Hamburger
  • Legal system, currency, language

    Constitutional and civil law with certain application of case law. Pesos (ARS). Spanish.

     

  • Corporate presence requirements & payroll set-up

    A foreign entity cannot hire employees in Argentina without a local corporate presence.

    Employers must pay social security contributions (23% or 27% on top of salaries, depending on the company's activity and revenues). Employees must contribute 17% of their salaries to the social security system (to be withheld by the employer and subject to certain taxable limits). Income tax is also withheld by the employer when paying employees' salaries (maximum rate 35%, subject to a progressive scale).

    Collective bargaining agreements for certain activities provide payments to be made by the employer and/or the unionized employees to the relevant unions.

  • Pre-hire checks

    Required

    • Pre-hire medical checks are required pursuant to resolutions issued by the Occupational Hazard Superintendence. If an employee does not complete a pre-hire medical check, the employee will be deemed to have begun work in optimal health; therefore, any injuries or diseases which subsequently arise will be deemed to have happened during the employment relationship.
    • Criminal record checks are required for foreign employees to obtain a work visa.

    Permissible

    Where criminal checks are not required for work visa purposes, they are only permissible (and often done in practice) for specific roles (eg, high-level managerial positions). Reference and educational checks are common and permissible, provided applicant consent is previously obtained.

  • Immigration

    Foreigners from non-Mercosur countries must obtain a temporary residence permit that permits them to enter and work in Argentina. Temporary residency is granted for a maximum period of up to 1 year, extendable for periods of equal or shorter terms. After 3 consecutive years as a temporary resident, foreign employees are entitled to apply for permanent residence.

    Citizens of Mercosur countries can apply for temporary Mercosur residence in Argentina without the need to present a work contract to the authorities. Temporary Mercosur residence is granted for 2 years and enables the individual to work and to apply for permanent residence on expiry of the temporary residence.

  • Hiring options

    Employee

    Full-time, part-time, fixed-term, indefinite-term employees or trainees.

    The following factors tend to indicate a labor relationship: availability to work for his/her employer; an employer who directs and subordinates the individual; an employer who instructs the services and duties required and creates the individual's schedule. Courts will also look at the extent to which the worker depends economically on the employer.

    Independent contractor

    Contractors should only be engaged where there is no labor relationship, that is, no direction/subordination or economic dependence.

    Misclassification, that is failure to register an individual as an employee, or submission of an incomplete or defective registration, carries the risk of severe sanctions and fines from the authorities (including amounts owed to social security for unpaid contributions). In addition, steep fines are levied upon statutory severance, including the doubling of the amount of severance owed to a (misclassified) employee.

    Agency worker

    Employers can engage workers through agencies. Agencies must be authorized by the authorities to function as an agency.

    The employer will be jointly and severally liable with the agency for all labor obligations arising from the worker's employment.

  • Employment contracts & policies

    Employment contracts

    There is no general, legal requirement to execute employment contracts in a specific form – meaning that they can be in writing, made orally, etc. unless a specific law or collective convention applies and indicates otherwise. Notwithstanding, employers are advised to enter into a written employment contract.

    Probationary periods

    The maximum permitted duration of a probationary period is 3 months. After the end of the 3 month period, the employee will turn into an indefinite term employee.

    Policies

    The law does not require employers to have specific policies in place. Notwithstanding, there are some policies that are strongly recommended to prevent potential conflict, such as bonus policies.

    Third-party approval

    Third-party approval is not required for employment contracts or any policies.

  • Language requirements

    No statutory language requirements; however, in practice, employment contracts are drafted in Spanish.

  • Minimum employment rights

    Employees entitled to minimum employment rights

    The Employment Contract Law No. 20,744 (LCL) governs the minimum employment rights in Argentina.

    Pursuant to Article 3º of the LCL, the law governs everything related to the validity, rights and obligations of the parties, provided the employment contract is performed in Argentina, even if the contract was entered into abroad.

    The LCL applies to "workers" which covers not only employees working under an employment contract, but also other individuals who personally perform "work" or provide services for the employer.

    For this purpose, "work" should be understood as any legitimate activity that is provided in favor of someone who has the power to direct that work, through the payment of remuneration for those activities and/or services rendered.

    The main factors that will tend to indicate that an individual is an employee rather than a worker or self-employed worker, are:

    • The employee must be available to work for his/her employer
    • The employer will direct and subordinate the employee, appoint the services and duties required and order the employee to comply with a schedule

    Courts will also weigh the extent to which the worker depends economically on the income obtained from the alleged employer.

    Working hours

    The general maximum number of hours is 8 hours per day or 48 hours per week for all employed workers in public or private enterprises. Each extra hour worked above these limits is deemed to be overtime.

    Notwithstanding the foregoing, Article No. 3 of Law No. 11,544, in its subsections a), b) and c) regulates exceptions to the abovementioned maximum limitation on working hours. The limitations do not apply to employees performing duties under the form of a "job team," that is, working in a special coordinating rotation system, nor to employees performing duties in high-level positions (main managers, directors etc.).

    Overtime

    Employees in Argentina are allowed to perform overtime. Overtime will be only compulsory in cases of danger or accidents or imminent force majeure, or by exceptional demands of the national economy or the company (Article No. 203 of the LCL).

    Overtime must be paid with a surcharge of 50%, calculated using the employee's usual salary if the overtime hours were worked during business days, and 100% on Saturday after 1pm, Sunday or holidays. In no event may employees work overtime of more than, 3 hours per day, 30 hours per month or 200 hours per calendar year.

    Wages

    The national minimum wage (NMW) is updated regularly by the National Council of Employment dependent of the Ministry of Production and Labor. The NMW rate as of December 2018 is AR$11,300.

