We spoke with Dr. Christian Szidzek, author of the compendium “DSGVO für Dummies” (“GDPR for Dummies”), published by Wiley in 2021. As owner of the law firm Thales. Rechtsanwälte. Datenschutz, Dr. Szidzek and his colleagues advise medium-sized companies and corporations on the legally compliant implementation of operational data protection concepts.
Red. Mr. Szidzek, “The General Data Protection Regulation for Dummies”. What prompted you to publish in this series? It’s not really appropriate for your target group, is it?
Dr. Szidzek. But of course it is target group oriented! It just depends on how you define your target group. You don’t necessarily come to data protection because the subject matter seems incredibly exciting right away, but because of a deeper conviction, namely that data protection will play a decisive role in the question of what freedoms we will still enjoy in the future. Knowledge is power. And those who know enough about us can also quickly dominate us, i.e., monitor us, manipulate us, discriminate against us, and so on. After many years as a lawyer, much of it spent as a criminal defense lawyer, which I still am from time to time, I have come to realize that personal freedom depends to an extent that should not be underestimated on how we handle the information that concerns us. In my view, the EU’s General Data Protection Regulation, DSGVO for short, is a thoroughly successful first approach to guaranteeing the freedoms and fundamental rights of citizens on the one hand, while on the other hand opening the door to new technologies and to new economic and scientific opportunities in the immense treasure trove of data that digital data processing brings with it. The trick is, on the one hand, to protect the freedom of the individual against encroachment, no matter from which corner, but, on the other hand, not to unnecessarily torpedo the great opportunities that the new technologies bring with them. To come back to your question: the target audience of my book is anyone who has recognized, or is in the process of recognizing, that data protection means freedom, both for the individual and in business terms. So promoting an understanding of this is definitely on my mind. Furthermore, it is true that many companies have also recognized the value of data privacy and realize that they gain a competitive advantage in a trust-driven marketplace by complying with it.
However, implementing data protection operationally is still an almost monstrous task for these companies. So my target audience is everyone with an idealistic interest in data protection, and everyone who already wants to, or has to, implement data protection requirements in a business. They will all find themselves in the book.
As a lawyer who has been in the business for more than twenty years, I have unfortunately found that there is generally little understanding of legal contexts. This is not because no one is interested or because people are unable to understand legal contexts. It is simply because lawyers tend to explain everything in an incredibly complicated way, using the technical language they have learned, which can be a real imposition for a non-lawyer. That’s why I decided to write a book that isn’t once again written for lawyers in their terminology, but that anyone can easily read.
Red. Harsh words about your profession …
Dr. Szidzek. No, not at all. My guild is as heterogeneous as society itself. If you want to know from your doctor what you are currently suffering from and which treatment methods are promising, you don’t want to have to look up the diagnosis in the Pschyrembel medical dictionary, but rightly expect a formulation that is also understandable to you as a medical layman. Unfortunately, lawyers do not learn in their studies how to express themselves in a way that is understandable to legal laypersons. And after working in data protection for a number of years and finding that even some lawyers do not know the difference between data protection and information security, I came up with the idea of writing something basic on the subject.
Red. And then Wiley approached you …
Dr. Szidzek. Yes. And the Dummies series of the Wiley publishing house is ideally suited to this. It is not primarily aimed at a specific specialist audience, but at anyone who wants to familiarize themselves with a complex subject in as short a time as possible and in a language that everyone can understand. And that is exactly what I have tried to do in the book. It is aimed at people interested in data protection who are looking for a book to get started in a complicated subject, a book limited to the most important things that can quickly familiarize even a non-specialist with a subject that otherwise only experts can handle. Trying to achieve the set goal with as little effort as possible, the “minimax principle”, as my father used to call it, is simply effective. You don’t have to study everything to be reasonably knowledgeable in a particular field with a manageable amount of effort. And finally, to come back to the target group: my target audience is anyone who is interested in data protection, such as entrepreneurs plagued by data protection, overburdened data protection officers and managers, data protection coordinators, processors, information security officers, auditors, but also interested private individuals.
Red. … sounds like a lot of protagonists …
Dr. Szidzek. Well, in the book, everyone should find everything they need for their data protection purposes. What I particularly liked about the series, however, is the predetermined modular structure. It is a real challenge for the author to create this, but the reader can simply open a book in this series wherever a topic interests him, without having to read the preceding text first. It is explained to him in the simplest possible terms what it is all about, what the requirements are and how best to implement them. The whole thing is accompanied by tips, little anecdotes and the necessary cross-references, should the reader need further information at one point or another. For me personally, it was a great challenge, especially as a lawyer, to bring complex legal knowledge, well sorted, into a language understandable to everyone, so that dealing with the subject can also be fun. And this challenge has also moved me personally a few milestones forward in my own consulting work.
