On April 7, 2023, the amended provisions of the Polish Labor Code introducing remote work came into force. Until then, the so-called COVID Act provided the legal basis for performing work outside the employer's premises.
It is worth noting, however, that introducing remote work creates additional obligations related to personal data protection. Employers act as data controllers in respect of the personal data of their employees, contractors, and clients, and, where they process data on behalf of other parties under contracts, may at the same time act as data processors.
The processing of personal data by an employee working remotely should be treated as a separate processing activity. It is therefore mandatory to record it in the register of processing activities, to carry out a risk analysis, and to identify the assets that may pose a high risk to the rights and freedoms of natural persons.
It is important to note that employees, depending on their duties and positions, process different categories of data, to varying degrees and in varying scope. HR, payroll, health and safety, and analytical positions that work on individual-level data rather than aggregates may involve large-scale processing or processing of special categories of data within the meaning of Article 9(1) of the GDPR, in particular health data. In such cases the employer must adopt an adequate level of security, which will be higher than the level required for employees and positions that do not primarily involve the processing of personal data.
A necessary, yet often overlooked, step is the employer's review of the contracts under which it acts as a processor. A data controller sometimes obliges the processor to process personal data only in a specific location, for example by restricting processing to the processor's office premises. In such cases the contract will need to be renegotiated, or the processes covered by that controller's data processing agreement will have to be carried out on-site, so as not to breach the agreement between the parties.
The data controller is obliged to implement technical and organizational measures that ensure an adequate level of data security. These measures will require re-verification, because the employer's existing procedures for protecting personal data on-site may prove insufficient once the work environment changes to the employee's place of residence or stay. The personal data protection policy will therefore need to be updated to cover the organization of remote work, or internal remote work regulations specifying the personal data protection requirements will have to be adopted.
The employer is also obliged to retrain employees and, in line with the accountability principle, to retain evidence that this training took place.
The training should, in particular, emphasize the following issues:
- recognizing phishing and responding to it appropriately;
- basics of data processing;
- data retention periods;
- security of data processing;
- reporting personal data breaches;
- data processing principles;
- penalties for breaches of personal data protection rules;
- places where data may be processed, in particular a warning that performing remote work in public places (including places covered by public-area video surveillance that can capture the screen, or where bystanders can see it) may result in the disclosure of confidential information as well as personal data.
The information notices required by Article 13(1) and (2) of the GDPR, provided both to newly hired employees and to existing employees applying for remote work, will also need to be updated. The purpose of processing has changed: it now extends to remote work and to the employer's right to carry out related inspections. The principle of data minimization in Article 5(1)(c) of the GDPR must be taken into account, and it can easily be exceeded because remote work is closely intertwined with the employee's private life. It is therefore crucial to define precisely the scope of personal data processed, limiting it to the data necessary to carry out the inspection while respecting the privacy of the employee and of other household members. It is worth considering a form that specifies the scope of data processed in connection with the inspection, which will provide the basis for conducting it lawfully.
It is also worth pointing out that an employee who inspects the remote work of an employee belonging to one of the protected groups referred to in Article 67¹⁹ § 6 of the Labor Code must hold an appropriate authorization under Article 29 of the GDPR to process personal data, including special category data, solely for the purpose of carrying out the inspection.
It is important to emphasize the need to raise employee awareness of security incidents and personal data breaches. Identifying a breach is the responsibility of the controller. However, those responsible for data security cannot verify every risk or event that could lead to the disclosure, loss, or corruption of data during remote work. Employees should therefore be trained well enough to recognize such an incident, or at least to form a reasonable suspicion that a personal data breach may have occurred. Employers must review their internal breach reporting procedures and run ongoing awareness initiatives, in particular training and short guidance outlining the steps an employee should take when a personal data breach is identified.
The employee should be prohibited from using private equipment or public Wi-Fi networks while performing work duties. An unmanaged private device may already be infected with malware, and traffic on an untrusted network may be intercepted or manipulated; either can lead to the compromise of the employer's entire IT infrastructure, including ransomware that encrypts the data held, corrupts it, or permanently deletes it.
Similarly, employers should train employees to correctly identify phishing. Such messages typically convey urgency or come from someone impersonating top management, accounting, or HR staff. This is a common tactic that plays on the employee's sense of duty to carry out official instructions, while the sole purpose of the message is to get the employee to disclose login credentials for the employer's IT systems or for online banking, so that information or funds end up with an unauthorized recipient.
Employers should consider layered risk mitigation, in particular by identifying the risks associated with employees manually handling data. It is therefore crucial to manage the permissions assigned to IT resources appropriately, especially portal logins, SharePoint access, and network drives. An employee who has access only to the resources needed for their role cannot copy, disclose, or otherwise misuse the wide range of data held by the controller that lies outside that role.
Remote work should also be kept separate from private activities. Data must therefore be properly segregated and protected from household members, who are not authorized to process the controller's data. Employees are required to set up their workstation in a way that ensures the protection of personal data and confidential information, in particular through appropriate positioning of the desk and the use of a privacy filter or similar screen protection. It is also essential to limit the creation of paper copies, which are much harder to secure than electronic ones. Furthermore, employees are unlikely to have a shredder or other means of destroying paper documents so that they cannot be reconstructed or read.
This article is for informational purposes only and does not constitute legal advice.
Legal status as of May 9, 2023.