    Most CBAs also provide for a specific minimum wage applicable to employees subject to the CBA.

    Vacation

    Employees with less than 5 years seniority are entitled to 14 calendar days after 6 months of work. This increases to 21 calendar days for employees with between 5 to 10 years of seniority; 28 days for employees with between 10 to 20 years of seniority, and 35 days for employees with more than 20 years of seniority. For employees with less than 6 months of service, employers must grant 1 day of vacation per worked month. Companies should grant vacation to their employees between October 1 to April 30 of the following year.

    Sick leave & pay

    Sick/accident leave of up to 3 months per year must be provided to employees with less than 5 years of seniority, while 6 months must be granted to employees with seniority of 5 years or longer. For employees with "family dependents" (generally understood to be the immediate family that economically depends on the employee’s wage and labor benefits), these periods are doubled, to 6 and 12 months, respectively.

    Maternity/parental leave & pay

    Pregnant employees may take leave of 45 days prior to giving birth and up to 45 days after giving birth. However, the employee may choose to reduce the leave prior to giving birth, but it may not be less than 30 days, and add those days to the maternity leave period after the birth of the child. In the event of premature birth, the period of the leave that has not been enjoyed before the birth will be added to the leave period after the childbirth. Further, the employee is entitled to earn her gross remuneration (without any withholding contributions made to the social security system), during maternity leave. The ANSES (as defined below) pays the remuneration of employees during maternity leave.

    Fathers are entitled to paid leave of 2 consecutive days for the birth of his child. There is no general regulation providing other parental leave after the birth of a child. 

  • Discrimination

    The law prohibits discriminatory acts or omissions based on race, religion, nationality, ideology, political or trade union opinion, sex, economic position, social condition or physical characteristics.

    In addition, Argentina has ratified international antidiscrimination conventions, such as the Convention of Belem do Pará and the Convention on the Elimination of All Forms of Discrimination against Women.

  • Benefits & pensions

    The Social Security National Administration (Administración Nacional de la Seguridad Social, hereinafter ANSES) is the authority in charge of the administration of the social security system in Argentina, called Sistema Integrado de Jubilaciones y Pensiones (SIJP). Employers and employees are required to make contributions to the SIJP which provides for old age pension and disability benefits.

    To qualify for a statefunded pension distribution, male employees must be 65 years old, while female employees must be 60 years old. In both cases, in order to qualify for pension the employee must have contributed to the SIJP for a minimum of 30 years.

    Employers do not have a legal obligation to provide a private pension scheme for employees, as the employees are entitled to state pensions.

  • Data privacy

    The Data Privacy Law No. 24,766 sets limits to the type of personal data that may be collected by prohibiting the collection of sensitive personal data, such as data that is related to political or religious opinions, and regulates the collection, use, processing and transfer of personal data.

    Employers are allowed to monitor employee's work devices, provided the employee is duly notified in advance, and personal information is safeguarded and not disclosed.

  • Rules in transactions/business transfers

    Where there is an asset transfer that qualifies as a business transfer, all obligations arising from the employment contracts that the transferor has executed with its employees will be taken on by the transferee after the transfer. Employment contracts will continue with the transferee and the employees will retain their seniority with the transferor and the rights arising from it. Therefore, on the execution of the transfer, all employees are automatically transferred to the transferee, after their written consent has been obtained.

    Although in practice both internal consultations and collective consultation with trade unions are held before a business transfer takes place, the transferor and the transferee are not required by law to inform or consult employees on a business transfer. However, in order to perform the transfer of staff, the employee’s written consent must be given prior to the transfer. In the absence of this consent, the employee may terminate the employment, with the right to compensation.

    The transferor and the transferee will be jointly and severally liable for any dismissals that arise due to the transfer.

  • Employee representation

    Argentina is a highly unionized country with approximately 3,100 active trade unions with considerable political power. There are unions in nearly all sectors or industries.

    A trade union must be recognized by the Ministry of Production and Labor. Only recognized and authorized unions can enter into a CBA. Employers cannot recognize an unauthorized union voluntarily, not even for collective bargaining purposes.

    The National Constitution sets out collective labor rights in its Article No. 14 (bis), guaranteeing unions the right to collectively bargain and the right to strike.

    CBAs are very common in Argentina. There are different types of CBAs depending on the territory in which they are going to be enforceable. Some CBAs only govern employees within one specific company, whereas other CBAs govern employees performing certain activities in a geographical region or industry.

  • Termination

    Grounds

    Cause is not required for termination of employment; however, it is required to avoid payment of statutory severance. There is no exhaustive and/or exemplary list of behaviors that constitute cause for dismissal; therefore, whether a dismissal is with or without cause will depend on judicial judgment on a case by case basis. 

    Who is subject to termination laws?

    All employees.

    Prohibited or restricted terminations

    Public employees and union delegates cannot be dismissed without cause and without complying with the statutory procedure for these terminations. All other employees can be dismissed with payment of statutory severance, which will differ based on the case (maternity, illness, etc.)

    Pregnant employees are protected from dismissal. If a pregnant employee is dismissed within the period of 7-1/2 months before or after the date of childbirth, the pregnancy will be considered to be the cause of the dismissal, entitling the employee compensation for the discrimination equivalent to their annual salary, in addition to the applicable severance payment.

    Further, if a dismissal occurs 3 months before the marriage of an employee, or 6 months after it, the dismissed employee will be entitled to a special compensation.

    In order to dismiss employees on sick leave, employers must pay a special severance (full severance payment applicable for dismissal without cause, plus the salary which would be payable for the entire period the illness would be expected to last, according to medical opinion).

