Data processing agreements and Covid-19 Part 2

In part 1 of this blog series, I explained how a data processing agreement can also be concluded digitally and what you need to look out for when doing so.

Part 2 deals with the question

Does our DPA (AVV) even allow employees to work from home?

We have now seen some of our clients' data processing agreements (DPAs) which stipulate that data processing outside the processor's premises (e.g. home/teleworking, remote access, home office) is not permitted.

If you look at the model of the BfDI (the German Federal Commissioner for Data Protection and Freedom of Information), for example, you will find a similar passage in Section 3 (9) of its model DPA (AVV):

(9) The processor shall ensure that natural persons under its authority who have access to data only process it on the instructions of the controller. Any processing of data outside the premises of the processor (e.g. teleworking, working from home, home office, mobile working) requires the prior express written consent of the controller, which can only be granted after appropriate technical and organizational measures for the processing situation have been defined.

Other DPAs likewise regulate the location of processing explicitly and exclude home office. You should therefore check your own DPA. If you have used our sample and have not stated otherwise in your technical and organizational measures, you do not need to obtain permission from your client before your employees work from home.

Home office without the client's consent?

If you have a contractual agreement that home office may only take place with the consent of the client, you should take a look at Art. 28 para. 10 GDPR.

According to this provision, a processor that infringes the GDPR by itself determining the purposes and means of processing is considered a controller in respect of that processing. In addition to your liability as a processor, you are then also liable as a controller.

As is so often the case, the interpretation of the provision and of the agreements depends on the individual case. Many will ask whether what matters is the physical location of the individual employee or the location of the actual processing, given that the employee merely accesses the data remotely (remote access) while the data itself remains on the company's own systems or servers.

An argument against treating remote access as processing at the company's location is that access from within the company's network at the company's premises poses less of a risk to data security than remote access. It is precisely this risk from remote access that the client wants to prevent by specifying the location of the processing. And it is the client's intention that is decisive in the contract: the client has the right to issue instructions and exercises it by permitting home office only on an individual and explicit basis.

Especially where the contract contains such a restriction, there are many arguments in favor of concluding a supplementary agreement with the client in order to avoid additional liability and possible claims for damages by the client. In practice:

  1. Check your DPAs (place of data processing, force majeure clauses, or subsequent approval of necessary measures).
  2. Talk to your client and find a joint solution in the form of a supplementary agreement.
  3. Ensure that the home office setup complies with data protection requirements (guidelines for employees, employee training, data protection-compliant configuration of mobile work devices, etc.). See Part 3 of this blog series.

In the third part, I deal with the question:

What do I need to consider when sending employees to the home office?
