MDM in the company: Focus on data protection, works councils and employee rights

In many companies today, the introduction of mobile device management (MDM) is a sensible measure to make mobile working safer and more efficient. However, companies repeatedly encounter internal hurdles during implementation, particularly due to concerns raised by the works council. These concerns often centre on protecting employees' privacy and the potential monitoring functions that could come with an MDM system. This article highlights why MDM benefits not only the company but also its employees, how the workforce's co-determination rights are preserved, and which technical and organisational measures (TOMs) ensure data protection.

Advantages of MDM for employees

A mobile device management system not only offers advantages for the company, but also makes everyday work easier for employees. Here are some of the most important points:

Data security

In the event of a device being lost or stolen, an MDM system offers the option of quickly and securely deleting sensitive company data. This not only protects the company, but also employees from unpleasant situations when private devices (BYOD) are used in a work context.

Increased flexibility

MDM allows employees to work securely from anywhere. Whether in their home office, on business trips or in a café – secure access and encryption mean that company resources can be used without risk. This means greater flexibility and fewer restrictions.

Separation of professional and private data

A well-implemented MDM makes it possible to neatly separate professional and private data on a device (keyword: ‘container solutions’). This gives employees the assurance that their private data is not being controlled or monitored by the company.

Fast IT support

Problems with mobile devices can often be solved quickly and easily remotely, without the employee having to take the device to the IT department. This saves time and hassle.

Employee co-determination rights

One of the key issues when introducing MDM is the co-determination rights of the works council. These co-determination rights offer employees an important opportunity to actively protect their data privacy and rights.

Works agreement as a protective instrument

In many companies, a works agreement is concluded between the employer and the works council, which precisely regulates how an MDM system is used. This agreement can set clear limits on what data is collected, how it is processed and who has access to it. This prevents the MDM system from being seen as a ‘control tool’.

Transparency and information

Employees have the right to be fully informed about how an MDM system works and how it is used. This creates transparency and trust. An open dialogue between companies and employees often alleviates many of the initial concerns.

Possibility of adaptation

A works agreement is not a rigid construct. It can be adapted to the needs of employees and changing technical possibilities. This ensures that data protection remains at a high level at all times.

What data does an MDM store and what does it not store?

One of the most common misconceptions when introducing an MDM system is the concern that it could be used as a monitoring tool. To allay these concerns, it is important to clearly explain what data an MDM actually collects and what it does not.

Data stored by an MDM

An MDM system primarily collects security-related information to protect company data and resources. Typical data stored by an MDM includes:

  • Device information: Device type, operating system version, serial number, model and technical specifications.
  • Software information: Information about installed and approved apps and their versions.
  • Security status: Encryption status, jailbreak/root detection, status of security patches.
  • Network connections: Logs of connections to company resources, e.g. VPN usage.
  • Location data (optional): In certain cases, such as when a device is lost, location data may be collected, but only with clear consent and according to defined rules.

Data that MDM does not store

An MDM configured in line with data protection requirements respects employee privacy and does not store private data. The following data is not usually collected:

  • Personal communication: Emails, text messages, chat messages and call logs remain private.
  • Private apps and their data: Private apps and their content (photos, social media, personal documents) are not monitored.
  • Browsing history: Private browsing history is not tracked. Only access to company resources may be recorded.
  • Private app usage: How often and in what way private apps are used is not within the scope of the MDM.

This clear separation between private and business data is not only ensured technically by the MDM system.
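The allow/deny split described above can be enforced and audited, not just promised. The following check, added here as an example and not part of the original article or any MDM product, validates a constructed inventory record against the data categories a works agreement permits; the field names and sample records are assumptions for illustration.

```python
"""Check an MDM inventory record against the data categories a works agreement allows.

Constructed example: field names and records are illustrative, not a real MDM schema.
"""

# Security-related fields the works agreement permits the MDM to collect
ALLOWED_FIELDS = {
    "device_type", "os_version", "serial_number", "model",      # device information
    "installed_apps",                                           # software information
    "encryption_enabled", "rooted", "patch_level",              # security status
    "vpn_sessions",                                             # connections to company resources
}

# Private data that must never appear in an inventory record
FORBIDDEN_FIELDS = {
    "emails", "sms", "chat_messages", "call_log",   # personal communication
    "photos", "personal_documents",                 # private app content
    "browsing_history", "private_app_usage",
}


def check_record(record: dict, device_reported_lost: bool, location_consent: bool) -> list[str]:
    """Return a list of findings; an empty list means the record complies with the agreement.

    Location data is handled as a conditional field: it is only acceptable when the device
    has been reported lost and consent to locate it has been recorded.
    """
    findings = []
    for field in record:
        if field in FORBIDDEN_FIELDS:
            findings.append(f"forbidden private data present: {field}")
        elif field == "location":
            if not (device_reported_lost and location_consent):
                findings.append("location collected without lost-device status and consent")
        elif field not in ALLOWED_FIELDS:
            findings.append(f"field not covered by the works agreement: {field}")
    return findings


# Constructed sample records (serial number and values are placeholders)
COMPLIANT_RECORD = {
    "device_type": "smartphone", "os_version": "17.4", "serial_number": "SN-EXAMPLE-0001",
    "encryption_enabled": True, "rooted": False, "patch_level": "2024-03",
    "installed_apps": ["mail", "vpn-client"],
}
NONCOMPLIANT_RECORD = {
    **COMPLIANT_RECORD,
    "call_log": ["+49 30 000000"],          # personal communication, must not be collected
    "location": (52.52, 13.405),            # only allowed for a lost device with consent
    "contacts": ["Alice", "Bob"],           # not listed in the agreement at all
}
```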

Technical and organisational measures (TOMs)

Another important building block of data protection is the set of technical and organisational measures (TOMs). These measures are required by law and play a central role in the introduction of MDM.

Technical measures

An MDM system must be configured in such a way that it does not collect unnecessary data and respects the privacy of employees. This includes, for example, the encryption of data both on the device and during transmission. Access restrictions and a strict separation of private and professional areas are also technical measures that strengthen employee trust.

Organisational measures

In addition to technology, organisational processes must also be defined. These include clear rules on who in the company has access to which data, how long data is stored and when it must be deleted. These measures are often developed in collaboration with the data protection officer and the works council and are reviewed regularly.

DPA: Data protection safeguards for MDM

Another very important tool for data protection is the data processing agreement (DPA), which is concluded between companies and external service providers in accordance with the General Data Protection Regulation (GDPR).

Data processing by third-party providers

MDM providers act as processors on behalf of the company. In order for these service providers to be allowed to process data, a DPA must be concluded between them and the company. This contract ensures that the service provider only processes the data within the scope of the agreed purposes and complies with strict data protection requirements.

Basic contents of a DPA

According to the GDPR, a DPA must regulate certain points in order to ensure the protection of personal data. The basic contents include:

  • Subject matter and duration of processing: This defines what data is processed and for how long. It must be clearly specified what type of personal data the processor receives and how long they are allowed to process it.
  • Nature and purpose of processing: The DPA describes the purpose for which the service provider processes the data, e.g. for managing devices within the scope of MDM. The processor may only use the data for the purposes described in detail.
  • Obligations and rights of the controller: The contract must clearly specify the rights of the company as the client and the obligations of the service provider towards the company and the data subjects (employees).
  • Security measures (TOMs): The service provider must take appropriate technical and organisational measures to ensure the protection of the data. This may include encryption, access restrictions, backup procedures and other security measures.
  • Regulations on data transfer: It must be clearly regulated whether the processor uses subcontractors (sub-processors) and under what conditions they have access to the data. The same strict data protection requirements also apply to subcontractors.
  • Controlling rights of the client: The DPA must stipulate that the client has the right to verify the service provider’s compliance with data protection regulations. This includes, for example, audits and inspections.
  • Procedure in the event of data breaches: It must be defined how the processor will proceed in the event of data breaches. This includes the obligation to inform the company immediately so that it can comply with its reporting obligations under the GDPR.
  • Deletion or return of data: The contract must specify what happens to the personal data after processing has been completed. The processor must either delete the data or return it securely to the company.

Data protection-compliant implementation

The DPA ensures that both the company and the MDM service provider comply with the provisions of the GDPR. This strengthens employee confidence, as they can be sure that their data will not be misused or passed on.

Checklist: MDM implementation with works council

If your company has a works council and you want to implement mobile device management, cooperation with the works council is crucial to creating a data protection-compliant and employee-friendly solution. Here are the most important steps you should take:

  • Early involvement of the works council
    • Contact the works council at an early stage to discuss the project.
    • Provide the works council with comprehensive information about the objectives and functions of the MDM system.
  • Information and education phase
    • Provide the works council with all relevant information: What data is collected, how is it processed, and what security measures are implemented?
    • Organise training sessions or workshops to answer questions and clarify any misunderstandings.
  • Drafting a works agreement
    Work with the works council to draft a works agreement that regulates the use of MDM. The agreement should specify the following points:
    • What data may be collected and processed.
    • Technical and organisational measures (TOMs) to protect employee data.
    • Regulations on the separation of private and professional data on mobile devices.
    • The works council’s rights of control and transparency obligations towards employees.
  • Data protection safeguards through a DPA
    • As external service providers are involved in the operation of the MDM, a data processing agreement (DPA) must be concluded with the contractor.
  • Transparency towards employees
    • Ensure that all employees are clearly informed about the MDM system, its functions and the protection of their privacy. Also offer them the opportunity to ask questions.

Conclusion: MDM as an employee- and data protection-friendly solution

The introduction of mobile device management should not be misunderstood as a surveillance tool. Rather, it offers companies and employees numerous advantages – from increased data security and greater flexibility to a clear separation of professional and private data.

Company agreements and technical and organisational measures can effectively address concerns about privacy and control functions. Ultimately, everyone benefits: the company can make its IT infrastructure more efficient and secure, while employees enjoy more freedom and support in mobile working. Open dialogue and transparent regulations are the key to successful and data protection-compliant MDM implementation.

Contact

Are you looking for a European MDM solution for your company?

Contact us to learn more about 7P MDM! Our team of experts will be happy to advise you.