    Third-party approval for termination/termination documents

    Under Decree No. 1043/18 (effective as of November 14, 2018), employers wishing to dismiss indefinite term employees without cause must notify the Ministry of Production and Labor at least 10 business days before the decision goes into effect. This Decree is effective through March 31, 2019.

    As this decree was issued recently, there is no administrative or judicial case law interpreting the Decree.

    Mass layoff rules

    Prior to a mass dismissal, an employer must provide notice to the respective trade union that regulates the employer's industry. Collective consultation may be required depending on employee headcount.

    Prior to executing or communicating dismissals or suspensions due to force majeure, economic or technological causes that affects more than:

    • 15% of the employees where total headcount is less than 400
    • 10% of the employees where total headcount is between 400 and 1,000 and
    • 5% of the employees where total headcount is greater than 1,000

    Employers must comply with the Preventive Procedure of Companies Crisis (PPC) before the Ministry of Production and Labor. During this procedure, the company will engage in negotiation with the respective union acting on behalf of their members. The aim of this procedure is to avoid business shutdowns or bankruptcy. After the company files the request at the Ministry of Production and Labor, the Ministry will forward the claim within 2 business days of the filing to the other party for its response. After a response is made, a settlement hearing will be scheduled within the next 5 business days. If a settlement is not reached, the Ministry will open a "negotiating period" that must not extend beyond 10 business days. If the parties still do not reach to an agreement within that period, the PPC process will conclude. Notwithstanding this, in practice, this procedure normally takes longer than the law sets out.

    Notice

    In order to proceed with termination, employers must give notice to employees before the dismissal. 

    The term of this notice will depend on the seniority of employees:

    • During their probationary period, notice must be given to employees 15 days before termination
    • In order to dismiss employees who have completed the probationary period but who have less than 5 years of seniority, notice must be given 1 month prior to the dismissal and
    • Employees with more than 5 years' seniority must receive 2 months' notice before their dismissal

    Statutory right to pay in lieu of notice or garden leave

    Employers are permitted to pay in lieu of notice. Current legislation does not regulate nor prohibit garden leave.

    Severance

    An employee who is dismissed without reasonable cause is entitled to statutory severance of 1 month's salary for each year of service, or period longer than 3 months. This amount is calculated using the employee's highest monthly, regular compensation received in the last 12 months of work. This baseline cannot be more than 3 times the "monthly payment," which is the average of all compensation set out in the applicable CBA at the time of the dismissal (this average is periodically published). The Ministry of Production and Labor governs the updating of this average for every authorized trade union.  

    If the employee is not subject to a CBA (typically, senior employees), the limits applicable to the activity in which he/she performs duties will apply. In no case will the amount of the compensation payable be less than 1 month of real salary.

    Currently, in the Vizotti case, the Supreme Court of Justice has raised the basis for calculating compensation subject to a limit, establishing that it will be 67% of the employee's monthly and usual compensation, the amount to be multiplied by the years of service of the employee, based on constitutional reasons and in cases where the application of the legal limit imposes a reduction to the severance payment of more than 33%.

    This severance payment may be reduced or increased in other types of termination (eg, force majeure and lack or reduction of work; death of the employee; employer's bankruptcy; employee's retirement; employee's illness; employee's pregnancy; etc.)

  • Post-termination restraints

    Non-compete, customer non-solicitation and employee non-solicitation clauses are often used, especially when the employer and employee negotiate the terms and conditions of the termination of the employment.

    Restrictive covenants are capable of being enforced post-employment, provided the employee receives compensation for the restrictions. Therefore, consideration is required for valid restrictive covenants. The amount must be fair and in accordance with the salary of the employee, his/her position in the company, the agreements that the company intends to impose and the extent (period and territory) of the restrictive covenant.

    The law does not specifically regulate restrictive covenants. However, most restrictive periods range between 2 years to 5 years. However, under certain circumstances the court has enforced a 10 year post-termination restraint period, based on the business and the amount of consideration paid to the employee.

    Where an employee is in breach of an agreement, the employer can file a claim against the employee in court requesting compensation for damages. The complaint may include injunctive relief to stop the violation immediately. Alternatively, courts may declare the covenant null and void if it has been drafted too widely.

  • Waivers

    Pursuant to the LCL, any executed agreement that suppresses or reduces rights granted by the LCL, labor laws related to specific industries, collective agreements or individual employment contracts, either at the time of their agreement or execution, or the exercise of the rights arising from its termination, shall be null and void.

  • Remedies

    Discrimination

    Compensation is available as a remedy for discrimination or harassment. In case the event of a complaint based on harassment, the employee can file a claim requesting the payment of the statutory severance payment applicable to dismissals without cause and an additional amount for the pain and/or emotional distress caused by the harassment.

    Employers are liable for the acts of their employees. Therefore, the employer and the harasser will be declared jointly and severally liable for the payment of any compensation granted to the victim.

    Unfair dismissal

    Employees may challenge a dismissal without cause within 2 years of the dismissal and seek payment of statutory severance, plus interest and court fees. The complaint must be filed before the labor courts.

    Failure to inform & consult

    Not applicable for terminations as there are no consultation obligations.

  • Criminal sanctions

    Breaches of labor law do not entail a criminal breach or sanction unless such a breach or offense is specifically regulated by the National Criminal Code as a crime. In that case, criminal sanctions will be applied for the breach of criminal law and not for the breach of labor law.

  • Key contacts
    Osvaldo Jofre
    Osvaldo Jofre
    Cordova Francos [email protected]

Data privacy

Argentina

The Data Privacy Law No. 24,766 sets limits to the type of personal data that may be collected by prohibiting the collection of sensitive personal data, such as data that is related to political or religious opinions, and regulates the collection, use, processing and transfer of personal data.

