Series on Data Protection and Corona – Part 5: Data Protection compliant remote work

25. March 2020

The corona virus (SARS-CoV-2) is currently omnipresent. In order to slow down the spread of the virus, many companies, offices and employers are switching to having their staff work remotely. But even in times of pandemic crisis and in the home office, the conditions for compliance with existing data protection laws must be in place and need to be considered. The responsibility of the company or employer (as a controller) and thus, if applicable, the personal liability of the management still remains.

For the period of working at home, the employer should establish strict and transparent rules that clarify his own rights and obligations as well as those of his employees, regardless of where and on which end device the employees work. Therefore, each employer should take appropriate and proportionate measures to make sure that he and his employees act in compliance with the requirements of the GDPR during the whole period of the state of emergency within the EU.

Because data processing at home carries a higher risk of data loss and data breaches, it is recommended to consider the following measures and to agree on such measures in writing, especially in order to avoid unnecessary misunderstandings and liability issues:

  • to provide employees with business (mobile) end devices for work in the home office, so that the devices can be updated regularly and firewalls, anti-virus protection and protection against unauthorized access can be set up,
  • to prohibit the use of private devices and, as far as possible, to technically prevent this.

While the measures above can be implemented in the company or office, further precautions and instructions are required at the employee’s home workplace, such as:

  • the employer should set up a guideline on the handling of documents and how they are to be destroyed (e.g. shredded and not misused as scrap paper),
  • employees should be aware of measures to protect confidential data and information from third-party access, such as a privacy filter or a password-protected screen saver, in order to avoid “shoulder surfing” etc.,
  • the employee should prevent viewing and access by third parties, for example by aligning the monitor, using a privacy filter or setting up an automatic, password-protected screen saver,
  • the workplace should be in a separate room,
  • employees who do not live alone should always lock their mobile devices or laptops when leaving,
  • business related documents or mails should not be forwarded to private mail accounts or mailboxes,
  • employees should set up secure passwords (the password should contain at least 8 characters, consisting of a combination of letters, numbers and special characters).

The series on data protection and corona will be continued tomorrow with a blogpost regarding the statement of the Global Privacy Assembly on “Data Sharing Practices to Fight the Corona Pandemic”.

For up-to-date information (in German) you are welcome to follow us on Twitter.

We wish you all the best, stay healthy and protect yourself and others.