Since the pandemic, remote work has become an integral part of everyday working life. As a result, employees who process data on behalf of a controller regularly work at home or at some other remote location. Although it is absolutely necessary to address this, the topic is very often omitted from data processing agreements, and service providers who are approached about it sometimes vehemently refuse to make the necessary adjustments.
We highlight the most common arguments of data processors and refute them.
Responsibility in the context of data processing
The responsibility of the controller is not diminished by outsourcing the processing of personal data; it is extended to cover the appointed data processor. It therefore becomes greater.
Wherever and however personal data are processed on the controller’s instructions, the controller must comply with, and be able to comply with, its obligations. One of the most essential obligations is to ensure suitable and appropriate technical and organisational measures (TOM) (Art. 32 GDPR) and to be able to test and prove their effectiveness (Art. 5 (2) GDPR, Art. 32 (1) (d) GDPR). The central provision on data processing explicitly addresses this in Art. 28 (1) and (3) GDPR. Violations can be punished with the well-known fines, by way of Art. 5 (2) GDPR in conjunction with Art. 83 (5) (a) GDPR, even up to the maximum permitted amount.
In other words, no processing of personal data may take place if it is outside the controller’s control. This applies both if the personal data is processed by the controller’s own employees outside its own business premises and if employees of a data processor process personal data outside the business premises of the data processor within the scope of the outsourcing. Control is mandatory.
One more remark beforehand: the fact that the topic is treated so negligently overall is certainly also due to the fact that it is often forgotten or ignored by data protection consultants and data protection officers. Many of them are not even aware of the problem or do not think about it. Moreover, offering a solution is not quite trivial, and it is far more convenient not to wake sleeping dogs. If there is a data processing agreement, only what it contains is quickly assessed. What should be in it but is missing remains unconsidered, and so one’s own work is done more quickly. After all, as an internal data protection officer you still have other things to do, and as an external data protection officer you still have dozens of other clients to look after.
In the end, however, the big hurdle arises primarily with data processors, who regularly fight tooth and nail as soon as the topic comes up.
Why do data processors refuse?
Many service providers have failed to define the control aspect when granting remote work. Where the issue is known at all, it is ultimately a mood killer. Quite understandably, companies find this difficult, and a change, especially one introduced retrospectively, is hard for their own employees to accept. However, this does not change the initial situation described above, and – mind you – the data processor is already in breach of data protection law in its own affairs, since it is itself unable to carry out the prescribed control and consequently cannot fulfil its own accountability obligation. The problem does not only arise from an inconvenient client!
Many employers also consider it disruptive to the peace of the company to impose requirements and restrictions in this area. After all, one only has good employees whom one can trust completely. So there is often great reluctance to adopt a policy. This reluctance is partly due to the fact that the technical prerequisites for secure remote working would first have to be created, and, in addition to not knowing how to do this at all, companies shy away from the investment.
This card is often played by cornered data processors or the data protection consultants behind them. It is true that many constitutions, e.g. Art. 13 of the German Constitutional Law, guarantee the inviolability of the home. But that is not the end of the argument. The protection of personal data, as the “right to informational self-determination”, also has the status of a fundamental right. And, to emphasise this as well: as EU law, the General Data Protection Regulation ranks above national law, including the constitution (i.e. the German Constitutional Law), insofar as the core area of constitutional law is not affected.
The reflexive invocation of the German Constitutional Law or any other constitution is thus doctrinally unsound. In the end, however, this is irrelevant, since both fundamental rights are also found at EU level. Art. 7 of the EU Charter of Fundamental Rights defines, among other things, the protection of the home. And Art. 8 is devoted completely and exclusively to data protection. Neither of these fundamental rights automatically takes precedence, and neither is immune from restriction where other rights or the rights of others require it.
Finally, it should be noted that fundamental rights primarily protect against the state. They have effect between private individuals only indirectly, if at all. In this respect, too, it is not correct to indignantly claim that a contractual policy violates fundamental rights.
