Occasionally, employers allow employees to use paper trails containing personal data during remote work.
However, this carries a high risk of breaching data security, and the documents need to be secured, says UODO.
During the current epidemic period in Poland, employers must organize work so as to limit contact between staff; in particular, where possible, they should order employees to observe distancing, according to article 3 of the legislation of 20th March 2020 on special solutions related to the prevention and elimination of COVID-19, other infectious diseases and crisis situations.
UODO presents a list of principles that should be followed in case of remote work and the possibility of using paper trails by employees.
Employers, as controllers of data processed during remote work, must ensure compliance with data processing rules, including guaranteeing data security, keeping in mind the higher risk associated with such activities. This applies both to data processed using electronic means of communication and to data contained in paper trails.
During remote work, employees can process personal data only for purposes related to their official duties, respecting the employer's internal policy and other procedures. They also have to take care of their workplace in terms of data protection.
Employees cannot remove a paper trail, without authorization, from a data processing area authorized by the employer.
While the Labour Code regulates questions of personal data protection, it contains no specific provision on data protection in the remote work system. Consequently, the employer must guarantee compliance with the GDPR provisions on personal data protection and security.
The employer should implement appropriate procedures and organizational and technical measures so that employees have sufficient awareness and tools to comply with the provisions on the protection of personal data.
When the employer decides to allow employees to use paper trails during remote work, the employer must take measures to reduce the risk of loss of data availability, integrity and confidentiality.
The employer must assess the necessity of using paper trails during remote work, keeping in mind the nature of the data, the purposes for which they are processed and the available resources.
First of all, an employee should assess if he/she needs to have access to that data or if he/she can use anonymized documentation.
Working on paper trails will not be justified if the employer:
– has implemented the electronic circulation of documents, and the employee has secure access to personal data necessary for work by means of electronic communication;
– has the ability to quickly, efficiently and securely implement electronic documentation flow;
– may provide the employee with properly secured (including encrypted) electronic copies of necessary documents.
If the solutions mentioned above cannot be used, it is better to consider working on copies of the necessary documents.
This approach minimizes the risk of data breaches and of loss of data availability. However, it should be remembered that the employee must protect the data contained in such documents, as well as in the original documentation.
When deciding whether employees may use paper trails during remote work, the employer must:
– ensure that documents containing personal data issued to employees are recorded;
– ensure that shared documents will be kept by the employee for the period necessary to perform a specific task during remote work (storage restriction);
– limit the number of documents taken from the administrator’s office in relation to the purpose of processing personal data by the employee as part of remote work;
– oblige the employee to properly secure personal data when taking the documentation (e.g. carrying documents in a secured briefcase, or moving documents in such a way that they are not visible to third parties);
– oblige the employee to properly secure data in the place of remote work (e.g. storing documents in lockable drawers of desks or cabinets, complying with the clean desk principle, securing documents against access by unauthorized third parties, including family members);
– ensure that the employee will use the personal data obtained only for the purpose for which it would be used at the premises of the workplace;
– specify the procedure for the destruction of documents (a prohibition on throwing documents into the bin at home; if the employee does not have a shredder at home, he should store the documents in a safe manner and destroy them in the office after remote work);
– ensure that the employee will report to the employer any security incident in accordance with the procedure for dealing with data breaches, so that the controller can comply with the obligation imposed by art. 33 item 1 GDPR.
SOURCE: POLISH DATA PROTECTION AUTHORITY – UODO