By Marlene Schreiber and Dr. Martin Schirmbacher, HÄRTING Attorneys at Law
Due to the Corona pandemic, many employees have been placed in home offices, in some cases without any preparation or strategy. While some companies have used the time since March 2020 to put the initially provisional work from home on a professional and legally compliant footing, it seems that some other companies are having difficulties with the proper implementation. One thing is certain: burying one’s head in the sand does not work – Corona does not absolve companies of their responsibilities! The longer the current situation lasts, the more urgent it is for companies to ensure that their employees’ mobile workplace implementations comply with legal requirements, particularly from labor and data protection laws. But what exactly do companies and their employees need to consider?
What is “Home Office” really?
The term “home office” is not legally defined and usually means that the workplace is at one’s home desk or kitchen table. If an employer agrees with the employees on a weekly working time and the duration of the home office arrangement, this is considered so-called teleworking. According to Section 2 (7) of the Workplace Ordinance (ArbStättV), a “teleworkplace” is a workstation with a monitor permanently set up by the employer in the private area of the employees. Thus, if the work is performed at a home workplace in a private home, this constitutes “domestic telework”. In these cases, the special requirements of the ArbStättV, in particular regarding the ergonomics of the workplace, must be observed.
Work on the move, i.e. work that is not tied to a specific location, so-called “mobile telework” or “mobile office”, e.g. on the train, in a restaurant or in a park, must be distinguished from telework at home. Here, the ArbStättV does not impose any obligations on the employer.
The employer cannot determine the scope of his duties as he sees fit: if an agreement on mobile work is made instead of an agreement on a domestic teleworkplace, although in practice a domestic teleworkplace exists, this constitutes a misdemeanor subject to a fine and can be punished accordingly.
Even in the home office, employees regularly process personal data, e.g. relating to customers, contacts or other employees of their own company. Even if the processing does not take place in the office: in all cases of the “home office”, the employer remains responsible for compliance with data protection regulations by its employees, who are bound by its instructions, and is obliged to provide evidence accordingly. The risk of data misuse or of third parties improperly gaining knowledge of or influencing the data is naturally higher in the home office, since the employer does not have the same means of control and influence as it does in the office.
Before granting home office, a risk assessment must therefore always be carried out to determine whether and, if so, which activities can and should be performed outside the company. In other words, the employer should determine the type, scope, circumstances and purposes of the respective data processing in each individual case and weigh them against the associated risks for the data subjects and their probability of occurrence. Based on the identified risk in relation to the implementation costs and taking into account the state of the art, the employer must then determine effective and appropriate technical and organizational measures (TOM) and ensure their implementation in the home office. As always in the context of data protection and security, these TOM cannot and do not have to provide 100% protection – but they must protect the processing in such a way that the risks are reduced to an acceptable level.
Examples of effective and appropriate TOM in the home office:
- Maintaining standard work discipline, in particular:
  - Secure storage of work materials
  - Locking up notebooks when leaving the workplace
  - Ensuring that unauthorized third parties do not eavesdrop on conversations
  - Guidelines for effective password protection
  - Disposing of data media and documents conscientiously
- Ensuring technical safety, for example:
  - Use of home Wi-Fi with strong passwords
  - Complete hard disk encryption for notebooks
  - Updating of antivirus programs and deployed software
- Deployment of devices
  - Preferable: provision of business devices
  - Clear regulations on private use of company IT or company use of private devices
  - Use of remote connections when using private devices
- Protection of the IT infrastructure
  - Specially secured connections (e.g. VPN)
- Awareness-raising and, if necessary, further training of employees
- Clear procedures in the event of data breakdowns and IT problems
Tip: In May 2020, in response to the Corona pandemic and the associated increase in home office work, the Bavarian State Office for Data Protection Supervision issued “best practice” criteria, which may be helpful for further orientation.
From the perspective of employment law, it is again important to determine whether the specific tasks and the respective employee are at all suitable for mobile or home-based work. The prerequisite is comprehensive trust and sufficient awareness or training of the employee on the topics of confidentiality, the protection of trade and business secrets, and data protection and data security (“security awareness”).
In order to ensure compliance with labor and data protection requirements and to be able to meet the associated verification obligations at any time, it is advisable to establish a home office agreement with the employees.
Checklist for a Home Office Agreement
An agreement concerning home office – whether in the form of telecommuting or mobile work – can be made directly in the employment contract, in an addendum to the employment contract or, in companies where a works council has been formed, also by means of a company agreement. The following points should not be missing from such an agreement:
- Home Office Activities
In accordance with the risk assessment to be carried out in advance, the tasks and activities classified as permissible must be explicitly named in the home office agreement.
- Place of work
If work is performed in a home office, the place of work from which the employee performs his or her work must be explicitly specified. Mobile working allows even greater freedom to work, as the place of work is irrelevant in the mobile office.
The integrity of the employee’s home is protected under Article 13 (1) of the German Basic Law, so the employee does not have to allow his employer into his home without an express agreement to the contrary, even if the workplace is located there. In contrast, the employer has a legitimate interest in being able to check compliance with work and data protection requirements on site. This should be taken into account by a clear regulation on who is entitled to access the home workplace, when and under what specific conditions.
- Working hours
The Working Hours Act naturally extends to the home office! Violations by the employer, for example, against the break regulations according to § 4 ArbZG, the rest periods according to § 5 ArbZG or the maximum working hours according to § 3 ArbZG constitute administrative offenses and can be punished with considerable fines. Therefore, regulations on working hours should also be included in a home office agreement.
- Occupational health and safety
Equally important is the employer’s compliance with occupational health and safety laws and regulations as they relate to the home office. This is less important in the mobile office. The home office workplace must therefore be located in a room that is generally permitted for people to stay. The workplace must comply with occupational health and safety requirements.
- Technical and organizational measures (TOM)
The employer must take into account the changed risk situation in the home office compared to the company workplace and ensure that the level of data protection and security is appropriate. Depending on the risks identified in each individual case, technical and organizational measures must be defined and implemented. These should be listed specifically and comprehensibly in the agreement.
- Reimbursement of expenses
It is advisable to agree on a flat rate for the expenses incurred by the employee when using his or her home office workstation. This lump sum covers the employee’s expenses, e.g. for rent, light, wear and tear of furniture and equipment, etc. It is a financial benefit from the employer that is subject to social security contributions.
- Secrecy and confidentiality
Particular attention must always be paid to the regulations on secrecy and confidentiality. It must be ensured that domestic roommates, visitors or guests of the employee have no possibility of accessing the employer’s data. This is even more true for safeguards such as screen and keyboard protection in the mobile office. The employer should also consider rules for how passwords are generated, where they are stored and when they need to be changed. Information obligations in the event of a break-in or, in the mobile office, if devices are lost should also be considered.
The operational organization of work processes may change. Working in a home office or mobile office with employees does not always proceed as the employer would have wished. In order for the employer to be able to bring its employee back into the company, it is imperative that a retrieval provision be included in a home office agreement.