New Ways of Working

Explore and keep track of key legal and compliance considerations for multinational employers as new ways of working become increasingly embedded as the pandemic begins to recede. Learn more about the response taken in specific countries or build your own report to compare approaches taken around the world.

Choose countries

 

Choose questions

Choose the questions you would like answering, or choose all for the full picture.

03. What are the limits on employer monitoring of worker activity in the context of a remote-working arrangement and what other factors should employers bear in mind when monitoring worker activity remotely?

03. What are the limits on employer monitoring of worker activity in the context of a remote-working arrangement and what other factors should employers bear in mind when monitoring worker activity remotely?

Flag / Icon

Argentina

  • at MBB Balado Bevilacqua
  • at MBB Balado Bevilacqua
  • at MBB Balado Bevilacqua

Regarding any monitoring system designed to protect an employer’s goods and data, the home office framework states that union participation is required to protect employees’ right to privacy.

Such union participation will be guaranteed through joint audits that include professionals selected by the union and the company. The confidentiality of the data processing of the employees involved must be guaranteed. Union participation will be limited to preserving employees’ rights under the home office framework.

Employer must take corresponding measures, especially regarding the software used, to protect any data used and processed by employees who are under the home office framework. In addition, it is forbidden to use surveillance software that violates employee privacy.

Last updated on 21/09/2021

Flag / Icon

Australia

  • at People + Culture Strategies

As a starting point, it is lawful for Australian employers to monitor staff who are working from home and there are no strict limits prescribed by law on the monitoring of worker activity in the context of remote-working arrangements.

However, this does not mean that employers can monitor employee activity as they please. The mutual duty of trust and confidence that underpins the employment relationship could be breached by inappropriate or overly intrusive monitoring activities.

Employers contemplating carrying out monitoring activities should first review the employee’s individual employment contracts and identify any monitoring or surveillance clause and consider what contractual obligations the employer may have concerning monitoring in the remote-working context, and consult any relevant company policies which might also apply.

Generally speaking, employers should be up-front about how and why they will be monitoring employee activity and any employee information that may be collected by that process. For example, employers should make it clear to employees that monitoring of their work devices, emails and message applications will continue when they are working from home and that the information obtained by the monitoring process could be used in a disciplinary context.

Last updated on 21/09/2021

Flag / Icon

Austria

  • at Littler
  • at Littler
  • at Littler

Relevant here are first the restrictions on the employer's control of working time. Both the Working Time Act and the Rest Periods Act also apply to remote work and to work in a home office. However, section 26 paragraph 3 of the Working Time Act provides that in the case of work that is predominantly carried out in the home, only records of the duration (not the specific beginning and end) of the working time are to be kept. If the working hours are fixed, only deviations must be recorded.

The practical possibilities of monitoring work performance are manifold due to the IT tools that are now available (eg, log files, webcam). In contrast, in Austrian labour law, the employer's ability to control is subject to important restrictions. Control measures that affect human dignity require either the consent of the works council or – if such a council does not exist – the consent of the respective worker. Both attendance and performance or productivity controls can be relevant here. According to case law, the question of whether human dignity is affected must be assessed on a case-by-case basis. In addition to the employer's interest in monitoring, the way the monitoring is carried out is also decisive, so that the possibility of constant electronic monitoring (for example, by controlling keystrokes or screen duplication) certainly affects human dignity[1].

However, it is of course lawful to check the availability of employees during working hours.


[1] Huger in Huger (Hrsg), Home Office und mobiles Arbeiten [2021] Rechtliche Rahmenbedingungen.

Last updated on 21/09/2021

Flag / Icon

Belgium

  • at Van Olmen & Wynant

Articles 9.1 and 9.2 of CBA No. 149 state that employers may monitor the results or performance of employees appropriately and proportionately. Teleworkers must be informed of how such monitoring is carried out. If employers want to monitor the e-mail or internet activity of employees, they will have to follow the specific procedure laid down in CBA No. 81 for the protection of the privacy of employees, concerning the monitoring of electronic online communication data.

