Under German data protection law, as well as under the European data protection directive (95/46/EC), there exist no specific provisions that would govern the processing of personal data in home office scenarios. Only a few German data protection authorities have published recommendations on how, or which kind of, technical or organizational measures should be implemented if a company wants to grant its employees the benefit of working at home. The few existing recommendations remain mainly vague and don’t name specific measures which must be taken.
According to the guidelines (PDF) published by the German Federal Data Protection Commissioner, home office solutions can lawfully be established if 1) the protection and security of the personal data involved is guaranteed by adequate technical and organizational measures and 2) the employer as well as the competent data protection authority possess the permission to audit the proper implementation of these measures at the employee’s home and on the devices used.
Technical and organizational measures
Under German data protection law, an employee processing personal data at home is still regarded as part of his/her employer’s entity. Hence, the employer remains fully responsible in law for all data protection and data security aspects. Under Article 17 of directive 95/46/EC (and similarly under Section 9 of the German Federal Data Protection Act, PDF), the employer is obliged to implement the necessary technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access and against all other unlawful forms of processing.
Inter alia, this means safeguarding the room in which the employee will work and/or stores the devices used. Necessary measures might be the installation of burglar-proof doors and/or windows, the possibility to separately lock the respective room or installing a visual cover for the monitor of a PC/laptop, if it is otherwise possible for third parties to see the monitor through a window.
Furthermore, the implementation of identification and authentication mechanisms for the device used by the employee will be necessary. This includes security hardware and software that allows and requires at least the use of unique identifiers (e.g. fingerprint) and a password. These hardware and software products must be chosen by the employer and be tested and approved prior to handing them to the employee.
Moreover, the electronic storage as well as transfer of personal data to and from the employee’s device must only take place if the data transmission is encrypted (end-to-end encryption). The Internet connection itself should be protected by a firewall, chosen and installed by the employer.
Neither German data protection law nor directive 95/46/EC provides for a specific data security standard with regard to home office scenarios. The law requires that companies act and decide by applying a principle of proportionality. There is no “one size fits all” approach.
Contractual requirements / the employee’s consent
As a second requirement, the German data protection authorities demand specific contractual agreements between employer and employees that govern the work at home. Some aspects which should be agreed on are the precise location of the home office, a commitment to data confidentiality and secrecy, the equipment used by the employee and the procedure for cases of violations of the technical and organizational measures.
Furthermore, German data protection authorities are of the opinion that the competent authority and the employer must have the right to check and audit the implementation of the technical and organizational measures. As the employee’s home is protected under Article 13 of the German Constitution as a fundamental right, he/she must be asked to give his/her express written prior consent regarding the right of the employer as well as the competent data protection authority to enter his/her home in order to conduct these audits.