The so-called right of control in data processing relationships is an important topic in connection with the General Data Protection Regulation (Art. 28, 3c GDPR). The GDPR obliges the controller to take suitable and appropriate technical and organisational measures (TOM) to protect personal data. The same applies to processors who process personal data on behalf of a controller: the processor must also take suitable and appropriate technical and organisational measures (TOM) to ensure the security and protection of the data.
The controller must still be able to check and prove compliance with the agreed measures without undue effort. On business premises this is usually straightforward (alarm system, access control concept, etc.); in the home office it is usually a different matter. Strictly speaking, personal data may not be processed if the processing takes place outside the control of the controller. This applies to the employees of both the controller and the processor.
Contract processing companies and their data protection officers often cite the fundamental right to inviolability of the home as an argument as to why it is virtually impossible to enforce the right of control in home office. This is where Article 13 of the German Constitution (inviolability of the home) collides with European legislation, which guarantees the “right to informational self-determination” when processing personal data.
As EU law, the General Data Protection Regulation takes precedence over national law, including the constitution. Invoking the constitution therefore creates a legal conflict, as both positions are fundamental rights at EU level.
It is often forgotten in the debate that there is no right to work from home at all. It is possible to process personal data from business premises at any time without jeopardising the protection of one’s own home and at the same time in compliance with data protection.
If employees and companies utilise and grant the option of working from home, the right to inviolability of the home must therefore be waived to the extent necessary. In other words: anyone who does not want to enable the controller, whether employer or client, to fulfil its own duties is obliged to be present on the business premises.
Furthermore, a contractually agreed right of inspection, e.g. of the client in the context of commissioned processing, does not mean that the client will actually visit an employee at home for the purpose of inspection. After all, the inspection can also be carried out and documented by proxy, for example by the employee’s own employer. It is therefore not necessarily the case that strangers will be wandering curiously around the home. By designing the technology accordingly, as well as by imposing corresponding obligations on employees, the actual area to be inspected can be narrowed down and therefore verified easily. The controller’s right of control can thus be reserved for cases in which self-regulation does not take place at the processor’s premises or in which events make control necessary.
The control of data processing in home office is therefore a challenge that requires both the controller and the processor to review the existing agreements and measures and adapt them if necessary. In doing so, they should take into account the risks to personal data, the rights of the data subjects and the possible sanctions for violations of the GDPR. This is because the risk of access by third parties, even if unintentional, increases when working from home or while travelling.
We therefore recommend that our clients draw up appropriate rules for working outside the business premises, e.g. in the home office, and implement appropriate technical and organisational measures. Your employees will also gain confidence in their actions thanks to clear guidelines and rules.
Are you unsure whether the implementation in your company meets the data protection requirements? Talk to us. We will be happy to assist you.