Home office solutions for employees – requirements under German data protection law

Under German data protection law, as well as under the European data protection directive (95/46/EC), there exist no specific provisions that would govern the processing of personal data in home office scenarios. Only a few German data protection authorities have published recommendations on how or which kind of technical or organizational measures should be implemented if a company wants to grant its employees the benefit of working at home. The few existing recommendations remain mainly vague and don’t name specific measures which must be taken.

According to the guidelines (PDF) published by the German Federal Data Protection Commissioner, home office solutions can lawfully be established if 1) the protection and security of the personal data involved is guaranteed by adequate technical and organizational measures and 2) the employer as well as the competent data protection authority possess the permission to audit the proper implementation of these measures at the employee’s home and on the devices used.

Technical and organizational measures
Under German data protection law, an employee processing personal data at home is still regarded as part of his/her employer’s entity. Hence, the employer remains fully responsible in law for all data protection and data security aspects. Under Article 17 of directive 95/46/EC (and similarly under Section 9 of the German Federal Data Protection Act, PDF), the employer is obliged to implement the necessary technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access and against all other unlawful forms of processing.

Inter alia, this means safeguarding the room in which the employee will work and/or stores the devices used. Necessary measures might be the installation of burglar-proof doors and/or windows, the possibility to separately lock the respective room or installing a visual cover for the monitor of a PC/laptop, if it is otherwise possible for third parties to see the monitor through a window.

Furthermore, the implementation of identification and authentication mechanisms for the device used by the employee will be necessary. This includes security hardware and software that allows and requires at least the use of unique identifiers (e.g. fingerprint) and a password. These hardware and software products must be chosen by the employer and be tested and approved prior to handing them to the employee.

Moreover, the electronic storage as well as transfer of personal data to and from the employee’s device must only take place if the data transmission is encrypted (end-to-end encryption). The Internet connection itself should be protected by a firewall, chosen and installed by the employer.

Neither the German data protection law nor directive 95/46/EC provides for a specific data security standard with regard to home office scenarios. The law requires that companies act and decide applying a principle of proportionality. There is no “one size fits all” approach.

Contractual requirements / the employee’s consent
As a second requirement, the German data protection authorities demand specific contractual agreements between employer and employees that govern the work at home. Some aspects which should be agreed on are the precise location of the home office, a commitment to data confidentiality and secrecy, the equipment used by the employee and the procedure for cases of violations of the technical and organizational measures.

Furthermore, German data protection authorities are of the opinion that the competent authority and the employer must have the right to check and audit the implementation of the technical and organizational measures. As the employee’s home is protected under Article 13 of the German Constitution as a fundamental right, he/she must be asked to give his/her express written prior consent regarding the right of the employer as well as the competent data protection authority to enter his/her home in order to conduct these audits.

Monetary Penalties for Data Protection Breaches: ICO vs. German DP Authorities

I have just stumbled upon the Information Commissioner’s Office’s page that informs the British public on the monetary penalties that the ICO has handed down over the last 1½ odd years: 26 penalties of about £120,000 on average. Not that that kills any of the public authorities and private companies involved (and nor should it). But it shows that where the ICO believes that a breach is serious enough to warrant a monetary penalty, the penalties are not only symbolic but designed to at least sting a bit.

“Google Has Few Concerns About the Right to be Forgotten!”

Until last year, the right to be forgotten used to be an idea of Viktor Mayer-Schönberger, an Austrian law professor. He suggested – and probably still suggests – providing a “best before date” for data that is electronically saved. After the expiration of the date, the data would be automatically deleted by the application or computer system. Last year, the idea – or a modification thereof – became part of a draft regulation of the European Commission.

69th German Legal Colloquium

During last week’s 69th German Legal Colloquium the association’s members discussed – amongst other topics – the future of IT law in Germany (you can find all the decisions here – in German). Their decisions on how to fight cyber crime, data protection and liability are supposed to initiate legal reforms. In some cases, you hope the legislator won’t feel inclined.

The Pope’s litigation against a German magazine

The following is certainly not really a matter of IT law, but I bet you will find it interesting anyway.

This post is about a lawsuit Pope Benedict XVI started against Titanic (nice case reference, isn’t it?), a well-known German satire magazine. We all expected a hearing to take place today at the Hamburg Regional Court – but it was canceled just last night, as the Pope had withdrawn his petition.

A lot has already been written on whether this case is an example of censorship or some kind of litmus test for the freedom of speech in Germany. I don’t think that this is really what makes the case so interesting. I believe that the question we should discuss is whether a pope should defend his personality rights by going to a civil court.

E-Commerce Law Reports with our article on Oracle v. UsedSoft

As a blogger you are always happy to receive feedback from your readers. So I was really pleased when shortly after posting my recent comments about the CJEU’s UsedSoft decision, the E-Commerce Law Reports approached me to ask whether I could write a more detailed article about the case for their August 2012 issue. Recently published, this issue also contains a number of other fascinating contributions by colleagues from around the world on a variety of important topics such as the online collection of consumer data, search engines’ liability for misleading search results, the cloning of games, advertising on Twitter, etc. Check it out: http://www.e-comlaw.com/e-commerce-law-reports/

“Implied Consent” to Cookies Being Set Suffices in the UK

Contrary to what had been the understanding before, the ICO in its capacity as data privacy watchdog in the UK has now declared in its guidance (download it here) that implied consent – if actually given – is just as valid a form of consent as explicit consent. That is not to say that website owners can simply continue as before. When you read through the ICO’s advice on how implied consent may be brought about, it becomes quite clear that there really is not much difference from what the website owner must do to obtain explicit consent.

CNIL Sends Second Questionnaire to Google on Google’s New Privacy Policy

Google’s new privacy policy is not that new, as it “went into force” on March 1. It is still big news in data protection terms, though, at least as far as European data protection authorities are concerned. CNIL, commissioned by the Art. 29 Working Party, has now sent a second, rather comprehensive questionnaire to Google. Obviously they were not completely sold on Google’s answers to the first set of questions CNIL had sent in March.

Tracking and Controlling Your Child’s Mobile Phone Activities

I just came across a post on golem.de (a rather good IT news site – in German only, sadly) about bemilo, a service in the UK that (I quote)

“puts [parents] in full control of [their] child’s mobile service”;

“puts [parents] in the driving seat, 24 hours a day”;

“[gives parents] FULL control [w]ho [their] children can contact and who can contact them, time of day [their] children can use their phone, WHEN they can browse the web”;

“[enables parents to] [r]eview all calls & SMS messages at any time, block bullies at the flick of a switch, control mobile spend with no fuss [emphasis added].”

Do watch the intro on the website. It’s rather, well, unique, besides the fact that the little toy man in the intro looks suspiciously similar to a typical LEGO design.