Employers are allowed to monitor employee's work devices, provided the employee is duly notified in advance, and personal information is safeguarded and not disclosed.

Australia

Australia has very stringent data privacy obligations. As a general rule, personally identifiable data can only be processed if it is required for the performance of the employment contract and constitutes an employee record. Certain acts and practices are exempt from the application of Australia's data privacy laws, but there are strict criteria which must be met for an exemption to apply. Employee records are generally exempt but this exemption will not apply to documents that come into existence prior to the employment relationship (such as pre-employment/hire documentation). At the time it collects personal information, the employer is required to provide the individual with a statement setting out the company's obligations under Australia's data privacy laws and the individual's rights. Further restrictions apply for sensitive personal data. Employee records (with the exception of tax file numbers) are not covered by the Australian notifiable data breach regime, which requires notification to the Office of the Australian Information Commissioner (OAIC) and to affected individuals of any data breach which could result in serious harm. However the OAIC advises that it is good practice for employers to notify employees affected by a data breach so that they may take protective action.

The monitoring of individuals and their data is covered by various surveillance legislation in each state/territory. Essentially, surveillance of employees is prohibited in sensitive areas such as washrooms and change rooms, unless the surveillance device is installed pursuant to a warrant or authorization. Surveillance is permitted in public areas if it conforms with relevant legislation. The monitoring of an employee's use of a work computer (emails and Internet browsing) is governed by specific laws in some states.

Austria

Employees must be generally notified of personal data processing (and in certain cases, give consent). Strict rules apply to data transfer outside the EEA. Monitoring employees usually requires an agreement with the work counsel (if any) or an individual agreement with each employee. Since May 2018 Austria has been subject to the General Data Protection Regulation which has introduced significant new obligations and onerous sanctions for employers.

Bahrain

There are no clear laws in Bahrain comparable with those in the US or Europe concerning the handling and transmission of employees' personal information, nor do any provisions address the cross-border flow of data. However, it is advisable to seek prior written consent to the processing of personal data from the employee to the extent necessary to address the various privacy protections set out in Bahrain laws, including the protections set out in the Bahrain Penal Code.

Belgium

Employees generally must be notified of personal data processing (and in certain cases, give consent). Registrations with the Privacy Commission are required in certain cases. Special rules apply to data transfer outside the EEA. Significant restrictions on monitoring email and Internet use and use of cameras at the work place. Since May 2018, Belgium has been subject to the General Data Protection Regulation, which has introduced significant new obligations and onerous sanctions for employers.

Brazil

Notification and consent are recommended. The National Congress has reviewed some bills addressing data privacy matters, and a new data protection law will become effective in August 2020.

Monitoring of corporate e-mail and Internet use is allowed, but employees should be notified that they cannot expect privacy in the use of these work tools.

Canada

Legislative requirements vary by jurisdiction. Where privacy laws apply, personal information must only be collected with consent and only used for the purposes for which it was collected. In most jurisdictions, email and Internet use may be monitored where notice has been given through clear employer policies.

Chile

The employer is obliged to maintain the privacy of the information and personal data related to its employees. The right to personal data protection has the status of constitutional right and therefore any breach can lead to litigation for impairment of fundamental rights.

China

The Regulations on Employment Services and Employment Management require that an employee's personal data be kept confidential and not be made public without the employee's consent.

The PRC Cyber Security Law imposes new security and data protection obligations on "network operators", puts restrictions on transfers of data outside China by "key information infrastructure operators", and introduces new restrictions on critical network and cybersecurity products.

Colombia

To process personal data, data controllers must provide a privacy notice to the affected employees prior to the collection and processing of personal data. In the case of data transfers, the privacy notice must contain the name of the transferee or the person to whom the information is transferred. All transfers of personal data to domestic or foreign third parties must be pre-approved by the data subject/employee.

Employees will have the right to know, update and correct their personal data. This right may be exercised in relation to partial, inaccurate, incomplete, split, or deceptive data, and/or data that is prohibited from or not authorized for processing (such as race or ethnic origin, political orientation, religious or philosophical orientation, and enrollment to unions or social organizations, among other items considered as sensitive information).

Employees can revoke the authorization granted for the processing of their personal data and could request to remove their personal information from the employers or subcontractor's databases by filing a formal claim, save for information directly related to their employment (for example, HR core data, recruitment, performance, global compensation learning and training-related data and master data). This possibility is only applicable in the case of wrongful use of the employee's information.

Czech Republic

Generally, employees must be notified of personal data processing (eg camera recordings) and, in certain specific cases, give their consent. Significant restrictions on monitoring employees, including email and internet use.

The Czech Republic is subject to the General Data Protection Regulation (GDPR). The local law implementing the GDPR shall be issued in 2019.

Denmark

Employers must comply with the General Data Protection Regulation (GDPR) as since May 25, 2018 and the Danish Data Protection Act

Employees will have the right to detailed information about the processing of their data. All information provided must be concise, transparent, easily accessible and in plain language. Employers must provide information on the legal basis for processing and, if the data is sensitive, which of the conditions for processing special categories of personal data the employer relies on. The notice must also advise the employees of their rights under the GDPR.

Finland

Employees must usually be notified about personal data processing and give consent to this when necessary. Only necessary data may be processed. Special rules apply to data transfers outside of the EEA. Significant restrictions on monitoring email and internet use.

From May 2018, Finland will be subject to the General Data Protection Regulation which will introduce significant new obligations and onerous sanctions for employers.

France

The General Data Protection Regulation (GDPR) came into force on May 25, 2018. It applies to any processing of personal data within the EU. The GDPR implements new rights for data subjects, such as right to access, data erasure, data portability and consent.

