Working from Home During the Coronavirus Crisis: Data Protection Requirements
In order to reduce the risk of infection and spread of the coronavirus (SARS-CoV-2), many companies are currently choosing to allow their employees to work from home if possible. If personal data are processed when working from home, it must be noted that the GDPR data protection regulations apply just the same. This applies in particular to the duty to take appropriate technical and organisational protective measures to prevent an infringement of data protection.
Particularly in view of the fines that may be imposed if data processing does not comply with the GDPR, this should not be disregarded in the current crisis.
When working from home, the confidentiality and integrity of personal data must be guaranteed, just as at a normal workplace in a company.
It follows from the principle related to the processing of personal data laid down in Article 5 (1) lit. f) GDPR that the personal data concerned must be protected from
- (i) against unauthorised or unlawful processing and against
- (ii) accidental loss, destruction or damage.
1. Use of hardware and software, storage of work results
In a first step, it is imperative that only the hardware and software provided by the employer is used when working from home. This applies not only to the PC used but also in particular with regard to the storage of work results. Such storage may not be on private storage media such as local hard disks or unsecured USB sticks but exclusively on servers or other hardware of the employer and, if possible, in the directories and folders provided for this purpose. To the extent possible, the company should create the possibility for employees to access the employer's IT infrastructure from home (via an Internet connection). If storage is only possible locally, the personal data concerned should then only be stored in encrypted form. In addition, local storage should be transferred to the usual systems and the respective folders at the next opportunity.
2. Printing out work results
The printing of documents in the home office should be limited to the absolutely necessary extent.
Printed documents should be destroyed immediately after their intended use has ceased. To the extent that the employee does not have equipment for the data protection-compliant destruction of documents, the printouts must be brought to the office for destruction at the next opportunity. Disposal with household waste is not permitted in any case.
3. Access to personal data
It must be ensured that only the respective employee working from home has access to the personal data processed in connection with his or her work activity. Family members, flatmates or other third parties must not be given the opportunity to do gain access. For this reason, employees should be encouraged to work in a room that is not accessible to other persons, at least temporarily. Alternatively, the screen should at least be positioned in such a way that it is protected from being viewed by third parties. When leaving the room, the work equipment should be switched off or at least the password-protected screen lock should be activated.
4. Data protection incidents
In the home office area, too, data protection incidents, i.e. in particular the disclosure of the personal data concerned to unauthorised third parties, must be reported to the respective company data protection officer or, if it was not necessary to appoint such an officer, first to the office in the company designated for this purpose by the management. A decision must then be made on how to proceed with the data protection incident, i.e. in particular whether there is an obligation to notify the data protection authorities and/or the data subjects.
5. Other measures the employer may take
In order to ensure compliance with the above principles, employees should be provided with a work policy on the details of the processing of personal data when working from home.
Depending on the sensitivity of the data concerned, the employer may also be required to carry out a data protection impact assessment before enabling working from home arrangements.
Christian Frederik Döpke
Lawyer, LL.M., LL.M.