Authors: Dr Stefanie Hellmich, LL.M. and Eva Maria Amoah
Due to the current spread of the corona pandemic, many employees have to move to the home office at short notice. This relocation of work outside the company premises entails data privacy risks, which companies can minimise with appropriate security measures. The German Federal Office for Information Security (BSI) as well as various supervisory authorities have already recommended appropriate precautions for secure working from home. These and the other suggestions below are intended as a first guide for companies.
When working from home, the same security requirements should be met as at the office workstation. Insofar as personal data are processed from the home desk, the data protection rules of the General Data Protection Regulation (GDPR) apply, as they do at the office workplace. This applies in particular to the obligation to take technical and organisational measures that adequately protect data and prevent data protection violations (Article 32 GDPR). This duty falls first on the company, which must create the technical prerequisites - for example, by setting up a virtual private network (VPN) - and provide employees with appropriate rules of conduct. Beyond having clear rules in this regard, it is important that they are communicated to all affected employees.
Beyond IT security, the protection of business data should also have top priority at the private desk. Here too, the level of security from the office should be maintained. In particular, the workplace should be organised in such a way that private and company data do not mix.
The BSI expects a growing number of criminal attempts to gain access to companies' confidential information and data by means of specially prepared e-mails (so-called phishing e-mails) or telephone calls. According to the BSI, attackers refer to the coronavirus and the necessary measures associated with it, and suggest that the emergency situation creates high pressure to act, which is why prudent action is imperative. Against this background, it is necessary to ensure that simple measures to defend against such attacks are followed.
In our FAQ, we provide answers to the most common data protection questions in the company when dealing with the coronavirus (e.g. on rights to ask questions and reporting obligations). For further information and contact persons regarding the legal implications of the coronavirus, the containment measures as well as the government's economic aid measures, please see our overview page.