Whether startups, medium-sized companies, or large corporations – many businesses are now strategically utilizing freelancers. As independent workers, they bring additional expertise and professional competence. With their knowledge and skills, they assist companies in projects and specific tasks. But how does data protection play into collaborating with a freelancer?
Freelancers enter into various forms of employment relationships when collaborating. This not only involves legal requirements regarding labor law but also numerous data protection regulations and rules that must be strictly adhered to.
Violating current data protection laws can lead to substantial fines and other severe penalties. You can learn about what you need to consider regarding data protection and freelancers and how to best proceed in different situations in the following article.
Who is Considered a Freelancer by Law?
Generally, according to § 18 para. 1 no. 1 sentence 2 EStG (German Income Tax Act), independently performed scientific, educational, teaching, literary, and artistic activities are included. The legislator explicitly defines independently performed or freelance activities in the so-called catalog professions.Â
This spectrum ranges from doctors and lawyers to engineers and architects, as well as auditors, tax consultants, and journalists. However, IT freelancers, in their freelance activities, are not automatically classified under these catalog professions.Â
Nevertheless, there is a possibility that the offered IT services fall into the category of similar professions. Examples of such IT services include:Â
- Consulting and planning of IT infrastructure and systemsÂ
- IT security and data protectionÂ
- Installation and configuration of software and hardwareÂ
- Data management and backup solutionsÂ
- Server and network managementÂ
- Proactive repair and maintenance of IT systemsÂ
- Helpdesk and support servicesÂ
- Cloud computing and hosting servicesÂ
- Training and educational programs for company employeesÂ
KEY POINTS
- Freelancers must consider different data protection responsibilities depending on their working method and adherence to company instructions.
- A careful review and adjustment of contractual agreements are crucial to comply with GDPR guidelines when collaborating with freelancers.
- The correct classification of the working relationship between companies and freelancers is essential to implement adequate data protection measures.
The Processing of Personal Data by Freelancers
Data protection law particularly focuses on the possible processing of personal data. Depending on the extent of processed personal data, an order processing agreement (short: DPA) is often required for such an employment relationship. Important aspects for classifying freelance work also include instruction and location dependency and the responsibility of the freelancers.Â
What Status do Freelancers Have Regarding Data Protection?
To fully comply with GDPR guidelines in an employment relationship with a freelancer, these three aspects play a crucial role. Always keep this principle in mind: The less personal data processed by the freelancer working for your company, the simpler the entire employment relationship from a data protection perspective. You can choose between three models to employ a freelancer in GDPR-compliant ways.Â
1. Freelancer as an Independent Contractor
If the freelancer works at set times with company-owned hardware at a workspace provided by your company, they take on the status of a quasi-permanent company employee. This has the advantage that you don’t need an AVV for data protection reasons in this case.Â
However, this also makes them a person subordinate to you. This means the data protection responsibility lies solely with you or your company, as explicitly formulated in Art 29 GDPR. Naturally, the freelancer must comply with the respective company guidelines.Â
These guidelines are usually specified in the main contract, often accompanied by a confidentiality agreement and the obligation of data protection confidentiality on the part of the freelancers, insofar as they process personal data in their activities.Â
2. Freelancer as a Data Processor
The situation is different if freelancers determine their own workplace and working hours and use their own hardware. In this case, they are legally considered as self-employed or external service providers. If processing personal data is a focal task, a freelancer operates as a data processor commissioned by you according to Art. 4 para. 7 GDPR.Â
However, this poses a problem for you and your company: The autonomous processing of personal data by the freelancer is difficult to control. To stay on the safe side, it is advisable to conclude an AV contract according to Art. 28 GDPR with the external service provider.Â
At the same time, a potentially concluded AVV also covers the transmission of personal data. This ensures that the freelancer processes, captures, and forwards or transmits all personal data exactly according to your instructions.Â
3. Freelancer Works Independently and Autonomously
In practice, there is another case: Your company provides the data, but otherwise, the freelancer is relatively free in their decisions and determines the framework conditions of personal data processing themselves. This means: The freelancer does not strictly follow instructions from your company and therefore must independently fulfill GDPR requirements in their activity.Â
It is particularly important that they reliably and comprehensively fulfill their information obligations. But, for example, managing inquiries from data subjects also falls within the freelancers’ area of responsibility. Nevertheless, you should additionally secure your company. This way, you can contractually fix crucial points such as the confidentiality and purpose limitation of the data.Â
Challenging Classification: Various Legal Bases are Possible
This also applies to the transmission of personal data by your company to the freelancer. In many cases, a written agreement on joint responsibility (GVV) provides a secure legal basis for processing and transmission. In some cases, a regular AV contract is also sufficient. In certain case-specific situations, Art. 6 para. 1 lit. f GDPR (legitimate interest) applies from the outset.Â
Find Your Next Freelance Project!
