Mobile working has become a worldwide trend since the beginning of the corona pandemic. Online team meetings are held from home, sensitive emails are sent on the go via smartphone, or new applications are programmed on the laptop in a café. Many are not aware that their mobile work doesn’t comply with data protection regulations. The possible consequences are misuse, manipulation, or loss of data.
CARMAO GmbH, a specialist in corporate resilience, names security risks and shows who is responsible for handling sensitive data under data protection law.
The employer is liable for damage
Mobile work offers a number of advantages, such as flexibility, but also increases the risk of non-compliance with data protection regulations. Negligence can lead to the misuse of authorizations, manipulation of hardware or software by third parties, access to personal and customer data by unauthorized persons, or even the complete loss of data.
Misuse and damage are often caused by the incorrect use or administration of devices and systems or by unauthorized intrusion into IT systems. This can have serious consequences for the company, because although employers have only limited control rights and influence outside the office, they must take responsibility if damage occurs due to a lack of data protection.
The General Data Protection Regulation (GDPR) underlines this: according to Art. 4 No. 7, the employer always remains responsible for data processing. Claims for damages and fines can be asserted against the employer if data protection has not been adequately implemented in the home office or in mobile work.
The protection of sensitive data is the duty of the employee
Even if the employer bears the responsibility, the employees are obliged to always comply with any guidelines or instructions relating to their job when handling data. This applies in particular to requirements for the security of personal data. Anyone who works on the go must protect sensitive data with the same care as in the office. For example, data should not be stored on local hard drives or data storage devices that are not owned by the employer.
The employer is therefore obliged to provide or release hardware and software. Employees may then use only this equipment to store data. Employees who work in the home office or on the go must also ensure that other people do not have access to the data processed in connection with their employment. If, despite all precautions, there is a justified suspicion that data security, in particular the confidentiality of data, could be at risk, employees must report this to the company immediately.