Where data processors/controllers process operations which require regular and systematic monitoring of data subjects on a large scale or of special categories of data, a Data Protection Officer (DPO) must be appointed.

Data transfers outside of the EU are subject to additional requirements. Significant restriction on monitoring internet and e-mail use even when on company's IT device.

Germany

Covered by the EU-wide General Data Protection Regulation (Datenschutzgrundverordnung) entered into force in May 2018 and the complementing Federal Data Protection Act. Processing of personal data generally unlawful except as listed by the Act and the General Data Protection Regulation, a works council agreement or free and individual consent. Appointment of data protection officers required if more than 9 individuals deal with electronically saved personal data. Special rules apply to data transfer outside the EEA. Significant restrictions on monitoring email and Internet use.

Hong Kong

The PD(P)O is principally concerned with 6 data protection principles (DPPs). Broadly, these require that personal data is only collected for a lawful purpose,  that only personal data which is necessary and not excessive for that purpose may be collected, and that individuals are informed of certain things before data is collected or used (DPP 1); that all reasonably practicable steps need to be taken to ensure that personal data is accurate and that it should only be retained for as long as necessary to fulfill its purpose (DPP 2); that personal data must not, without the prescribed consent of the job applicant or employee, be used for a purpose other than the purpose for which it was collected (DPP 3); that all reasonably practicable steps must be taken to ensure that the personal data is secure and protected against unauthorized or accidental access, processing, erasure or other use (DPP 4); that all reasonably practicable steps must be taken to ensure that an individual can access information about the data user's policies and practices in relation to the personal data, the kind of personal data about him or her that is being held, and the purposes for which it will be used (DPP 5); and that, with some exceptions, an individual is entitled to request access to all personal data held by a data user and to correct that data if it is inaccurate (DPP 6). There are provisions in the PD(P)O restricting the transfer of personal data outside of Hong Kong, but these are not currently in force.

Hungary

Employers must balance their need to obtain, use, store and disclose information for effective management and business purposes with their employees' right to privacy. The law distinguishes between ''personal data'' and ''sensitive personal data.'' Special rules apply for the transfer of personal data within and outside of the EEA. The National Authority for Data Protection and Freedom of Information is responsible for ensuring compliance and enforcing data protection.

Since May 2018, Hungary has been subject to the General Data Protection Regulation which introduced significant new obligations and onerous sanctions for employers.

India

Employee records and employee access to data

The Information Technology Act, 2000 covers data protection and violation of personal privacy. This statute safeguards against certain breaches in relation to data from computer systems, prevents unauthorised use of computers and creates liability for damage suffered in the event of unauthorized access, downloading, extraction and copying of data from a computer system/network. It stipulates the penalty for breaches of confidentiality and privacy.

The storage, management and handling of sensitive personal data or information belonging to persons located in India is regulated by the Sensitive Information Rules enacted under the Information Technology Act, 2000. Sensitive personal data or information is defined under the Sensitive Information Rules to include passwords, financial information, physical, psychological and mental health conditions, sexual orientation, medical records and history, biometric information.

Any body corporate receiving any of the above types of information as a result of either using the services of an individual or employing an individual must comply with the Sensitive Information Rules regarding processing and storing that information.

Indonesia

Law No. 11 of 2008 on Electronic Information and Transactions, which recently has been amended, restricts the electronic use of private data without the data subject's consent. Under Law No. 39/1999 on Human Rights, each individual has the right to their own privacy, and cannot be subjected to an investigation in relation to personal data without their agreement, except on the order of a court or other legitimate authority under prevailing legislation. A new draft of the Data Privacy Law has been prepared, but it is not clear when it will be introduced

Ireland

Since May 2018, Ireland has been subject to the General Data Protection Regulation (GDPR), which introduced significant new obligations and onerous sanctions for employers. GDPR requires employers to identify a legal basis for their processing of personal data and it is unlikely that a "catch all" consent will enable processing of employee data by an employer. Employers must ensure that they have GDPR compliant documentation and that they are able to deal with the new rules on subject access requests. There continue to be significant restrictions on monitoring employees, including email and internet use.

Israel

Employees generally must be notified of the terms of the employer's personal data processing policy, and must consent to it. Registrations in the Databases Register may be required. Special rules apply to data transfer outside Israel. Significant restrictions on monitoring email and Internet use. Monitoring personal email is restricted.

Italy

Employees generally must be notified of personal data processing (and in certain cases, give consent). Special rules apply to data transfer outside the European Economic Area (EEA). Not possible to control or monitor employees remotely with devices unless upon agreement with works council or authorization of the Labor Office, with the exception of the instruments used by the employee to carry out their work or to detect access or attendance. Since May 2018, Italy has been subject to the General Data Protection Regulation, which introduced significant new obligations and onerous sanctions for employers.

Japan

The receipt, maintenance of and access to personal information relating to an individual is regulated by the Act of Protection of Personal Information. Broadly, upon the collection of such information, the collector must notify the person of the purpose of the use of such information, and thereafter must take necessary and proper measures to prevent leakage, loss or damage of that information, and take other reasonable steps to control the security of the personal information. In addition, the party maintaining such information is required to adopt internal regulations designed to ensure the confidential and secure maintenance of such information as long as it is held. Disclosure of personal information to third parties (parent and affiliated companies are considered third parties) is strictly limited.

Kenya

Kenya does not presently have data protection legislation. There are, however, two draft bills, both titled the Data Protection Bill, 2018 which were published during 2018. Both Bills are modeled along the lines of the EU General Data Protection Regulations (GDPR).

The Constitution gives citizens the absolute right to privacy, but some restrictions may be imposed contractually, especially relating to data transfer to third parties.