Who is Responsible for the Data Protection of Freelancers?
In addition to the question of location and instruction dependency, responsibility is a particularly central point from a data protection perspective. The responsibility for corresponding GDPR compliance should always be clearly regulated contractually in advance. The nature of such a contractual agreement depends on the freelancer’s work deployment and performance. You have four data protection configurations available:Â
1. Responsibility Lies Solely with the Company
If freelancers are classified as employees for the reasons mentioned earlier, your company is solely responsible for GDPR compliance and data protection. In this case, you treat the freelancer like a regular employee. Like your permanent employees, a freelancer in this configuration should sign a corresponding data protection declaration and participate in regular training or similar activities.Â
2. Responsibilities are Often Regulated through a Data Processing Agreement (DPA) for Data Processors
If, on the other hand, freelancers use their own technical equipment and work in their own premises, they are considered data processors. Usually, freelancers of this type sign a data processing agreement, in which the obligations around data protection for freelancers are detailed.Â
For cooperation with pure data processors, such as printing companies, an DPA is then also the best solution. But if you only commission a single freelancer, an AV contract often cannot correctly reflect reality. Because the DPA fundamentally defines comprehensive obligations for the freelancer.Â
However, sometimes this does not fit the actual work relationship at all. Fulfilling these obligations is hardly feasible for solo self-employed or one-person companies. Moreover, depending on the case, there may be a responsibility that is not covered by an DPA at all. Therefore, additional agreements are sometimes necessary.Â
3. Joint Responsibility with Individual Purpose Pursuit
Since May 25, 2018, the GDPR also allows for shared or joint responsibility for personal data. This regulation comes into play when you as the client and the freelancer pursue their own purposes with respect to the personal data.Â
A typical example of this is customer addresses. Because these are not only a significant business basis for your company but can also be used by freelance IT or marketing service providers for their own purposes. A classic DPA is not sufficient as a legal basis here.Â
Instead, in such situations, you must define exactly in the main contract how and for what purpose the freelancer may use the provided data. This results in a joint responsibility that can be individually adapted on a case-by-case basis. Corresponding contractual agreements are also possible for more than two contract partners.
4. The Freelancer Bears Sole Responsibility
If the commissioned freelancer determines their working hours and location entirely independently, they usually also bear full responsibility for data protection. This is due in part to the fact that your company cannot adequately control compliance with data protection regulations in this constellation.Â
Conclusion
A working relationship between a company and a freelancer can take different forms. This also brings various requirements regarding data protection regulations.Â
This is particularly reflected in determining the responsibility for processing personal data. Although there is a schema that allows for case-specific assignments, the boundaries can be somewhat blurred.Â
Because when you work with a freelancer or specifically entrust them with various tasks, individual work relationships are created each time. Therefore, it’s essential to identify and select the precisely fitting solution approach for data protection and GDPR compliance for each constellation.Â
No. Pure data processing only exists when the company alone determines the means and purposes of processing data with personal content. Additionally, the freelancer must be strictly bound by the instructions of the company as the client.Â
This question cannot be answered generally. Here, it is necessary to distinguish case-specifically between four different configurations:Â
- Responsibility lies solely with the company (Freelancer is treated like a permanent employee)
- Responsibility lies solely with the freelancer (Freelancer determines work time and location independently)
- Responsibility is regulated through a data processing agreement (particularly applicable in the case of pure data processors)
- Responsibility is jointly exercised (solution approach when both contractual partners pursue their own purposes with regard to the provided data)
Both the companies and the freelancers are obligated, depending on the contractually agreed responsibility, to strictly implement all data protection regulations. If there are violations, the authorities impose, in addition to temporary data processing bans, additionally hefty fines. Depending on the offense, company size, and turnover, fines can amount to several million euros.Â