When employees work remotely, is the data controller obliged to update the register of processing activities?

ANSWER

How the register should be updated depends on how it is currently structured. As a rule, the register of processing activities is divided into processes (recruitment, employment, marketing, clients, etc.). In remote work, there is in fact no new processing activity (no new process), because what an employee does at home is the same as what they did previously when working in the office. In other words, the same operations are performed on the data as before, within the "normal" mode of work.

As regards updating the safeguards applied and recorded in the register, what matters is whether employees will work on company or private equipment. If on company equipment, equipment safeguards such as VPN, passwords or antivirus software remain unchanged. If on private equipment, it is then worth requiring the employee to apply specified safeguards on their own equipment, e.g. by means of a remote work policy. Such a policy will specify not only the required equipment safeguards (including various data storage media), but also how to handle personal data recorded on paper.

In summary, there will be no need to add further processes to the register of processing activities, but there will be a need to supplement the safeguards applied in those processes that relate to data subjects whose data are processed remotely.