Do freelancers and self-employed need to worry about GDPR?

Last year, the topic of GDPR continued to become more and more important than ever for business owners, freelancers and the self-employed and of course - none more so than those in the digital space. In many ways, we are coming to understand GDPR and the European approach to privacy and data protection essentially turns every business and person into a data business or a data set. And yes, freelancers and the self-employed DO need to worry about that.

Last year on the blog, we took a birds-eye look at GDPR - beginning to unpack some key terms and points of interest. In this article, we lay out what GDPR is, and the basics that apply to you. Essentially, European General Data Protection Regulation (GDPR) has been in effect in Germany since May 25, 2018 and replaces the previous data protection law. All companies now have to adapt to the new law. All companies? Yes, sole proprietorships and freelancers are also affected. The core of the GDPR is the protection of personal data. This is all data that can be assigned to a specific person - names, addresses, telephone numbers or even IP addresses.

So if you only process data about machines, you can sit back and relax? Caution: machine data can also be linked to personal data. For example, when workers have to log in before they can use a particular machine. And hey presto - there they are again, the personal data. So, imagine you are a solo freelance social media manager and need to use a content scheduler for a client? Yep, you need to keep an eye on GDPR. There are also special categories of personal data. These are set out in Art. 9 GDPR. This includes, for example, health data. Anyone who processes these, for example as a doctor or pharmacy, must handle them particularly carefully.

This is actually nothing new. Even under the old data protection law, it was not possible to simply put customers together in lists and, for example, send them a newsletter. The consent of the person concerned is not required for processes that are simply part of the business, such as invoicing. But as soon as I get the idea to do something else with the addresses, telephone numbers or e-mail addresses, I need the consent of my customer.

Now, let’s get into some more acute details and approach this systemically. As intense as it can sound, it is the case of being prepared on a few specific topics that apply to freelancers and the self-employed - and you should be good to go!

A processing directory

The documentation requirements that the GDPR prescribes are quite annoying. But they are also extremely useful. This can be said above all about the processing directory. Here companies have to list which personal data they are processing exactly, which groups of people are affected and what they are doing to protect the data technically and organizationally. That was already there before, called the directory of procedures, but also only applied to automated processes.

Now all forms of processing are included, pretty from anything from customer business cards or other paper files. Anyone who still thinks: there must be exceptions - that's true. In Art. 30, para. 5 of the GDPR legislation it is said that there should be an exception from the requirement for companies with fewer than 250 employees. But: There are so many restrictions on this exception that it is almost meaningless. After all, who can say with certainty, for example, that the processing of personal data that has been carried out does not pose a risk to the rights and freedoms of the data subjects, as is required there.

Processing contracts

Very few companies manage to do their work without the help of external service providers. In certain cases, these service providers process personal data: customer data, patient data, employee data. Then there is order processing, which is specially treated by the GDPR. Because in the case of order processing, the data subjects do not have to give consent to the use of their data.

The service provider is treated as if he were the client's extended arm. In order to guarantee a certain level of data protection, the GDPR now requires the conclusion of a contract for order processing. You can find a good sample at the GDD, here , and even as a Word document that you can adapt yourself.

Data economy

Like its predecessors, the GDPR has laid down the principle of data economy. Companies need a deletion concept for the data that they no longer need. A good reason to think about a paper shredder. Incidentally, a right to deletion. You can request the person responsible to delete your personal data immediately, for example if you have withdrawn your consent. However, data that was collected on the basis of a legal basis are not affected by the right to deletion.

Statutory retention requirements also conflict with the right to erasure. For example, invoices must be kept for ten years. But, a customer could in theory ask the same of you - so you need to ensure you have that protocol in place.

Do I need a data protection officer?

As a rule, lone fighters do not need a data protection officer. According to the law, a data protection officer must be appointed if, as a rule, at least 20 people are constantly involved in the automated processing of personal data. But: if a data protection impact assessment is required in accordance with Article 35 GDPR, a data protection officer is required for one person or more. This data protection impact assessment is required whenever special categories of data are processed.

