Design your home office in compliance with the law: How to comply with data protection, data security, and employment law
In the face of the corona pandemic, a lot of the workforce, both employees and self-employed, have suddenly found themselves in the home office. But data protection and data security must not be disregarded. Businesses that have already allowed people to work from their home offices in the past are now more likely to provide their employees with guidelines than those that have not done so previously. Find out here what to absolutely observe in terms of data protection and how to design your employees’ workplaces at home in a legally compliant manner.
As an employer, you should pay attention to these aspects of data protection
You should observe some data protection aspects and equip your employees accordingly for work in the home office to be successfully completed.
Review your customer contracts
If data is processed on behalf of a third party, the underlying data processing contract must be reviewed, because not every contract allows this work to be performed from the home office. Some contracts at least contain restrictions or require certain security precautions. Data processing on behalf of customers by employees in the home office is permitted only if such work is not explicitly excluded and any additional security precautions can be met. Obviously, this only applies to cases in which the employee works for the contractor.
Protect personal data
Data protection law only protects the processing of data of natural persons. This means that data containing information about companies, as is particularly common in the B2B sector, is not covered by obligations under data protection law. The wide scope of application means, however, that the processing of personal data is also part of work in the B2B sector. The mere information that a person is employed by a certain company already constitutes personal data, even if it is not particularly sensitive.
In most cases, it is therefore unavoidable that at least some personal data is used or processed. Confidential data without personal reference, such as business secrets, must also be protected by adequate technical precautions within the company. What is to be considered sufficient is governed by Article 32 GDPR, which imposes different obligations depending on the type and circumstances of data processing.
The obligations under data protection law are not relevant where only data without personal reference is processed.
Do not mix private and business data
While data in the home office is, at least in part, processed at a different location and by different means than in the office, the employer nevertheless remains the data controller in terms of data protection law. It is therefore important that private and business data are not mixed. Employers also remain responsible for the data processed in the home office and set the technical and organizational measures for the protection of personal data there as well. This is part of their right to give instructions.
Do not use private devices
Effective protection of personal data is possible only where employees are equipped with company computers for the home office. This ensures that the corporate security measures, such as the operating system configuration, virus protection, and firewall, are actually active and kept up to date. Private use of these devices should be prohibited, as otherwise access to stored data by the company may be made more difficult.
Use professional encryption
To ensure adequate IT security in the home office, employers should encrypt the storage media built into IT devices as well as any external storage media. If a device or storage medium is lost or stolen, the data then remains protected against unauthorized access. You will only be on the safe side, however, if files containing personal data are stored on the company’s servers and not on the device in the home office. You should also ensure a secure VPN connection to your company servers.
Employment law in the home office
Create a home office policy
Businesses are advised to define all requirements in connection with working at home (teleworking) in a home office policy that stipulates all security precautions. The policy should also name a contact person whom employees can turn to in case of data protection violations or phishing attempts.
Does the employment contract have to be adapted for work in the home office?
No. The employment contract does not need to be amended. A supplementary agreement is sufficient, in which the place of performance is stipulated in deviation from the employment contract. Other obligations may also be relevant, in particular those relating to employees’ compliance with protective measures for the processing of personal data. Subject to mandatory data protection rules, it is up to employers and employees to decide how far-reaching these adaptations will be. In particular, the agreement should govern how far employees’ own discretion in organizing their work in the home office extends.
Is there a right to work from the home office?
Where employees have entered into individual contractual agreements or there are appropriate company agreements, they are basically entitled to work in the home office. If this is not the case, it depends on the individual situation of the employees and the place of work.
Although employers have the right to give instructions to their employees, they may not exercise this right in a way that violates the legally protected interests of these employees. In particular, employers are also obligated to protect the health of their employees.
A “right to a home office” can therefore only be presumed if the place of work is either in a particularly exposed region or the respective employee is a member of a special risk group. If the work can also be carried out from home without any problems, this reduces the discretion of employers. The same will be presumed if the respective employee is dependent on the use of public transport.
The Federal Ministry of Labor and Social Affairs is currently planning a draft law “Right to home office,” according to which a legal right to work from home offices is to be granted if there are no operational reasons that speak against it. It is not yet clear, however, to what extent this will actually be implemented, especially as it would require a number of changes to regulations on occupational health and safety and data protection.
Can employers order home office?
In principle, employers’ right of direction does not extend into their employees’ private residences, so that home office cannot simply be ordered. Exceptions to this principle must, however, be recognized.
This is particularly the case if it is necessary for the protection of the workforce that the relevant person no longer appears on company premises, for example because of stays in a COVID-19 risk area. In these cases, an appropriate right to issue instructions must be recognized.
A basic condition, however, is that the worker is healthy and fit for work and that the employer provides the necessary work equipment for work from the home office. In any event, the abstract risk of infection alone does not justify the right to a home office.
Difference between home office, teleworking, flexible or mobile workplace?
The terms have no fixed legal meaning and, for employment law, they refer in particular to the question from which place employees may fulfil their duties under employment law. The options range from the additional possibility of working in the home office to a (mobile or flexible) workplace that is freely selectable by the employee.
Are there aspects of the GDPR that must be observed in the home office?
Basically, the same data protection obligations apply as those that are relevant without a home office. It should be noted that employers remain responsible for any data processing performed from the home office. Of course, this does not mean that special obligations cannot be imposed on the employee with regard to the way in which data is processed. This usually takes place via a home office directive, which takes effect as an instruction under employment law by way of a reference in the employment contract.
In particular, workers should be informed about how to protect confidential data from access by third parties, including family members or roommates.
The computer should lock automatically after a certain period of inactivity, the home office room should be locked, and confidential telephone calls should be made where they cannot be overheard. Where files or other paper-based documents exist, they should be locked in cabinets after use.
