Your company now wants to work with freelancers, i.e. independent contractors. There are several advantages, such as flexible deployment on an invoice basis without employment law obligations. At the same time, there are legal questions that need to be considered and clarified. Depending on how closely a freelancer is integrated into your business, completely different rules apply. And you should know them – otherwise you risk not only trouble with the data protection authority, but in the worst case also consequences under social security law.
This article focuses in particular on the data protection hurdles.
A Freelancer is Not Just a Freelancer
When you bring in external specialists and they process personal data for you or with you, this can take on very different legal forms. The GDPR recognises several models for classifying freelancers as data recipients in the context of data protection:
- Independent controller (Art. 24 GDPR)
- Joint controllers (Art. 26 GDPR)
- Processor (Art. 28 GDPR)
- Person subject to the authority of the controller (Art. 29 GDPR)
Which model applies to your situation depends on the specific working relationship. And this is where it gets interesting.
The Decisive Factor: How Much Control Do You Exercise Over a Freelancer?
The central question is: How much do you dictate to the freelancer what to do and how to do it?
A lot of autonomy
If the freelancer decides for themselves the purpose and manner in which they process data, they act as an independent controller. In that case, they are a third party under data protection law and bear full responsibility themselves. If you jointly determine the purpose and nature of the data processing, joint controllership applies. In both cases, a Data Processing Agreement is required – clearly regulating responsibilities and their limits.
Subject to instructions, but organisationally independent = Processor
The term “subject to instructions” is already tricky in the context of a freelancer contract. However, if a freelancer processes data on your behalf and that work is bound by your instructions, this constitutes order processing.
Caution! It is important to note here that even though someone works according to your content guidelines, they should still distance themselves from your organisation as much as possible – for example, by using their own tools or by independently deciding on their working hours and location. In this case, you absolutely need a Data Processing Agreement (DPA) that precisely governs what is to be done and how, and in particular that the instructions relate exclusively to data processing.
When Is a Freelancer to Be Classified as an Employee?
If your freelancer effectively works like an employee, they may qualify as a “person subject to the authority of the controller” within the meaning of Art. 29 GDPR. That sounds practical at first, but it has its pitfalls.
The following points indicate that someone is legally treated like an employee:
- Works with your hardware and software
- Has fixed working hours on your premises
- Uses your time-tracking systems
- Wears a staff ID badge
- Submits regular project reports
- Has little scope to exercise their own judgement in performing tasks
- Is integrated into workflows just like your permanent employees
Caution: Bogus Self-Employment!
Now it gets tricky: if someone is as closely integrated as an employee – why are they still “self-employed”? This is where the danger of bogus self-employment lurks, which can have massive employment, social security, tax, and even criminal law consequences for both parties.
Bogus self-employment exists when someone is formally engaged as self-employed but is in fact in a dependent employment relationship and would actually need to be employed subject to social security contributions.
Additional warning signs include:
- No work for other clients
- Non-competition and secondary employment restrictions
- No use of own capital or resources
- Inability to engage third parties to perform the service
Important to understand: The data protection classification is not identical to the social security law assessment. You can classify someone as a person subject to authority under Art. 29 GDPR without this automatically constituting bogus self-employment – but the areas overlap significantly. So: keep your eyes open when drafting contracts!
How to Avoid Mistakes
The different classifications require a careful case-by-case review. Our tip:
- Analyse the actual working relationship – not just what the contract says
- Clearly distinguish between order processing and Art. 29 GDPR – do not use Art. 29 as an excuse to avoid a proper DPA
- Document everything carefully – precise contracts are your best protection
- Review regularly – working relationships evolve, and so does their legal classification
Legal Living Hub Takes Care of It for You
Sounds complicated? It is. But that’s what we’re here for.
At Legal Living Hub, we help small businesses like yours stay on the safe side of the law. We analyse your freelancer collaboration, classify it correctly under data protection law, and create the appropriate contracts – whether DPA, joint controllership agreement, or confidentiality declarations.
That way, you can focus on your business, while we make sure you don’t receive any unpleasant correspondence from the data protection authority or the pension insurance provider.
Let’s talk about your freelancer situation – together we’ll find the legally clean solution for your company.