Kenya has also enacted the Computer Misuse and Cyber Crimes Act, 2018 which creates various offences, including the rights to privacy, in relation to computer systems.

Kuwait

There are no clear laws in Kuwait comparable with those in the US or Europe concerning the handling and transmission of employees' personal information, nor do any provisions address the cross-border flow of data. However, it is advisable to seek prior written consent to the processing of personal data from the employee to the extent necessary to address the various privacy protections set out in Kuwait law, including the protections set out in the Kuwait Penal Code and the Kuwait Constitution.

Luxembourg

The General Data Protection Regulation (GDPR) is in force since May 25, 2018. It has been complemented by a law dated  August 1, 2018.

Since then, the processing of personal data is no longer subject to a prior notification to/authorization from the National Data Protection Commission (Commission Nationale pour la Protection des Données or CNPD). However, the processing of personal data for the purpose of supervising employees in the context of employment relationships may only be carried out by the employer under certain conditions.

The employee's consent does not legitimize the processing of data.

Employees as well as the Staff Delegation/the Labor and Mines Inspectorate (Inspection du Travail et des Mines or ITM) must be notified of any personal data processing.  

Data subjects have the right to lodge a complaint with the CNPD.

Malaysia

Collection and processing of personal data is governed by the Personal Data Protection Act 2010 (PDPA). Employers must obtain employees' consent (implied or express) before collecting and processing employees' personal data, and explicit consent is required if "sensitive personal data" is being collected. Employers must notify their employees of the nature and purpose of information being collected, to whom it is being disclosed, and that the employees have the right to access such data. Employee consent is also required before employee personal data is shared with third parties (for example, external payroll service providers).

As a result of the PDPA, an employee consent/notice document is required. This document has to be bilingual – in both English and Bahasa Malaysia – and is usually a separate document and referenced in the employment contract.

Mexico

To process personal data, data controllers must provide a privacy notice to the affected employees prior to the collection and processing of such personal data. In the case of data transfers, the privacy notice must contain the name of the transferee or the person to whom the information is transferred. All transfers of personal data to domestic or foreign third parties must be pre-approved by the data subject/employee.

Morocco

Employees must be notified of data processing in accordance with law No 09-08 on data protection. Employees' consent to the processing of their data is required. Employees should be given the right to have access to and modify/amend their personal data.

Employers must declare the data processing to the national committee for data protection (Commission Nationale de protection des Données Personnelles).

Mozambique

The Constitution of the Republic of Mozambique, as well as the recently enacted Electronic Transactions Law (The Law No. 3/2017, of January 9), prohibits the access to data bases or to computerized archives, files and records for obtaining information on the personal data of third parties, as well as the transfer of personal data from one computerized file to another that belongs to a distinct service or institution, except in cases provided for by law or by judicial decision.

The Labor Law establishes that employers may not require an employee to supply information regarding his private life, except when particular requirements inherent to the nature of the professional activity so require. Also, employees' personal data obtained by an employer is subject to a duty of confidentiality, and information the release of which would violate that employee's privacy rights may not be given to a third party without the consent of the employee, unless it is required by law.

Myanmar

There are not currently any specific laws or regulations in Myanmar relating to data privacy. However, per the Law Protecting the Privacy and Security of Citizens enacted on March 8, 2017, a person is not allowed to do the following without permission of the relevant authorities:

  • Request or acquire any private call data, electronic communications data and information from operators or supply such information
  • Open, search, seize, destroy or damage any envelope, parcel or correspondence communicated that are the personal affairs of other individuals and
  • Criticize or interfere in the personal affairs and family affairs of any citizen or engage in conduct that may be detrimental to the good name, standing or dignity of an individual

Other than the above, there are currently no other laws or regulations on data privacy.

Netherlands

Employees generally must be notified of personal data processing (and in certain cases, give consent). Registrations with the Information Commissioner are required. Special rules apply to data transfer outside the EEA. Significant restrictions on monitoring email and internet use.

From May 2018, the Netherlands are subject to the General Data Protection Regulation (GDPR), which introduces significant new obligations and onerous sanctions for employers. In general, GDPR aims at empowering individuals (including temporary employees, job applicants, contractors, trainees and other workers) with regard to controlling the use of their personal data and at harmonising the data protection legislation across the EU.

New Zealand

The Privacy Act 1993 controls New Zealand data privacy and determines how employers collect, use, disclose, store and give access to ''personal information.''

Nigeria

The National Information Technology Development Agency has published Data Protection Guidelines, 2019 which safeguard the rights of natural persons to data privacy.

Norway

Notification to the employee is required. An obligation to notify the Data Inspectorate may apply. Significant restrictions on monitoring and control of employees. Special provisions apply for transmission of data outside the EEA. 

Oman

There are no clear laws in Oman comparable with those in the US or Europe concerning the handling and transmission of employees' personal information. However, the Electronic Transactions Law, RD 69/2008 (''ETL'') provides for the protection of personal data and regulates the transfer of personal data outside of Oman.

The Cyber Crime Law, Royal Decree no. 12 /2011 (''Cybercrime Law'') provides that it is an offense to violate the privacy of individuals through technology, and prohibits the collection of private data.

It is advisable to seek prior written consent from employees to the processing of their personal data to the extent necessary to overcome the various privacy protections set out in the applicable civil and criminal laws.

Philippines

When an employer collects and processes personal information of its employees, especially sensitive personal information, the employer must comply with applicable guidelines on the adoption of organizational, physical and technical security measures and the registration thereof with the National Privacy Commission. The data subject must have given his or her consent prior to the collection, or as soon as practicable and reasonable. An employer's collection of personal information from its own employees does not require the employee's prior written consent, provided the personal information collected and the processes applied to such information are only to the extent necessary for compliance with legal requirements prescribed for an employer-employee relationship.