In addition, CBA No. 68 regulates the use of cameras in the workplace. Under this CBA, it is only permissible to use cameras to pursue a limited amount of objectives, including the control of the employee’s work. Yet, for this objective, only temporary monitoring activities are permitted. In any case, a proportionality test is necessary. It will never be proportionate to request that remote workers be permanently recorded by a camera in their homes. However, simply asking them to turn their webcam on during a meeting is not covered by CBA No. 68 and should be possible.

It is also possible to make arrangements with employees regarding the periods during which they need, and do not need, to be contactable by the employer (article 11.3 CBA No. 149).

Last updated on 21/09/2021

Flag / Icon

Brazil

  • at Pinheiro Neto
  • at Pinheiro Neto Advogados

Rules on employers’ ability to monitor employees’ activity tend not to vary from a regular to a remote-working arrangement – but rather depend on “who owns the device”. As a general rule, whenever companies grant electronic devices to employees for work purposes, the content and all data stored in such equipment belong to the company, as they are considered “work tools”. This means that there is no expectation of privacy – provided that employees are informed on such monitoring in advance. In the case of personal devices, it may ultimately lead to certain ambiguity as to employers’ right to have access or monitor activity because of the existence of both professional and personal information. If that is the case, monitoring should be limited to work-related information, apps and files, ensuring, as much as possible, that personal data is preserved and there is no violation of privacy.

Last updated on 21/09/2021

Flag / Icon

France

  • at Proskauer Rose
  • at Proskauer Rose
  • at Proskauer Rose

The rules for monitoring employees do not differ between teleworkers and office workers. Thus, like any employee, teleworkers must be informed in advance of the methods and techniques used to monitor his or her activity (article L. 1222-3 of the labour code).

The implementation of a device allowing the control of the employee's working time must be justified by the nature of the task to be performed and proportionate to the purpose (National Agreement of 26 November 2020).

The CNIL said in a Q/A on 12 November 2020 that the devices used to monitor employees’ activity must not be aimed at trapping employees and cannot lead to permanent surveillance of employees. Thus, audio or video devices, permanent screen-sharing or keyloggers must not be implemented.

If the employer exercises excessive surveillance on his employee, it may receive a financial penalty.

Finally, the CNIL advises employers to prioritise monitoring the completion of missions by setting objectives rather than monitoring the working time or the daily activity of employees.

Last updated on 21/09/2021

Flag / Icon

Germany

  • at CMS Hasche Sigle

Employers may have various legitimate reasons to scrutinise and monitor employees' performance or conduct during remote work (eg, productivity, to enforce company policies, protect business secrets, health and safety obligations). However, monitoring worker activity is only permitted in any given case if the employee's privacy interest does not outweigh the employer's legitimate interests. Therefore, employers must justify employee monitoring on a case-by-case basis.

As a result, while monitoring employees via webcam is generally not allowed, monitoring employees' browser history or emails might be possible if the employer prohibits private use of the laptop; there is cause for the monitoring; and the measure does not lead to permanent monitoring of the employee's digital behaviour. Irrespective of this, if a works council has been established, the employer also needs the consent of the employee representatives to use a technical device that monitors employees' performance or behaviour. This is the case with any software.

In any event, the use of a keylogger that continuously records an employee's activities is unlawful. The data cannot be used in a procedural dispute, as the German Federal Labour Court ruled in its judgment of 27 July 2017 (2 AZR 681/16). Employers must always bear in mind the need to comply with the principles of the GDPR and the BDSG, as the personal data that employers collect when monitoring remote work is sensitive data. Employers must therefore take all necessary measures to ensure data confidentiality and secure access to company servers. Monitoring of private emails or private browser history is only permitted if there are clear signs that the employee has committed a criminal offence, but even then, the investigation must be proportionate.

Last updated on 21/09/2021

Flag / Icon

Greece

  • at Kyriakides Georgopoulos Law Firm
  • at Kyriakides Georgopoulos Law Firm
  • at Kyriakides Georgopoulos Law Firm

Limits on employer monitoring of worker activity do not significantly change in the context of remote working, taking into account that corporate equipment and networks are mainly used, and corporate data is being processed by employees. However, even if personal equipment is being used by employees, the following considerations should be taken into account.

