Designing the home office in compliance with data protection regulations
Position of the data protection supervisory authorities
In 2019, shortly before the start of the coronavirus crisis, the Federal Commissioner for Data Protection and Freedom of Information (BfDI) presented its position and recommendations on "Teleworking and Mobile Working". According to this, the following points, for example, must be observed when working from home:
"Private use of IT equipment provided by the employer is not permitted."
"Private hardware and software may not be used for teleworking and mobile working."
"Responsibilities for handling personal data must be comprehensively defined in the contract."
"Access of authorized persons to sensitive personal data only with PIN and hardware-based trust anchor (two-factor authentication)."
"No connection of printers."
"Regular training / further training of employees on data security and data protection-compliant handling of mobile devices."
"The data protection principles for teleworking and mobile working must be laid down in a company/service agreement."
After the start of the coronavirus pandemic, it was clear from the positions taken by various data protection supervisory authorities that the requirements were not initially set too high during the rapid changeover. However, some of these positions were also clearly limited in time, e.g. until April 2020. Now that some time has passed and there has been an opportunity to make the necessary adjustments, it stands to reason that the data protection supervisory authorities will also return to their original, strict requirements.
Irrespective of the actions of the data protection supervisory authorities, however, there are also contractual obligations that may be breached, as outlined in the following section.
Order processing
As already explained in our separate article on the topic of home office and order processing, contractual adjustments will be required for existing order processing, especially if you are on the contractor side of the order processing. This is because order processing usually regulates the technical and organizational measures as they exist in the company, but not as they exist in the home office. For example, there are often regulations on fire alarm systems, multiple locking systems, backup systems and, if necessary, security guards. On the basis of the level of protection described in this way, the client has then placed the order and the contractor has undertaken to essentially comply with this standard of protection. In the home office, however, the standard of protection will not exist in this form.
It is true that some data processing agreements (DPAs) contain clauses on a home office. However, these are usually very general and therefore questionable in terms of their effectiveness. In addition, many home office clauses are based on the assumption that only occasional remote maintenance or similar work is carried out. However, this does not generally include a comprehensive transfer of work to the home office. In the absence of a home office clause, a comprehensive activity as a processor from the home office will be inadmissible. If the clauses proposed by the data protection authorities have been used in some cases, a relocation to the home office also requires the prior express consent of the client, subject to special technical and organizational measures.
Please refer to our separate article on home office and order processing for further details.
Video conferencing systems and other new technologies
The GDPR itself only contains very general provisions on technical and organizational measures, in particular in Art. 32 GDPR. Ultimately, the state of the art must be observed. However, it is very difficult to determine this on the one hand because there are usually a large number of separate technical recommendations and documents to be observed, e.g. the BSI's IT baseline protection compendium. On the other hand, there is the practical problem that technical design is often only possible to a limited extent: if an external video conferencing solution is to be used, for example, there is only limited influence on how the data is actually handled. Even determining exactly how such systems are technically designed in order to evaluate them poses considerable difficulties.
Even if a solution has been found and properly designed, it is necessary to regularly check whether adjustments need to be made. If, for example, a video conferencing solution from a provider based in the USA is chosen, it will be crucial (in addition to the possibility of using standard contractual clauses approved by the EU Commission) that the company is certified under the EU-US Privacy Shield, including the special certification for HR data. This must be ensured before use. However, the ECJ is expected to rule on the admissibility of the EU-US Privacy Shield in summer 2020. As the ECJ has already classified the similar predecessor system "Safe Harbor" as inadmissible, there is a not unfounded fear that the EU-US Privacy Shield may also be classified as ineffective in the foreseeable future. Due to this fear, the EU Commission is already examining alternatives to the EU-US Privacy Shield, as can be seen from a response from the EU Commission to a query.
Regardless of the outcome of the ruling, it remains clear that even systems that have already been introduced must always be reviewed to ensure that they remain lawful.
Employer liability and employer checks at the employee's home
If employees work from home, liability remains with the employer. In view of the considerable range of fines under the GDPR, it is therefore in the particular interest of a company to ensure that it is properly organized. Because of the liability privilege of employees, according to which they can only be held partially or fully liable in the event of gross negligence or intent, companies are well advised to provide employees and other staff with clear guidelines, e.g. through clear QM instructions specifically for the home office. It should be checked whether it actually makes sense to provide a special QM instruction for the home office or rather to go through the existing QM instructions and add sections with special regulations for the home office.
The employer will also have to carry out checks. This does not necessarily mean that on-site checks must always be carried out, especially not during the contact restrictions due to the coronavirus pandemic. However, a graduated system should be established, consisting, for example, of regular training, discussions with individual employees, random checks and intensified checks in suspected cases. In 2019, for example, the Federal Commissioner for Data Protection and Freedom of Information (BfDI) demanded that an employer must have access to an employee's home in order to carry out checks. The extent to which such checks by the employer in the employee's private home are legally possible if the employee refuses and what consequences this has for the employee's home office activities must be assessed separately. In any case, it is advisable to make provisions on this under employment law as early as possible, possibly also as a standard provision for future employment relationships.
However, inspections at the employee's home may not only be required by the employer, but also by the data protection supervisory authorities themselves.
It should also be noted in particular that on-site inspections of an employee's home can also be carried out by clients of a data processing agreement. This is because it has been agreed in the data processing agreements (DPAs) that the controller must carry out regular checks, even if this does not always mean on-site checks. This is another reason why the "home office clause" in the data processing agreements (DPAs) is crucial (see above).
Information obligations and new technology tools
A major component of the GDPR is the obligation to inform data subjects. According to Art. 13, 14 GDPR, data subjects must be provided with certain information prior to data processing. In addition to "simple" information such as the name of the controller and the contact details of any data protection officer, more specific information must also be provided, such as the legal basis for the processing and the storage period. However, information must also be provided on the third parties to whom data is transferred and whether data is transferred abroad outside the EU/EEA. This also includes processors.
Example: If the video conferencing solution of a US provider is used, this may only be used if the data subjects have been informed in advance that the data will be processed via this video conferencing provider, that the video conferencing provider is based in a third country (or more specifically: the data is processed in a third country), and that an adequate level of data protection is ensured despite this third country reference. This sounds very complicated at first. However, such a description can usually be found quickly if the actual framework conditions are met (e.g. proper certification in accordance with the EU-US Privacy Shield). However, it is more important that the company provides the information in good time. It should be noted here that the data subject must be informed. If, for example, a video conference takes place between two employees in the company via a sole trader customer, this customer must be informed as their personal data is affected. As a minimum, it will therefore be necessary to add "data protection information" to the usual customer contracts, which should already be available as an annex anyway.
Requirements for the offline area
Data protection requirements also apply to the "offline area", i.e. paper documents and files located in the home office, as well as general protection against unauthorized access. It must also be ensured that family members do not gain access. The exact measures to be taken depend on which documents are usually held by employees and how "sensitive" the data contained in them is. For example, other protective measures must be taken if health data or religious affiliation are involved. It should be noted that such sensitive data can arise more quickly than expected. For example, religious affiliation is regularly processed in payroll accounting with regard to church tax.