The purpose of the Guidelines, which apply to both the private and the public sector, is to specify the risks, the rules and the safeguards that should be respected in remote working, and to define in more detail the rights of individuals and the obligations of employers arising from data protection legislation.
1. Monitoring of employees
Of pivotal importance within the Guidelines is the monitoring of employees during teleworking. In this respect, the DPA states that employers are in principle allowed to verify whether employees perform their work within the agreed working hours and in line with the terms of employment. Employers may require from employees an additional authentication step that confirms the employees are actually providing their services remotely.
On the other hand, the continuous surveillance of employees by means of web cams, software that recognises images and movements, sharing of the employees' screens, the installation and operation of a keylogger, or even the regular performance of certain activities for the purpose of ascertaining that employees are teleworking, are prohibited practices, because they violate the proportionality principle and lead to unjustified profiling of employees.
The DPA explains that any monitoring technique must be transparent to employees, so employers are required to inform their employees before implementing such measures in their organisation.
2. Right to disconnect
The DPA stresses that employees have the right to disconnect, and thus to refrain from work-related tasks and electronic communication outside working hours without facing any repercussions. The DPA explains that this right derives not only from the labour law provisions governing teleworking, but also from the employees' fundamental rights to privacy and to the protection of personal data.
3. Security of personal data
A major part of the Guidelines deals with the integrity and confidentiality of the personal data exchanged between employees and third parties in the context of teleworking. The DPA explains that the employer is primarily responsible for the secure processing of personal data carried out through the employer's hardware, software and VPNs, including personal data stored on users' terminal devices, irrespective of whether those devices are owned by the employer. As regards the obligations of employees, they should refrain from forwarding business emails from their corporate account to their personal email address, especially without encryption, while printing business-related material outside the office premises, such as at the employee's home, should take place only on the condition that the personal data contained in the printed files cannot leak to unauthorised third parties.
On the wider topic of security of processing and the availability of personal data, which is frequently threatened by ransomware attacks, the DPA reminds employers of their obligation to implement appropriate technical and organisational measures, such as effective tools for detecting malicious software, regular management of software updates on employees' devices, and the creation of back-up copies. It is also important that employees are trained to recognise suspicious activity and attacks and to respond to them effectively.
4. Web-meetings
Based on the data minimisation principle, employees should be allowed to participate in web-meetings using only their microphone and may decline to use the camera, especially where there are important reasons to keep their background hidden, such as the protection of minors. Additionally, the recording of web-meetings should be allowed only exceptionally, provided that the employer has carried out a relevant Data Protection Impact Assessment; where third parties also join the meeting, their prior consent should be obtained before any recording.
5. Bring Your Own Device (BYOD) policy
Lastly, the use of personal devices for the performance of employees' duties should be allowed provided that the employer has assessed the relevant risks and adopted adequate measures to mitigate them, and a BYOD policy is required that sets out the conditions and restrictions on the use of personal devices. Among other measures, employers should physically or logically separate the professional use of a personal device from its private use, control remote access through strong authentication of the user's identity (for example digital certificates, smart cards and two-factor authentication codes), and put encryption controls in place.
Article provided by INPLP member: Mary Deligianni (Zepos & Yannopoulos, Greece)
Dr. Tobias Höllwarth (Managing Director INPLP)