Poland

An employer is obliged to respect its employees' dignity and other personal rights, including their privacy and the confidentiality of the content of employees' private correspondence. There are no specific regulations on the protection of employees' privacy at work; however, statutory rules forbid the secret monitoring of employees and there are specific rules to introduce camera monitoring. The Polish Labor Code sets forth specific rules regarding collecting and processing personal data of the candidates and the employees, and in particular, lists the type of data that can be requested by the employer. In matters not regulated by the Labor Code, general rules on data protection provided for in the Act on the Protection of Personal Data and the General Data Protection Regulation apply.

Portugal

The Data Privacy Law No. 67/98 governs Portuguese data privacy and determines how employers collect, use, disclose, store and give access to "personal information."

Various restrictions, notification or authorization requirements towards the Portuguese data protection authority (CNPD). Data transfers outside of the EU are subject to additional requirements. Significant restriction on monitoring Internet and e-mail use.

Except if required for the execution of the employment contract, employees generally must give consent to personal data processing. Employees have the right to be informed about the use of their personal data.

Since May 2018, Portugal is subject to the General Data Protection Regulation, which will introduced significant new obligations and onerous sanctions for employers. A local privacy law under GDPR has not been enacted yet.

Qatar

On November 2016, Qatar issued a new data protection law No. 13 of 2016 on Protection of Personal Data Privacy (Data Protection Law). Businesses must take action to protect the privacy of personal data or risk fines of up to QAR 5 million. Some of the key features of the new law are:

  • Personal data is defined as data relating to an individual whose identity is determined, or able to be reasonably determined, either through the data or through linking this data with other data
  • The Data Protection Law applies to personal data when it is processed electronically, or when it is accessed or collected or extracted otherwise in preparation for its electronic processing, or when it is processed in a traditional and electronic way together
  • The processing of personal data will be regulated in a way which bears similarities with existing data protection regulations elsewhere in the world
  • Particular protection will be provided to certain types of personal data, such as data relevant to children, to physical and mental health and to crimes referred to as sensitive personal data
    • For example, parental consent will be required in connection with the online collection and processing of the personal data of children
  • Businesses will need to implement suitable measures, including training, to protect personal data from loss, damage, modification, disclosure or illegal access
  • Direct marketing will require the prior consent of the intended recipient and, amongst other requirements, the relevant communication must include a means by which the recipient may opt-out of future communications

This law may sit alongside the Qatar Financial Centre data protection regulations. It is also important to note that as per the Qatar Penal Code it is advisable to seek prior written consent to the processing of personal data from the employee to the extent necessary to overcome the various privacy protections.

Romania

Employees must be informed of personal data processing (and in certain limited cases, must give consent).

Since from May 2018, Romania has been subject to the General Data Protection Regulation (GDPR), which introduced significant new obligations and onerous sanctions for employers. Under the GDPR, specific rules apply to any personal data transferred outside the European Economic Area aimed at ensuring that appropriate safeguards are provided for the transferred personal data and that enforceable data subject rights and effective legal remedies for data subjects are available.

Monitoring of employees, including email and internet use, may be performed under very specific circumstances, provided that the legal provisions which impose restrictions on interference with the protection of private life, data privacy and electronic communications are complied with.

Russia

In certain cases, employers are required to obtain the prior written consent of their employees in order to process their personal data (eg, transferring personal data to third parties including cross-border transfers).

Saudi Arabia

Transfer of employee data outside of the KSA is not regulated under Saudi law. However, general Sharia principles provide for personal data protection rules which imply that employers should include provisions in employment contracts where the employee's consent is required for the employer to use or disclose the employee's data to third parties, to the extent that such disclosures may be required.

Singapore

Generally, employers are required to at least notify applicants of the purposes for which their personal data is being used in connection with the management and termination of employment and/or obtain their consent where collecting, using or disclosing their personal data.

However, under the PDPA, an employer is permitted to collect, use and disclose the employees' personal data for purposes of managing or terminating an employment relationship without the need to seek employee's consent, so long as the employee has been notified of the purposes of such collection, use and disclosure and/or provides his or her consent prior to such collection, use and disclosure. Notably, employers may collect, use and disclose personal data without obtaining the employees' consent or notifying them where it is necessary for evaluative purposes, including the determination of the suitability or eligibility of an individual to whom the data relate for employment, continuance in employment or promotion.

Note that employers would need to seek consent for purposes that are not related to, or for the collection of personal data that is not relevant to the management or termination of an employment relationship or not relevant for evaluative purposes (unless any other exception under the PDPA applies).

Slovak Republic

Covered by national Data Protection laws and EU rules. Processing of personal data is generally unlawful except as listed in relevant legislation, or based on consent of the individual. Special rules apply to data transfers outside the EEA.

In general, an employer may collect personal information on an employee which relates to his or her qualifications and professional experience, and other information which is relevant to the work carried out by the employee.

From May 2018, Slovakia is subject to the General Data Protection Regulation, which introduced significant new obligations and onerous sanctions for employers.

South Africa

The right to privacy is protected under the Constitution of the Republic of South Africa, 1996 and the common law. Case law recognizes that the right to privacy is not absolute and may be limited where it is reasonable and justifiable to do so. Personal information may generally be processed with consent or where necessity dictates.

The Protection of Personal Information Act, 2013 (POPIA) has been signed into law but, save for certain sections, is not yet in force and effect. It is anticipated to come into effect shortly.

South Korea

Under the PIPA, an employee is entitled to request the employer to allow access to, correct or delete his or her personal information. The PIPA requires an employer to obtain the consent of the individual employee when his or her personal information is obtained or provided to third parties.

