CNIL FAQ on Remote Working



The CNIL provides answers to the most frequent questions concerning remote working and reiterates certain principles common to labour law and the GDPR. This is another addition to the CNIL’s remote working information centre available here.

The questions the CNIL answers are:

What is remote working?

Remote working is a form of work organization in which work is carried out outside the employer's premises using information and communication technologies, as opposed to work carried out “on site”.

It raises many questions that are not limited to data protection: the right to disconnect and the thin line between personal and professional lives, the evolution of the managerial function and the evaluation of work, or the place of the collective in the work.

These questions include the protection of employee personal data, but also how employees need to process personal data in the course of their work.

What are the conditions for setting up remote working?

During “normal” times, remote working should be regulated by the labour contract (individual or collective) or even a Charter (article L. 1222-9 of the Labor Code).

However, if remote working is imposed because of COVID-19, it can be mandated by the employer and does not have to be contained in the contract.

Can the employer monitor employees working remotely?

In principle, monitoring may be used as long as it does not infringe individuals’ rights and freedoms. However, there are certain rules to abide by.

The monitoring must be proportionate to the objective pursued and it should always respect the individuals’ right to private life. The CNIL quotes article L. 1121-1 of the Labor Code: “No one may impose restrictions on the rights of individuals and on individual and collective freedoms which are not justified by the nature of the task to be accomplished or proportionate to the goal sought”.

Employers must always bear in mind the principle of fairness when rolling out employee monitoring tools. Informing employees before implementing such monitoring tools is also a must. Employers might be held liable if they fail to do so.

The record of processing activities must be updated with such a processing activity. The CNIL reminds employers that processing of personal data that is likely to cause a high risk to the rights and freedoms of data subjects must be subject to a data protection impact assessment (DPIA). For processing activities intended to constantly monitor the activity of employees, the DPIA must be carried out. This is in accordance with the CNIL’s list of processing activities which qualify for the DPIA, available here.

Can the employer constantly monitor its employees?

In principle, the answer is no. A system for monitoring the working time or activities of employees, whether they work remotely or not, must:

    • have a clearly defined purpose and not be used for other purposes;
    • be proportionate and adequate for that purpose;
    • require prior information to the employees concerned.

The employer cannot place its employees under permanent supervision, except in exceptional cases justified in view of the nature of the task. Examples where permanent monitoring would not be allowed are:

    • constant surveillance using video (such as a webcam) or audio devices;
    • the permanent sharing of the screen and/or the use of "keyloggers";
    • requesting the employees to click every “x” amount of time within a certain app, or to take photos at regular intervals.

Such processes are particularly invasive and amount to permanent and disproportionate monitoring of employee activities.

As an alternative, the CNIL recommends setting up a control of achievements by objectives, or asking employees to submit reports at regular intervals.

What precautions should be taken when employees use their personal devices (mobile phones, computers, tablets, etc.)?

Data protection laws require employers to implement an appropriate level of security and confidentiality, regardless of the device used. Employers remain responsible for the security of personal data entrusted to them by individuals, including when it is stored on devices they have neither legal nor physical control over.

Allowing employees to use their own devices for business-related purposes blurs the line between private and professional life, and such a decision must be made only after weighing the advantages and disadvantages.

Video conferencing: can an employer force an employee to activate his camera during a meeting?

In general, the CNIL doesn’t recommend that employers impose an obligation on employees to turn on their cameras during conference calls. This goes against the principle of data minimization, as the use of the microphone would suffice.

Even in circumstances where video calls could help restore some sort of “humanity” in the interactions, they can still infringe the right to private life of other people living with the employee. Furthermore, the employee should be able to refuse to turn on a camera, while in a very limited number of cases employers can request that their employees turn on their video cameras. Further guidance is available here.

What tools are specifically dedicated to remote working?

The CNIL reminds employers that they are responsible for ensuring appropriate security safeguards when using tools to facilitate remote working. It has issued recommendations for employers, available here, and for employees, available here.

The CNIL offers further guidance on this in its resource centre dedicated to this matter available here and in its downloadable guide.

In addition, the National Information Systems Security Agency (ANSSI) has established a list of ANSSI-qualified products and services, based on the level of security they offer, which can be accessed here.

What can the CNIL do in the event of a complaint?

The CNIL can carry out checks remotely, on site, through interviews or documents in the event of an employee's complaint or on its own initiative.

In the event of non-compliance with the GDPR or the law, for example if the employer sets up excessive surveillance of employees, the CNIL can:

    • instruct organizations to comply with the GDPR and the law;
    • issue a monetary penalty or not.

The FAQ are available here.

The text is not legal advice. All recommendations are made by the CNIL. Although we always do our best to provide the most accurate information, this overview relies on a translation of the French text, and there could be some discrepancies. Visit their press release for full details.