The European Court of Justice has followed the requests of the Advocate General with its decision (Judgement of 01.10.2019, no. C-673/17) on the consent to the setting of cookies and demands a clear active consent by the user, so that a preset check box is not sufficient.
Deploying freelancers is increasingly popular. Whether start-ups, large corporations or agencies, the advantages of freelancers are used in all industries and company sizes. Freelancers are self-employed workers who carry out orders within the framework of a service or work contract. As a rule, freelancers have no employees and work on their assignments personally. Companies can seek temporary support from freelancers and thus use their know-how. One advantage is the time and cost saved on training new employees. Freelancers often have access to personal data of the client. Therefore, more and more companies struggle to define the position of freelancers in terms of data protection.
1. Data Protection Classification
It is undisputed that deployment of freelancers having access to the company’s personal data involves data processing within the meaning of the General Data Protection Regulation (GDPR). However, it is questionable who is responsible for the processing of the data, in particular what role the freelancer plays here. Freelancers can be classified as a processor (see a.), as an employee of the company (see b.), as a controller (see c.) or as a joint controller with the company (see d.).
a. The Freelancer as Data Processor
There is much to suggest that the freelancer is a processor within the meaning of Art. 28 GDPR if the freelancer processes personal data on behalf of the company, is bound by instructions from the company and is not located on the company premises. This makes it necessary to conclude a data processing agreement (DPA). In practice, this often leads to problems, as the DPA obliges the freelancer to submit a concept for technical and organisational data protection, which the company must regularly monitor. This can lead to the inspection of the freelancer's private premises. However, freelancers often have neither a concept for technical and organisational data protection nor data protection documentation that meets the requirements. For the company, too, classifying the freelancer as a data processor and concluding a DPA can cause problems. The freelancer would have to be listed as a subcontractor and possibly “approved” by the customer if, for example, he is used in a customer project. This makes the use of freelancers very complicated.
b. The Freelancer as “Employee” of the Company
The freelancer is comparable to the company’s own employees if the freelancer works on the premises of the company during fixed working hours, at a workplace provided by the company. The transitions between the classification as “comparable with own employees” and as a data processor are fluid, so that a clear classification cannot always be made. Even VPN access for the freelancer can reduce the freelancer's degree of self-responsibility and lead to his integration into the corporate structure of the company. The freelancer can therefore be treated in the same way as the company's own employees. In this case, the responsibility for the personal data remains with the company and the requirements for data processing do not have to be fulfilled. However, like regular employees, the freelancer should be obliged to maintain confidentiality and comply with all internal guidelines on data protection and data security. In this design, data protection problems are elegantly “circumvented”, but labour law challenges could arise, such as the avoidance of bogus self-employment. However, this will not be further elaborated here.
c. The Freelancer as Controller
Freelancers are deemed to be controllers within the meaning of the GDPR if they themselves determine the means and purposes of the processing of personal data. This can be assumed, for example, if the freelancer himself determines the working time and location as well as the systems used to process the personal data. In this case, freelancers must fulfil all the obligations and requirements of the GDPR with regard to data processing. This also includes the observance of the rights of the data subjects, e.g. the extensive information duties. For the company, this classification has design advantages, since neither the requirements for data processing nor integration into the data protection organization, as with the company's own employees, is necessary.
d. Joint Controller
Joint controllership according to Art. 26 GDPR exists if the freelancer and the company jointly decide on the means and purposes of the processing. There is always joint controllership if the data processing would very probably have been carried out differently without the participation of the other controller. In the case of joint controllership, a contract must be concluded between the two controllers which regulates the responsibilities and clearly allocates them to the parties, in particular for the fulfilment of the rights of the data subjects.
The following checklists are intended to help you classify freelancers in terms of data protection:
a. Is the Freelancer a Processor?
The freelancer is probably a data processor if
- he is bound by instructions from the company,
- the company decides on the means and purposes of the data processing,
- the processing of personal data is the main service of the freelancer and the data is not merely seen incidentally.
b. Is the Freelancer comparable with the Company’s own Employees?