According to applicable privacy and data protection legislation, HDPA decisions and the approach adopted by the European Court of Human Rights in Barbulescu v Romania in 2017, an employer may lawfully access and process personal data (e-mails and other documents) stored in employees' computers in cases where this processing is necessary for the overriding legitimate interests pursued by the employer or by a third party (legal basis of article 6 (1)(f) GDPR). Such legitimate interest of the employer may comprise the need to ensure the smooth running of the business by establishing mechanisms for checking that its employees are performing their professional duties adequately and with the necessary diligence, as well as the need to protect its business and property from significant threats, such as hindering the leaking of confidential information to a competitor or providing evidence of employee's criminal activities. In the latter case, the employer should, however, ensure that it does not enter into the exercise of investigative actions which, by law, are executed exclusively by the competent judicial-prosecutorial authorities.

Particular emphasis should be paid to ensuring the necessity and proportionality of the planned measure and the employer should be able to demonstrate that no less onerous and invasive measures exist to achieve the goal. In this context,  excessive and constant monitoring of employees’ computers and communications cannot be justified. In addition, access should not extend to all communications and their content, but only to those necessary under the proportionality principle.

Employees have a legitimate expectation of privacy in the workplace, which is not altered by the fact that they use equipment, communication devices or any other professional facilities and infrastructure of the employer, even more so if they use their personal equipment. Even if employees have been explicitly informed beforehand of a relevant internal regulation that prohibits the personal use of company computers, this alone does not legally justify monitoring or control of the personal data processed by the employee;  a more specified notice is required. In particular, employers should inform employees beforehand in clear and plain language of the implementation of monitoring methods, and their purpose, extent, nature, circumstances, etc, as required under articles 13 and 14 of the GDPR. In addition, employees should be provided with internal regulations on the proper use of company resources.  which shall include Lastly, employees’ representatives should also be informed of and express their opinion before the establishment of any monitoring systems in the workplace.

Last updated on 21/09/2021

Flag / Icon

Hong Kong

  • at Lewis Silkin
  • at Lewis Silkin
  • at Lewis Silkin

There are no specific statutory limits on employers monitoring employees’ activity in remote-working arrangements, as long as the employer complies with the PDPO. However, employers mustn't collect employees’ personal data (ie, browser history) without having notified them in advance of the personal data that they intend to collect and the purpose for which it is being collected, under the PDPO. This can be done in a PICS, where monitoring of an employee’s use of telephone, email, internet and video for performance-related and other reasons is likely to be included.

The privacy commissioner has released guidance about monitoring and personal data privacy at work. This includes guidelines on the monitoring of telephone, email, internet and video. These monitoring practices should serve a legitimate purpose that relates to the function and activity of the employer and should be necessary for that purpose. If an employer does not believe it can adhere to these guidelines, it may prefer to find less invasive ways of ensuring that employees are adhering to their job duties when working from home (eg, regular check-ins or asking them to complete timesheets).

Last updated on 11/10/2021

Flag / Icon

India

  • at Nishith Desai
  • at Nishith Desai

Employers in India largely rely on their policies regarding the monitoring of worker activity, in absence of codified laws. As a result of the covid-19 pandemic and resultant lockdown, employers were not fully prepared to shift to remote working and hence faced challenges vis-à-vis ethics and the legalities of monitoring employee activity. Incidentally, there was an employee protest in one case when the employer’s client required the employees providing services remotely to keep their cameras on.

While there is no legal requirement of time tracking specifically in the context of remote working in India, employers are generally required to track the working hours of employees (largely from an overtime perspective) and to comply with certain recordkeeping requirements under applicable labour laws. In this context, employers should bear in mind that their records do not falsely show an employee working beyond the stipulated daily and weekly working hours prescribed under applicable labour laws, which may trigger overtime requirements thereunder.

The law on the protection of women from sexual harassment applies to employees while they are working from home, given the expanded definition of “workplace” that includes “a dwelling place or a house”. Employers need to be careful to ensure that there is no abuse of the online means of communication, such as video calls, in the process of monitoring their employees that may lead to workplace sexual harassment-related claims. 

Last updated on 18/11/2021

Flag / Icon
Ireland

Ireland

  • at Littler

Employers must have regard to an employee’s right to privacy and data protection rights. They must have a legal basis under GDPR for processing employee personal data in that manner and must also be able to demonstrate that the monitoring in question is a necessary and proportionate action to achieve a legitimate aim; and that there is no less intrusive alternative way of achieving that purpose.

