  • Data Protection for Freelancers: Avoiding Legal Pitfalls

    09.03.2026

    Your company now wants to work with freelancers, i.e. independent contractors. There are several advantages, such as flexible deployment on an invoice basis without employment law obligations. At the same time, there are legal questions that need to be considered and clarified. Depending on how closely a freelancer is integrated into your business, completely different rules apply. And you should know them – otherwise you risk not only trouble with the data protection authority, but in the worst case also consequences under social security law.

    This article focuses in particular on the data protection hurdles.

    A Freelancer is Not Just a Freelancer

    When you bring in external specialists and they process personal data for you or with you, this can take on very different legal forms. The GDPR recognises several models for classifying freelancers as data recipients in the context of data protection:

    • Independent controller (Art. 24 GDPR)
    • Joint controllers (Art. 26 GDPR)
    • Processor (Art. 28 GDPR)
    • Person subject to the authority of the controller (Art. 29 GDPR)

    Which model applies to your situation depends on the specific working relationship. And this is where it gets interesting.

    The Decisive Factor: How Much Control Do You Exercise Over a Freelancer?

    The central question is: How much do you dictate to the freelancer what to do and how to do it?

    A lot of autonomy

    If the freelancer decides for themselves the purpose and manner in which they process data, they act as an independent controller. In that case, they are a third party under data protection law and bear full responsibility themselves. If you jointly determine the purpose and nature of the data processing, joint controllership applies. In both cases, a Data Processing Agreement is required – clearly regulating responsibilities and their limits.

    Subject to instructions, but organisationally independent = Processor

    The term “subject to instructions” is already tricky in the context of a freelancer contract. However, if a freelancer processes data on your behalf and that work is bound by your instructions, this constitutes commissioned processing (the processor model).

    Caution! Even if someone works according to your content guidelines, they should still keep as much distance from your organisation as possible – for example, by using their own tools or by deciding independently on their working hours and location. In this case, you absolutely need a Data Processing Agreement (DPA) that precisely governs what is to be done and how, and in particular makes clear that the instructions relate exclusively to data processing.

    When Is a Freelancer to Be Classified as an Employee?

    If your freelancer effectively works like an employee, they may qualify as a “person subject to the authority of the controller” within the meaning of Art. 29 GDPR. That sounds practical at first, but it has its pitfalls.

    The following points indicate that someone is legally treated like an employee:

    • Works with your hardware and software
    • Has fixed working hours on your premises
    • Uses your time-tracking systems
    • Wears a staff ID badge
    • Submits regular project reports
    • Has little scope to exercise their own judgement in performing tasks
    • Is integrated into workflows just like your permanent employees

    Caution: Bogus Self-Employment!

    Now it gets tricky: if someone is as closely integrated as an employee – why are they still “self-employed”? This is where the danger of bogus self-employment lurks, which can have massive employment, social security, tax, and even criminal law consequences for both parties.

    Bogus self-employment exists when someone is formally engaged as self-employed but is in fact in a dependent employment relationship and would actually need to be employed subject to social security contributions.

    Additional warning signs include:

    • No work for other clients
    • Non-competition and secondary employment restrictions
    • No use of own capital or resources
    • Inability to engage third parties to perform the service

    Important to understand: The data protection classification is not identical to the social security law assessment. You can classify someone as a person subject to authority under Art. 29 GDPR without this automatically constituting bogus self-employment – but the areas overlap significantly. So: keep your eyes open when drafting contracts!

    How to Avoid Mistakes

    The different classifications require a careful case-by-case review. Our tip:

    • Analyse the actual working relationship – not just what the contract says
    • Clearly distinguish between commissioned processing (the processor model) and Art. 29 GDPR – do not use Art. 29 as an excuse to avoid a proper DPA
    • Document everything carefully – precise contracts are your best protection
    • Review regularly – working relationships evolve, and so does their legal classification

    Legal Living Hub Takes Care of It for You

    Sounds complicated? It is. But that’s what we’re here for.

    At Legal Living Hub, we help small businesses like yours stay on the safe side of the law. We analyse your freelancer collaboration, classify it correctly under data protection law, and create the appropriate contracts – whether DPA, joint controllership agreement, or confidentiality declarations.

