Working from home brings with it a range of new challenges. Special precautions should be taken when personal data and other confidential information from the employment context are handled outside the company's premises.
From a data protection perspective, the home office is a difficult situation for employers. On the one hand, they remain the controller within the meaning of Article 4 (7) of the GDPR for all operational processing of personal data and are therefore obliged to take appropriate technical and organizational measures to ensure the security and integrity of that processing. Neither the GDPR nor the German Federal Data Protection Act (BDSG) differentiates between an employee working mobile and an employee working in company facilities. On the other hand, employers have no direct control over what happens in the home office. Against this background, it is very important that employers clearly communicate their expectations regarding compliance with data protection law and the protection of confidential information, and that they oblige their employees to comply with the relevant operational measures.
The responsibility of employers arises from the fact that they decide how and for what purposes personal data are processed in the operational context. Employees are therefore bound in every respect to the employer's instructions with regard to data processing. In the home office, third parties such as family members or visitors potentially have more opportunities to access sensitive data, so the infrastructural security that should prevail on office premises does not exist to the same extent. The employer must therefore take extended measures to prevent access by third parties and establish an adequate level of protection. As an aid, the Federal Office for Information Security (BSI) has published tips for secure mobile working, which can be found here (in German).
Employers should train all employees in the handling of personal data on the one hand and of company and trade secrets on the other, and in particular cover the situations in which such data may leave the protected operational area with the employer's consent. In our opinion, training is only effective if it is regularly repeated or refreshed. Employers may also want to issue dedicated home office or mobile working guidelines and make compliance with them mandatory. Such guidelines can also be adopted by concluding works agreements.
Under no circumstances should employers allow employees to use their own devices, such as private cell phones and computers, for their work activities at home. An adequate level of data protection can only be achieved if operational data is processed exclusively on devices provided by the employer. In our view, "BYOD" ("Bring Your Own Device") has not been a good idea since the GDPR entered into force, and it should therefore be avoided. Of course, the employer must ensure that its entire IT infrastructure is kept up to date and is regularly maintained and patched. This applies not only to the servers and desktops in the company, but also to the laptops and cell phones issued to employees for business purposes.
It is also the responsibility of the employer to ensure secure communication channels between the home office and the company. In our opinion, this includes an encrypted VPN connection from the employee's laptop to the office infrastructure.
Since unauthorized third parties outside the company are more likely to have access to the workplace when an employee works from home than is usually the case in the office, both the employer and the employee must take special measures to secure the home office workplace. One example is the use of privacy screen filters, which the employer can provide so that the laptop display cannot be read from the side. The data protection obligation also extends to the storage of materials after work and during breaks. The employee must ensure at all times that all company documents are securely locked away so that the information in them cannot be viewed by unauthorized third parties. Security precautions must of course also be observed when transporting or disposing of documents. Documents and data carriers should only be disposed of by the employer and must not be thrown into the employee's private garbage can.
Ultimately, the home office also imposes increased obligations on the employee in handling the technology. Passwords must not be shared with family members, and locking the work equipment during breaks or other absences from the home office workplace takes on special importance.
Home offices can in principle be set up in conformity with data protection law if both employers and employees do their part to ensure compliance. For the protection of company and business secrets, however, we recommend that particularly "valuable" data not be moved outside a secure operational environment such as the employer's own facilities.