Recommendation on data processing in the home office

If employees also process personal data of data subjects in their home office in the course of their work, this processing poses an increased risk to the rights of the data subjects, because data misuse or unauthorised access by third parties is easier given the employer's limited ability to control the home environment. When data is processed in the home office, the employer remains responsible for compliance with data protection law and for technical and organisational security.

Employees should therefore be required to comply with appropriate measures in the home office in order to protect the personal data processed there. The measures taken should be documented.

Technical security measures to protect personal data in the home office can be:
  1. Employees should take adequate measures for access control and burglary protection in the home office.
  2. Company equipment must be protected with a firewall, a virus scanner and regular operating system updates.
  3. Data processing in the home office should only be carried out on company IT equipment.
  4. The data connection to company servers must be secured via VPN.
  5. Access to IT resources must be restricted by an authorisation concept with restrictive access rights.
  6. Connecting non-company USB devices to company work equipment must be restricted.
  7. The computer equipment should not be accessible to other members of the household and must not be used by other persons.
  8. If paper files are processed in the home office, we recommend keeping a file checkout log that documents which files are taken out of the company and when they are brought back.
  9. Paper files are to be kept in locked cupboards in the home office, inaccessible to other members of the household.
  10. If paper files are destroyed in the home office, a suitable shredder must be provided for the destruction of the files (security level P-4).
  11. Files must be transported securely on the way to and from the home office and must be protected against loss or theft.
  12. Either data stored on local devices is backed up regularly, or storing data on local devices is prohibited and technically prevented.
Suitable organisational measures can be:
  1. Home office agreements with employees should contain provisions under which the employer can effectively check compliance with the agreed security measures. The agreement should include a right of access for the employer and persons authorised by the employer (e.g. company doctor, data protection officer, supervisory authority). At the same time, it should specify the conditions under which the right of access may be exercised. The wording should be agreed with a specialist lawyer for labour law to ensure compatibility with other provisions of the employment contract.
  2. Usage guidelines should regulate the handling of company IT and prohibit the use of non-company equipment for the home office.
  3. Employees should be obliged by an IT security policy to handle data and IT infrastructure securely, see also: IT security policy.
  4. Work instructions can regulate the transport and destruction of files, with the aim of fully electronic data processing without media breaks (i.e. without printing electronic records to paper).
Further information on the regulation of telework and data protection as well as recommendations for implementation can be found on the website of the Federal Commissioner for Data Protection at: https://www.bfdi.bund.de/SharedDocs/Publikationen/Faltblaetter/Telearbeit.html