COVID 19 - Telework in light of the labour and data protection law
- Articles and memoranda
- Posted 20.04.2020
Due to the coronavirus pandemic, the Luxembourg Government invited all companies, if and where possible, to implement teleworking. Teleworking is a form of organising and/or performing work, using information and communications technology, in the context of an employment contract, where work is carried out at the home of the employee. Specific rules apply thereto [1].
In principle, teleworking should be mutually agreed in writing between the employer and the employee. This agreement shall include mandatory information, such as the place of work, the description of the functions and tasks to be achieved by the employee during hours of teleworking, the working hours during which the teleworker must be available to the employer, the contact person for the teleworker, the description of the equipment used by the teleworker, the insurance coverage for loss of or damage to equipment, etc.
In the context of the COVID-19 outbreak, teleworking may be implemented by employers on the basis of their statutory obligation to ensure the health and safety of their employees [2]. Employees may also request permission from their employer to telework. In such a case, the employer may only refuse if justified by operational needs.
Teleworking shall be organised during the normal working hours as provided in the employment contract/addendum to the employment contract, in compliance with the legal limits relating to weekly and daily working time. The parties must agree on the arrangements for overtime, which shall comply with the legal provisions and correspond as far as possible to the company’s internal procedures. Recent case law has recognised a right to disconnect for employees [3]. The employer must also respect the teleworker’s privacy.
In the context of the COVID-19 crisis, specific tax and social security arrangements have been negotiated with the French, Belgian and German authorities to facilitate teleworking for cross-border workers. Notwithstanding the provisions of the existing double tax treaties, as of 14 March 2020 and until further notice, days of presence of a worker at home, in particular to carry out telework, will not be taken into account in the calculation of the tax exempted period of 29 days for France, 24 days for Belgium and 19 days for Germany. In addition, there should be no change in status of cross-border workers in connection with the applicable social security scheme even if the threshold of performance of substantial activities (i.e. 25%) from their country of residence is met due to teleworking during the period of confinement.
Whether at home or at the office, employees are continually accessing confidential and personal data as part of their daily tasks. Working remotely increases the risk and vulnerability for the company and for the data processed by employees. Telework presents a challenge for compliance with existing confidentiality and data protection rules such as the EU General Data Protection Regulation (“GDPR”). Many companies and businesses have to respond to the current situation by setting up a secured Virtual Private Network or safe internet connections. Remote workers are still required to control the devices they use. At the same time, organisations have to maintain, or if necessary extend, existing data protection standards. In that context, the CSSF has reiterated that it is the responsibility of each entity to define the conditions, including security conditions, for the use of the computer system. The company may also use computer systems in which it allows one or more of its employees to work from home, in proportion to the risks to which it is exposed [4]. Finally, in terms of data transfer towards third countries, organisations and businesses have to satisfy the expected confidentiality level.
Article 32 of the GDPR requires that controllers and processors implement technical and organisational measures to ensure a high level of security, appropriate to the risk. This includes, among others, the ongoing confidentiality of processing systems, the pseudonymisation and encryption of personal data, the ability to restore the processed data in the event of a physical or technical incident, such as an external cyber attack or the loss of the device by the teleworker, and a regular testing and evaluation system to assess the effectiveness of the technical and organisational measures. From a practical standpoint, this may require companies to review and update company policies and codes of conduct regarding the protection of personal and confidential data in times of remote working. They may establish approved codes of conduct [5] or certification mechanisms [6] as an element by which they demonstrate compliance with the requirements set out in Article 32 of the GDPR. Companies may occasionally organise compulsory training programmes for their employees in order to keep data security standards constantly up to date.
Because of the demanding technical requirements in enabling employees to work from home, companies may have to rethink their IT standards by upgrading the contractual arrangements they have with their IT suppliers or, if necessary, changing supplier. In that context, Article 28 of the GDPR requires that the binding contract between the controller and the processor includes specific provisions obliging the processor to take all security measures necessary to meet the requirements of Article 32 GDPR. Companies may therefore have to set up adequate and updated data protection agreements with existing or new IT suppliers. As a result, internal procedures regarding the notification of data breaches may also need to be updated to reflect the renewed risk that remote working implies.
Implementing teleworking while maintaining GDPR-compliant data protection standards clearly demands close collaboration between different stakeholders within a business organisation and external contractors such as IT suppliers. Not only must the privacy and personal data of all employees be protected, but so must that of the persons they interact with.
All the above GDPR-related matters will apply under all circumstances of teleworking, thus also outside the context of COVID-19.
[1] Collective bargaining agreement concluded on 21 February 2006, and renewed on 15 December 2015 between labour relation partners which was declared of general obligation by Grand Ducal Regulation dated 15 March 2016.
[2] Article L.312-1 Labour Code.
[3] Luxembourg Court of Appeal 2 May 2019, n°45230: first time that a Luxembourg Court recognised the right to disconnect for the employees during annual leave. Extension of such case law is to be expected.
[4] CSSF, COVID FAQ, 2 April 2020; http://www.cssf.lu/fileadmin/files/FAQ/FAQ_Covid_19_fr.pdf
[5] Article 40 GDPR.
[6] Article 42 GDPR.