Under the Law No. 81 of 22 May 2017 on “Measures for the protection of non-entrepreneurial self-employment and measures aimed to facilitate flexibility in regard to locations and times of subordinate work”, remote working has been recently regulated in the Italian legal regime for the first time. This is a flexible style of working, regulated within the employment relationship and characterised by the absence of time- and workplace constraints and by forms of organisation of work by stages, cycles and objectives.
When implementing remote working in their company, employers must take personal data protection regulations into account.
Regulation (EU) 2016/679 on the protection of personal data (the “GDPR”) introduced the principle of accountability, namely the requirement for the data controller (in our case the employer) to take proactive steps to show that concrete measures have been put in place to ensure the implementation of this Regulation. Essentially, the employer is obliged to identify and manage risks associated with the data processing carried out, in accordance with the principle of data protection “by design” (involving the protection of specific data processing operations) and “by default”.
This means that, in the case of remote working, the employer must carry out a proper risk assessment and, where necessary, an impact assessment in order to analyse all existing and potential risks and identify the technical and organisational data security measures that are required in order to guarantee secure data protection operations. The employer, accordingly, must adopt Regulations, Policies or Guidelines which set out the conduct that smart workers must adopt in order to ensure the confidentiality, integrity and availability of data processed in the course of their duties.
The employer must also ascertain and verify that remote controls are not invasive in nature, in contravention of Article 4 of Law 300/1970. This means that the systems that allow continuous monitoring of employees’ use of work tools and the company network must be subject to detailed scrutiny.
For this very reason, remote workers must receive detailed information on the various ways in which the employer exercises its power of control, and on what forms of conduct could potentially trigger or attract disciplinary sanctions.
Beyond this, the employer must train remote workers so that they are fully cognisant of and familiar with the tools available to them, the various risks, and the measures to be adopted while remote working.