Working from home, teleworking, remote working and mobile working are flexible forms of work in which employees carry out all or part of their work from their private environments. In the past months of the Coronavirus pandemic, these models have become increasingly popular, but there has not yet been a clear or even unified approach.
Germany presents bill for a “Mobile Work Act”
The German Federal Ministry of Labour and Social Affairs has recently presented a bill for a “Mobile Work Act” with the aim of creating a legal framework to promote and facilitate mobile work. It states:
“The Federal Government has set itself the goal of promoting and facilitating mobile work and creating a legal framework for this. Mobile work can increase the motivation and job satisfaction of employees. It thus offers businesses the opportunity to increase their attractiveness as employers and to retain skilled workers.
Mobile working also contributes to a better work-life balance and can reduce commuting times. Although mobile working is possible in an increasing number of activities, employers still make too little use of this potential. It is therefore an important labour and family policy concern that employees can voluntarily work from a flexible location and that this is also promoted within businesses”.
Compatibility of working from home/remote work and data protection
When contemplating a contractual arrangement for remote work, you should take into account the types of data being processed, the processing purposes, etc. to assess whether the performance of the respective tasks in the context of remote work is justifiable under data protection law.
Since the management has less control and influence, the risk of data abuse by third parties can be higher in remote environments than in the office, for example.
Especially in the case of personal data requiring special protection, this is only justifiable if appropriate technical and organisational measures can be ensured. This applies to special categories of personal data pursuant to art. 9(1) GDPR such as health data and (under certain conditions) social security data.
The underlying principle is that more sensitive data requires more protection. For this purpose, a risk analysis can be used to examine the threats to the rights of data subjects, the respective level of damage and the probability of occurrence.
On the basis of the identified risk value, in consideration of the implementation costs and taking into account the state of the art, the controller must define and implement effective and appropriate technical and organisational measures before allowing remote work. These measures must ensure the protection of the processing by reducing the risks to an acceptable level.
Therefore, guidelines on data protection and security for remote work should be established – and explained to the employees in an understandable and comprehensible way.
Contractual arrangements between employer and employee
An agreement for remote work can be implemented separately. It can then contain the guidelines on remote work in the appendix.
As an employer, you must ensure that regulations and laws on occupational health and safety, working time regulations and data protection are met in remote work environments to avoid fines.
ePrivacy advises its clients on the creation of an individual work-from-home policy.
Adapting your GDPR documentation to reflect remote work
Technical and organisational measures for the processing of personal data when working from home must be defined. These can be adapted accordingly with regard to remote work. We recommend integrating the essential, necessary measures directly into the work-from-home policy.
The TOMs already in place for the company should reflect the measures required for remote work as far as possible. It should be borne in mind that the TOMs should ensure an appropriate level of protection for the processing of personal data throughout the company.
Alternatively, specific regulations to ensure the necessary technical and organisational measures in remote work environments can be added to the existing TOMs.
Controller-processor relationships and remote work
In the case of controller-processor relationships under art. 28 GDPR, both controllers and processors must ensure that data protection is maintained and that the audit rights – also for the supervisory authority – are guaranteed. This also applies to the processing of personal data in remote work.
When using (new) software for remote work, businesses must ensure that the information requirements regarding these systems under art. 13 GDPR are met.
Our checklist helps businesses meet all the essential requirements
Here is an excerpt of important To-Dos to consider when your employees work from home:
- make documented arrangements for remote work, including defined security measures and communication channels
- make your employees aware of potential risks, e.g. phishing
- access protection must be guaranteed in the same way as in the office
- security requirements for the IT systems used remotely
- mobile devices and data carriers must be encrypted
- use of screen protectors, especially in public environments
- enable more secure remote access to the corporate network
- protect data from loss with regular backups
- clear reporting channels and prompt notification of loss in the event of lost equipment
- communication channels and contacts that can be clearly verified by employees, e.g. in the event of a data protection incident
- name a contact person for supporting remote workers
- set up rules as well as training for working with external IT systems/networks
- ensure that confidential information is deleted correctly
- check whether an adequate level of protection for documents with increased confidentiality requirements can be ensured in remote environments and, if necessary, take additional security measures.
Template for creating a work-from-home policy
ePrivacy has created a template to help our clients create and implement an individual work-from-home policy in their company.
Please feel free to contact us at any time.