Guidance from the Data Protection Commissioner has focused on employers being transparent regarding the measures they adopt, including the purpose of collecting any personal data; minimising the amount of data that is processed; and preserving the confidentiality of any such data.

Last updated on 21/09/2021

Flag / Icon

Italy

  • at Toffoletto De Luca Tamajo

Employee monitoring is governed by article 4 of the Law no. 300/1970.

According to this article if tools that potentially enable employee remote monitoring are needed for the performance of work, employers may be able to collect information from them without a trade union agreement or administrative authorisation. However, information collected through those tools can be lawfully used for all purposes connected with employment, including disciplinary reasons, only if: (i) a company policy is in place adequately detailing the expected use of the tools and the nature of possible checks carried out by the employer; and (ii) the above is done in compliance with data protection legislation. 

No specific guidance or legal provisions have been issued for remote working, so employers should firstly ensure that they are able to monitor their employees in compliance with the above rules. Moreover, the individual agreement signed with the employee working remotely needs to include a reference to how the employer will exercise its monitoring power.

©Toffoletto De Luca Tamajo, ©Ius Laboris

Last updated on 21/09/2021

Flag / Icon

Mexico

  • at Marván, González Graf y González Larrazolo
  • at Marván, González Graf y González Larrazolo
  • at Marván, González Graf y González Larrazolo

According to article 330-I of the amended FLL; the mechanisms employed to monitor teleworkers must be proportional to their purpose; employers must always guarantee the employees’ right to privacy; and the legal framework for protecting personal data must be complied with.

Additionally, activity monitoring must be limited to employees’ working hours and digital connectivity, be transparent, and the employer must respect the employees’ right to disconnect, meaning that they need to respect employees’ time off and must never expect their availability outside of working hours. Further, webcams are not mandatory, and employees have the right to refuse to turn them on.

Last updated on 21/09/2021

Flag / Icon

Netherlands

  • at Rutgers & Posch
  • at Rutgers & Posch

The use of equipment to monitor employees is subject to strict conditions under article 8 of the European Convention on Human Rights, the General Data Protection Regulation (GDPR) and Article 7:611 of the Dutch Civil Code (DCC).

In practice, we see several types of ICT software being used to remotely monitor employees’ activities on computers used by the employee at home (e.g., logging in- and out, the number of keystrokes, usage of e-mail and internet, screenshots or photos of the workplace at home can be taken via the webcam). These methods of monitoring are invasive to the privacy of employees and should be treated with much caution. It seems that these forms of monitoring cannot easily be considered necessary, since employees who work at the office are not being permanently supervised or monitored either.

Last updated on 08/03/2022

Flag / Icon

Poland

  • at Bird & Bird
  • at Bird & Bird

The general provisions regarding employee monitoring also apply to remote workers. According to the provisions of the Polish Labour Code that were introduced regarding GDPR, the scope, manner and aim of any form of employee monitoring (in particular, monitoring the IT or GPS of remote workers’ equipment) must be specified in detail in workplace regulations.

Therefore, the use of monitoring and its legal compliance is conditional on appropriate provisions being introduced by the employer upon agreement (consent required) with the trade unions or, in their absence, with employee representatives. The introduction of monitoring should be announced two weeks before monitoring begins.

Employee monitoring conducted without such regulations in place or in an excessive manner may be deemed illegal (eg, a court may reject it as evidence of employee fraud or other non-compliance in the case of a disciplinary action brought by the employer).  

Last updated on 21/03/2022

Flag / Icon

Portugal

  • at Cuatrecasas
  • at Cuatrecasas

In terms of privacy, the teleworking regime establishes that employers must respect employees’ privacy and time with their families, as well as provide them with good working conditions, both physically and psychologically. This was made even clearer with the new teleworking law.

Whenever remote working is carried out at an employee's home, visiting the workplace should only be necessary to check work performance or equipment and can only take place during the employees’ working hours, in the presence of the employee or a person designated by the employee, with prior notice of at least 24 hours and the employee’s consent.

Regarding limits on employers monitoring employee activity, the Portuguese Labour Code prohibits the use of remote surveillance in the workplace to monitor the professional performance of employees.