However, since Art. 37 Para. 1 c GDPR indicates that a data protection officer must be appointed if the "core activity of the person responsible or the processor is the extensive processing of special categories of data", most healthcare companies are (one-man - Doctors' offices or pharmacies) excluded. In Art. 91 GDPR it says in sentence 4:

“The processing of personal data should not be considered extensive if the processing concerns personal data of patients or clients and is carried out by a single doctor, other member of a health professional or a lawyer. "

The fact that sole proprietorships and freelancers are not forced to get a data protection officer does not mean that advice is not useful. You can solve many things yourself - but this is no substitute for talking to an expert. If you think the type of business or trade class your business operates under could be included in this category, please talk to a professional adviser.

Apart from sole proprietorships, freelancers and freelancers, in particular, have to adhere to the provisions of the GDPR. Freelance work is to be understood as an independently performed scientific, artistic, teaching, writing or educational activity, as well as professional activities of other groups, such as lawyers, tax consultants, architects or doctors. 

In contrast, freelancers, and freelancers called self-employed workers, performing missions and projects for companies under contract or contract for work and fair person. For the above-mentioned professional groups, both the General Data Protection Regulation and the Federal Data Protection Act contain extensive requirements that must be observed when processing personal data. The law does not provide for any exceptions or relief for sole proprietorships. EU bodies and institutions as well as the member states and their supervisory authorities required to take into account the special needs of micro-enterprises as well as small and medium-sized enterprises when applying the GDPR regulations.

Entrepreneurs must always be able to prove that they take technical and organizational measures to ensure compliance with data protection regulations. This obligation arises from Art. 5 Para. 2 GDPR. According to this, the data processing company is responsible for complying with the data protection principles for the processing of personal data from Art. 5  Para. 1 GDPR and must provide evidence of their compliance. For this, all processes should be documented that allow conclusions to be drawn about your own GDPR compliance.

If the person concerned or the supervisory authority makes a request, the company must be able to fully demonstrate compliance with data protection regulations. In this respect, it is advisable to document all measures that are initiated in your own company or freelance business with regard to data protection. All training measures, seminars, further education or instructions for action should be recorded. It is advisable to keep a processing directory for this purpose.  

Most freelancers and self-employed people have websites, which means you need Cookie Notices

Most of all, most freelancers and self-employed people have a website - this means you’ll need to ensure you have a complaint Cookie notice. The so-called "Cookie Directive" regulates the legal handling in the EU. To explain: EU directives are not automatically "law", but must be implemented by the E.U. countries.

The EU Commission had declared that the cookie directive does not actually have to be implemented in Germany, as the current regulations in Germany already meet the requirements of the cookie directive. That sounds strange because the German rules do not provide for consent (i.e. click on " Yes, I agree" ), but only provide a reference to the right to object. But, you need it anyway if you want to be complaint on the E.U. level. Yep, I understand - it makes no sense, but also - is exactly how one could expect it to be!

The legally safest answer: handle cookies as per the highest standard, regardless

Site operators must obtain the consent of the users of their website. You cannot ignore this cookie notice. The consent text for a cookie notice should be displayed the first time the page is accessed (cookie warning). The text for the use of cookies should say as specifically as possible what data it is about, what it is used for and to whom this data and information may be passed on. The user must be informed in detail about the services that set cookies and transfer data. He must expressly confirm that they agree to. And very important: no data may be transferred before the user has given his / her consent.

But also - again with the nuances - you do not need the consent of the users of your website for all cookies. You do not need your consent if you cannot otherwise make your service available to the user. In other words: you do not need consent for technically necessary cookies. But, the overall advice is to play it safe. You are on the safe side if you obtain real consent for cookies and tracking tools on your website. There are so-called cookie consent or consent management tools are available for this purpose.

What is a consent tool?

With a consent tool, website operators can obtain user consent to use their personal data with one click. With a consent tool, you determine which user data is saved and processed and gives users the opportunity to manage and revoke the consent they have given. There are countless providers of cookie consent tools to obtain user consent on websites. 

Consent is not required for all cookies.

A refresher on our above note: session cookies, cookies for logins or shopping carts that do not pass on any data can be covered by the legitimate interests of the website operator. Third-party tracking and advertising cookies require consent. These are mainly cookies that are not absolutely necessary for the actual functions of the website and then possibly link or share the data with other data and services.

GDPR is a long and detailed topic, and on the blog we hope to cover more of it off in 2022. For now though, we hope you understand the core of your obligations the most basic protections you need in the form of Cookies Notice & Consent for your website. As with most things in the digital revolution, from taxes to shipping, you’ll need to be sure you are keeping up to date and compliant!