Data protection house search in the home office?
by Mag. Sascha Smets
24. April 2020
Knock, knock - who's there? Your worst nightmare! WHO? The data protection authority! A bad joke that could soon turn out to be the new reality. Well, it might be an exaggeration to describe the data protection authority as a personified nightmare that could one day be on your doorstep. Especially since this title has already been awarded exclusively to bailiffs and broadcasting fee collectors. Nevertheless, it would not be pleasant if the authority were to inspect one's own home for compliance with the data protection law. But, are they even allowed to do so?
In theory, national data protection authorities are entitled to enter any premises where data processing happens. This applies to the private and business premises of the data controller, the data processor and third parties (such as employees) if personal data is processed there. How you can correctly assess your own role under the GDPR is the subject of this in-depth article by Dr. Jana Moser.
The relocation to home office therefore significantly extends the local scope of this control right. Every home could be entered by the data protection authority in order to check compliance with GDPR obligations. However, the authority may not search in the actual sense (such as opening and rummaging through drawers). Denial of admittance can be punished with an administrative penalty.
However, it is not only the data protection authority that could suddenly make an unwanted home visit. The controller of a data processing is also usually contractually entitled to search the home office of all employees of his data processor. It is actually mandatory to grant such a right to the data controller in the corresponding data processing agreement (Art. 28 Para. 3 lit h GDPR).
If the authority and/or the data controller should come across data protection violations, there is the threat of enormous administrative penalties, claims for damages and/or contractual penalties. A home office visit to the employee is therefore likely to bring beads of sweat to the brow of most employers. The protective measures usually chosen by employers to ensure the level of data protection in the home office are - paradoxically - mostly analogous. Employees are bound by internal company guidelines (usually as a product of an ISMS) and home office agreements to observe data protection. A toothless "paper tiger" as an answer to a digital challenge that does also not meet the requirements of Art. 32 GDPR.
Rather, it is necessary to live the (hopefully existing) ISMS in practice with technical data protection measures and to use it in the home office. In particular, technologies for automated data, access and workflow management should be considered.
Here you can access the LinkedIn profile of our guest author Mag. Sascha Smets.
ABOUT THE AUTHOR
Mag. Sascha Smets is a trainee lawyer at Schönherr Rechtsanwälte GmbH and an expert for data protection, IT and venture capital.