In principle, however, it is recommended that mainly electronic work be done, since digital documents may be protected more easily by technical measures. In addition, the policy should also contain rules on the issue of whether the tools made available for company use may be used for private purposes. The prohibition of private use makes sense from a legal point of view, as private use raises a large number of follow-up questions to be regulated and, in some cases, also obligations.
Can employees deduct the home office from their taxes?
Working in a home office is generally tax-deductible. Employees must prove, however, that their employer has ordered them to work from home. The costs for setting up a home office are only deductible if employees have their own workroom. Irrespective thereof, however, the costs for additionally required work equipment, such as additional office supplies, may be deducted. Which exact items are tax-deductible is a question of the individual case.
Where can I find a template of a home office privacy agreement?
We will gladly provide you with a privacy agreement for your home office. Just contact us.
Are there exceptions for working time for “system-relevant activities”?
Yes. To guarantee the production and maintenance of essential goods and services of general interest in the context of the COVID-19 pandemic, exemptions from working time law are possible. System-relevant activities include, for instance, picking goods and filling shelves in food and drugstore retail outlets, medical care of patients in physicians’ practices, laboratory diagnostic activities and mobile test centers, and the production of disinfectants and protective masks. This also includes work at hospitals, care facilities, public authorities, energy and water suppliers, and waste and disposal companies.
Employees working in system-relevant areas may, in principle,
- work up to 12 hours a day,
- work on Sundays and public holidays, and
- work up to 48 hours a week on average.
It should be noted, however, that these regulations only apply if the respective competent state authorities issue an appropriate ordinance (Section 15(2) Working Hours Act).
May employers order a medical examination if there is any suspected infection?
No. Here too, the employers’ right to issue instructions has its limits. Such instructions may not, in principle, interfere with employees’ rights to physical integrity. Employees do not have to comply with any such orders. Incidentally, this also applies to possible vaccinations that may be available in the future. If employees refuse to undergo an examination despite a suspected case of infection, however, employers may refuse to allow the respective employee to enter the company facilities and, if necessary, order work from the home office. This will require, though, that suitable work equipment be made available.
This is what your home office staff should be aware of
Your employees should take some precautions to ensure data protection and data security even when working from home. This summary gives you an overview of the most important measures. Each company should have its individual requirements checked.
Is Wi-Fi encryption legally compliant?
If the Internet is accessed at home via Wi-Fi, the connection must be sufficiently encrypted. This applies both to the encryption method used and to the complexity of the key.
Use secure VPN connections
The online connection to the company’s servers may only be established via a secure VPN connection.
Video conferencing in the home office: These providers are secure
Video conferencing is frequently an important part of working from home. Data protection needs to be ensured here as well. Find out which programs are particularly suitable for your company in a detailed article on this topic.
Be careful with private email addresses
It is not prohibited to use private email addresses, but doing so is not advisable from an IT security and data protection perspective. Access to potentially confidential content over an unsecured connection should be critically assessed. Employers remain responsible for the processing of personal data in accordance with data protection law. In occupational areas that are governed by special obligations to maintain secrecy, such as the healthcare system or the administration of justice, the mere forwarding of emails may already constitute a violation of the relevant obligations to maintain secrecy.
Be careful when communicating via messenger applications
If messenger applications are used, they should have sufficient end-to-end encryption.
Protect your room
When leaving the room, (personal) data should be protected from unauthorized access. A screensaver with password protection should therefore be activated on the computer.
Ideally, the room in which you work can be locked. Paper documents should in any case be kept in a locked cabinet.
Care must be taken to ensure that other persons staying in the household will not have access to personal data. Therefore, the computer screen should be placed in such a way that it cannot be viewed by others. Telephone calls should be made in rooms where others cannot listen in. Printouts should be removed from the private printer as quickly as possible. Print jobs should obviously also not end up on printers in the company where the individual printing them cannot pick them up.
A wastebasket is not a safe container.
Care should also be taken with paper waste. Business documents and particularly documents containing personal data should always be taken to the company and disposed of professionally. Under no circumstances should such documents be thrown into the household waste.
What to do in case of data loss?
If loss of data occurs, employees should know that they must report the incident as soon as possible and to whom they must report it within the company. Ensure regular backups of your relevant data.
We support you in implementing data protection, data security, and employment law in your home office
We will gladly provide you with fast and cost-effective support in all issues relating to data protection, data security, and employment law in the home office and draw up appropriate corporate policies for you.
- checklists for all legal issues that need to be checked in the context of introducing home office work or mobile workplaces
- practice-oriented online and classroom training
- training materials and service cards
Data protection and data security
- assessing data protection and IT security measures when working in the home office
- individually tailored privacy policies for your company
- FAQ documents and work instructions on data protection for your users
- legal advice on when the works council must be involved in the topic of home office
- individually coordinated company agreements and supplementary agreements to employment contracts
- home office in the employment law practice
Other legal issues
- home office and ensuring the protection of trade secrets
- home office and insurance coverage
- home office and issues relating to tax law
- home office and observing personal rights of employees and business partners
We offer the individual modules either at fixed prices agreed in advance or individually priced as required.
Either way, we guarantee full cost transparency in every case.
Additional information on the home office by the data protection supervisory authorities (in German)
Privacy in the home office. Information by the Data Protection Center:
Data protection in times of COVID-19: Information from the Hamburg Commissioner for Data Protection and Freedom of Information:
Corona pandemic: Data protection and work from home. Information from the Brandenburg State Commissioner for Data Protection and Access to Files:
Teleworking and mobile working. A data protection guide by the Federal Commissioner for Data Protection and Freedom of Information: