GDPR and Hiring Freelancers in the EU

Articles
August 26, 2021
Admins

The General Data Protection Regulation (GDPR) came into effect in May 2018, replacing the previous 1995 data protection directive. This EU regulation covers privacy and security of data, and it is vital to ensure that your business is compliant with GDPR when it hires freelancers or other employees.

GDPR Principles

There are seven GDPR principles which should be followed by all businesses operating within the EU. These are:

Fairness and transparency – you must comply with GDPR laws.

Purpose limitation – you must explain what you will do with any data gathered, and you cannot resell data to third parties without explicit permission.
Data minimization – you must only collect the amount of data that your business requires.
Accuracy – you must give opportunities for clients to update their information.
Data deletion – you must only keep data for the time required to fulfill the product or service they have acquired from you.
Security – you must keep data secure and implement good practices in your business.

Accountability – you must be able to show how you comply with GDPR.

How Does GDPR Apply When Hiring Freelancers?

GDPR rules are specific about the data that can be stored and who it can be shared with. This means that when you hire freelancers, you must ensure that you are complying with GDPR rules with regard to the data that you collect about them. These are the particular points that you must cover in order to be compliant:

Proof of consent – you need to be able to prove where data has come from, and that each person gave you their explicit consent to store that data.
Use of processors – if you use companies’ services to process data (e.g. CRM or accounting software), you must have written agreements in place to ensure that they only act in accordance with your instructions.

Profiling – there are certain restrictions surrounding the automatic processing of personal data to evaluate a data subject. If you use automatic processing, you will need to ensure that you comply with these.
Data subject rights – individuals can ask you to provide access to all of the data that you hold about them, and they can request that data be corrected, deleted, frozen or made portable.
Breach notification – if there is a data breach, individuals must be notified as soon as possible, and no later than 72 hours after the company is aware of the breach.
Data protection officer – if your company regularly monitors data subjects, you must appoint a Data Protection Officer (or appoint one on the basis of a service contract).

If you are found not to be compliant, you can be fined up to €20 million or 4% of the company’s annual global revenue.

As well as considering GDPR implications in the hiring process, it is important to consider whether any freelancers will be handling data and what you need to put in place to ensure that your company is compliant here.

If you require assistance or support with hiring freelancers in the Nordic region, please contact us.