Fiverr offers numerous freelancers for almost every service: creating websites, setting up automation, creating logos or corporate designs, writing blog posts… Without platforms like Fiverr and Upwork, the digital economy would certainly look very bleak. People from all over the world can offer their services, and customers from around the globe can request them. This creates a huge network in which almost every digital service is represented.
We admit: we enjoy using Fiverr as a freelancer platform ourselves. Small tasks that are not our core business, in particular, can be requested easily there. Using the search function, you can filter by country, ratings, experience or spoken languages and select the right person from a vast number of freelancers. And we have had almost exclusively positive experiences.
However, requesting and commissioning services via Fiverr involves a risk that most companies in Europe are probably only too familiar with: privacy.
Privacy when placing orders on Fiverr and Upwork
Yeah, again. The data protection laws of the European Union, in particular the GDPR, are strict by worldwide comparison, and entrepreneurs usually find them little fun. Privacy also plays a crucial role when it comes to freelancers. We explain why, against this background, it is more useful and safer to hire European service providers instead of freelancers for your project:
Point 1: Exchange passwords, access data and personal data on Fiverr vs GDPR
Article 32 paragraph 1 of the GDPR regulates the guarantee of a “level of security appropriate to the risk” and refers in particular to “pseudonymization and encryption of personal data”. For this purpose, the controller and the processor would need to take appropriate technical and organizational measures.
To put it more simply: exchanging passwords or access data in plain text via the Fiverr chat could be considered highly problematic under the GDPR.
The parties should also ensure that sensitive data is protected accordingly. This is done by means of so-called technical and organizational measures, TOMs for short. Companies that operate in compliance with the GDPR should draft and disclose these TOMs, Sebastian Mertens says. In them, European service providers should disclose their infrastructure and thus allow conclusions to be drawn about their IT security. This could enable customers to assess how their data is being used.
Honestly, we have never experienced such a procedure on Fiverr. Passwords are simply exchanged and are not changed even after the end of the project. We have never personally received or read TOMs from freelancers on Fiverr.
Point 2: Data processing agreements (DPA) with Fiverr freelancers
Article 28 of the GDPR bears the beautiful title “Processor”. It stipulates that contractors cooperate only with those “processors” (persons, authorities, institutions or other bodies that process personal data on behalf of the data controllers) who provide “sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject”, Sebastian Mertens adds.
Such processors should include any services used that have access to customer data, such as hosting, e-mail services, servers and CRM systems. With all these subprocessors, a European company should conclude individual DPAs. These agreements should specify how and for what purpose the customer data is to be stored, used and secured.
This means that even with Fiverr freelancers, a company would theoretically need such a DPA as soon as access to Integromat, Zapier, WordPress and so on is given, because personal data is very often exchanged in connection with orders, even if the order is only a simple blog post.
We are not aware that we have ever received a DPA from freelancers on Fiverr. This was regardless of which EU or non-EU country the person came from.
Point 3: Liability issues when working with Freelancers on Fiverr or Upwork
As so often in life, in the end it’s all about the question of liability. And of course the GDPR also regulates this point. According to article 82, paragraph 1, “any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered”.
Non-material damage could be, for example, discrimination or damage to reputation resulting from the processed data. Non-material damage would also arise if the personal data concerned becomes public and reveals political opinions, world views, beliefs or ethnic origin.
This means that, in the worst case, cooperation with freelancers who do not process data according to GDPR standards could have expensive consequences.
Conclusion: Freelancers need more support from Fiverr
We could go on like this forever, quoting individual articles from the GDPR which show that the Fiverr or Upwork platforms may often be unsuitable for privacy-compliant collaboration. And that is actually a great pity, because these services bring great benefits to many companies and offer almost endless possibilities. We don’t know why Fiverr does not offer DPAs with subprocessors as a standard. It would certainly be a simple solution, however. As a conceptual idea, Sebastian Mertens adds that documents could be made available as templates, or that an agreement on data processing (DPA), data protection and general terms and conditions could be made obligatory before the project is awarded.
Nevertheless, for projects and contracts involving personal data (and that’s almost all of them), we advise you to work with European service providers who must comply with these regulations, have TOMs and DPA contracts and can process data with the required security.
Disclaimer: This article is not legal advice, only an editorial contribution based on the experience and expertise of Sebastian Mertens. We are not lawyers and only carry out a technical IT assessment based on the GDPR and publicly available data, as well as projects known to us. We assume no liability for contents or derived recommendations for action.