There are dangers lurking in the home office when it comes to data protection, and data protection violations in particular can be expensive. This article covers what companies have to pay attention to when selecting and configuring messenger services, and how they can keep communication compliant with data protection regulations during the corona period.
Messenger services as well as video and online conference tools are flying high in the home office. They are often used without security precautions on company laptops, home PCs or private smartphones. This carelessness can have costly consequences, because the General Data Protection Regulation (GDPR) applies even in times of crisis. Data protection-compliant use of messenger services is possible and should be a priority for companies. We summarize what you have to pay attention to in 7 points.
1. Is the tool not only used internally but also externally?
Companies must first ask themselves whether the software should be used only for internal organizational communication or also for discussions and video conferences with customers and business partners. The two cases raise different data protection issues. In particular, employers may be able to rely on Section 26 of the Federal Data Protection Act (BDSG) as an independent and specific legal basis for processing employee data. The legal requirements are also lower when the tool is used only in an internal employee context.
2. Selection of the communication tool
With the correct default settings, most of the requirements for data protection-compliant use of communication services can be met. Art. 25 GDPR stipulates that “data protection by design and by default” must be guaranteed.
When choosing a service provider, you should pay attention to a number of data protection criteria, for example whether the service offers end-to-end encryption, so that message content is readable only by the participants and not by the provider.
3. Special app requirements
If messenger services or video and online conference tools are used as an app on mobile phones or tablets, the latest software version should always be running. Automatic synchronization of the address book and automatic cloud backups should be disabled. If chat attachments are saved on the device, other apps must not be able to access them. It is also recommended that the end devices be adequately protected (screen lock, encryption).
4. Health sector
Special requirements apply to the use of messenger services or video and online conference tools in the health sector if health data is (also) processed. At the end of 2019, the German data protection authorities published a detailed white paper on the technical data protection requirements for messenger services in the hospital sector, whose requirements also apply to the rest of the healthcare sector.
5. Human weakness
Various studies show that humans are the number one weak point and the main cause of data breaches. If none exists yet, an internal guideline should define how the communication tools may be used and where the limits of that use lie. Training courses and flyers covering the most important points also help and raise awareness among employees.
6. Data protection information
All participants in the conversation should be informed about the processing of their personal data in accordance with Art. 13 and 14 GDPR before taking part. Among other things, they must be informed about the purpose, scope and duration of the processing and about the recipients of the data. In practice, it has proven useful to provide the data protection information for conferences as a link in the meeting invitation and / or on the log-in page. For pure messenger / chat tools, it is appropriate to provide the data protection information directly during installation or as a link in an automatic message on first contact.
7. Employee representation and data protection officer
Works councils or staff councils must be involved before the services are used, as such tools are in principle capable of monitoring the behavior or performance of employees (Section 87 (1) No. 6 of the Works Constitution Act, BetrVG). In addition, the data protection officer should also be involved in selecting suitable communication tools.