In the home office, too, it is important that your employees comply with data protection regulations. It is therefore recommended that you summarize these in one document for the home office - either as an addition to the employment contract or as a guideline. Please do not hesitate to contact us. We will provide you with our sample document.
No, you can also summarize these obligations in a guideline for your employees.
No, you should also cover the specifics of the home office in your employees' data protection training. You have to repeat this training regularly anyway. The heyData training course already includes a section on the home office.
Documents containing personal data should not be disposed of with the household waste. Either you provide your employees with professional cross-cut document shredders, or your employees collect the documents and they are later disposed of in the office.
It is desirable for employees to work in separate rooms because then there is less risk of family members or roommates gaining knowledge of data. If there is no other way, employees can also work in mixed-use rooms if they take certain precautions (e.g. sit with their backs to the wall with a laptop). You have to be pragmatic.
That depends on whether the personal data in the files is particularly worthy of protection. If an employee takes paper files home, at least they shouldn't leave them lying around openly.
Companies are obliged to conclude data processing agreements with cloud providers. In addition, they cannot simply rely on cloud providers complying with data protection law, but have to verify this, for example through on-site inspections or targeted inquiries.
In fact, the data processing agreements of many large providers are not that easy to find. It is nevertheless important that you have documented data processing agreements in place with all providers. Please do not hesitate to contact us. Your data protection officer from heyData already has many of the important agreements available.
Yes, you may only pass on data to processors outside the EU if compliance with the EU data protection level is guaranteed. For some countries, the corresponding level of data protection has already been determined by the EU Commission (e.g. Israel or Japan). For other countries you must first establish the level in a contract. Unfortunately, this is currently not easy, especially with US providers.
The USA is generally not regarded as a country whose level of data protection corresponds to that of the EU. You can therefore only pass on data to providers in the USA if they have contractually committed (via so-called standard contractual clauses) to an appropriate level of data protection. In addition, the providers have to give further guarantees, for example that data is not passed on to US authorities. heyData will be happy to advise you on this.
That is less critical, but unfortunately not without its problems. Here, too, you should obtain assurance from the provider that data will not be passed on to the USA. Again, you can rely on the support of heyData.
That depends on how sensitive the data processed in the home office is. A VPN is definitely a good investment in processing security.
No. A remote desktop application does not increase the security of data retrieval. The employee still uses their home internet connection.
No, there is no general obligation to encrypt emails. However, encryption is mandatory if you send particularly sensitive data. This includes data on health or religious affiliation and, for tax advisors for example, client data.
Encryption via TLS (Transport Layer Security) only protects the email while it is in transit between mail servers; on the servers themselves the message is stored in plain text. You should therefore use PGP encryption for sensitive data, which encrypts the content itself from sender to recipient. Both the sender and the recipient each have a key pair consisting of a public and a private key. To send an encrypted email, you need to know the recipient's public key; only the recipient's private key can decrypt it.
The use of private end devices for work (bring your own device, BYOD) is undesirable from a data protection point of view. But we know that it is often the reality in companies. In order to safeguard this in terms of data protection law, companies should conclude BYOD agreements with their employees. We will be happy to provide you with the relevant document.
The employer may only access private devices if the employee has expressly granted access rights. This is part of the BYOD agreement.
Even if this does not solve all problems (e.g. attachments are still downloaded to a private device), it is certainly a pragmatic approach that leads to less mixing of private and business data.