Hiring freelancers has many advantages for companies: they do not have to pay social security contributions for them, and freelancers can be used flexibly, are often specialized in a certain subject area and can be deployed on projects that arise at short notice.
However, for companies it is almost impossible to avoid sharing personal data with their freelancers, who can come from all kinds of areas: journalists, copywriters, consultants, programmers, graphic designers and so on. We are talking about employees who only work part of their total working time in the company or who are recruited for certain projects.
They almost always have limited access to company documents; even so, data protection must be taken seriously: what do those involved have to consider, and who is responsible for data processing in each individual case?
From a data protection point of view, we have to differentiate between three kinds of freelancers: those who work like regular employees, those who act as contract processors, and those who take on data protection responsibility together with the client.
To classify the freelancer in one of these three categories, two questions must be answered in terms of data protection. First: can the freelancer benefit from the personal data? Second: does the freelancer carry out orders independently or according to instructions? In other words: what power does the freelancer have over the data of the respective company?
The actual power that a freelancer receives over personal data defines his data protection status in the cooperation.
Category one: freelancers who are to be treated like permanent employees
Freelance workers who have little room for maneuver, who often come to the company and use the infrastructure there, should be classified as a kind of employee, although this classification is independent of their status under labor law. With freelancers of this type, the company remains largely in control of the data: the self-employed person is considered neither a processor nor jointly responsible with the client for data protection. He should be treated like an employee, receive regular training, and sign a data protection declaration, like the permanent workforce.
Category two: contract processors
Contract processors are freelancers who work much more independently. For example, they use their own technical equipment in their own or rented rooms. As a rule, freelancers of this type sign an order processing contract (data processing agreement), but be careful: the data protection officer should check before signing whether this contract really fits the respective work relationship. The data processing agreement is only suitable to a limited extent for self-employed people, since it defines obligations that one-man or one-woman companies can hardly fulfill. Sometimes there may even be responsibilities that the contract does not cover.
Category three: shared responsibility
Joint responsibility for personal data is one of the innovations of the GDPR, which has been in effect since May 25, 2018. In this context, the GDPR states that freelancers and clients must share responsibility for personal data if both the freelancer and their "client" (from the perspective of the employment relationship, not in terms of data protection law) pursue their own purposes. Data sets that come from a shared database, for instance, can be used for different purposes.
An example: a freelance marketing employee could use data, such as a customer's address information, for his own purposes. In this case, a data processing agreement is not enough; both parties must set joint responsibility down in writing in the main contract. On the other hand, a printer that deletes the data after a circular has been printed can be regarded as a pure processor for whom the conclusion of a data processing agreement is sufficient. In the case of the marketing expert, the contract should specify the purposes for which the data provided may and may not be used. The joint responsibility can be individually adapted and can also apply to more than two contracting parties.
Deficient contracts, in which the status of the freelancer is not recorded or is incorrectly assessed, fail to account for the personal data involved from a data protection point of view. A so-called diffusion of responsibility arises in which the provisions of the GDPR are violated, because it is not clearly regulated who takes responsibility for the rights of the data subjects. In practice, it often happens that, for example, a data processing agreement is signed even though an agreement on joint responsibility would have been necessary instead.
In principle, the following applies: the handling of personal data records must always be critically scrutinized, especially when working with freelancers, and data minimization and data economy are essential. The data protection officer of a company must correctly assess the data protection status of the freelancer to be able to conclude a contract that is appropriate to the situation.