    That way, you can focus on your business, while we make sure you don’t receive any unpleasant correspondence from the data protection authority or the pension insurance provider.

    Let’s talk about your freelancer situation – together we’ll find the legally clean solution for your company.

  • GEMA vs. OpenAI: Landmark Ruling on Copyright in the AI Era

    26.11.2025

    The Case That’s Shaking the AI Industry

    On November 11, 2025, the Munich Regional Court issued a decision* that could have far-reaching consequences for the development of artificial intelligence. GEMA, Germany’s largest music rights management organization, had sued OpenAI – and won. The allegation: ChatGPT had used copyrighted song lyrics without a license and reproduced them almost verbatim.

    *LG München I, final judgment of 11.11.2025 – 42 O 14139/24 – can be found here: gesetze-bayern.de

    The Core Question: What is Text & Data Mining?

    In its defense, OpenAI had invoked so-called Text & Data Mining (TDM). This exception anchored in copyright law generally allows the use of protected works for automated analysis of large data sets. The idea behind it: science and research should be able to recognize patterns and correlations in texts without having to acquire a license for each individual text.


    However, the Munich court made it clear: What OpenAI was doing goes beyond pure TDM. The crucial difference lies in the type of use. TDM typically analyzes data and derives new insights from it. ChatGPT, however, had apparently processed the song lyrics in such a way that they could later be output almost word-for-word.

    The Problem of “Memorization”

    A central concept in this legal dispute is so-called “memorization.” This refers to the process by which AI systems go beyond simply learning patterns from training data. Instead, they effectively store this content and can later reproduce it.

    In large language models like ChatGPT, memorization can occur under specific conditions. This happens when certain texts are processed so frequently during training or are so distinctive that the model essentially “memorizes” them. The system then develops the ability to reproduce these texts almost identically. This process is similar to a human who has memorized a poem.

    It was precisely this memorization that became OpenAI’s undoing. The court’s argumentation addressed a crucial distinction in AI usage. When an AI internalizes copyrighted works so strongly that it can reproduce them verbatim, it crosses a legal boundary. This is no longer permissible analysis, but constitutes unauthorized reproduction and public communication.

    The Legal Classification

    The Munich Regional Court established a clear boundary in AI copyright law. When AI training results in content being permanently retained or later reproduced word-for-word, it exceeds the scope of the TDM exception. This exception is intended only for pure analysis, not for the reproduction of protected works.

    Therefore, if an AI application uses and reproduces song lyrics without a license, developers violate German copyright law. This directly interferes with the economic exploitation interests of the creators. Users could then access texts via AI instead of purchasing them from licensed providers.

    Reactions and Outlook

    Dr. Tobias Holzmüller, CEO of GEMA, was combative after the verdict: the internet is not a self-service store, and human creative achievements are not free templates. They had created a precedent that makes clear that operators of AI tools must also comply with copyright law. GEMA therefore sees the verdict as a successful defense of musicians’ livelihoods (quote: gema.de).

    The verdict is not yet legally binding. OpenAI could appeal, and it remains to be seen whether higher courts will share the Regional Court’s assessment.

    What Does This Mean for the Future?

    This decision could have profound implications for the development and deployment of AI systems. Companies may need to rethink their training methods and ensure that their models cannot memorize and reproduce protected content. This could lead to technical adjustments, such as filters that prevent copyrighted texts from being output.

    At the same time, the verdict raises fundamental questions: How can AI developers ensure that their systems do not violate copyrights? What technical measures are necessary and practicable? And how can innovation in AI development be reconciled with the protection of creative works?

    In any case, the Munich verdict makes one thing clear: The message “Copyright remains in force – even in the AI age” has reached the courts. Song lyrics and other creative works are not free training resources for artificial intelligence. Those who want to use them must pay for it – or find technical ways that exclude memorization and reproduction.

    Want to read more about AI? Check out our articles on “What is an AI System?” and “CRA vs. AI Act”.

    Do you have questions about using AI systems? Secure your free initial consultation now!


Copyright 2024
