Co
  • at Clyde & Co

On 6 April 2020, Ministerial Resolution 142906 was published amending the implementing regulations to the Labour Law (last issued in January 2019) by adding a new clause 41 providing for the following:

  • In the event the Kingdom adopts measures as recommended by an international organisation to provide for adjusted working hours or to avoid a situation falling under article 74(5) of the Labour Law, which provides for termination of employment because of force majeure, an employer will be able to agree to any of the following measures with an employee for a six-month period following the introduction of such measures:
    • reducing the employee's salary in correspondence with a reduction in the employee's working hours;
    • putting the employee on annual leave as part of his annual leave entitlement;
    • putting the employee on exceptional leave under Article 116 (unpaid leave) of the Labour Law.
       
  • Termination of employment following the implementation of such measures will not be justified if the employer received assistance from any government programmes during this period (ie, furlough programme). Furthermore, nothing in this resolution prevents or inhibits employees' rights to terminate their employment contract.

The Ministry of Human Resources and Social Development further issued an explanatory memorandum providing that the employer may unilaterally implement the measures introduced by article 41.  The above measures came to an end in January 2021.

Last updated on 15/03/2022

Flag / Icon

Spain

  • at Cuatrecasas
  • at Cuatrecasas

Since March 2020, under article 2 Royal Law-Decree 9/2020, employers cannot dismiss employees because of the covid-19 situation, and it is assumed that any dismissal since then is due to the pandemic. This means that employers must have strong reasons to justify dismissals to avoid them being somehow associated with covid-19. This prohibition is still in force.

The law does not specify whether breaching this prohibition should lead to the dismissal being deemed null or unfair. This has resulted in dissimilar high court resolutions: on the one hand, some have deemed dismissals null (forcing the employer to reinstate the worker and pay accrued salaries since the dismissal); and, on the other hand, some resolutions have deemed dismissals unfair (the employer can choose to pay severance for unfair dismissal or reinstate the employee and pay the salaries accrued since the dismissal). Until the Supreme Court rules on this matter, the consequences of breaching this prohibition are not clear.

Unlike dismissals, no other regulations specifically limit or prevent employers from changing employees’ labour conditions due to covid-19. Therefore, to implement any changes, employers should follow the ordinary procedure, which consists of justifying the change on business-related grounds and, if the decision affects at least 10 employees in companies employing less than 100 people; 10% of employees in companies employing between 100 and 300 people; or 30 employees in companies employing more than 300 people, then they must schedule a 15-day negotiation period with the workers’ representatives, although it is not mandatory to reach an agreement.

Most companies, however, have not made changes to their staff’s labour conditions, except for contract suspensions or recoverable paid leave.

Additionally, the government has passed several regulations since March 2020 (eg, Royal Law-Decrees 8/2020, 24/2020, 30/2020, 2/2021 and 11/2021) to provide specific and easier temporary contract suspensions for force majeure due to covid. These new regulations have mainly eased the ordinary procedure on temporary contract suspensions, and they have also allowed certain companies to obtain social security exemptions or reductions, subject to their commitment to not dismiss any employees whose contracts were suspended for six months after they resume work.

The Spanish government also passed Royal Law-Decree 10/2020, entitling certain employees to a recoverable paid leave between 30 March and 9 April 2020, which was the worst period of the pandemic. Workers were exempt from working without any impact on their salary, but they had to make up that time between the end of the state of alert and the end of the year.

Last updated on 21/09/2021

Flag / Icon

Sweden

  • at DLA Piper
  • at DLA Piper
  • at DLA Piper

In April 2020, new legislation enabled employers affected by temporary and serious financial difficulties that could not reasonably have been foreseen or avoided (eg, due to the coronavirus situation) to reduce their employees' working hours and receive financial support from the Swedish government. The government covered three-quarters of the cost for the reduced working hours and the employer and employee shared the cost of the remaining quarter. For employers to receive support, the employer must have made use of other available measures for reducing labour costs, such as terminations of personnel not permanently employed and not regarded as being critical to business operations. The  possibility of receiving financial support under this legislation ceased to exist in September 2021.

New legislation on financial support has been proposed to apply from December 2021 to March 2022 for employers that have lost at least 30% in revenue. Affected employers will be able to receive support of 70% or 90 % (depending on the size of the company) of their fixed costs, such as salaries and rent, that they are unable to cover.  

The rules for termination of employment are the same regardless of the covid-19 situation. To terminate an “employment until further notice” under Swedish law, "just cause" is required. Just cause can either be related to personal reasons (eg, poor performance and misconduct) or redundancy. It is significantly more difficult to terminate an employee due to personal reasons (reasons relating to the individual employee) than due to redundancy. In general, termination due to personal reasons is considered a last resort by the courts. Redundancy on the other hand is deemed, as a main rule, to constitute just cause for termination of employment and there is no general obligation under the Employment Protection Act (EPA) to justify the redundancy (eg, with financial information or similar). The employer, however, must observe material and formal rules laid down by the EPA concerning redundancy terminations (as well as termination due to personal reasons).

