Legality of data protection inspections of at-home workstations

Many companies are currently arranging for their employees to work from home. The associated requirements in data protection law have been lowered in recent weeks due to coronavirus. However, there has been little discussion thus far of the question as to whether and to what extent the controller, the processor’s customer or the data protection authority is allowed and required to perform inspections in private residences in order to verify that the necessary technical and organizational protective measures have been implemented.

This seems remarkable at first given the relevance of this question for companies. After all, an employee who processes personal data while working from home is not physically in the company and is therefore outside of the controller in spatial terms, but this does not change the fact that the company remains responsible in terms of data protection law. The employee’s actions in this regard are attributable to the company: the employee is acting as the extended arm of the company in processing the data, and not e.g. as the employer’s processor.

Employees who process personal data while working from home are required to satisfy the requirements of Article 32 of the GDPR, which requires the controller and processor to implement technical and organizational measures to protect the data. These measures must be appropriate for the risk of processing and the state of the art. Suitable measures may include, e.g. using a lockable room, providing sealable containers or ensuring that documents and computer screens cannot be viewed by third parties, e.g. through the window. Further information can be found in the reuschlaw White Paper on Data Protection for Working from Home.

The controller is generally required to verify implementation of the measures required under Article 32 of the GDPR. The GDPR makes no exception for employees working from home, so this duty applies in this case as well. In other words, while the required protective measures themselves may differ in each case, the duty to verify that they are implemented is the same: it makes no difference whether the personal data is processed at the company’s office, at an employee’s home or at a mobile workstation.

In its 2019 flyer on “Telearbeit und Mobiles Arbeiten” (PDF / only in German), the Federal Commissioner for Data Protection and Freedom of Information (BfDI) addressed the controller’s verification duty and stated that “the employer must also have the ability to access the employee’s residence.” The Berlin Commissioner for Data Protection and Freedom of Information also required on-site inspections in its 2016 Annual Report (i.e. before the GDPR took effect) (PDF / only in German). However, the employer’s ability to access the employee’s residence is problematic in light of Article 13 of the Basic Law, which states that private residences are inviolable. Although the Basic Law does not apply directly to relationships between private individuals, this Article does have a certain third-party effect on relationships between private individuals, such as between an employer and employee. Accordingly, the responsible employer may not enter the employee’s residence without the employee’s consent, and possibly that of other persons living in the employee’s household, if such entry would violate their fundamental rights as well under Article 13 of the Basic Law. According to the view expressed in the aforementioned BfDI flyer, such consent is not automatically evident from the telecommuting agreement itself. Companies are therefore advised to expressly stipulate rights of inspection in their employment contracts for employees working from home.

In addition to inspections by the controller, inspections by the data protection authority are also a possibility. The existence of such powers is assumed e.g. by the data protection authority for the Federal State of Hesse in its 2003 Annual Report (although this reflects the legal situation before the GDPR). However, in view of the fact that such inspections involve a violation of fundamental rights (since the Basic Law is directly applicable to public authorities), the authorities cannot simply invoke their powers under the GDPR. Accordingly, in their agreements concerning inspection rights for employees working from home, controllers are advised to include provisions allowing for inspections by the data protection authority in order to eliminate any lack of clarity. The need for such an agreement is assumed by BfDI in its flyer (see above).

Finally, if the employer is acting as a processor for its customers, those customers may have the right to inspect workstations of employees working from home. On-site inspections by the customer are not absolutely necessary for selection and monitoring of the processor in accordance with Article 28 of the GDPR. Nevertheless, a right to perform on-site inspections is occasionally stipulated in processing contracts. Such a right for the customer to perform on-site inspections is generally guaranteed for at-home workstations as well, unless excluded in the contractual agreement. Companies which process personal data on behalf of their customers and which assign employees to work from home should therefore examine their contractual agreements not just with respect to telecommuting in general, but with regard to any third-party inspection rights as well.

Regardless of whether rights of inspection exist in principle, inspections must be performed while observing rules of good hygiene given the current situation.
