Remote work: how to comply from a data privacy standpoint?

Under the French Labor Code, remote work refers to any form of work organisation within a company in which work that could have been performed on the employer’s premises is carried out by employees outside those premises using information and communication technologies.

Due to the COVID-19 pandemic and/or as part of their internal digitalisation policy, many companies are getting organised to set up remote work for their employees.

However, the implementation of remote work tools implies compliance with applicable rules not only in terms of labor law but also in terms of data privacy.

The security of IT systems, respect for employees’ privacy and compliance to GDPR are key elements in the implementation of remote work.

The reality check

• Have the remote work tools been properly evaluated? Are they data privacy by design compliant?
• Do the agreements concluded with the relevant IT service providers include the appropriate Data Processing and/or Data Sharing Agreements?
• Are employees’ personal data transferred outside the European Union? Are safeguards relating to these transfers implemented?
• Have the employee privacy policy and other internal documentation and procedures been updated? Is the information provided to employees complete?
• Are the technical and organisational security measures implemented sufficient?
• Have employees been informed of the terms and conditions of use of the IT resources made available to them by the employer?

How we can help

• Audit your specific situation and implement a pragmatic action plan.
• Conduct risks assessments of your tools (ie Data Privacy Impact Assessments, assessment of the data processing activities’ proportionality etc).
• Draft, review and negotiate agreements or amendments to existing agreements with your IT service providers (including data processing and data sharing agreements).
• Assess your data transfers outside the European Union.
• Draft and update internal documentation (ie employee’s information notices, IT charter, internal politics, technical and organisational measures etc) and so much more.