Whether in the office or in the home office, companies must adequately protect the data they process. However, data protection law does not stipulate which specific measures are to be taken. Rather, every company is required to determine appropriate protective measures itself on the basis of the data processed and in consultation with its data protection officer. For businesses of all sizes, the processing directory provides important guidance here.
If the processed data includes data worthy of protection, above all health data, high protective measures must be taken. From a technical point of view, it is advisable in this case to work only via a Virtual Private Network (VPN). With a VPN, an employee in the home office also works from within the hopefully well-secured company network. This eliminates the risk of the poorly protected home Internet connection becoming a gateway for hackers.
If a company does not provide its employees with a VPN connection, it should at least encourage them to adequately protect their Wi-Fi with a WPA2 password. Factory-set passwords are easy to find on the Internet. They therefore do not offer sufficient protection. Companies are also advised to provide their employees with a list of tested software (e.g. for video conferencing) that makes it easier to work in the home office. Otherwise, employees will find suitable software themselves, and it will not always comply with data protection requirements.
However, purely technical means are not enough to ensure that employees work in the home office in a way that complies with data protection. It is also recommended that employers conclude an agreement with their employees on working in the home office. In addition to technical protective measures that employers can oblige employees to take, practical requirements should also be set for working in the home office: Does the employee have to sit alone in a room when working? How should the employee work if there is no separate room available? And how are documents disposed of? Household waste is taboo for documents that contain personal data.
Since an employee's apartment remains a legally protected retreat even when the employee works there, employers should have access rights granted to them, e.g. to maintain IT equipment or to check compliance with data protection. Of course, visits must be reduced to absolutely necessary cases and announced in advance.
However, the legal effects of the home office are not limited to the requirement of a home office agreement. As always, the data protection documents to be kept by every company must be kept up to date, e.g. the processing directory (already mentioned above) and the documentation of the technical and organizational measures. Information relevant to the home office (e.g. the use of a VPN or instructions to work in a separate room) must be added to them. The home office should also be taken into account in data protection training for employees.
After the data protection authorities were reluctant to pursue data protection violations in the home office in 2020, the wind is likely to have turned. COVID-19 and the associated move to the home office for many companies are (unfortunately) no longer a novelty. There is a risk of fines. Companies that have not yet addressed work in the home office in terms of data protection law should therefore start now.