COVID-19 and protective measures put in place in response to the pandemic have compelled businesses in countries around the world – including Croatia – to adopt a new vision for employment. One such innovation is work from home.
Almost a year after the pandemic began, home-office remote work has proven so effective, it could become a fixture of our post-pandemic future. But remote work raises a host of legal and administrative challenges. This article – based on the 2 February 2021 webinar The Future is Now: The New World of Work in Croatia and hosted by Marija Zrno Prošić (a data protection expert) and Mia Kalajdžić (an employment expert) with CMS Croatia – explores the impact of homeworking on the traditional office environment for both workers and companies.
Remote work in Croatia
Home office vs. the traditional office in Croatia
According to CMS attorney and labour law expert Mia Kalajdžić, as soon as the pandemic struck, Croatian employees were forced to switch rapidly to a work-from-home system as well.
But like elsewhere, the leap to remote work was far from smooth. Outdated laws contained gaps, and as result – explains Kalajdžić – "the rights and obligations of employers and employees during this process remained unclear."
Over the past year, however, many of the questions surrounding remote work in Croatia have been ironed out. When it comes to implementing remote work in Croatia, the following is clear:
- Employees cannot be ordered home Employers do not have the right to impose remote work on employees. Consent must be obtained from all personnel, which necessitates either redrafting the employment agreement or adding an annex to the contract to include a work-from-home provision. Kalajdžić advises that any revisions to employment agreements include details on providing equipment to employees and reimbursement of work expenses, among other things.
- A schedule must be applied to home working The issues of how to schedule and supervise remote work – and communicate electronically in a way that is consistent with data-protection regulations – are still rife with "uncertainties", states CMS's Kalajdžić. One thing, however, is clear. From a legal point of view, all rights and protections afforded employees by Croatian employment law apply to the home-working environment. This includes the question as to whether home-working employees are to allowed to adopt a modified work schedule that better conforms to their home routines. Although it appears that a vast number of Croatian home workers have established independent working hours and some experts have argued that this is permissible, Kalajdžić states that the law does not back this up. For the present, the issue may be moot since Croatian labour inspectors do not appear to be investigating this issue.
- Compensation of expenses for home-working employees Businesses are obliged to compensate employees for all costs incurred while working at home. Applicable costs include the acquisition of equipment, supplies and utilities such as internet, telephone, electricity and heating. "The amounts [to be compensated] are legally not prescribed," cautions CMS's Kalajdžić, "and it is basically up to the employee and employer in their agreement to determine how high this amount will be". From a practical point of view, Kalajdžić admits that arriving at a compensation scheme for these myriad of costs is difficult, and – as a result – advises that employers simply negotiate and pay out a daily expense fee, especially for personnel working from home occasionally rather than permanently.
Changes expected to Croatian regulations
Many of the uncertainties and questions surrounding home working may be clarified with the new regulations that the Croatian parliament is expected to enact soon. The most important anticipated changes are likely to include:
- Granting employers and employees greater flexibility in concluding home-working agreements that fit their unique circumstances.
- Making a legal distinction between work-from-home that is 'permanent' or 'occasional', giving employers the right to impose occasional remote work when necessary, such as during a pandemic.
- A modification of the employer's responsibility for the health and safety of home-working employees.
- Better defining the home-working expenses that employees can be reimbursed for. According to the Croatian media, the government is considering 'lump-sum' payments for these costs, which Kalajdžić considers the most practical solution.
- Providing employers with tax benefits for many remote-working costs.
Monitoring and data protection
Because remote working makes managers and employees more reliant than ever on technology, communication, and data storage, an essential part of the work-from-home arrangement is data protection.
According to data protection and privacy expert Marija Zrno Prošić, a Partner with CMS Croatia, one of the most sensitive data-protection and privacy issues surrounding work-from-home is employee "monitoring" (i.e. the ability of managers to use electronic means to ensure that workers are on the job).
"Even if employers have a legitimate interest in monitoring, it doesn't mean that this can be done without limits", cautions Zrno Prošić, particularly in light of the intrusive means of digital monitoring that exists and must be avoided, including the ability to intercept and read employee emails and observe the Internet search-engine activity of workers.
When it comes to monitoring, Zrno Prošić states that employer interests must be balanced with the rights of employees, which include not only data protection, but also privacy rights.
In short, before implementing a monitoring system, an employer should:
- Conduct assessments (e.g. DPIA, LIA) to ensure that monitoring systems do not violate privacy and data protection rights;
- Consult with those offices and representatives with a vested interest in employee protection and data-protection rights (e.g. the company's works council, DPO, employees' data protection rep, etc.);
- Ensure employees are duly informed on the monitoring systems to be used and processing of their personal data;
- Seek other means for protecting its interests other than intrusive monitoring (e.g. instead of monitoring internet activity, employers can block access to certain problematic websites).
Cyber-security risks in the home office
One of the major concerns surrounding work-from-home is data security. Employees working from home run an increased risk of compromising company data (e.g. communications, financial information, sensitive information) if they do any of the following:
- Conduct company work over personal devices (e.g. privately owned tablets, laptops);
- Liaise with colleagues and team members using non-company communication tools (e.g. personal phones, social media conferencing systems, etc.);
- Remain unaware of cyber security risks and fail to implement security protocols.