The freelancer is comparable to the company’s own employees if
- he works on the premises of the company,
- he works at a workplace provided by the company,
- he is bound to fixed working hours and the place of work,
- he at least works on the company’s servers, e.g. via a VPN connection, and does not store any personal data locally on his own hardware.
c. Is the Freelancer a Controller?
The freelancer is a controller if
- he himself determines the means and purposes of the data processing,
- he decides on working time and location,
- he determines the systems used for data processing,
- he stores personal data on his own hardware.
d. Is the Freelancer a Joint Controller?
The freelancer is a joint controller with the company if
- the company and the freelancer jointly determine the means and purposes of the data processing,
- the freelancer is therefore not bound by instructions from the company,
- he can determine his own working time and location.
The classification of freelancers under data protection law is directly related to the degree of personal responsibility with which the freelancer fulfils his order. A clear demarcation can be difficult. The freelancer can usually be classified as similar to an employee if the freelancer is tied to a workplace specified by the company and receives concrete instructions for data processing. The freelancer is a data processor if he is bound by instructions from the controller, but can decide on e.g. working time and location. The freelancer becomes a controller if he determines the means and purposes of the data processing himself. In certain cases, the freelancer and the company may be joint controllers. Freelancers and companies then jointly determine the means and purposes of the data processing.
Online review platforms such as Yelp and Trustpilot are getting increasingly popular. They are available for practically every situation in life, every service and every product. In our purchase decisions, we increasingly rely on such recommendations.
Last year, when the General Data Protection Regulation (GDPR) came into force for companies, the focus was on implementing its requirements. The forthcoming entry into force of the new Trade Secrets Act should now bring a new important topic into the focus of management: measures to protect a company's own trade secrets.
Save the date: On 19 June 2019, the Hamburg Law Applicants’ Day will take place. The event offers young lawyers the opportunity to get to know the law firms presenting themselves in an informal atmosphere and to make initial contacts or consolidate existing contacts. PLANIT // LEGAL will also be there.
Influencer activities are becoming an increasingly important marketing approach. Companies and influencers often assume that they are operating in a legal grey area and that it is unclear to what extent they must label their publications as commercial. In fact, mistakes in this legal assessment can have severe consequences. The following article describes the obligations to label influencer activities as commercial and the latest judgements in the field of influencer marketing.
The Higher Regional Court (OLG) Munich (decision of 10 January 2019 – 29 U 1091/18) has decided that the conclusion of a consumer goods purchase via the Amazon-Dash-Button lacks transparency and that the contractual provisions unreasonably disadvantage the consumer. It has therefore ordered Amazon to refrain from its business practice at the request of the North Rhine-Westphalian center of consumer protection (“Verbraucherschutz-zentrale NRW”). It is not to be expected that the decision of the Higher Regional Court will constitute an obstacle to innovative business models. On the contrary, the implementation of the legal requirements will make a decisive contribution to “multichannel shopping” in line with consumers’ and service providers’ interests.
The following article summarizes the court’s decision and provides information on how the transparency requirements can be implemented into the Dash-Button in a legally secure manner.
The General Data Protection Regulation (GDPR) widely expands the application of European data protection law. Thus, non-European companies will increasingly fall within the scope of European data protection law. The scope of application in detail remains uncertain and can pose serious legal challenges to non-European companies. Where European data protection law claims its application, there is a serious likelihood of conflicts with the rules of their national (data protection) law.
The General Data Protection Regulation (GDPR) is a legal instrument of importance for the European Economic Area (EEA). Pursuant to Article 7(a) of the Main Agreement on the EEA (EEA Agreement), all EEA States are obliged to adopt the GDPR domestically. This applies not only to the EU member states but also to the EFTA States Iceland, Liechtenstein and Norway. The following article shows the detailed composition of the EEA (1.), on which basis the GDPR will apply in the EEA (2.) and how the corresponding incorporation procedure is structured (3.).
Customer data is one of the most important assets of many asset deals. If it is not transferred correctly, however, it is worthless for the buyer. In addition, it can be expensive for both the selling and acquiring company.