Deploying freelancers is growingly popular. Whether start-ups, large corporations or agencies, advantages of freelancers are used in all industries and company sizes. Freelancers are self-employed workers who carry out orders within the framework of a service or work contract. As a rule, freelancers have no employees and work on their assignments personally. Companies can seek temporary support from freelancers and thus use their know-how. One advantage is time and costs saved training new employees. freelancers often have access to personal data of the client. Therefore, more and more companies struggle in defining the position of freelancers in terms of data protection.
1. Data Protection Classification
It is undisputed that deployment of freelancers having access to the company’s personal data involves data processing within the meaning of the General Data Protection Regulation (GDPR). However, it is questionable who is responsible for the processing of the data, in particular what role the freelancer plays here. Freelancers can be classified as a processor (see a.), as an employee of the company (see b.), as a controller (see c.) or as a joint controller with the company (see d.).
a. The Freelancer as Data Processor
There is a lot to be said for the fact that the freelancer is a processor within the meaning of Art. 28 GDPR if a freelancer processes personal data on behalf of the company, is bound by instructions from the company and is not located on the company premises. This leads to the need to conclude a data processing agreement (DPA). In practice, this often leads to problems, as the freelancer is obliged by the DPA to submit a concept for technical and organisational data protection, which the company must regularly monitor. This can lead to the inspection of the private premises of the freelancer. However, freelancers often do not have a concept for technical and organisational data protection or data protection documentation to meet the requirements. Also, for the company, the classification of the freelancer as a data processor and the conclusion of an DPA can be associated with problems. The freelancer would have to be listed as a subcontractor and possibly “approved” by the customer, if he is used in a customer project, for example. This makes the use of freelancers very complicated.
b. The Freelancer as “Employee” of the Company
The freelancer is comparable to the company’s own employees, if the freelancer works on the premises of the company during fixed working hours, at a workplace provided by the company. The transitions between the classification as “comparable with own employees” and data processors are fluid, so that a classification cannot always be made clearly. A VPN access of the freelancer can already lead to a reduction of the degree of self-responsibility of the freelancer and to his integration into the corporate structure of the company. The freelancer can therefore be treated in the same way as the own employees. In this case, the responsibility for the personal data remains with the company and the requirements for data processing do not have to be fulfilled. However, like regular employees, the freelancer should be obliged to maintain confidentiality and comply with all internal guidelines on data protection and data security. In this design, data protection problems are elegantly “circumvented”, but labour law challenges could arise, such as the avoidance of bogus self-employment. However, this will not be further elaborated here.
c. The Freelancer as Controller
Freelancers are deemed to be responsible within the meaning of the GDPR if they themselves determine the means and purposes of the processing of personal data. This can be assumed, for example, if the freelancer himself determines the working time and location as well as the systems used to process the personal data. In this case, freelancers must fulfil all the obligations and requirements of the GDPR with regard to data processing. This also includes the observance of the rights of the data subjects, e.g. the extensive information duties. For the company this has classification/design advantages, since neither requirements to the data processing nor the integration into the data protection organization are necessary like with own employees.
d. Joint Controller
There is a joint controllership according to Art. 26 GDPR, if the freelancer and the company jointly decide on the means and purposes of the processing. There is always a joint controllership if the data processing would very probably have been carried out differently without the participation of the other controller. In the case of joint controllership, a contract must be concluded between the two controllers which regulates and clearly allocates the responsibilities, in particular for the fulfilment of the rights of the data subjects, to the parties.
The following checklists are intended to help you classify freelancers in terms of data protection:
a. Is the Freelancer a Processor?
The freelancer is probably a data processor if
- he is bound by instructions to the company,
- the company decides on the means and purposes of the data processing,
- the processing of personal data is the main service of the freelancer and these can not only be seen casually.
b. Is the Freelancer comparable with the Company’s own Employees?
The freelancer is comparable to the company’s own employees if
- he works in the premises of the company,
- he works at a workplace provided by the company,
- he is bound to fixed working hours and the place of work,
- he works at least via e.g. a VPN connection on the company’s servers and does not store any personal data locally on his own hardware.
c. Is the Freelancer a Controller?
The freelancer is a controller if
- he himself determines the means and purposes of the data processing,
- he decides on working time and location,
- he determines the systems used for data processing,
- he stores personal data on his own hardware.
d. Is the Freelancer a Joint Controller?
The freelancer is a joint controller with the company if
- the company and the freelancer jointly determine the means and purposes of the data processing,
- the freelancer is therefore not bound by instructions from the company,
- he can determine his own working time and location.
The classification of freelancers under data protection law is directly related to the degree of personal responsibility with which the freelancer fulfils his order. A clear demarcation can be difficult. The freelancer can usually be classified as similar to an employee, if the freelancer is tied to a workplace specified by the company and receives concrete instructions for data processing. The freelancer is a data processor, if the he is bound by instructions to the controller, but can decide on e.g. working time and location. The freelancer becomes a controller, if he determines the means and purposes of the data processing himself. In certain cases, the freelancer and the company may be joint controllers. Freelancers and companies then jointly determine the means and purposes of the data processing.