31.03.2020
The Covid-19 pandemic is keeping companies busy in terms of employment law. Not least because of the effort to avoid infections in the workplace, working at home (“home office” or “teleworking”[1]) is currently on everyone's lips and is being introduced by many companies almost across the board. Of course, working from home is not (yet) required by law, and there are no clear, generally applicable legal frameworks.
I. While a much stricter formulation was originally planned (“[…] Workplaces may only be entered if the professional activity cannot be carried out outside the workplace”[2]), the “Ordinance of the Federal Minister for Social Affairs, Health, Care and Consumer Protection pursuant to Section 2 No. 1 of the COVID-19 Measures Act”[3] provides only that “it [is] to be observed that a professional activity should preferably take place outside the workplace if this is possible and the employer and employee agree on it.”
The general rule therefore remains (as of 31 March 2020) that working from home in principle (although special regulations apply for certain groups of employees[4]) requires an agreement between employer and employee. Individual collective agreements sometimes provide framework provisions for the agreement on teleworking.
II. Because there is no "special regime" under labor law for teleworking, the general labor law provisions apply insofar as they are applicable in content, in particular the regulations on working hours, vacation and certain employee protection provisions. If agreements on teleworking are to include regulations on flexitime (which often seems obvious), a works agreement is necessary in companies with a works council in accordance with Section 4b Paragraph 2 AZG[5].
In principle, the employer must therefore provide the employee with all work equipment (computer, software, paper, printer, electricity) for teleworking; this follows from the nature of an employment contract, which consists precisely in the employee providing (only) his work performance, but no operating resources.
In practice, however, the employee will regularly (also) use infrastructure for which he or she will receive compensation from the employer (this includes increased electricity and internet costs, but also (of course) office furniture with which the employee works), which also requires contractual arrangements, although a flat rate is generally permissible.
III. One area that deserves special attention is the protection of data (processed by employees when working from home). The employer, as the controller of the data processed in his company (wherever!), is subject to the provisions of the GDPR[6] and the DSG[7], as well as many other special regulations.
III.1. The GDPR generally requires controllers to implement appropriate data security measures. One of the principles of the GDPR is that personal data should be processed “in a way […] which ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures” (Article 5 paragraph 1 letter f GDPR), whereby the controller must be able to demonstrate compliance with this provision. Article 32 GDPR requires, in a mirror image, that appropriate measures must be taken to ensure the security of the processing of personal data, taking into account (among other things) the risk of data processing.
Working from home usually creates a much higher risk of data processing than working in a company, for example if the employee's private devices are used or if sensitive paper documents are not kept locked in the employee's home. Organizational data security measures are therefore required - as an absolute minimum, e.g. by giving precise instructions to the employee to ensure that certain rules of conduct are observed in the home office that minimize the risk of a data protection breach (no printing of documents, protection of documents from inspection, etc.). It is also advisable to use special software solutions that ensure, for example, encryption of data stored on end devices (laptops, smartphones, etc.), and to only grant employees external access to company networks to the extent that this is absolutely necessary to perform their work.
III.2. The explicit regulation of Section 6 Paragraph 3 of the Data Protection Act requires (regardless of whether teleworking is agreed) that employees be informed of the transmission instructions that apply to them (i.e., to put it simply, of the places to which personal data may be transmitted). Last but not least, it is also advisable to expressly instruct employees to report any breaches of the protection of personal data to their employer immediately, because in certain circumstances a report to the data protection authority and to "data subjects" may be necessary (Article 33 f GDPR); in any case, such incidents must be documented by the controller. All of these measures must be documented in the register of processing activities (Article 30 GDPR).
III.3. If even rudimentary data protection measures are missing in connection with home office, this can constitute a violation of the principles for the processing of personal data (Article 83 paragraph 5 letter a GDPR) and result in high fines. The extent to which - possible and appropriate - technical and organizational data security measures have been taken is taken into account when imposing fines (Article 83 paragraph 2 GDPR).
III.4. Because the employer, as the controller, also has storage and deletion obligations with regard to data processed by the employee, an exact separation between professional data and the employee's private data with no reference to the work must be ensured. If professional data ends up in a private folder belonging to the employee as part of the use of the employee's private IT infrastructure, which the employer cannot access and of whose existence the employer is also unaware, it is impossible for the employer, as the controller, to comply with its obligations to store, correct or delete this data. It also becomes impossible for the controller to fully and correctly answer requests for information from those affected (Article 15 GDPR); the employer loses control over data sets that are processed under its responsibility. If data is stored on the employee's private devices for professional reasons, the employer will also not be able to claim that this is no longer within the scope of its responsibility under data protection law, because it has decided on the purpose of the data processing by issuing work orders to the employee. Insufficient control over the medium of the data processing does not release a controller from his responsibility; the employee who carries out the data processing remains integrated into the operational structures of the controller, even if he carries out his work at home.
Therefore, precise instructions must be given to employees regarding the storage of personal data when working from home and it must be ensured that the employer can comply with its data protection obligations.
IV. Regardless of the protection of the personal data processed by employees, it must be noted that the protection of the employee’s privacy (hence the protection of the personal data of the employee) at the teleworking location deserves just as much importance as under normal conditions. The (even merely possible) monitoring of the activity of employees must always be measured against the right to respect for the private and family life of the employee (Article 8 ECHR), and therefore any use of certain technical systems requires a works agreement (Section 96 Paragraph 1 Item 3 ArbVG[8]) or individual agreement (§ 10 AVRAG[9]) with the employee; this is relevant, for example, when using software that enables the monitoring of the employee's activities, even if only theoretically.[10]
V. In summary, in connection with the home office agreement, a specific regulation must be made for data protection at the home workplace. Employees must be given precise instructions on how to avoid data protection violations at the teleworking location. If possible, the employer must provide employees with the IT infrastructure and ensure technical data protection through the use of suitable software. Finally, regulations must be made regarding the storage location of personal data, and a strict separation of the employee's private data and company data must be ensured.
[1] Not to be confused with the separately regulated and hardly practically relevant “home work” according to the Home Work Act 1960, Federal Law Gazette No. 105/1961 as amended Federal Law Gazette I No. 61/2018.
[2] Federal Law Gazette II 107/2020.
[3] Federal Law Gazette II 98/2020, as amended by Federal Law Gazette II 108/2020.
[4] For example, in civil service law, see Section 36a of the Civil Service Law 1979.
[5] Federal Act of 11 December 1969 on the Regulation of Working Hours (Working Hours Act) (AZG), Federal Law Gazette No. 461/1969 as amended Federal Law Gazette I No. 100/2018.
[6] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
[7] Federal law on the protection of natural persons with regard to the processing of personal data (Data Protection Act – DSG).
[8] Labour Constitution Act. Federal law of 14 December 1973 on labour constitution (ArbVG) Federal Law Gazette No. 22/1974 as amended Federal Law Gazette I No. 16/2020.
[9] Employment Contract Law Adjustment Act – AVRAG, Federal Law Gazette No. 459/1993 as amended Federal Law Gazette I No. 16/2020.
[10] If the level of surveillance is particularly high, it can even be assumed that such control measures are absolutely inadmissible, cf. Binder in Tomandl (ed.), Labour Constitution Act (11th edition 2013), on Section 96 ArbVG, margin no. 81 with further references.