Data protection in teleworking context. Romanian perspective
Work from home (WFH) has been available in Romania since 1972. Under this framework, the employee works entirely from home during a self-established schedule, and not necessarily by using technology.
Telework, on the other hand, was introduced in 2018 (via Law no. 81/2018 - the Teleworking Law) and was intended to cover a combination of WFH and work from the company premises, being perceived by both parties (employer and employee) rather as a benefit granted to the employee.
As everywhere in the world, the pandemic amplified the use of telework and, apart from triggering various changes in the practice of Romanian companies and a more flexible approach by the Romanian labor authorities (e.g. telework was, and still can be, implemented unilaterally by the employer during the ongoing state of alert), it has also led to legislative changes.
Currently, based on very recent legislative amendments, telework has fully become a remote work concept: (i) there is no longer a requirement to combine the two categories of workplace, meaning the employee may work 100% of his/her working time remotely, (ii) the work location may be the domicile, the residence or any other address and (iii) it is no longer necessary to identify the exact locations in the employment contract.
Since telework involves the use of information and communication technology, it obviously comes with additional risks concerning the privacy and security of personal data. This article outlines the most relevant topics.
Technical and Organizational Measures
Looking at the sanctions issued by the Romanian DPA, technical and organizational measures appear to be under constant scrutiny by the regulator, most of the sanctions being in some way linked to the non-observance of such measures.
Needless to say, data protection and information security risks (especially data breaches/leakage) are the most obvious and commonly encountered risks when a company allows its employees to work from anywhere. Companies therefore need to step up their efforts in applying the necessary measures (both technical and organizational) in order to ensure, on the one hand, that the processing of personal data is lawfully carried out in the teleworking context and, on the other hand, that their employees continue to process personal data in compliance with the GDPR.
When it comes to organizational measures, the implementation of state-of-the-art internal policies is a key tool available to employers. Of equal importance are the effective communication of such policies and periodic training to raise employee awareness. In this manner, a company can make sure that its employees continue to process personal data while observing the GDPR and the company's internal rules on data protection, while also maintaining safe conduct in the performance of their professional duties within the teleworking context.
When it comes to technical measures, while allowing employees to connect to corporate IT assets, companies should ensure secure and stable remote connections (e.g. VPN) and manage and protect both corporate and personal devices from both external and internal threats (e.g. cyber-attacks). If employees use their own devices in the performance of their work, further security measures should be applied in order to protect the personal data being processed (e.g. mobile device management).
Information and Transparency
Obviously, transparency towards employees and mutual trust are essential in a teleworking relationship. Companies must inform employees about the processing of their personal data and the conditions of such processing, under both applicable legal frameworks (the GDPR and the Teleworking Law).
Control and Monitoring
The exercise of the employer's right to control the activity performed by the employee is all the more challenging when an employee is not working within the employer's premises.
Based on the Teleworking Law, the employment agreements of the employees performing telework must include specific provisions regarding the schedule under which the employer is entitled to check the activity of its employee, as well as the practical means of carrying out the check.
The employer should therefore strike the right balance between the privacy of the employees and its right to control the employees' activity. It is important to note that the Romanian DPA has established in its Decision no. 174/2018 that the large-scale processing of personal data of vulnerable data subjects, such as employees, by automated means of monitoring requires a data protection impact assessment.
Moreover, the Romanian Data Protection Law (i.e. Law no. 190/2018) includes specific rules on the processing of employees' personal data carried out in pursuit of the employer's legitimate interest, where electronic monitoring and/or video surveillance systems are used at the workplace. Specifically, employers may use these systems to process employee personal data only if:
- the employer's legitimate interests are duly justified and prevail over employees' interests or rights and freedoms;
- the employer has carried out the mandatory, complete and explicit information of the employees, as data subjects;
- the employer has consulted the trade union or, as the case may be, the employees' representatives before implementing the monitoring systems and
- other less intrusive means to achieve the same goal pursued by the employer have not proven their effectiveness before.
As regards the duration of data storage, the Romanian Data Protection Law provides that such duration must be proportionate to the purpose of the processing but, in any event, not longer than 30 days, except for cases expressly provided by law or other well-grounded situations. If a compliance or disciplinary process cannot be finalized within 30 days, the employer will need to document the need to keep the data for a longer period.
Cross-border Telework and Privacy Risks
The Romanian Teleworking Law neither prohibits nor regulates cross-border telework, which is already a reality. Apart from the tax implications in terms of the applicable taxation regime (including social contributions) and the risk of creating a permanent establishment for corporate income tax/VAT purposes, cross-border telework will most likely raise further concerns regarding the risks of unlawful processing of personal data, of more severe data breaches and of various conflicts of laws and conflicts of jurisdiction (of courts and of the relevant DPAs).
Article provided by: Adelina Iftime Blagean and Nina Lazar (Wolf Theiss, Romania)
Dr. Tobias Höllwarth (Managing Director INPLP)