Many companies currently allow employees to work from home or even encourage them to do so. At present, it is not possible to say when this situation will end. Depending on how the coronavirus pandemic develops, many more home office jobs could be added in the near future.
Home office has been set up for the first time
In practice, data protection will often be of secondary importance, because for many companies, the ability to survive at all depends on home office work. These companies may still consider the law from an economic point of view: is the avoided fine from the data protection supervisory authority still of any use if the company is insolvent due to a lack of working employees? The answer is probably no.
Data protection should not be ignored completely
Nevertheless, companies should at least make an effort to ensure data protection when using the home office. Otherwise, there is a risk of surviving the Corona crisis but not the subsequent fine proceedings for data protection violations. In this respect, the current model for calculating fines is based on the company's previous year's turnover. So far, there have been no announcements that the Corona-related losses would be taken into account.
So while the home office was initially set up with a lot of spontaneous work from the IT department to keep the company running despite SARS-Cov-2, a certain initial calm has now set in in many places. Employees quickly got used to the home office and the initial technical problems were overcome. IT has also had a good night's sleep again.
Then, at the latest now, the data protection authorities expect that work is now also being done on compliance with data protection requirements.
Design of the home office workplace
One of the most important requirements for a home office is maintaining confidentiality.
The workplace must therefore be designed in such a way that no one can see personal data, including family members or other third parties. The frequently encountered desk against the wall is not ideal in this respect – but as long as only the home office employee is in the room, it is not problematic. Otherwise, the screen must be positioned so that it cannot be seen (even by the neighbor through the window).
Basic data protection also requires that the computer be locked as soon as third parties approach the device or when you leave the device and other people could enter the room.
Paper documents are often particularly difficult to secure against prying eyes in the home office. In this case, the family will have to accept that there may be times when the home office employee has a personal, locked drawer that must not be accessible to anyone else. Where there is no such drawer, a lockable suitcase will suffice as an interim solution. It goes without saying that disposing of business papers in the household rubbish should be taboo.
When making phone calls, no one should be able to listen in, or you must be careful not to give any identifying information. To prevent business partners from finding out the private numbers of employees, it is advisable to use company cell phones, which can still be obtained, or some telephone systems also allow a telephone app to be connected via the internet. These options should at least be documented and checked to be able to prove your own efforts to a data protection authority at a later date.
At the very least, the employer will have to impose documented obligations on its employees with regard to these issues, or withdraw the home office if necessary in the event of a lack of cooperation or compliance.
Where should you store the data?
You will only be able to allow business-related personal data to be stored on private devices if these devices are used exclusively by the employee.
In addition, encryption should be considered for all devices. Notebooks, if their hard disks are not encrypted, also belong in the above-mentioned drawer, as long as you do not work to prevent unauthorized access.
The better way from a data protection perspective is therefore to work on a terminal server or another remote working solution on the company IT through a secure VPN connection, whereby the remote devices must not, of course, endanger IT security. The introduction of such a way of working, which is often technically more complex, should be tackled at the latest when IT capacities can be freed up for this purpose.
The use of cloud storage with third-party providers is only permissible under data protection law in very few cases. All too often, the necessary encryption, the processing of data only within the EU, order processing agreements and much more are lacking when using it.
Other topics
A variety of other topics also require closer examination, such as the question of which email address to use, how to securely remove data from devices, whether there are any data protection-compliant messenger/video conferencing systems and how to deal with data loss in the home office. We would be happy to advise you in more detail, analyze with you where you stand and what you should do as a matter of priority to comply with data protection.
The statements represent initial information that was current for the law applicable in Germany at the time of initial publication. The legal situation may have changed since then. Furthermore, the information provided cannot replace individual advice on a specific matter. Please contact us for this purpose.