Employment and privacy law issues
What employment issues must companies consider in deciding whether to switch to the bring your own device (BYOD) model?
Before implementing the BYOD model, an employer should first ensure that its BYOD policy is binding on both it and its employees. Ideally, the policy should be incorporated into both employment contracts and internal work policies. Employment contracts should set out the general BYOD framework and confirm that each employee consents to the policy. For existing employees, employers should consider amending their employment contracts. Any BYOD provisions in internal work policies should provide a detailed synopsis of the related rules. In order for a BYOD policy to be implemented as a binding internal work policy, the Labour Code requires employers to ensure that employees using their own devices for work-related purposes are familiar with the company’s BYOD policy and that the policy is easily accessible.
The BYOD model typically entails a certain level of employee monitoring, whether in the form of device location monitoring or the monitoring or storage of emails, calls, logs or internet activity. The Labour Code allows employee monitoring, provided that:
- employees are informed of the monitoring before implementation;
- employee representatives (if established) are consulted in advance; and
- the monitoring is proportionate (ie, not excessive in relation to the intrusion into employees’ privacy).
The Labour Code requires employers to inform and consult employees and employee representatives about the scope, means and duration of monitoring. Although the Labour Code does not explicitly require the consent of employees or employee representatives, consent may be required under the Electronic Communications Act, which may require consent in order to record or store messages or other related personal data. It is therefore prudent for employers to obtain employees’ formal consent to the BYOD policy, for example by including provisions in employment contracts.
Compensation for use of device
Generally, employers must bear all costs relating to employees’ work. Therefore, if an employee is using his or her own device for work-related purposes, the employer must provide compensation. However, the Labour Code does not provide for a specific means of compensation in relation to the BYOD model. As such, employers may:
- give employees a one-off contribution to purchase a device;
- pay some portion of the device’s operating costs; or
- pay a fixed compensation amount.
The employer and employee must agree on a specific means of compensation and specify this in the employment contract or collective agreement. BYOD rules should contain as much detail as possible, including answers to questions such as:
- What happens if the employee’s phone is disconnected due to an unpaid bill?
- What happens if the data limit is exceeded?
- What happens if the employee loses the device? Will he or she be entitled to another one-off grant?
- Is the scheme subject to income tax?
Generally, grants or compensation provided to employees are exempt from income tax if the amount is set on a real costs basis.
The content of messages and related information (eg, the senders and recipients and traffic or location data) are considered telecommunications secrets. Anyone that learns of a telecommunications secret – including an employer – must keep it confidential and must not disclose it to unauthorised persons.
Criminal liability should also be considered when implementing the BYOD model. The Criminal Code identifies several applicable offences. For instance, anyone who intentionally breaches the secrecy requirements in relation to the transfer of electronic communications may be imprisoned for up to three years. However, criminal liability is triggered only for severe breaches or intrusions of privacy, where other penalties (eg, administrative penalties) are considered insufficient.
Are there any specific issues that organisations with a global presence, or those in highly regulated sectors, should bear in mind?
Drafting BYOD policy
Most global organisations have a single BYOD policy which is designed to comply with all respective local law requirements. Before implementing a global BYOD policy, employers should consult local counsel by, for example, distributing specifically designed questionnaires. Emphasis should be put on country-specific provisions. Once a draft BYOD policy is prepared based on the input from the questionnaire, it should be distributed to local counsel again for any further comments or changes to comply with local law. This process should be repeated if required. A team or committee (including legal, IT and HR experts) devoted solely to implementation of the BYOD policy should be established.
Location of data centres
Global organisations often outsource various IT services. As a result, data centres (servers) are often located outside the European Union. Communication between devices and data centres is considered a transfer of personal data. Generally, the transfer of personal data within the European Union and the European Economic Area (eg, Norway and Liechtenstein) is unproblematic. In addition, data may be freely transferred to countries which afford adequate levels of protection according to the European Commission’s decisions (eg, Andorra, Argentina, Canada, Switzerland, the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand or Uruguay). In October 2015 the European Court of Justice invalidated the Commission’s Safe Harbour decision for the United States, meaning that transfers to the United States can no longer rely on it and are now treated as transfers to a country without an adequate level of protection.
If data centres are located in countries without adequate levels of protection, employers must adopt additional data security guarantees before transferring data. These guarantees can be standard contractual clauses or binding corporate rules approved by at least one EU national data protection authority. Without such guarantees, any cross-border transfer of employee personal data requires the Data Protection Office’s consent.
In addition, before transferring sensitive personal data to a country with inadequate levels of protection, the employee’s explicit consent is required.
Highly regulated sectors
In some sectors, the law affords additional protection to certain information. Should a BYOD policy allow access to or the processing of such information, the employer must ensure that its policy complies with the respective regulatory requirements. For example, additional requirements (mainly with regard to banking secrecy) apply to IT system security in the financial sector. These requirements are supervised by the National Bank, and implementing the BYOD model may require prior notification to the National Bank. In addition, healthcare providers must ensure that no third party has access to patients’ health documentation. Therefore, when implementing a BYOD policy in a regulated sector, local counsel should always be consulted on the specific regulatory requirements.
Privacy and confidentiality
How do privacy laws, employment laws and protecting a company's confidential information overlap or intersect on this issue – and how can they be reconciled, given their disparate aims?
Proportionality and transparency are always key to reconciling the conflicting interests of employers and employees. BYOD policies should always seek to protect employees’ privacy. In order to protect both employees’ privacy and any work-related data stored on an employee-owned device, work-related and private data should be kept completely separate. There are several ways that this can be achieved technically; some manufacturers already offer mobile devices that separate private and work-related data.
Another solution is to use a virtual work desktop or allow remote access to the employer’s network. While no work-related data is stored on the device, practical and technical questions nonetheless arise:
- Can private notifications interrupt work sessions or are they withheld?
- Will a work session still run in the background (and monitor employees) if not correctly terminated by the employee?
- How can the employee be contacted in an emergency if he or she is not running a work session?
- Should the employee receive work-related notifications if he or she is not running a work session?
Employers cannot access any private data stored on an employee-owned device without explicit consent from the employee. For such private data, employers cannot rely on the statutory legal basis for processing employment-related personal data and must preserve and respect employees’ privacy.
For those that make the switch to BYOD, how can the confidentiality of both employer and employee be preserved?
Regardless of how work-related and private data is separated, as a data controller the employer must ensure that all personal data processed within the BYOD model is secure. Employers must adopt sufficient security measures to protect data against:
- unauthorised access and disclosure; and
- unauthorised provision.
While the Data Protection Act does not explicitly set out security measures, the following are considered standard practice:
- anti-virus software protection;
- password protection for the device;
- password protection for confidential information;
- automatic password resets;
- automatic locks or blocking of a device in case of repeated failed password attempts;
- regular back-ups of data; and
- a remote wipe function.
Depending on how the BYOD policy functions from a technical perspective, not all of these security measures may be necessary. Further, while employees may be offered these advanced security measures, any intrusion into employees’ privacy must be extensively communicated and employee consent must be obtained in advance of any intrusion.
Separation and ownership of data
How can companies separate out what information sent or received on the device is official and business related? Who owns this information – the employer or the employee? And how can employer access to information be assured?
Separation and access to data
Slovak law does not provide guidance on how to distinguish between work-related and private data. This is more a question of appropriate technical measures, which must ensure that work-related data is appropriately protected. As such, employers should adopt a BYOD policy which separates work-related and private data as much as possible.
For example, employees should not be allowed to use work email accounts for private communication. Further, the BYOD policy should set out that any private communications sent or received on a work email account must be flagged as private, deleted or transferred to a designated private folder. BYOD policies should hold employees partly responsible for separating work-related and private data. Employers cannot be tasked with this responsibility, as this would give them regular access to employees’ private data, which would constitute a breach of privacy. Thus, employers may monitor only work-related communications which have not been flagged as private or included in a private folder. Such information may be accessed by various mobile device management solutions available on the market.
Reliance on such rules mitigates a significant portion (albeit not all) of the risks that employers face with regard to privacy breaches. Employee consent is required for any form of interception or surveillance of private communications (eg, recording, wire-tapping and storing).
Employers can claim ownership of work-related data and communications on several grounds. These include:
- trade secrets;
- intellectual property;
- tangible assets included in communications; and
- other protected information or employer-owned property.
The employer may be seen as the originator of work-related data and communications, as the employee will not have created the work on his or her own. In addition, the data protection regulations require employers to protect work-related data from unauthorised access and disclosure. Therefore, arguably, employers have sufficient legal grounds to claim ownership of work-related data and communications, even if they are stored or transmitted via an employee-owned device.
Breach events and departing employees
Handling a breach
What happens in the event of a security breach? Is the employee protected from liability?
As data controllers, employers must adopt robust BYOD policies that:
- address all foreseeable security breaches;
- contain general guidelines for unforeseeable security breaches; and
- protect personal data processed for BYOD purposes.
As a rule, employers are liable for security breaches relating to data processed in the context of BYOD. However, employers are generally not liable for breaches of the employee’s private personal data where it has been stored in the appropriate (separated) way on the employee-owned device. That said, if a breach of work-related data results in a breach of personal data, the employer may be held liable on account of its weak security policies.
Therefore, BYOD policies should extend to employees’ private data the advanced security measures that are usually applied to protect work-related data. For example, if a device is lost, the employer should be able to wipe both work-related and private data on the device remotely. However, by default, remote wipes under a BYOD policy must be limited to work-related data; the employee’s consent is required to wipe private data.
Under the BYOD policy, employees should be required to notify their employers immediately of security breaches. In addition, the BYOD policy should serve as an internal IT security awareness tool. In this respect, security breaches can be avoided or mitigated by providing employees with regular reminders about how to identify and prevent breaches (eg, avoiding public Wi-Fi networks, which can serve as an entry point for attacks on mobile devices).
What steps can a company take to prevent an employee leaving the company from taking company confidential information via his personal device? And how can the employee's own personal information be safeguarded in the process?
If work-related and private data has not been separated on an employee’s device, it is almost impossible to separate it when the employee leaves without significant intrusion into his or her privacy. In that case, the only sensible option is to ask the employee to back up, remove or save his or her personal data and then wipe the remaining content. This naturally raises concerns as to whether employers can legitimately require employees to undertake such actions.
To avoid this situation, BYOD policies should facilitate sufficient separation of work-related and private data, as in that case, removing work-related data from an employee-owned device should not pose a problem.
Employers should consider the possibility that some employees may be unwilling to cooperate. The ideal solution is to have the capability to wipe work-related data from devices remotely (eg, by using mobile device management tools). Some companies require employees to turn in their devices to the IT department for inspection before leaving the company. Regardless of whether this policy is adopted, employees should have a certain level of supervision over operations such as wiping a device. Employers should consider providing employees with a report about any data removed from their devices, as this can demonstrate that the data was removed in compliance with the BYOD policy and with the employee’s consent.
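The two rules above, a remote wipe that is limited to work-related data by default and wipes private data only with the employee’s consent, and a report to the employee of what was removed, can be expressed in a small piece of logic. The following Python is an added example written for this page; it is not code from the article or from any MDM product. The Device/Item model, the container labels, the consent reference and the sample device contents are all constructed for illustration and do not correspond to any real MDM API.

```python
"""Selective remote wipe for a BYOD device (illustrative example).

Rule modelled: a wipe under the BYOD policy removes only the managed work
container; private data is removed only when the employee's consent is
recorded; the employee receives a report of what was removed and retained.
The data model and sample data below are constructed and do not reflect
any real MDM product's API.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

WORK = "work"        # managed work container (employer's data)
PRIVATE = "private"  # employee's own data, outside the container


@dataclass
class Item:
    item_id: str
    container: str   # WORK, PRIVATE, or an unexpected/missing label
    kind: str        # descriptive only, e.g. "email", "photo"


@dataclass
class Device:
    owner: str
    items: List[Item]


@dataclass
class WipeReport:
    owner: str
    basis: str
    removed: List[str] = field(default_factory=list)
    retained: List[str] = field(default_factory=list)
    timestamp: str = ""


def remote_wipe(device: Device, consent_ref: Optional[str] = None) -> WipeReport:
    """Wipe the managed work container by default.

    consent_ref is an identifier for the employee's recorded consent to a
    full wipe (hypothetical; e.g. a signed form reference). Only when it is
    supplied is private data removed. Without it, anything that is not
    clearly in the work container, including items whose container label is
    missing, is retained: the wipe fails closed rather than risk destroying
    the employee's own data.
    """
    full_wipe = bool(consent_ref)
    removed, retained = [], []
    for item in device.items:
        if item.container == WORK or full_wipe:
            removed.append(item)
        else:
            retained.append(item)
    device.items = retained  # the wipe takes effect on the device here
    basis = (f"full wipe with employee consent {consent_ref}" if full_wipe
             else "selective wipe of managed work container under the BYOD policy")
    return WipeReport(
        owner=device.owner,
        basis=basis,
        removed=[i.item_id for i in removed],
        retained=[i.item_id for i in retained],
        timestamp=datetime.now(timezone.utc).isoformat(),
    )


def render_report(report: WipeReport) -> str:
    """Plain-text report handed to the employee after the wipe."""
    return "\n".join([
        f"Wipe report for device owned by {report.owner}",
        f"Executed at: {report.timestamp}",
        f"Basis: {report.basis}",
        f"Removed ({len(report.removed)}): " + ", ".join(report.removed),
        f"Retained ({len(report.retained)}): " + ", ".join(report.retained),
    ])


def sample_device() -> Device:
    """Constructed sample: three work items, two private items and one item
    whose container label is missing (e.g. an app that never registered)."""
    return Device(owner="employee-42", items=[
        Item("mail-001", WORK, "email"),
        Item("doc-017", WORK, "document"),
        Item("cal-003", WORK, "calendar"),
        Item("photo-88", PRIVATE, "photo"),
        Item("sms-012", PRIVATE, "message"),
        Item("blob-999", "", "unknown"),
    ])


if __name__ == "__main__":
    print(render_report(remote_wipe(sample_device())))  # default: work data only
    print()
    print(render_report(remote_wipe(sample_device(), consent_ref="consent-2016-03")))
```

The design choice worth noting is the fail-closed branch: an item that cannot be attributed to the work container is treated as private and left alone unless the employee has consented to a full wipe, so a misconfigured app cannot cause the employer to delete private data it had no basis to touch. The returned report is what the article suggests handing to the employee as evidence that the removal matched the policy and, for a full wipe, the recorded consent.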