Corona – Home Office and Data Protection

The circumstances governing the handling of COVID-19 are currently changing on a daily basis. We are all committed to reducing the risk of further spread and protecting our employees. Wherever possible, companies are therefore currently reorganising and offering their employees home office solutions. 
Data protection plays an important role here and three key issues should be addressed:

  1. Does the employee working from home come into contact with personal data?
  2. What protective measures are required at the home workplace?
  3. What are the information obligations towards the supervisory authority?

Basically, the same data protection requirements apply at the home workplace as in the office. Which protective measures are required ultimately depends on the data the employee handles at home.
The processing of data without personal reference is unproblematic in terms of data protection. However, as soon as personal data, special categories of personal data in accordance with § 3 para. 1, 9 BDSG, or social data in accordance with § 67 para. 1 SGB X are concerned, the processing becomes relevant from a data protection point of view.
The higher the sensitivity of the personal data concerned, the stronger the protection must be. How a home office arrangement is regulated from a data protection perspective must therefore be decided case by case. In any case, the company's data protection officer should be involved in organising the arrangement, because responsibility for data protection remains with the employer, even for work done at the home workplace.
The following applies to employees:
The working room should be lockable, or at least a lockable cabinet for official documents should be provided. The employee should ensure that personal data cannot be accessed by third parties; confidential telephone calls, for example, should not be made in the presence of third parties such as spouses or children. The IT equipment provided by the company should not be used privately (no access for children). The computer should be locked whenever the room is left. Business e-mails may not be forwarded to private accounts.
The employer also has obligations:
For example, the IT equipment provided must be data protection-compliant (e.g. encryption of hard drives and of external data carriers such as USB sticks), the operating systems must be secured with a password, and electronic data transmission (e.g. e-mail) must be encrypted in accordance with the state of the art; access to the employer's systems should only be possible via a VPN. A concept for handling and destroying sensitive documents and printouts (e.g. by means of shredders or data bins) should also be developed.
Always keep in mind the legal consequences of a loss of data: a personal data breach may trigger an obligation to notify the responsible supervisory authority (Art. 33 GDPR, within 72 hours of becoming aware of the breach) and, where the breach is likely to result in a high risk, to inform the affected data subjects (Art. 34 GDPR).
What to consider when using video conferencing tools:
In order to keep in touch with customers and colleagues from the home office, video conferencing tools are increasingly used. These applications must also be chosen with due regard to the protection of personal data.
On-premises options, i.e. software that is hosted on your own servers, give the company the most control over the data and are therefore generally the most secure way. Smaller companies that do not have these options often use SaaS solutions. In that case it is important to ensure that the service provider, acting as a processor, processes the data in compliance with the current data protection regulations and that a data processing agreement is concluded with it (Art. 28 para. 1 and 3 GDPR).
Ultimately, the controller remains responsible for selecting suitable software and must take into account encryption of the transmitted data, restriction of log files, deletion of chat histories, rules for file exchange, the handling of conference recordings, and so on.