October 2020

How to Protect Personal Data while Teleworking

courtesy of the European Data Protection Supervisor

Teleworking Tools

Review the tools used, assess their security, confidentiality and privacy features, and make sure that your IT department can provide guidance so that you can make an informed decision, preferably at the highest management level, about the selection of the appropriate tools.

Corporate and Private Devices

Will personal data be processed on personal devices? Does your company provide users with clear policies and instructions on how to handle this personal data? On the other hand, providing employees with company equipment will give you more control over the IT environment used by staff. Be mindful of the principle of data minimization and avoid unnecessary sharing of personal data.

Controller/Processor Roles

When relying on external providers for new products or services, choose the most privacy-friendly tools and ensure that you have appropriate control over how external providers handle the data entrusted to them. Make sure that your controller-processor agreements cover all mandatory elements under Article 28(3) of the GDPR.

Data Processing in the EU/EEA and Data Transfer

If you have to rely on an external provider, then first check if the services of providers established in the EU/EEA entail any transfer of personal data outside the EU/EEA. Should this be the case, make sure that your provider has appropriate safeguards in place that meet the requirements set out under Chapter V of the GDPR. If your external provider is not established in the EU/EEA and does not fall within the scope of an adequacy decision by the European Commission, then you need to obtain appropriate safeguards under Article 48 of the Regulation.

For more guidelines on employer/provider monitoring, data retention, data subject rights, contact tracing activities and others, feel free to get in touch with the Penteris IP&DP team.