Data protection and your home office: from crisis mode to regular operation
The COVID-19 outbreak in Germany has forced many companies to make it possible to process personal data in home offices. Many companies were only able to give rudimentary consideration to data protection issues. These companies should now examine how to apply the legal requirements retroactively so their employees' home offices meet data protection regulations even after the crisis is over.
Employers remain responsible for data processing even when done by employees at home
When employees of a company process personal data, their employer is responsible for that processing. This does not change when employees perform their work at home. The employer must therefore ensure that data processing in home offices complies with the legal regulations. As a rule, employers are also responsible under data protection law when freelancers or temporary workers carry out the data processing.
Legal requirements for the security of processing
In addition to numerous other obligations, the employer, as controller, must ensure the security of the processing of personal data. To this end, the employer must implement appropriate technical and organisational measures ("TOMs") that ensure a level of security appropriate to the risk (Article 32(1) GDPR). The TOMs must ensure the confidentiality (protection against unauthorised access), availability (data can be retrieved at any time) and integrity (protection against falsification) of data processing.
If data processing is moved from the company's premises to the employee's home, new risks to the confidentiality of the data may arise, for example personal data can be viewed by co-residents or family members. Data can also be "tapped" by third parties during transmission from the employee's home network to the company network. As data controllers, employers must therefore reconsider and, if necessary, adjust the existing security measures for data processing at the employees' home offices.
Employers must ensure that the TOMs implemented are appropriate to the processing risk. These requirements applied even before the COVID-19 outbreak in Germany. For work performed at home, the Federal Commissioner for Data Protection and Freedom of Information recommends in the flyer "Telearbeit und Mobiles Arbeiten" ("Teleworking and Mobile Working") (January 2019), pages 13 et seq., the following minimum measures:
- Connection only via a "virtual private network" (VPN).
- Data encryption (end-to-end security) including storage encryption on the mobile device.
- USB access and other ports blocked.
- No connection to printers.
- No private use of IT equipment provided for work purposes.
- Regular training/advanced training of employees on how to handle mobile devices in a manner that is secure and compliant with data protection laws.
These measures are primarily aimed at protecting data against unauthorised access. Other measures may also be necessary, depending on the type of processing. For example, data protection mechanisms previously used in the company's network often no longer apply to data processing at home and must be replaced by suitable alternatives. If data processing is moved, for example, to the employee's notebook at home, a suitable data security concept should also be considered. Measures must also be implemented to deal with a personal data breach in the employee's home office as defined in Articles 33 and 34 of the GDPR.
Implementation of measures to ensure the security of processing in companies
To meet the challenges of teleworking with respect to data protection, companies whose employees were regularly working from home even before the COVID-19 outbreak usually have a home office agreement. This is an agreement containing binding rules for employees concerning the protection of personal data in their own home offices. Such agreements also allow the employer to inspect the employees' home offices in individual cases.
Companies that may have been reluctant to address the legal implications of home offices in the past have had to face not only the challenge of the COVID-19 outbreak, but also the challenge of maintaining their ability to function by enabling home office work while complying with data protection legislation.
No legal exemption from data protection in crisis situations
The corona crisis has forced many companies to suddenly and almost completely relocate their business operations to home offices. Against the background of the exponential COVID-19 outbreak and the almost daily changing official measures for protection against infection, companies have been forced to steer even the company's core processes from home offices. The challenges posed by data protection law were likely one of the last items on a long list of other issues that managing directors and board members had to deal with in the context of the current situation. As a result, often only the absolute minimum of the required data protection measures has been implemented.
Statutory requirements
Although the GDPR and the German Federal Data Protection Act (BDSG) provide sufficient legal foundations to permit the processing of personal data - especially by employees - at home for the purpose of protection against infection, crisis situations do not generally exempt companies from the requirements of data protection law. In particular, there is still a legal duty to ensure that data processing is secured by appropriate protective measures. Even if compliance with data protection regulations in some companies has sometimes had to take a back seat to maintaining the ability to work, companies should note that neither the GDPR nor the BDSG provide for even a temporary reduction in the security of processing in the event of "force majeure".
At the same time, however, the requirements of the GDPR regarding technical and organisational measures for data protection are not intended to exclude any and all risks associated with data processing. Instead, the GDPR follows a risk-based approach: the risks of data processing must be weighed against the rights and freedoms of the data subjects on a case-by-case basis and mitigated by technical and organisational measures to a level of risk acceptable to the data subjects. It is therefore not possible to determine with absolute certainty what measures are necessary to achieve an adequate level of data protection in each individual case.
Initial publications by individual data protection authorities indicate that the authorities are proceeding with a sense of proportion and are not placing insurmountable demands on companies affected by the crisis. For example, Marit Hansen, the State Commissioner for Data Protection of Schleswig-Holstein, acknowledges in a press release dated 24 March 2020:
"For many employees, the motto right now is: starting immediately, home office! Many companies and authorities had no previous experience with this or only in exceptional cases. For this reason, many companies are currently improvising to keep the business running and at the same time meet the needs of their employees as well as possible."
In its information sheet "Suddenly in home office: What now?" (24 March 2020), the Independent Centre for Data Protection of Schleswig-Holstein states that a workplace is "best" set up in "a room or corner of its own". This is not a mandatory individual requirement, however. If a partitioned-off space is not available to the employee, data security must be ensured by other means, such as a privacy screen filter. Ultimately, the decisive factor is that data protection is ensured in a similar way as in the office by means of immediately implementable measures.
Contractual requirements
Companies that process personal data for third parties as contract processors often face additional challenges. For example, data processing from home is often already prohibited by contract or is subject to the consent of the data controller. In the corona crisis, however, work often had to be moved "overnight" to home offices. If this happens, the processor is in breach of contract and may be liable towards the controller for damages, among other things. Processors should therefore check their contractual obligations. If this has been neglected so far, it should be done now, and a dialogue with the other contractual party should be opened.
Need for action to ensure home offices comply with data protection regulations in the future
It is clear from the situation after the COVID-19 outbreak in Germany that many companies have adjusted to work being done in home offices. Even after the strict infection control measures have been lifted, it is therefore unlikely that working from home will be discontinued immediately. On the contrary, it is to be expected that in the future many companies will take advantage of the benefits of work being performed by employees in home offices, at least occasionally.
Companies should therefore not look back, but rather look forward. Data protection measures for home offices that have been implemented too hastily or not at all should be re-examined and implemented in the long term on the basis of appropriate planning. A home office agreement, an appropriate policy or a works agreement could offer a suitable solution.
At the same time, it is to be expected that with the return to a normal working day, data protection authorities will also increasingly focus on data protection in home offices. The Independent Centre for Data Protection of Schleswig-Holstein, for example, clearly states in its information sheet "Suddenly in home office: What now?":
"If, however, an unprepared home office situation should continue over a longer period of time, it is necessary to draw up a written concept for it in your company or government agency. This concept must describe, in particular, the technical and organisational measures to be implemented so that data can be processed securely and in compliance with data protection regulations in home offices."
Companies that have not yet considered data protection in home offices in detail should therefore take action now. This is the only way to address any data protection deficiencies that have arisen as a result of the challenges described above and to come out of the crisis stronger.