Crisis management

Working from home from the perspective of data protection

Christian Knake

Current situation: In view of the COVID-19 crisis, the federal and state governments as well as experts recommend avoiding social contacts as much as possible in order to slow down the spread of the coronavirus. This also includes carrying out professional activities from home wherever possible. Employers weighing their options will naturally concentrate at first on the tension between the health of the employees and the maintenance of the employer's business operations. Accordingly, the data protection requirements associated with working from home appear to be of secondary importance at the moment.

Of course, data protection means, for example, that business documents must be protected against access by third parties, such as family members. But data protection also includes IT security. Employers have gained nothing in the end if they first send their employees to work from home to maintain business operations, but then operations come to a standstill in some other way. One conceivable scenario is, for example, a hacker attack on a company’s IT systems, facilitated by inadequate IT security measures in the employees’ office at home.

Consequently, the existing data protection requirements also apply to working from home. Compliance with them is probably challenging, in particular for businesses which have not yet established remote workstations or have done so only to a limited extent, since their implementation is subject to major organisational and technical requirements.

That means: Employers need to create the following conditions to ensure that working from home complies with data protection rules:

1. The technical and organisational measures specified by the employer pursuant to Article 32 of the General Data Protection Regulation (GDPR) must also be observed in home offices, such as:
  • Preventing unauthorised access to data carriers and documents: it must be ensured that e.g. business documents are not disclosed to family members;
  • Observance of password regulations and encryption techniques as well as screen locking when absent, in order to prevent e.g. family members from using the business computer for private purposes;
  • Access control concept in conformity with data protection rules;
  • Separation of private and business IT and telecommunications technology: family members surfing the web must not become a danger to the company network;
  • IT security concept: a secure connection to the employer's network (e.g. via Virtual Private Network "VPN") must be established;

2. No processing of special personal data (e.g. applications, sick notes etc.) within the meaning of Article 9 GDPR;

3. Monitoring of compliance with the code of conduct the employer established for working from home (Articles 40, 41 GDPR);

4. Involvement of a works council, if any, and of a data protection officer.

An ‘Employer’s Guide to Working from Home’ can be an appropriate means for laying down the organisational rules resulting from these requirements. Amongst other things, this guide sets out the rules employees have to observe from a data protection perspective. Its contents are to be communicated to the employees before their workplaces at home are set up. In return, the employees are required to observe these regulations.

Act now: In view of the many and sometimes complex questions around working from home and data protection, and in particular considering that a solution in conformity with data protection may be time-critical, you should deal with the relevant technical and data protection requirements right now. We will be pleased to assist you with your questions in this regard. Contact us.