According to Zrno Prošić, breaches in cyber security can also represent a legal or financial liability for a company, given that penalties for data-protection breaches due to lack of adequate security measures can be onerous, as in the case of an UK airline that received a fine of up to EUR 23 million.
To make sure it is compliant with local data-protection laws and the EU's General Data Protection Regulation (GDPR), each Croatian company is advised to:
- Inspect all information systems for weaknesses and ensure that strong security measures are in place;
- Keep detailed records of inspections and all measures put in place to safeguard data; and
- Ensure that employees are kept up to date on the data-protection protocols that must be followed.
Even before the crisis, many Croatian companies required employees to work abroad. Although COVID-19 put a temporary stop to employee travel – an interruption that is likely to continue throughout 2021 – Kalajdžić says that when staff mobility resumes in the post-pandemic future, companies will have to contend with new laws, which include:
- The Posting of Workers Act – that guarantees workers posted in Croatia are not subject to minimum wages, but can enjoy "the mandatory elements of remuneration". In addition, postings can be organised through foreign job agencies, and in the case of long-term postings, foreign employees can be protected entirely under Croatian law. Simply put, it will be easier to post employees to Croatia from another EU country.
- The Foreigners Act – that tackles some of the unique circumstances of the digital age, such as third-country nationals who are working remotely for a foreign company (i.e. digital nomads). These nomads are eligible to work in Croatia for up to one year and received certain tax benefits. This law abolishes quotes for foreign workers and relaxes the conditions for a prolonged or permanent stay.
- The Act on EEA members state nationals – that regulates the possibility for UK nationals to live and work in Croatia post-BREXIT.
The resumption of staff mobility will also bring data-protection concerns. Firstly, companies should assess the roles of all parties involved (i.e. the companies and agencies involved in the postings) and ensure that adequate contractual arrangements are made, where needed. In case of transfers of personal data outside the EU and EEA, a company must comply with the GDPR's specific transfer requirements including determining if the European Commission issued an adequacy decision for a certain state and ensuring that appropriate safeguards are in place, such as in standard contractual clauses.
Health and Safety
As stated above, employers are now responsible for the health and safety of their remote workers, but this obligation and any connected liability are likely to be reduced as a result of legislation currently being drafted by Croatian lawmakers.
Employers, however, currently face other liability risks: the most prominent being, is an employer liable if a worker is infected with COVID-19 on the job? According to CMS labour-law expert Kalajdžić, an employer can insulate itself from liability if it adheres to the rules. As long as companies initiate and follow all government-prescribed measures for combatting the pandemic (e.g. workplace social distancing, educating employees on safe practices, providing protective equipment, disinfecting the workplace and ensuring non-entry of infected inpiduals), then the employer cannot be found at fault.
But unfortunately, health and safety is not the only risk employers face these days. A company's anti-pandemic measures also raise data-protection issues, particularly concerning the processing of employee medical or health data, which represent a special category (i.e. "sensitive data"). When dealing with personal medical data, companies can protect themselves and employees by remembering the following:
- All decisions concerning the processing of medical data should be proportional and based on necessity.
- An appropriate legal basis should be established before medical data is collected, stored or shared; the health and safety obligations of employers do not justify all actions; similarly, companies cannot violate data-protection regulations even if they believe they are doing so to assist an ailing employee or customer. If a company determines it has a legitimate interest to engage in the relevant processing of personal data, it should first conduct a legitimate interest assessment (LIA).
- Employers should always opt for less intrusive measures.
- Companies should fully inform personnel of their policies and practices for processing medical data, and take note of any new public measures related to the health and safety, which might affect their current policies and regulations.
Digitalisation and the future
With the institution of work on the verge of change, how can companies best prepare for a future in which remote work figures prominently? The answer, states Kalajdžić, will be found in digitalisation since work-from-home systems will most certainly depend on technology – technology that is growing more advanced by the year.
To prepare now for the digital challenges of the post-pandemic workplace, companies are advised to:
- Assess how widespread remote work could become in their industries or sectors, and determine the digital equipment they'll need to sustain a remote workforce;
- Share the results of each assessment with employees and educate staff on how roles and responsibilities may change in the future;
- Begin acquiring the IT equipment necessary to support a remote digitalised staff;
- Begin training employees on how to work remotely and protect themselves from cyber threats;
- Make sure the company drafts internal policies on how to conduct on-line meetings and best practices for conducting work on-line.
But before any new technology is introduced, a company should conduct thorough assessments to determine impact and risks (e.g. a DPIA); consult with all parties concerned (e.g. the company's works council, the DPO, employees' data protection rep, etc.) on implementation of the technology; and keep employees duly informed of any processing of their personal data.
The threat of bias in advanced systems
New forms of technology, such as artificial intelligence (AI) and algorithms, can greatly assist companies and employees in their operations. But digitalisation carries hidden risks, particularly in the case of AI systems that may be used to make decisions regarding employees. This is especially important because systems can sometimes process data in such as way that unwittingly reflects bias and could include the “hidden” processing of sensitive data categories (e.g. race or ethnicity based on someone's a name). Great care should be made when using algorithms for HR decisions and real people should be included in the processing of relevant data and any decision-making. Needless to say, all other "general" requirements under the GDPR should be complied with as well.
For more information and detailed advice on implementing remote working in Croatia, contact your CMS partner or local CMS expert: Marija Zrno Prošić, Partner CMS Croatia, Mia Kalajdžić, Attorney-at-Law, CMS Croatia.