Legality of data protection inspections of at-home workstations
Many companies are currently arranging for their employees to work from home. The associated data protection requirements have been relaxed in recent weeks because of the coronavirus. There has, however, been little discussion so far of whether, and to what extent, the controller, the processor's customer or the data protection authority is permitted and obliged to carry out inspections in private residences to verify that the necessary technical and organizational protective measures have actually been implemented.
This is remarkable at first sight given how relevant the question is for companies. An employee who processes personal data while working from home is not physically present in the company and is therefore outside the controller's premises, but this does not change the fact that the company remains responsible under data protection law. The employee's actions are attributed to the company: in processing the data, the employee acts as the extended arm of the company and not, for example, as the employer's processor.
Processing of personal data by employees working from home must satisfy Article 32 of the GDPR, which requires the controller and the processor to implement technical and organizational measures to protect the data. These measures must be appropriate to the risk of the processing and take account of the state of the art. Suitable measures may include, for example, using a lockable room, providing lockable containers and ensuring that documents and computer screens cannot be viewed by third parties, e.g. through a window. Further information can be found in the reuschlaw White Paper on Data Protection for Working from Home.
The controller is generally required to verify implementation of the measures required under Article 32 of the GDPR. The GDPR makes no exception for employees working from home, so that this duty applies in this case as well. In other words, while the required protective measures themselves may differ in each case, the duty to verify that they are implemented is the same: it makes no difference whether the personal data is processed at the company's office, at an employee's home or at a mobile workstation.
In its 2019 flyer on "Telearbeit und Mobiles Arbeiten" (telework and mobile working; PDF, German only), the Federal Commissioner for Data Protection and Freedom of Information (BfDI) addressed the controller's duty of verification and stated that "the employer must also have the ability to access the employee's residence." The Berlin Commissioner for Data Protection and Freedom of Information likewise called for on-site inspections in its 2016 Annual Report (PDF, German only), i.e. before the GDPR took effect. However, an employer's access to the employee's residence is problematic in light of Article 13 of the Basic Law, under which the home is inviolable. Although the Basic Law does not apply directly between private parties, this Article has an indirect third-party effect on private relationships such as that between employer and employee. Accordingly, the controller as employer may not enter the employee's residence without the employee's consent, and possibly also the consent of other persons living in the household, whose rights under Article 13 of the Basic Law would likewise be affected by the entry. According to the view taken in the BfDI flyer cited above, such consent does not automatically follow from the telecommuting agreement itself. Companies are therefore advised to stipulate rights of inspection expressly in their agreements with employees who work from home.
In addition to inspections by the controller, inspections by the data protection authority are also conceivable. The existence of such powers was assumed, for example, by the data protection authority of the Federal State of Hesse in its 2003 Annual Report (which reflects the legal situation before the GDPR). However, because such an inspection interferes with a fundamental right, and the Basic Law applies directly to public authorities, the authorities cannot simply rely on their general powers under the GDPR to enter a private home. Controllers are therefore advised to include, in their inspection agreements with employees working from home, provisions that also permit inspections by the data protection authority, so as to remove any uncertainty. The BfDI flyer (see above) likewise assumes that such an agreement is needed.
Finally, if the employer acts as a processor for its customers, those customers may also have a right to inspect the workstations of employees working from home. On-site inspections by the customer are not strictly necessary for the selection and monitoring of a processor under Article 28 of the GDPR, but a right to carry them out is occasionally stipulated in data processing agreements. Where such a right exists, it generally extends to at-home workstations as well, unless the contract excludes them. Companies that process personal data on behalf of their customers and assign employees to work from home should therefore review their contracts not only with respect to telecommuting in general, but also with regard to any third-party inspection rights.
Regardless of whether rights of inspection exist in principle, any inspection must, in the current situation, be carried out in compliance with the applicable hygiene rules.