Red. We are particularly interested in data protection concepts in the context of hybrid working and mobile workplaces …
Dr. Szidzek. Yes, of course. In the wake of the Corona crisis and the associated home office obligations, there was an increasing need for data protection consulting. Since then, employees have worked sometimes at their desks in the office and sometimes from home. According to Section 2 (7) of the Ordinance on Workplaces (Arbeitsstättenverordnung – ArbStättV), teleworkplaces are computer workstations permanently set up by the employer in the employees’ private areas, for which the employer has specified a weekly working time agreed with the employees and the duration of the setup. A teleworkplace is only deemed to have been set up by the employer once the employer and the employees have specified the conditions of telework in an employment contract or as part of an agreement. In addition, the required equipment for the teleworkplace, with furniture and work equipment including communication equipment, must be provided and installed by the employer or a person appointed by the employer in the employee’s private area. This is what the law requires, and these are of course challenges that employers must first overcome.
Red. A complex question to start with. Mobile workstations need adequate technical equipment. What are the three most important requirements for hardware and software in order to meet data protection requirements?
Dr. Szidzek. Above all, the most important requirement is that data protection is ensured in the home office just as it is when working at the company. First of all, only end devices should be used that can access the company’s own system via a secure connection, i.e., VPN, and only with multi-factor authentication. If possible, no data should be stored on the end devices themselves, because otherwise data can be lost if a device is lost. And if this does happen, for example because the device is lost or stolen, there is formally a data protection breach subject to notification under Art. 4 No. 12 of the GDPR. This should be avoided. Of course, the software used must also meet all information security and data protection requirements. Organizing this is not quite so easy, and without suitable experts to set up the system cleanly, it can be difficult.
In detail, other aspects would also have to be ensured. I’ll list them in no particular order, at the risk of naming more than three requirements:
- Always secure devices (notebooks, tablets, smartphones) with a strong password.
- Encrypt internal and external data carriers and files (on Windows, e.g., using BitLocker)
- Do not leave paper files unlocked in the home office or in hotels or other accommodations, even temporarily (storage in locked cabinet, locking the room)
- Ensure privacy when processing files away from home (provide devices with privacy filters/display protection films if possible)
- Deactivate over-the-air interfaces that are not required, e.g., WLAN, Bluetooth, NFC, or activate individual interfaces only as needed.
- Avoid free hotspots. Access potentially insecure hotspots only via VPN.
- Only connect to the company network via secure VPN connections.
- When using private printers, delete the printer’s memory after printing (if the printer stores print jobs); the same applies to private fax machines.
- Always securely destroy confidential paper printouts (shredder security level at least 3, level 4 for classified documents). If a suitable shredder is not available, destroy the paper files only after returning to the office.
- Telephone calls with confidential content both in the home office and on buses, trains and other public transport should only be made if it can be ensured that bystanders cannot overhear the content.
A lot comes to mind right off the bat, as you can tell, but they’re actually all things that should go without saying.
Red. From a legal point of view, does the Workplace Ordinance also apply to “mobile workplaces”?
Dr. Szidzek. Well, according to the ArbStättV, only § 3 of the ArbStättV, the initial assessment of the working conditions and the workplace, and § 6, the instruction of employees, together with Annex Number 6, apply to teleworkplaces. So to that extent, the ArbStättV does apply to teleworkplaces, even if only to a limited extent. For those interested, I recommend reading the passages as a precaution. A look at the statute makes finding the law easier, as lawyers say.
Red. How may the employer secure or control working or core working hours in the home office?
Dr. Szidzek. The employer is actually obligated to record the working hours of his employees, especially when it comes to overtime. Section 16 (2) of the Working Hours Act (ArbZG) applies here. And the employer must even keep the evidence of this for a period of two years. As a rule, this is done via performance records on a trust basis or by logging into the company’s own time recording system. The same options are available in the home office as elsewhere. The employee logs into the company’s own system and can prove, via the duration of his log-in, that he has worked during this time. The employer, in turn, can track that his employee was online. Concrete monitoring of all of the employee’s activities through the use of appropriate tools is of course also conceivable, but very problematic from a data protection perspective. In my view, apart from the data protection implications, it is also a somewhat exaggerated control mania to record every click and every entry in the system. In the end, it’s the results that matter, and good results are usually not generated by permanent control, but by enjoying the work.
Red. Do employees or employers have a legal right to enforce mobile working?
Dr. Szidzek. In principle, an employee’s obligations are based exclusively on the employment contract that has been concluded. If mobile working was agreed in the contract, the employer can of course also demand that mobile working takes place. If not, a contractual amendment can be considered. But these are really more questions for employment lawyers and less for data protection experts.
Red. Are there rights and obligations regarding accessibility when working on the move?
Dr. Szidzek. That, too, is more a question from the field of labor law. In general, however, an employee must be available for communication within the contractual working hours, which usually includes being reachable. This does not change if the employee is working from a home office or otherwise.
Red. Again, the topic of ‘control’. If home office is a mobile workplace … does the employer have a right of entry to the employee’s home, apartment or office?