Especially during the pandemic, when remote working and teleworking, in particular, were normalised, concerns arose regarding the limits of monitoring and how to adequately safeguard employees’ privacy.

On 17 April 2020, the National Data Protection Commission (CNPD) issued guidelines on remote control during teleworking, especially the need for monitoring working time and the fact that, in several companies, employees were using their own devices to work.

In these guidelines, the National Data Protection Commission clarified that, regardless of who owns the work equipment, under the teleworking regime employers retain powers to direct and control the execution of work by employees. However, since there are no special provisions on remote control during teleworking, the National Data Protection Commission believes that the general rule prohibiting the use of remote surveillance fully applies.

Therefore, technological solutions for remote monitoring of employee performance are not allowed. For example, software that, in addition to tracking working times, records websites visited; tracks equipment locations in real-time; monitors the use of peripheral devices; captures screenshots; records when access to applications is initiated; controls the document being worked on; or records the time spent on each task are all prohibited.

Please note that, during the pandemic, when remote working was most widespread, the National Data Protection Commission and Trade Unions reported a significant increase in employees’ complaints about illegal monitoring taking place.

Also, since Portuguese labour law imposes an obligation to register working time (eg, start, pauses, end of work time), in teleworking this can be done through technological solutions. Applications specially designed for this purpose are allowed provided data protection principles are respected.

Concerns regarding these technological solutions were partially addressed by the new teleworking law, which states that when controlling the performance, the employer must respect the principles of proportionality and transparency, notably the employer cannot impose a permanent connection on employees through image or sound.  Also, it is forbidden to capture and use images, sound, keystrokes, browsing history, or other information that may affect the employee's right to privacy.

Last updated on 07/03/2022

Flag / Icon

Qatar

  • at Clyde & Co
  • at Clyde & Co

Qatar has an established legislative framework pertaining to data protection and personal rights to privacy. By way of background, the Qatar government enacted Law No. 13 of 2006 relating to the protection of personal data (PDPL) in 2017, which imposes obligations on natural and legal persons processing data related to identifiable individuals using electronic means. Additionally, the Qatar data protection authority, the Compliance & Data Protection Department (CDP), issued 14 guidelines in November 2020 to clarify obligations under the PDPL (the Guidelines).

The PDPL and the Guidelines guarantee the rights of data subjects, including the right to information and access to their personal data; the right to rectification; the right to erasure; the right to restriction of processing; the right to object; and the right to not be subjected to automated individual decision-making.

The CDP was established in 2020, and now serves as an independent, effective and impartial oversight system that guarantees compliance with the PDPL. An individual whose privacy rights have not been respected can complain directly to the CDP.

The Qatar Penal Code (11/2004, as amended) also establishes criminal offences concerning intercepting or disclosing correspondence or telephone conversations.

In addition to the Qatari Constitution, the International Covenant on Civil and Political Rights (ICCPR) and the Arab Charter on Human Rights (ACHR), to which Qatar is a party, all enshrine the rights to privacy, freedom of speech and the right of access to a court. All three legal texts apply equally to Qataris and non-Qataris.

It is increasingly commonplace for employers to monitor the use of the internet and communications systems, especially email; however, an employer's ability to monitor employees' activities must be carefully managed and employers should obtain prior employee consent. Employers must observe the legislative framework set out above and ensure that their employees have provided their express consent to any monitoring – this could be captured under the data protection clause of the employee’s contract of employment.

Last updated on 08/11/2021

Flag / Icon

Saudi Arabia

  • at Clyde & Co
  • at Clyde & Co

Until recently, the legislative framework in KSA regarding data protection and personal rights to privacy was a patchwork, with discrete obligations and requirements contained in a variety of laws, as there was no comprehensive data protection law or specific legislation dealing with monitoring worker activity remotely. However, in September 2021 KSA published its first comprehensive national data protection law to regulate the collection and processing of personal information. The Personal Data Protection Law (PDPL) was implemented by Royal Decree M/19 of 9/2/1443H (16 September 2021) approving Resolution No. 98 dated 7/2/1443H (14 September 2021).  It will be effective from 23 March 2022. The executive regulations supplementing the Law should also be issued before it comes into force.

