Remote work during the COVID-19 pandemic and personal data protection under the GDPR

COVID-19 pandemic has completely changed our lives. The restrictions and limitations that have come with it forced us to introduce new solutions or renew interest in those already known to reduce the risk of the virus spreading. One of those solutions turned out to be remote work, to which, if only feasible, companies started to switch very quickly after the pandemic outbreak, becoming a new norm of performing employee duties.

However, it is worth remembering that remote working involves certain risks and its implementation should be accompanied by appropriate procedures aimed at both improving the processes used by the entities and protecting them against possible threats. One of such risks is the violation of data security, including the personal data of both employees and persons whose data are processed by employees while performing their work duties. Unfortunately, however, many companies underestimate this problem, as evidenced by an increasing number of complaints concerning the processing of personal data during remote work submitted to data protection authorities around the world.

Remote work under the so-called Anti-Crisis Shield

Until the outbreak of the COVID-19 pandemic, Polish law did not regulate the issue of remote working. The Polish Labour Code contained provisions concerning only so-called teleworking (i.e., work performed regularly outside the workplace, using electronic means of communication), while the remote working, which often involves occasional and irregular work from a place other than the permanent workplace (e.g., from home), was permitted only based on internal regulations or arrangements between the employer and the employee. The epidemic hazard state announced in March 2020 changed this situation, forcing the introduction of appropriate regulations in this area.

The possibility of instructing the employee to perform remote work was introduced by the Act of 2 March 2020 on special solutions related to the prevention, prevention, and combating of COVID-19, other infectious diseases, and crises caused by them (“the COVID-19 Act”). According to Article 3 sec. 1 of the said Act, to prevent COVID-19, the employer could order the employee to perform, for a fixed period, the work specified in the employment contract, outside the place of its permanent performance.

This provision, in the aforementioned wording, expired 180 days after the entry into force of the said Act, i.e., on 4 September 2020. And then, the next day, this provision has been reintroduced (and redrafted) by the Act of 24 July 2020 amending an act on posting of employees within the framework of providing services and certain other acts. As a result, the current version of Article 3 sec. 1 of the COVID-19 Act provides that the employer may commission remote work to an employee „until the end of a state of epidemic emergency or state of epidemic announced due to COVID-19” and „within 3 months after their cancellation”.

The provisions regulating remote work were also introduced under the Act of 4 June 2020 on interest rate subsidies on bank loans granted to provide financial liquidity to entrepreneurs affected by the effects of COVID-19, i.e., the so-called Anti-crisis Shield 4.0. The said Act imposed on employers many obligations related to remote work.
First of all, it states that the employer should check whether the employees have the technical and premises conditions to perform work outside the office, as well as whether the employee can perform remote work and has the skills to use the IT system. This means that before instructing an employee to perform his/her duties remotely, the employer should check both the skills of the employee and the conditions under which the remote work will be performed.

At the same time, the employer is obliged to provide the employees with the means and materials needed for remote work as well as logistical support. At the same time, the employees have been allowed the employees to use their own resources under the condition of keeping the secrets, confidentiality, and personal data protection. Additionally, an obligation was introduced to train employees in remote work, including personal data protection and related issues.

Remote work and personal data protection under GDPR
Since May 2018, the General Regulation on Personal Data Protection (the „GDPR”) has been in force, introducing a number of new obligations, including the analysis of internal data processing and the preparation of necessary documentation. In light of the new regulations, the personal data controller must adjust the level of security of personal data to the applicable guidelines and check it regularly.
Considering these issues in the context of remote work, it is necessary to determine first what personal data processing is. According to Article 4 point 2 of the GDPR, ‘processing’ means “any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”. Then, the extent to which an employee may process the data must be determined, as it may be different from the one associated with on-site work. In this context, the employer needs to assess whether the employee in question has all the necessary authorizations to carry out the activities in question and, if needed, change their scope.

Another issue that has to be tackled is the introduction of appropriate technical and organizational safeguards, as referred to in Article 32 of the GDPR. For this purpose, one should follow the general principles that can be found in Article 5 of the GDRP, in particular:

It is also important to keep a meticulous record of who, when, to what extent, and on what basis processes the personal data. This not only ensures that the principle of accountability is respected but also allows to fulfill the obligation that rests on the administrator under Article 32(4) of the GDPR. According to this provision, “the controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller unless he or she is required to do so by Union or Member State law”.
The above shows that the issue of personal data protection associated with remote work is much more complicated than it might seem. However, the most important thing is that remote work is properly controlled to avoid any subsequent problems. Adequate data protection serves to protect the interests of not only the data subjects but also of the employer in terms of legal liability. If the rules and procedures are not written down, it may be difficult for the employer to demonstrate that, as a data controller, its actions have met the standards provided under the GDPR.

It is worth adding here thath2. employees should also be instructed on how to perform remote work and the risks it entails so that they also feel responsible for protecting the data. Therefore, it is recommended for companies who adopt remote work to inform their employees about the rules and procedures associated with this mode of work, including information about security and data protection. Also, after accepting the instruction to work remotely, each employee should sign a GDPR compliance statement.

The article is for information purposes only and under no circumstances constitutes a legal opinion or advice. For more detailed information or legal assistance, contact DT’s lawyer.

Contact:

2020-12-18 09:44

© 2021 Drzewiecki, Tomaszek i Wspólnicy sp.j.

website created by: Legion