Working from home in times of corona - data privacy requirements

Authors: Dr Stefanie Hellmich, LL.M. and Eva Maria Amoah


Due to the current spread of the corona pandemic, many employees have to move spontaneously to the home office. This relocation of work outside the company premises entails data privacy risks, which companies can minimise with appropriate security measures. The German Federal Office for Information Security (BSI) as well as various supervisory authorities have already recommended appropriate precautions for secure working from home. These and other suggestions below shall serve as a first guide for companies.

Security measures in the home office

When working from home, the same security requirements should be met as at the office workstation. Insofar as personal data are processed from the home desk, the data protection regulations of the General Data Protection Regulation (GDPR) apply, as they do at the office workplace. This applies in particular to the obligation to take technical and organisational measures to adequately protect data (Article 32 GDPR) to prevent data protection violations. This duty is firstly incumbent on the company, which must create the technical prerequisites - for example, by setting up a virtual private network (VPN) - and provide employees with appropriate rules of conduct. In addition to clear regulations in this regard, it is important that these are also communicated to all affected employees.

IT security
  • It should be ensured that only the hardware and software provided by the employer is used for work at home, unless special bring-your-own-device rules apply. This applies not only to the PC/notebook used, but also to the storage of work results on hard disks, USB memories or other data storage devices.
  • Data should always be stored in the directories/folders of servers or central IT systems of the company in order to continue to comply with archiving and documentation requirements (e.g. under the GDPR, the German Basic principles on the proper keeping and storage of financial books, recordings and documents in electronic form as well as data access (GoBD) or the German Trade Secrets Act (Gesetz zum Schutz von Geschäftsgeheimnissen, GeschGehG) . Insofar as exceptions to these requirements are permitted, e.g. if an Internet connection to the central IT systems and thus storage on the IT systems is not possible, it must be ensured in any case that the data are stored on the data carriers used in encrypted form (including storage encryption).
  • Mobile devices (notebooks, smartphones and tablet PCs) should be kept up to date (pay attention to updates!); this applies in particular to antivirus protection and firewalls. In this regard, employees should be requested to connect their devices to the company network regularly and take into account update instructions from the IT department.
  • The PC should be set up so that it is connected to the Internet via a cable or an encrypted WLAN.
  • Other wireless interfaces (such as Bluetooth) should be deactivated.
  • If (video) conferencing systems or platforms are used, it must be ensured that it is a service approved by the IT department. Many conference systems on the market collect user data, such as location data, and/or record the communication without the consent of the participants.
Clean desk policy

In addition to IT security, it should also be ensured that the protection of business data also has top priority on the private desk.  Here too, the level of security from the office should be maintained. In particular, the workplace should therefore be organised in such a way that private and company data do not mix.

  • It should be ensured that no third parties are able to see what’s on the screen. In addition, automatic screen locks with password protection and privacy filters should be used.
  • No paper documents, USB sticks, data carriers, etc. should be left on the desk, but should be stored in lockable containers.
  • When leaving the work station, care should be taken to ensure that doors are closed to prevent unauthorised access, loss or modification of data.
Print & disposal
  • Print-outs of company documents should not be made when working from home. If this is absolutely necessary to print documents for the completion of operational tasks, care should be taken to ensure that the documents are removed from the printer immediately so that other people in the household cannot take note of them. If work is carried out via VPN in the company network, it must be ensured that no print jobs are sent to printers in the company buildings. In the case of a mandatory printout, it should be ensured that the printed information can also be suitably destroyed on site (shredders/data bins).
  • Company paper documents should not be disposed of with private paper waste. If it cannot be destroyed in accordance with the regulations, paper waste should be collected and stored in a sealed container. As soon as this is possible, the paper waste should then be disposed of in the office according to the applicable rules.
  • Clear communication channels and contact points for staff should be ensured. So employees can be sure that the data and information end up in the right hands.
  • A loss of data in the home office can also include a reportable breach of data protection obligations. Employees should therefore be familiar with their obligations to notify the relevant departments in the company in the event of a breach of data protection obligations so that the company can comply with its statutory reporting obligations. Otherwise, there is a risk of substantial fines being imposed by data protection supervisory authorities.
  • Since the operational use of messenger services is subject to special data protection regulations, which "common" messenger services from the private sector do not or only partly comply with, messenger services should generally be avoided in corporate communication. If such a service is nevertheless used, care should at least be taken to ensure that no confidential company information is exchanged. Some security standards, such as end-to-end encryption, should also be guaranteed.
  • The use of private mobile phones or private e-mail accounts for business communication or other business purposes should be avoided.
  • If telephone calls have to be made in the home office for business purposes, other people in the household should not be able to take note of the contents of the telephone calls.
Attention: phishing e-mails pose a particular risk

The BSI expects more and more criminal attempts to gain access to confidential information and data of companies by means of specially prepared e-mails (so-called phishing e-mails) or telephone calls. Criminal attackers would refer to the issue of coronavirus and the necessary measures associated with it. Here they suggest a high pressure to act due to the emergency situation, which is why prudent action is imperative here. Against this background, it is necessary to ensure that simple measures to defend against such attacks are followed.

  • In particular, names and e-mail addresses should be checked and e-mail attachments from unknown senders should not be opened. In addition, no information about customers, employees or economic circumstances of the company should be disclosed to unknown persons. If in doubt, the company's IT department should be consulted, as they usually have more effective means of determining authenticity and risk.
Attention - special cases: special categories of personal data/data processing agreements/transfer of personal data to third countries/special areas
  • Access to special categories of personal data (e.g. health data) should only be possible with PIN and hardware-based trust anchor (two-factor authentication).
  • Companies that perform services as processors for others should ensure that the data processing agreements do not contain any restrictions with regard to working from home.
  • For home office activities in countries outside the European Economic Area (EEA) that relate to data from companies within the EEA, the more far-reaching provisions of Article 44 et seqq. GDPR must be complied with.
  • The Federal Financial Supervisory Authority (BaFin) has already made public statements on corona-related home office work in connection with so-called trading transactions (securities trading) and on video identification procedures on the basis of the Circular 03/2017 (GW) of 10 April 2017.
More information

In our FAQ, we provide answers to the most common data protection questions in the company when dealing with the coronavirus (e.g. on rights to ask questions and reporting obligations). For further information and contact persons regarding the legal implications of the coronavirus, the containment measures as well as the government's economic aid measures, please see our overview page.

Dr Stefanie Hellmich, LL.M.

Dr Stefanie Hellmich, LL.M.
Frankfurt a.M.
+49 69 27229 24118