The PDPL is designed to protect “personal data”(ie, any information, in whatever form, through which a person may be directly or indirectly identified). This expressly includes an individual’s name, identification number, addresses and contact numbers, photographs and video recordings of the person. The PDPL applies to any processing by businesses or public entities of personal data performed in Saudi Arabia by any means whatsoever, including the processing of the personal data of Saudi residents by entities located outside the Kingdom. The PDPL does not apply to the processing of personal data for personal and family use.

Individuals (data subjects), will, subject to some exceptions, have the right to be informed of personal data processing and the legal basis of such processing, the right to access their personal data (including to obtain a free of charge copy of the same), the right to correct or update their personal data, and the right to request its destruction if no longer needed. Data subjects may also file complaints relating to the application of the PDPL with the regulatory authority. Organisations that collect personal data and determine the purpose for which it is used and the method of processing (controllers) will be required to register on an electronic portal that will form a national record of controllers. Controllers must also ensure the accuracy, completeness and relevancy of personal data before processing it, to maintain a record of processing for a period that will be prescribed by the executive regulations, and to ensure that staff are suitably trained in the PDPL and data protection principles.

Data subjects may withdraw their consent to the processing of personal data at any time and consent must not be a pre-requisite for the controller to offer a service or benefit (unless the service or benefit is specifically related to the processing activity for which consent is obtained).

There are also additional laws in KSA that safeguard the rights of the individual to privacy. These include:

  • shariah law – its principles protect an individual’s right to privacy;
  • the Basic Law of Governance (Law No. A/90), which protects the privacy of individuals by safeguarding telegraphic, postal, telephone and other means of communication and making it unlawful to confiscate, delay, read or breach;
  • the Telecommunications Act (Council of Ministers Resolution No. 74/2001) restricts the disclosure of information or content that is intercepted in the course of its transmission; and
  • the Anti-Cyber Crime Law (Royal Decree No. M/17 makes it an offence to spy, intercept or receive data that is transmitted through an information network without consent, breach privacy through the use of camera-equipped and mobile phones, unlawfully access computers to delete, erase, destroy, leak, damage, alter or redistribute personal information, and defame or inflict damage on a person through the use of electronic devices.

While it is increasingly commonplace for employers to monitor the use of the internet and communications systems, especially email, before doing so – and to limit the risk of a potential breach of any of the above legislative provisions – employers should ensure that the employee has provided their express consent to any monitoring – this could be captured under the data protection clause of the employee’s contract of employment.

Last updated on 15/03/2022

Flag / Icon

Spain

  • at Cuatrecasas
  • at Cuatrecasas

In general terms, there are no substantial differences between remote and on-site workers.

Any digital program or software to monitor workers must guarantee their privacy and the protection of their personal data under the Organic Law on Personal Data Protection and Digital Rights Guarantees.

Article 17.2 of the Law on Remote Working provides that the employer cannot force employees to install programs or apps on their private devices, or to use their private devices for work.

Regarding workers who travel regularly to carry out their duties, under article 90 of the Organic Law on Personal Data Protection and Digital Rights Guarantees, any geolocation system must comply with the requirements mentioned above (ie, be necessary, appropriate and proportional), and employers must inform the workers and their legal representatives specifically, clearly and unambiguously of the existence and characteristics of such systems in advance. Besides, the employer must inform them that they may exercise their rights to access, rectification, erasure and restriction of the processing of data.

Collective bargaining agreements may provide additional information on this topic.

Last updated on 21/09/2021

Flag / Icon

Sweden

  • at DLA Piper
  • at DLA Piper
  • at DLA Piper

From a privacy perspective, employers must consider the GDPR and other privacy-related legislation. The GDPR states, inter alia, that the processing of personal data must be adequate, relevant and limited to what is necessary concerning the purposes for which they are processed (ie, the data minimisation principle). This means that the employer’s monitoring of employees cannot be too intrusive – it must be proportionate for the purpose. Furthermore, employers must be able to demonstrate that the purpose of the processing cannot be fulfilled by other, less-intrusive, means. Employers must also adhere to other GDPR requirements, eg, providing employees with information about the data processing in advance. Further, employers must always act in accordance with good practices in the Swedish labour market.