Dr. Szidzek. Haha, I was already waiting for this question. I’ll ask you a small counter-question: if the public prosecutor’s office and the police are only allowed to enter your house with a court order, do you think your employer would have further rights? Of course, I understand what you are getting at: the problem with the home office is that companies whose employees work from home have to guarantee the conditions under labor law in the home office, but then run up against the inviolability of the home under Article 13 of the German Constitution, which prohibits inspections at home. Now, one can think of a corresponding consent, according to which the employee allows an inspection in return for being allowed to work in the home office. Unfortunately, however, consent is only effective if it is given completely freely and without any direct or indirect pressure. This cannot be assumed in subordinate relationships such as that between an employer and an economically dependent employee, at least if one follows the case law of the labor courts to date. Long story short: no, the employer does not have a right of access.
Red. What about the protection of relevant company or even customer data at the “external” workplace, especially the established home office? What does the employee have to guarantee?
Dr. Szidzek. First of all, the employee does not have to guarantee anything, except for compliance with his contractual obligations. If he works in a home office, these obligations must be imposed on him in the form of specific work instructions and requirements for compliance with data protection regulations and information security requirements. If there is a works council, this can also be solved by means of corresponding works agreements that are binding for the workforce. Otherwise, however, the employee does not have to take any additional initiative of his own other than providing his labor and complying with the instructions given to him.
Red. The employer is liable to third parties for omissions or data protection violations in the home office. How can he protect himself most effectively?
Dr. Szidzek. First of all, before the first employees go into the home office (keyword “company practice”), the employer should issue rules on who is allowed to work in the home office, when and under what conditions. This is done by means of a corresponding work instruction or company agreement. If you have not issued sufficiently documented work instructions, you will already be liable for any screw-ups that occur due to the fault of the company’s executive bodies. Next, internal IT must ensure that the highest possible level of data security is guaranteed. There are the famous technical and organizational measures (TOMs) that have to be taken. Here you can issue organizational instructions on how data may be handled. More effective, however, are technical measures that enforce data protection and information security-compliant processing at the system level. If you have taken all measures that are possible according to the current state of technology and science and your employee still violates the requirements imposed on him, you can exculpate yourself, i.e., free yourself of liability. But only then.
Red. What are the requirements for remote access from the home office? And who bears the costs for the new infrastructure that may be required at the employee’s site?
Dr. Szidzek. Yes, these are much-discussed questions about who bears which costs. The employer enjoys the advantage of not having to bear office expenses if the employee works from the home office. The employee, on the other hand, does not have to travel long distances to and from the office. Who bears which costs here can only be regulated by a clear supplementary agreement to the employment contract, which should also be made in order to create legal clarity for all parties involved. But this, too, is more a question of labor law, how to balance such mutual interests.
Red. Does the employee have to have a security concept for his home office? And what about protecting sensitive data and documents from family members?
Dr. Szidzek. The security concept is always the responsibility of the company in charge, which must provide the employee with corresponding specifications for compliance with security standards. It is clear that the employee must adhere to these. This applies in the home office and, of course, also with regard to close relatives. In the office, they wouldn’t get to see anything, and that’s how it should be in the home office.
Red. What about the private use of company equipment by employees?
Dr. Szidzek. Yes, this is always an issue where freedom-oriented corporate philosophies and legal reality clash unpleasantly. If a company allows or tolerates the private use of e-mail accounts, smartphones or tablets by its employees, it becomes a telecommunications provider vis-à-vis these employees, whether it likes it or not, and is subject to the corresponding regulations that apply to such companies. These include compliance with postal and telecommunications secrecy (Section 206 of the German Criminal Code). If you do not want to violate these regulations, you may not access your employee’s mail account without his consent. As a rule, I recommend that my clients generally prohibit the private use of company devices. Today, everyone has their own ways of communicating, so you don’t have to use the company’s own account for this and you don’t have to get the company into trouble.
Red. Would you allow us a few personal questions?
Dr. Szidzek. Hate to, but if we have to.
Red. If you were an animal, would you be a …? Please give reasons for your statement.
Dr. Szidzek. I agree with Joachim Ringelnatz: “If I were two little birds and had four wings, too.” If anything, I would like to be two little birds. Then you could discuss current topics and be free to do whatever you like. As an old aviator, I obtained a pilot’s license for single-engine aircraft a few years ago, I’m also fascinated by the idea of simply flying off. But flying alone is boring. Maybe someone would like to fly with me? Then we would be four little birds.
Red. What do you consider to be the most important invention of the last hundred years?
Dr. Szidzek. That’s hard to break down to just one. But the Internet and GPS are among them.
Red. Please complete the sentence. In a next life, I would …
Dr. Szidzek. … probably do it in a similar way as I did in this one, whether I wanted to or not, and regardless of whether everything was right or not. I agree somewhat with Schopenhauer: “Man can do what he wants, but he cannot will what he wants.” If you look at yourself with due honesty, the possibilities of self-development are determined by what you want deep inside and by the ability and willingness to implement it, without actually being able to influence that much at the core. This is a little bit different for everyone, and it is already a great gain to find out what one wants, let alone to implement it.
Red. In conclusion: do you have a life motto, and will you share it with us?
Dr. Szidzek. “When the time comes in which one could, the time in which one can is already over.” That’s stolen again, too, this time from Marie von Ebner-Eschenbach, but it sums it up pretty well.
Red. Mr. Szidzek, thank you very much for the interview.
Dr. Szidzek. Thank you very much from my side as well.