This line of argument also regularly ignores the fact that a fundamental right to work from one’s private home is not defined anywhere. Personal data can be processed from business premises without endangering the protection of one’s own home and, at the same time, in compliance with data protection law. Those who wish to enjoy the luxury of working at home must accordingly waive their own legal protection to the extent necessary. This aspect would therefore have to be a mandatory part of any grant of remote work, even outside data processing! Anyone who does not want to enable the responsible party, whether employer or customer, to perform its own duties simply cannot work at home.
This assessment is simply wrong. The obligation to verify the effectiveness of technical and organisational measures, and the accountability obligation, are not subject to any appropriateness test and are not limited by risk considerations. Only the level of the technical and organisational measures themselves, in the area of data security, may be aligned with what is adequate. The obligation to control even limited measures, and the obligation to provide evidence in this regard, remain unrestricted.
This is the standard response to pretty much any comment that a provision in a data processing agreement might not be reasonable or correct. Never has anyone else questioned or even raised this and ended up not happily accepting it. Together with their own advisers, they are completely perplexed as to how anyone could even come up with such an absurd idea.
As in other cases: Many believe themselves to be better advised than they actually are.
The fact that employees insist on remote working may well be true, but unfortunately it is not a valid argument in this context. It is no justification for cutting back on data protection. Remote work must then be granted under certain conditions. There is no right of the employee to unconditional work from home.
What would data processors have to do as employers?
Those who allow work from home without rules can of course accept this risk from an entrepreneurial point of view. However, they must be aware that they are violating data protection law, which can also lead to the corresponding consequences, including a fine. Anyone who is sloppy in their own house cannot trust, or even expect, that their clients will go along with it as far as the clients’ own responsibility is concerned. This is probably also a reason why many contracts and descriptions of technical and organisational measures do not even deal with the unpleasant topic of remote work.
Being able to exercise control does not automatically mean actually exercising it. What is decisive is that the responsible party could exercise control if necessary. This does not mean that it will do so in every case. After all, control can also be exercised and proven by proxy, for example by the employee’s own employer. It is therefore by no means a given that strangers will walk around the flat out of curiosity.
By designing the technology accordingly, the area that actually has to be controlled can be very strongly limited and accordingly also proven rather easily. The right of control of the responsible principal can thus be reserved for cases in which self-monitoring at the data processor’s premises does not take place or is insufficient. A policy along these lines should be acceptable to every employee.
Otherwise, the question arises as to what extent an employee can still be meaningfully employed if they expressly and emphatically oppose data protection requirements.
Conclusion: Without pressure, hardly anything will change
As in other areas of data processing, it will very often happen that the service provider used refuses to make the necessary adjustments and concessions. In that case it is preferable not to accept the contract, or to terminate it. The fact that in this context the announcement is sometimes bluntly made that this procedure (in plain language: compliance with data protection law in the relevant area) does not correspond to one’s own business model speaks for itself and needs no further comment.
As the controller, one has no means of applying pressure, and the supervisory authorities seem to be blind to this. Support is apparently not to be expected even in the case of concrete indications and suggestions. For instance, an audit announced years ago in the German state of Bavaria, which would at least have slightly touched the comfort zone of data processors, appears not to have materialised. Currently, data processors often enjoy foolish freedoms.
As a result, clients are often left to bite the bullet, accept the risk with their eyes wide open and deliberately (!) use the service provider in a way that does not comply with data protection law. The greater the dependence on a specific service provider, the greater the pressure. Often there is no alternative to a contract, either in fact or as desired by (corporate) management. Finally, the service is often already purchased before data protection is quickly checked off. Once the service provider already has the contract, however, its motivation to make concessions is even smaller.
As long as the overwhelming majority of controllers in the data processor market do not demand that processors work in a consistent and fully data protection-compliant manner, this will unfortunately not change. It will probably take some cases being covered by the press as a result of lawsuits.