Who is responsible for data protection when working from home?
Trends & Innovations

Privacy and working from home

| | PM (D-A-CH) automated processing of incoming invoices non-SAP systems, SEEBURGER
Privacy and working from home

In many companies, the Corona pandemic has enabled employees to work from home to prevent the Corona virus from spreading rapidly. But how does that affect one’s privacy?

Privacy is the responsibility of the employer

In the digital age, many employees are able to conduct their work from home easily. A connection over the Internet to the company is usually set up quickly and data can easily flow. However, this is where things become critical. Who is responsible for protecting this data?

According to the GDPR guidelines, it is the responsibility of the employer to ensure data protection at home. Therefore, the employer should sensitize their employees to the handling of company data. Appropriate protective measures to ensure that third parties, such as people living in the employee’s household, cannot access personal data need to be taken.

personal data

What exactly is personal data?

Article 4 of the GDPR guidelines specifies when personal data is involved and defines the term as follows: ‘personal data’ means any information relating to an identified or identifiable natural person. Examples of personal data include:

General personal data

  • Name
  • Date of birth
  • Age
  • Place of birth
  • Address
  • E-mail address
  • Telephone number
Bank details

  • Account numbers
  • Credit information
  • Account balances
Ownership characteristics

  • Vehicle and real estate ownership
  • Land register entries
  • License plate number
  • Approval data
Identification numbers

  • Social security number
  • Tax identification number
  • Health insurance number
  • Identity card number
  • matriculation number
Customer data

  • Orders
  • Address data
  • Account details
Physical characteristics

  • Gender
  • Skin colour
  • Hair colour
  • Eye colour
  • stature
  • Dress size
Online data

  • IP address
  • Location data
Value judgments

  • School reports
  • Work certificates

Additionally, there is also special personal data that requires increased protection. The regulations governing the collection and processing of such data are much stricter. Such special categories of personal data include:

  • cultural or social origin
  • political views
  • religious beliefs
  • genetic data
  • biometric data uniquely identifying a natural person
  • health data

With a few exceptions (e.g. consent of the person) the processing of this data is generally prohibited.

Read more: Reliably Compliant – IT Security that pays off.

Working from home – here are the rules

The current Corona pandemic usually forces companies which are often unprepared, to deal with the possibilities of employees working from home. Data protection precautions have in many cases not been taken and corresponding regulations or guidelines have not yet been issued. Therefore, it is important to catch-up quickly. The better you prepare your employees and your IT for the new situation, the smoother the everyday work from home will be.

The employer is responsible for data protection when working from home

Tips for safe and privacy-compliant work from home:

Working environment:

  • Set up a quiet area in which you can work as undisturbed as possible. A study that allows you to clearly separate work and private life at home is ideal. You can also avoid confidential data being overheard or read by third parties. The study should be separate and lockable.
  • Official documents should be stored in a lockable cabinet.
  • A password must be assigned to the operating system. The longer the better – twelve characters offer a good level of protection. Do not use the same password for several accounts.
  • Electronic data transmission must be encrypted using robust and modern methods.
  • Use only hardware and software (PC and smartphone) of the company for your work. Private devices may only be used for professional purposes with the express prior authorization of the employer.
    The IT equipment provided by the employer should not be used privately and the hard disk of the PC/laptop should be encrypted, as well as external data carriers such as USB sticks.
  • For quick exchange, only message applications and telephone or video conference systems authorized by the employer should be used.

The WLAN router should be secured against unauthorized access. If you have never changed the password, make sure that it is not the standard delivery password that will make it vulnerable to attackers. Due to the particularly high protection requirements of a WLAN, the password must be at least 18 characters long.

Read more about: The Risks of Using FTP and E-Mail for the Transfer of Sensitive Files and How to Ensure Compliance and Process Automation to Transfer Sensitive Files.

Working Methods:

  • Transfer the acquired data regularly to the central company system (VPN access).
  • Professional e-mails should not be forwarded to private e-mail accounts.
  • Protect the technology with regular updates. Update virus scanners and installed applications.
  • Make sure that your computer is not used by other roommates, your partner or the children during working hours, for example by setting up a screen lock that you activate every time you leave your workplace. Also, when workers are in your home or when you work with your laptop on the balcony for example, appropriate measures must be taken to prevent access and insight.
  • Avoid printing work documents and papers wherever possible. If this is unavoidable, keep/carry documents until you return to the office, until secure destruction by shredder or privacy paper containers is possible.Report possible violations of data protection immediately to the management and the company’s data protection officer. He or she must then decide how to deal with the data protection incident, in particular whether there is an obligation to notify the data protection authorities and the data subjects.


In the context of the classical employment relationship, the employer is responsible for processing the data. The company is therefore liable for privacy violations, even if the GDPR violations occur at the employee’s home. Privacy at home is a very reasonable expense, if the guidelines of the GDPR are implemented appropriately by the company.

Get in contact with us:

Please enter details about your project in the message section so we can direct your inquiry to the right consultant.

Share this post, choose your platform!

Peter Fels

Written by:

Peter Fels is Product Manager D-A-CH (Germany, Austria, Swiss) at SEEBURGER for the automated processing of incoming invoices for all non-SAP systems. Mr. Fels has many years of experience regarding the conversion from paper to the electronic invoicing processes.