Today, 28 January, is European Data Protection Day. The day was originally designated as such by the Council of Europe (CoE) in 2007. As Switzerland is a member of the CoE too, the day is also celebrated in Switzerland. To mark the occasion, we want to have a look at one of last year’s hottest topics in the field of data protection: remote work. To this end, we outline some regulatory requirements for working from home and highlight which recommendations Swiss data protection authorities have made on the issue.
For both companies and individuals, 2020 was a challenging year. One of the many challenges was the need to switch from office work to remote work. Obviously, the various Swiss data protection authorities (DPAs) have also recognised this fact. As a consequence, different cantonal DPAs have issued guidelines on working from home in recent months.
In particular, the cantonal data protection authorities of the cantons of Zurich, Solothurn and Nidwalden/Obwalden/Schwyz have issued recommendations in the area of remote work. Although some of the recommendations differ slightly between the different cantons, all of them go in a similar direction and should therefore be taken into account by both employers and employees when working from home.
The recommendations
Notably, two specific points are mentioned by all three cantonal data protection authorities in their recommendations. Namely, business information as well as personal data should be protected both during storage in the ‘home office’ and during transport from the workplace to the employee’s home (e.g. avoiding other people being able to see your screen, setting up a workstation in a corner of a room). In addition, data loss should be reported immediately to the employer in order to avoid major risks.
Besides these jointly recommended points, there are many others to look out for. For example, the Zurich and Solothurn data protection officers recommend that updates should be installed frequently and that anti-virus software should be kept up to date. In addition, strong passwords and secure connections should be used to prevent unauthorised people from accessing business data (no use of third-party WLANs and exclusive use of secure VPN connections). Last but not least, these two data protection authorities also point out that it is essential to protect oneself against phishing and other threats in order to be able to ward off dangers.
In addition, the Solothurn and the Nidwalden/Obwalden/Schwyz data protection authorities in particular recommend concluding agreements or reaching arrangements regarding remote work – and, if possible, drawing up concepts on how to deal with the situation of working from home. Furthermore, these two DPAs suggest a strict separation of company devices from private devices and constant adherence to the employer’s technical guidelines. It is, in their view, particularly important to ensure that no business documents are stored on private devices.
Finally, the DPAs also point out that emails should be used securely and that communication tools should be selected wisely. In addition, employees are advised to work at a protected workplace and to dispose of printed documents properly (where possible, not at home but in the office).
Implications
The three cantonal DPAs give relatively clear information about the key points that need to be considered when working from home. For private companies, employees and public organisations, it is essential to adhere to this advice in order to avoid violating the Swiss data protection regulations. If you have any questions regarding the implementation of the recommendations, PwC will be happy to assist you at any time.
On today’s European Data Protection Day, we hope to have provided you with practical dos and don’ts for your day-to-day work under the Covid regulations. Looking ahead to the upcoming FADP revision in Switzerland, the coming year will also bring exciting new developments in data protection law.