Spain

Employees generally must be notified of personal data processing (and in certain cases, have to give consent). Registration of databases with the Spanish Data Protection Commissioner (AEPD) is required. Special rules apply to data transfers, even between companies belonging to the same group. International data transfers are subject to a stringent regime of administrative approvals and consents. Significant restrictions on monitoring email and Internet use at the workplace. Spain is subject to the General Data Protection Regulation.

Sweden

The Swedish Personal Data Act applies to the processing of employees' personal data. The employer must ensure that the fundamental requirements for processing of the employees' personal data are fulfilled (eg, personal data must be correct, adequate and relevant in relation to the purposes of the processing, and may not be retained for a longer period than is necessary in light of the purposes of the processing); there must be a legal basis for the processing, such as performance of the employment agreement or consent; and the employee must receive adequate information regarding the processing. Special rules apply to data transfers outside the EEA.

Since May 2018, Sweden has been subject to the General Data Protection Regulation, which introduced significant new obligations and onerous sanctions for employers.

Switzerland

In general, employees should be notified of any processing of their personal data (and in certain cases, give consent). Registrations with the Federal Data Protection Commissioner are required in certain circumstances. Special rules apply to data transfers outside of Switzerland. Significant restrictions on monitoring email and Internet use.

Taiwan

The collection, processing, and use of employee personal information is governed by the Personal Information Protection Act. The Act has notice and consent requirements that can be applicable to the collection, processing and use of employee information. This applies to cross-border transmission of the information or any use outside of the norms of a domestic employment relationship.

Under amendments to the Employment Services Act that came into force in late 2012, the amount of personal information that an employer may request from an employee or prospective employee has been severely restricted. Prohibited or restricted personal information includes: physiological information: for example, medical tests and fingerprints; psychological information: for example, psychiatric tests and polygraph tests; and personal lifestyle information: for example, financial records, criminal records, family information and plans, and background checks.

Thailand

There are currently no provisions governing data privacy under Thai law, although the Constitution offers general data privacy protection. However, the misuse of another's personal data without consent could be considered a wrongful act under Thai civil and commercial code (ie, willfully, negligently or unlawfully injuring the life, body, health, liberty, property or any right of the injured person), and Thai Criminial Code (ie, disclosure of secrets), if such misuse causes damages to the data subject.

Turkey

Employees must be notified of personal data processing and their prior written consent should be obtained (unless exceptions stipulated under the relevant legislation are present) for such processing and transfer of their personal data. Personal data should be processed:

  • In accordance with the law
  • In good faith
  • For definite, clear and legitimate purposes
  • In a relevant and measured manner

Data controllers (individuals or legal entities that determine the purposes and means of processing personal data - eg, employers) are required to be registered with the Data Controllers Registry.

Uganda

A Data Protection and Privacy Bill has not yet been passed into law. The right to privacy, however, is enshrined in the 1995 Constitution of the Republic of Uganda.

Ukraine

In most cases, the processing of personal data requires the consent of the respective data subject. However, employers are allowed to process an employee's basic personal data without consent to the extent required to perform the employer's statutory obligations (eg, pay salary, perform statutory reporting, etc.).

Processing of sensitive data (eg, health status data, data related to religious beliefs, political views, etc.) is prohibited, unless the individual provides explicit consent or there is a statutory ground for processing these categories of data. The processing of sensitive data requires notification to the Ukrainian Parliament Commissioner for Human Rights.

Cross-border personal data transfers require documents such as an intercompany agreement on the transfer of data, etc., in addition to the data subject's consent.

United Arab Emirates

With the exception of the Dubai International Financial Centre Free Zone, there are no clear laws in the UAE comparable with those in the US or Europe concerning the handling and transmission of employees' personal information, nor do any provisions address the cross-border flow of data. However, it is advisable to seek prior written consent for the processing of personal data from the employee to the extent necessary to address the privacy protections set out in UAE law, including the protections set out in the UAE Penal Code, Cyber Crimes laws and the UAE Constitution.

United Kingdom

Since May 2018, the UK has been subject to the General Data Protection Regulation (GDPR) and the Data Protection Act 2018, which has introduced significant new obligations and onerous sanctions for employers. Under this new regime, it is extremely difficult for employers to rely on consent as a basis for processing employee data and other legitimate grounds generally need to be identified.

United States

Certain states restrict the use of employees' social security numbers for any identifying purposes. Medical information must be maintained separately from personnel files and kept confidential. Otherwise, employers generally are entitled to monitor or search corporate emails of their employees and internet traffic accessed by their computer systems, on the premise that employees do not have an expectation of privacy in the use of their employer's computer systems or corporate emails (especially with a policy that says so). Jurisdictions vary as to an employer's ability to search or monitor personal email addresses and websites accessed from an employer's computer or premises.

Venezuela

There is no general legislation on data protection in Venezuela. However, employees should be notified of personal data processing, and in certain cases, they must give consent. In cases involving medical checks, the employee has the right to request the confidentiality of the results.

Vietnam

The Civil Code requires any person to seek the consent of an individual before collecting, storing, using or publishing their personal data. The parties to a contract are not permitted to disclose any information about the private life or personal affairs of each other that they became aware of in the course of entering into and performance of the contract.

The 2018 Law on Cyber Security covers any domestic or foreign enterprise that provides services on telecommunications networks, the internet or value-added services in Vietnam's cyberspace. The law governs the collection, exploitation, analysis, and processing of personal data, data about service users' relationships, and data generated by them in Vietnam. Under this law, any such data must be stored in Vietnam under the terms stipulated by the Government. Any such foreign enterprise must have a branch or representative office in Vietnam.