Are you introducing remote work? Don’t forget about GDPR !

On April 7, 2023, an amendment to the Labor Code introducing provisions on remote work will come into effect. Until now, remote work has been regulated under the so-called COVID provisions, which were not sufficiently precise. If you intend to implement remote work in your company or if your employees are already working remotely, you need to ensure appropriate regulations regarding the protection of personal data during remote work.

Protection of personal data in remote work regulations

The rules for remote work are determined by the employer in agreement with the workplace trade unions, and if there is no such organization at the employer’s, in a regulation agreed upon with employee representatives. According to Article 6720 § 6 of the Labor Code, these documents specify, among other things, the rules for monitoring compliance with security and information protection requirements, including procedures for personal data protection. This means that regulations concerning the protection of personal data should be included in the regulations regarding remote work.

Lack of remote work regulations and personal data

However, some employers choose not to regulate remote work in internal provisions. In such cases, the arrangements regarding remote work are formulated in an employment contract or in a separate agreement or addendum with the employee. However, this does not mean that the employer can waive regulations regarding the protection of personal data. Both in the case of individual arrangements with the employee and occasional remote work, the employer has the right to control the employee in terms of security and information protection requirements. Such control is easier to conduct when there are clear legal frameworks and obligations. In such situations, it is advisable to create a separate Remote Work Personal Data Protection Policy.

What does the Remote Work Personal Data Protection Policy include?

Remote work entails slightly different risks than working in an office, particularly concerning the security of files and documents containing personal data that employees have access to in their remote workplaces. Employees should exercise increased vigilance when working in public places, such as cafes, by preventing unauthorized access to data, for example, by adjusting the monitor’s position and avoiding the use of public networks. Caution should also be exercised at home, as it is easy to imagine a situation in which an employee engaged in an important work conversation is unaware that their small child has caused havoc and destruction to the computer or documents.

In summary, the Remote Work Personal Data Protection Policy should indicate, among other things:

  1. How to ensure the security of personal data when using the internet;
  2. How to ensure appropriate safeguards for transmitted information;
  3. Rules for handling paper and electronic documents.