Last updated on 24/01/2022

Flag / Icon

Switzerland

  • at Lenz & Staehelin

Regarding wages, authorities have extended the use of pre-existing "reduced working hour allowances". This measure is intended to avoid dismissals following a brief but unavoidable absence from work. According to the system now in place, under certain conditions, employers have the right to (fully or partially) reduce the working hours of their employees and apply for allowances for reduced working-hour allowances. Those allowances cover up to 80% of wages related to the reduced hours. The hours effectively worked still are fully remunerated by the employer.

The Swiss Federal Council has decided to keep in place a procedure for a simplified calculation of the allowances for reduced working-hour allowances until 31 December 2022.

In addition, employees infected by covid-19 and unable to work due to illness are entitled to the payment of their salary under the same conditions as for any other illness-related incapacity. In particular, the salary would not be paid if an employee voluntarily travels to an area at risk or disregarded basic rules of caution and hygiene. If employees are stranded abroad because the authorities ordered a quarantine or return flights were cancelled, employers may refuse to pay their salary.

Last updated on 20/01/2022

Flag / Icon

Turkey

  • at Gün + Partners
  • at Gün + Partners
  • at Gün + Partners

In the scope of covid-19-related measures, the termination of employment contracts by employers was prohibited for three months from 17 April 2020, with certain exceptions. With further extensions, this ban was extended to 30 June 2021. Therefore, redundancies have been prohibited from 17 April 2020 to 30 June 2021, and any breach of this ban has been met with a fine. On the other hand, employers have been granted the authority to impose unpaid leave (without employee consent), partially or in full, on employees during this period. Up until the end of the termination ban, employees on unpaid leave have received a daily allowance from the Unemployment Insurance Fund.

Also, many companies chose to introduce salary reduction due to the economic pressure arising from covid-19 at the beginning of the pandemic by obtaining the written consent of employees.

In addition to the above, certain arrangements have been introduced to facilitate the requirements of short-time working applications, filed on the grounds of circumstances arising from covid-19.

Last updated on 21/09/2021

Flag / Icon

UAE

  • at Clyde & Co
  • at Clyde & Co

In general, the UAE Labour Law does not recognise the concept of redundancy and as such where an employee is terminated for reasons of redundancy, this could give rise to a claim of arbitrary dismissal. However, in response to the covid-19 pandemic, in March 2020 the Ministry of Human Resources and Emiratisation issued Resolution No. 279/2020 concerning employment stability in private sector establishments. The resolution encouraged employers to implement a range of measures to mitigate the financial impact of covid-19 to avoid or reduce the need for layoffs and mutually agree the following measures gradually and in turn with their non-UAE national employees:

  • remote working;
  • paid leave;
  • unpaid leave;
  • temporary reduction of salary; and
  • permanent reduction of salary.

Consistent with normal contractual principles, the resolution required that, in all cases, employee consent to the arrangement is obtained, which should be recorded in writing by way of an addendum to the contract signed by the employer and the employee. In the case of a permanent salary reduction, the resolution required that permission be obtained in advance from the Ministry of Human Resources and Emiratisation.   

The resolution encouraged many employers to implement alternatives to termination where possible.  

While the resolution is no longer being enforced by the Ministry, nevertheless it is a helpful reminder of the possible alternatives to redundancy that an employer ought to consider.

However, termination of an employee’s employment in the UAE is a unilateral decision (meaning the employer and the employee do not need to agree to the termination for it to be effected), and as such an employee’s employment can be terminated at any time by the employer. Notwithstanding this, where the employee’s employment is terminated for a reason considered unfair or arbitrary by a court, the court can award compensation as a result.

Last updated on 08/11/2021

Flag / Icon

United Kingdom

  • at Littler

There has been no change to underlying employment legislation or rights relating to redundancies.

In theory, any unilateral suspension from duties, reduction in hours and/or any reduction in pay by an employer, without employee or union agreement (or a pre-existing employer right to make such changes), can be challenged by the employee or a relevant union. Such a challenge would most likely be by way of a breach of contract claim, an unlawful deduction of wages claim, and/or a claim of constructive dismissal (by the employee) or some form of industrial dispute (by a union). In practice, with the alternative to such action often being outright redundancy, legal claims by affected employees or unions have been relatively rare.

There are no special restrictions on employers being able to implement redundancies, in line with existing laws and subject to the usual safeguards of employees’ rights.

In early 2020, the UK government introduced a paid furlough scheme – called the Coronavirus Job Retention Scheme (CJRS) – allowing employers temporarily to suspend employees from work but still receive payment of part of their wages (supported by a government allowance to the employer). The scheme has now closed (it ended on 30 September 2021). Details of the scheme (now of historic relevance only) can be found here.

Last updated on 13/01/2022

Flag / Icon

United States

  • at Littler
  • at Littler
  • at Littler

The pandemic has caused many companies to have to re-evaluate employee salaries and wages, and to make staffing changes. Where required by collective-bargaining agreements, these changes have resulted in bargaining with unions.

Up-to-date information on the USA’s response to the pandemic, including State-level news and developments, can be found at Littler’s covid hub here.

Last updated on 21/09/2021