Is an open space office layout compliant with GDPR and LPD?

For several years now, there has been a tendency to adopt open space offices, in other words a workspace in which the offices are not separated by partitions. The idea is to make communication within the company more fluid while at the same time bringing staff closer together.


Is a layout of that kind in a company which processes personal data compatible with data protection, in particular with the Swiss Federal Data Protection Act (LPD) and the EU General Data Protection Regulation (GDPR)?


That Regulation may in fact even apply to Swiss companies (on this matter, see: https://wg-avocats.ch/blog/donnees-personnelles).


Our analysis shows that an open space office layout is not incompatible with data protection, despite the possible first impression. A layout of that kind is not prohibited per se, but the cardinal principles of data protection must be respected, in particular the principle of proportionality, which is enshrined in Art. 4 LPD and Art. 5 GDPR.
In practice, this means that the company concerned must take a number of technical and organisational measures to protect the personal data that it processes, in relation both to third parties and to its own employees.


For that purpose, it must first determine which particular data are processed, their character (sensitive personal data etc.) and which departments or employees must have access to them to achieve the purpose for which they are processed.


The following measures can be quoted as examples:


  • protect access to the open space; that could be done by installing a system of personal badges at the entrance to the space;
  • confine visitor access to the open space zones in which personal data are not processed and instruct employees not to leave visitors unsupervised or simply prohibit all access by visitors to the open space;
  • create an adequate number of secure “confidentiality” zones (which can for instance be locked) within this space; employees may then go to those zones when the need arises;
  • set up work zones reserved solely for departments that process personal data (for instance the human resources department, legal service etc.), accessible only to wearers of a personal badge;
  • make sure that staff are aware of the need to protect data security.


The penalties that may be imposed in the event of failure to comply with the applicable legal stipulations are by no means negligible, since they may amount to as much as CHF 10,000 under the present LPD (Art. 34 et seq LPD) (on this subject see: https://wg-avocats.ch/blog/revision-loi-federal-protection-donnees/) and, if the GDPR applies, up to EUR
