Remote work vs. personal data processing
The upcoming amendment to the Labour Code on remote work is expected to comprehensively regulate a number of issues and relationships between employer and employee, significantly changing the existing legal landscape for performing work from home. The amendment also touches on issues of processing of personal data. Although work on the bill is still underway, it appears unlikely that the provisions discussed below will change significantly, so it is already worth taking a closer look at them.
Procedures for protecting personal data during remote work
The proposed amendment to the Polish Labour Code provides that for the purposes of remote work, the employer will be required to set internal procedures for personal data protection. Therefore, while preparing for the amendment to take effect, employers should develop and implement an appropriate procedure, addressing issues relevant to remote work such as:
- The employee’s need to use a secure internet connection
- Requirements for use of business hardware and software by the employee
- The need for the employee to maintain the confidentiality of business information and prevent disclosure to outsiders, such as household members.
Such procedures will constitute one of the employer’s organisational measures for protection of personal data referred to in Art. 32 of the General Data Protection Regulation. Therefore, these procedures must be developed in accordance with the requirements of Art. 32, including consideration of:
- The state of technical knowledge
- Implementation costs
- Nature, scope, context and purpose of personal data processing
- Risks of violation of the rights or freedoms of natural persons, reflecting the varying probability of occurrence and severity.
Implementation of the procedure for protection of personal data during remote work should also be noted in the employer’s internal records of personal data processing (if maintained).
Since similar data protection and information protection challenges also apply to telework, when developing procedures for protecting personal information during remote work employers can follow their procedures for telework (if they have implemented them).
Further, the draft amendment provides that where necessary, the employer should provide instruction and training to employees on protection of personal data when working remotely. Although the provision indicates that conducting training is not absolutely required and should only be conducted “as needed,” in most cases it seems that given the significant yet specific data protection risks associated with remote work, training (or even repeated training) will probably be warranted. But if the employer decides not to provide training, it should consider developing an appropriate justification for such a decision (due e.g. to the principle of accountability under the GDPR) for internal purposes.
Further, the amendment foresees that employees who are to perform remote work will confirm to the employer in paper or electronic form that they have reviewed the data protection procedures for remote work. Therefore, employers should prepare model documents in which employees will confirm that they have reviewed the relevant procedures, taking into account the need to collect confirmations from employees, e.g. regarding onboarding. On this occasion, it is also worth reviewing the information on processing of personal data provided to the employee in connection with employment (for fulfilling the obligation under Art. 13–14 GDPR), as it may turn out that introduction of new internal regulations or undertaking of practical actions by the employer in connection with remote work makes it necessary to update such information clauses.
Information necessary for remote contact
Under the proposed provisions, an employee performing remote work and the employer would have to keep each other informed through direct remote communications or other agreed means. Although these provisions do not expressly refer to personal data, in practice they will also be relevant in this area, as the information necessary for direct remote communication may include the employee’s personal data, e.g. the employee’s contact details. Notably, the proposed provisions do not specify whether an employer may obtain an employee’s private contact details for the purpose of communicating remotely with an employee. It is doubtful whether acquiring private data for this purpose would be permissible in light of the data processing principles under the GDPR, in particular the principle of data minimisation.
In any event, it is worthwhile to regulate internally how an employer can use an employee’s contact data (e.g. who can access and use such data, and under what circumstances), especially if it is private data. Processing of this type of data should be consistent with the purpose for which the employer acquired the data (solely to contact the employee in the course of the employee’s performance of remote work) and must not violate the principle of data minimisation under the GDPR.
Monitoring performance of remote work
According to the proposed provisions, the employer will have the right to oversee the performance of remote work by the employee, including compliance with information security and protection requirements and data protection procedures. The detailed rules for conducting inspections will be established separately in agreements or work regulations. Irrespective of this, the draft amendment provides that inspections must be carried out in consultation with the employee at the place of remote work during the employee’s working hours. The employer will have to tailor the way it conducts inspections to the location of the remote work and the type of work. Further, the draft amendment provides that the performance of inspection activities must not violate the privacy of the worker performing remote work or other persons, or impede the ordinary use of home premises.
In practice, as the explanatory memorandum to the bill indicates, given the requirements indicated, in principle the inspection of remote work will usually be carried out using means of direct remote communication (e.g. phone, email, chat). However, the bill would also allow inspections to be conducted at the employee’s place of work. If an employer wishes to conduct an inspection at the place where the employee performs remote work, it should ensure that the inspection is carried out in an appropriate manner and in accordance with requirements of the Labour Code and the general requirements for processing personal data. Therefore, it would be reasonable to prepare internal instructions or procedures for conducting such inspections, including the method of documentation, to minimise the risk of violating the privacy of the worker performing remote work or other persons during the inspection.
The bill also provides that if an employer in the course of an inspection identifies deficiencies e.g. in compliance with requirements for information security and protection, including procedures for protection of personal data, the employer must oblige the employee to cure the identified deficiencies within a specified period, or withdraw permission for that employee to perform remote work. It should be noted that identification of such irregularities may also give rise to implications under data protection regulations, primarily the GDPR. For example, it may be necessary to report a data protection breach to the president of the Personal Data Protection Office (for example if it compromises the confidentiality of personal data processed by an employee for which the employer is the data controller).
For these reasons, the amendment to remote work provisions in the Polish Labour Code will require employers to take certain actions regarding the processing of employees’ personal data. It is worth planning for these measures before the new provisions take effect, to avoid surprises later.
Karolina Romanowska, Łukasz Rutkowski