When it comes to employees’ use of email and the internet, the Swedish Authority for Privacy Protection recommends that employers have guidelines for internet use and e-mail. The guidelines should clearly state what type of private use is permitted, and also when the employer may consider controlling employees’ internet or e-mail use. Depending on the situation, it may be lawful to carry out inspections of an employee’s online usage. If there is a concrete suspicion that an employee is acting in breach of his or her employment contract, it may be lawful to monitor that employee, subject to complying with the GDPR and other privacy legislation. Employees must be informed about inspections or monitoring that may take place.

In terms of time tracking, the Swedish Working Hours Act also applies to remote working, meaning that the same limits on overtime and provisions on minimum daily rest periods must be observed. In some circumstances, however, such as when the work is performed without employer supervision or control, the Working Hours Act may not apply. There are no general guidelines on when the exemption is applicable, but it should be applied restrictively and is rarely applicable in the case of remote working. Employers should therefore engage in dialogue with employees on their working time to ensure compliance with the Working Hours Act.

Last updated on 24/01/2022

Flag / Icon

Switzerland

  • at Lenz & Staehelin

According to Swiss legislation, control or surveillance systems that are primarily intended to monitor the behaviour of employees are prohibited if they are detrimental to the health or well-being of employees. Health is understood in its broad sense and also includes mental health. There are no strict limits as to what surveillance is, but measures must always be proportional.

The European Court of Human Rights, whose Convention has been ratified by Switzerland, has laid down seven guiding principles for contracting states concerning legal surveillance of employees. These principles relate to information, the scope of surveillance, legitimacy of the reasons for surveillance, use of the least intrusive means, the consequences of surveillance, guarantees offered to employees and the principle of trust.

As an example, the Swiss Federal Supreme Court, which is the highest judicial authority in Switzerland, has ruled that it is unlawful for employers to install spyware without employees' knowledge to check whether they are using the internet for private purposes. In that case, the court held that the system was capable of exerting control over employees' behaviour, which is prohibited. It also held that the surveillance was disproportionate since the employer simply could have blocked access to certain websites.

The above-mentioned principles must also be complied with when it comes to remote working, which does not differ fundamentally from onsite working.

Last updated on 30/09/2021

Flag / Icon

Turkey

  • at Gün + Partners
  • at Gün + Partners
  • at Gün + Partners

One way to monitor employee activity in the context of remote working could be to control employees’ use of servers, e-mail accounts and internet while using the employer’s equipment. In Turkey, it is generally accepted that employers are authorised to control employees’ use of servers, e-mail accounts and internet from their equipment within the scope of their right to manage, and there are no particular rules or exceptions as to remote working.

However, even though employers are entitled to such control, monitoring should be proportional to the legitimate purposes of the employer, such as controlling productivity and quality, or providing security. Employers should inform their employees about monitoring on the equipment and servers as well as the reasons for it. Furthermore, employers must provide necessary information about the scope of their monitoring activities to employees under the DPL. Otherwise, there is a risk of an administrative fine.

Employers should also bear in mind that, during such monitoring, they must avoid violating privacy rights. The Constitutional Court recently held that if employees are informed that their e-mails are monitored, the secrecy of private life and freedom of communication must not be violated. The Constitutional Court also stated that the conflicting interests of the employer and employees should be balanced fairly and any intervention by monitoring e-mail accounts should be evaluated on the grounds of proportionality and the legitimate purposes of the employer.

From a data privacy perspective, employers firstly should determine what personal data needs to be processed to if employers have a legitimate interest to monitor employees’ activities, whether the processing of such data may potentially harm employees considering their rights, and whether employers have any options other than processing such personal data when trying to achieve this legitimate interest. Employers must apply a balance test to determine whether its legitimate interest overrides the personal rights and interests of their employees. Otherwise, employers cannot depend on legitimate interest as a legal ground for processing and will need the explicit consent of their employees to apply the relevant monitoring tool. In any case, if any monitoring requires the processing of sensitive personal data, consent will be required as per the DPL. Even if consent is given to employers, this does not mean that they can use monitoring tools to process any personal data that is not required to achieve the legitimate purposes of the monitoring. Any processing in contravention of the DPL (including the general principles applicable to data processing) may impose a risk of an administrative fine.

In light of the above, each monitoring tool considered by employers must be evaluated on a case-by-case basis for determining which legal ground is applicable and to what extent.

