BYOD | Bring your own Device

BYOD | Bring your own Device

grüner Hintergrund mit Laptop und Smartphone

Guideline Q&A FAQ Documents

Info page on the policy on handling Private IT Devices (BYOD) and Business IT Devices, including Mobile IT Devices

TU Braunschweig wants to enable its employees to work flexibly and therefore promotes the use of mobile IT devices.

The use of work devices for private purposes and the use of private devices for work purposes has not been permitted to date due to data protection, information security and employment law requirements. With the "BYOD policy", TU Braunschweig enables mixed use and protects its employees from personal liability.

On this website you will find additional information on the guideline Dealing with private IT devices and business IT devices, including mobile IT devices. The guideline applies together with Service Agreement No. 54 for all employees of TU Braunschweig and for all types of IT devices, such as computers, notebooks, smartphones and tablets.

Please note that a transitional period will be granted until the end of the year to allow mixed use to take effect.

The private use of business IT devices or the business use of private IT devices becomes effective by signing the supplementary agreement "Application and authorisation form for the use of private devices for business purposes / business devices for private purposes" (see info portal).

Basic safety measures

TU Braunschweig is obliged to use only state-of-the-art IT devices in all organisational units (OUs) and for all employees in order to minimise the risk of an IT security incident. All devices used for official purposes must therefore fulfil certain requirements (excerpt and examples):

  • Devices must have a password lock and automatically lock when inactive.
  • Only software from trustworthy sources (e.g. manufacturer's website or GITZ) may be installed.
  • Updates to the operating system and installed software must be carried out regularly.
  • Storage media (e.g. hard drives) must be encrypted.
  • An internet connection may only be established via secure connections.
  • The loss of devices must be reported immediately.

How can a private device be used for business purposes?

In principle, the OU management or the supervisor must authorise this use.

Authorisation is granted via the supplementary agreement "Application and authorisation form for the use of private devices for business purposes / business devices for private purposes". Among other things, employees undertake to do so:

  • to take the above-mentioned security measures,
  • strictly separate business and private data on the device,
  • hand over all work-related data and delete it from the device when the employment relationship ends or the private device is changed,
  • to grant the office access to the device in the event of an IT security incident (in compliance with the GDPR and the protection of private data).

Access to the device and the official data by the department only takes place in accordance with the information security regulations in the event of information security incidents in the context of hazard prevention and for technical clarification and, if necessary, by order of the relevant state investigating and supervisory authorities, as well as if necessary in the event of data protection enquiries and data protection incidents in accordance with the EU GDPR.  Of course, all applicable laws are observed during the inspection. Service Agreement No. 54 on this topic also ensures the involvement of the Staff Council and the protection of employee rights.

How can a business device be used for private purposes?

In principle, authorisation from the head of the OU or the supervisor is also required here.

Authorisation is also granted via the supplementary agreement "Application and authorisation form for the use of private devices for business purposes / business devices for private purposes".

The above-mentioned security measures are set up by GITZ for centrally managed devices.In the case of decentrally managed devices, the OU is responsible for administration and acts in an advisory or direct configuration capacity (see DV54, §6 Para. 1). Employees must ensure that

  • private and business data are strictly separated on the device and
  • private data is completely deleted when the device is returned.