COVID-19 - Work from home and what the GDPR regulation says about this

COVID-19 - Work from home and what the GDPR regulation says about this

In connection with the outbreak of a coronavirus pandemic (COVID-19), many employers were forced to reduce or suspend their business activities.

One of the solutions to the emergency situation, how to avert a complete paralysis of the operation and maintain business continuity, was to introduce the employees performance of work from the employee's household (hereinafter referred to as "work from home").

Work from home essentially defines the temporary performance of dependent work by an employee for the employer from the employee's residence, if the agreed type of work allows it.

By default, the employee performs such work through established remote access to information systems and network repositories or by approved removal of various documents from the workplace to the house, and vice versa. All ways of transmitting information and personal data bring a number of security risks that you have to deal with.

If the subject of the work from home is the transfer or access to the personal data of the persons concerned, then you must first take appropriate technical and organizational measures in accordance with Art. 32 par. 1 of the GDPR Regulation in order to prevent any security incidents related to loss, destruction, damage or unauthorized access. These rules need to be documented in internal data protection guidelines.


When drafting, you must not forget:

  • Create a list of people (employees) who are authorized to work from home.
  • Approve a list of paper documents and media that individual employees can take out of the workplace.
  • Define rules and tools for remote work (VPN, encryption and access to information systems).
  • Provide technical equipment for working from home (laptop, PC, tablet, etc.) with active protection (at least a firewall, anti-virus and anti-spam program) and setting user rights. Similar security and rules must be applied when using private facilities as long as they have been permitted to work by the employer.
  • Provide backup.
  • Define rules and tools for remote work monitoring and access logging.


If an employee performs his work from home, he should be instructed on the principles of personal data  processing that apply to him in this work. Internal training through one of the many digital platforms (eg Skype or Microsoft Teams) can be considered an ideal form during this period.

What to focus on when training employees:

  • Under what conditions, and which documents and portable media can be taken out of the company's premises.
  • How to securely transfer data in paper and electronic form outside the company's premises.
  • How to adhere to the "clean desk" and "clean screen" policies so that other roommates at the employee's place of residence cannot acquaint themselves with personal data and information.
  • How and to whom incidents arising from the processing of personal data are to be reported.
  • What to do if your documents, portable media and devices are lost or stolen.
  • What are their obligations when processing personal data.
  • What they are not allowed to do.

Do not hesitate to contact us for help in developing security measures.