Last updated on 21/09/2021

Flag / Icon

UAE

  • at Clyde & Co
  • at Clyde & Co

Until recently the legislative framework in the UAE regarding data protection and personal rights to privacy was a patchwork, with discrete obligations and requirements contained in a variety of laws, as there was no comprehensive federal data protection law or specific legislation dealing with monitoring worker activity remotely. However, the UAE announced in November 2021 a new Federal Data Protection Law, Law No. 45 of 2021 (Data Protection Law), which came into effect on 2 January 2022. The Data Protection Law creates a framework to ensure confidentiality and to protect the privacy of individuals (ie, data subjects) by requiring organisations that fall within the scope of the Data Protection Law to implement appropriate governance for the management and protection of personal data. The Data Protection Law is designed to protect “personal data”, which is “any data related to a specific natural person or related to a natural person that can be identified directly or indirectly by linking the data”. This expressly includes an individual’s name, voice, image, identification number, electronic identifier and geographical location. It also includes sensitive personal data and biometric data.

Law applies to the processing of all personal data by controllers and processors located in the UAE, whether or not the personal data processing relates to data subjects in the UAE or abroad, and prohibits the processing of personal data without the consent of the individual (ie, the data subject), unless an exception applies. Controllers (a person or entity that determines the method and criteria for processing personal data and the purpose for the processing) will need to be able to establish the consent of the data subject where consent is used as the lawful basis for processing the data subject’s personal data. The following laws are also likely to apply:

  • The UAE Constitution;
  • The Criminal Law (Federal Law No. 31/2021, as amended); and
  • The Cyber Crime Law (Federal Law No. 34/ 2021, as amended).

An employer's ability to monitor employees' activities must be carefully managed and employers should obtain prior employee consent. The UAE Constitution contains a general right to privacy for individuals and guarantees freedom of communication by post, telegraph, or other means of communication. The Criminal Law also establishes criminal offences concerning intercepting or disclosing correspondence or telephone conversations and the Cyber Crimes Law likely extends this to IT communications. 

It is increasingly commonplace for employers to monitor the use of the internet and communications systems, especially email. However, in light of the above, employers should ensure that the employee has provided its express consent to any monitoring – this could be captured under the data protection clause of the employee’s contract of employment.

Last updated on 15/03/2022

Flag / Icon

United Kingdom

  • at Littler

Monitoring worker activity generally (whether remote-working or non-remote working) is possible but must be handled with caution and appropriate safeguards. As a general rule, employers are entitled to monitor worker activity to some extent, but they must undertake an impact assessment before doing so (which is an internal assessment of the impact of the proposed monitoring on data privacy), tell workers in advance about the monitoring and only monitor workers to the minimum extent reasonably feasible to achieve the employer’s goals.

The monitoring must be necessary, justified and proportionate. In other words, any monitoring must have a legal basis under GDPR for processing employee personal data in that manner (the legal basis may vary depending on the specific purpose of the monitoring), and the employer must also be able to demonstrate that: (a) the monitoring in question is a necessary and proportionate action to achieve a legitimate aim; and (b) that there is no less intrusive alternative way of achieving that purpose. There are also separate obligations in relation to data security and retention.

The more intrusive and extensive the monitoring, the greater the risk that employer monitoring may breach the UK’s data protection legislation, the Data Protection Act 2018 (and the UK’s implementation of the EU’s GDPR).

The ICO has previously published extensive guidance on how employers should implement a monitoring system. See here from page 58. This guidance was published before the pandemic, but is equally applicable. Recently, the ICO has also published specific guidance on monitoring employees using surveillance cameras, to check for compliance with pandemic health & safety obligations: see here.

Last updated on 21/09/2021

Flag / Icon

United States

  • at Littler
  • at Littler
  • at Littler

Monitoring and surveillance laws vary from state to state, and there are also, potentially, tort and criminal laws regarding invasion of privacy that must be considered where the employee has an expectation of privacy.  While audio or key-stroke monitoring may be minimally intrusive, video surveillance is almost always problematic. Some states require only one-party consent for audio monitoring, but others require that all the parties to a conversation consent to such monitoring.

Up-to-date information on the USA’s response to the pandemic, including State-level news and developments, can be found at Littler’s covid hub here.

Last updated on 21/09/2021