On Fiverr there is an offer of numerous Freelancers for almost all services: Creating websites, setting up automation, creating logos or corporate designs, writing blog posts… Without platforms like Fiverr and Upwork, the digital economy would certainly look very bleak. People from all over the world can offer their services and customers from all over the world can request them. This creates a huge network in which almost every digital service is represented.

We admit: We enjoy using Fiverr as a freelancer platform ourselves. Especially small tasks that are not our core business can be requested easily there. Using the search function, you can filter by country, ratings, experience or spoken languages and select the right person from a vast number of freelancers. And we have had almost exclusively positive experiences.

However: inquiring and commissioning services via Fiverr involves a risk that most companies in Europe are probably only too familiar with: Privacy.

Privacy when placing orders on Fiverr

Yeah, again. With the (in world-wide comparison) strict data protection laws of the European Union, in particular the GDPR, entrepreneurs usually only have little fun. And also for the topic of Freelancers privacy plays a crucial role. We explain, why it is more useful and safer against this background, to hire European service providers instead of Freelancers for your project:

Point 1: Exchange passwords, access data and personal data on Fiverr

Article 32 paragraph 1 of the GDPR regulates the guarantee of a “level of security appropriate to the risk” and refers in particular to “pseudonymization and encryption of personal data“. For this purpose, it is necessary that the controller and the processor take appropriate technical and organizational measures.

To put it more simple: exchanging passwords or access data in plain text via the chat in Fiverr is considered very critical according to the GDPR.

The parties must also ensure that sensitive data is protected accordingly. This is done by means of so-called technical and organizational measures, TOMs for short. Companies that operate in compliance with the GDPR must draft and disclose these TOMs. In these, European service providers must disclose their infrastructure and thus allow conclusions to be drawn about their IT security. This enables customers to assess how their data is being used.

Honestly, we have never experienced such a procedure on Fiverr. Passwords are simply exchanged and are not changed even after the end of the project. We have never personally received or read TOMs from freelancers on Fiverr.

Point 2: Data processing agreements (DPA) with Fiverr freelancers

Article 28 of the GDPR bears the beautiful title “Processor”. This regulates that contractors only cooperate with such “processors”, i.e. persons, authorities, institutions or other bodies that process personal data on behalf of the data controllers, who provide “sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject“.

Such processors include any services used that have access to customer data, such as Hosting, e-mail services, servers, CRM systems. With all these subprocessors, a European company must conclude individual DPAs. These agreements must specify how and for what purpose the customer data is to be stored, used and secured.

This means that even with Fiverr freelancers, a company would theoretically need such a DPA, because very often personal data is exchanged during projects.

We are not aware that we have ever received a DPA from freelancers on Fiverr. For this, it does not matter which EU or non-EU country the person came from.

Point 3: Liability issues when working with Freelancers

As so often in life, in the end it’s all about the question of liability. And of course the GDPR also regulates this point. According to article 82, paragraph 1, “any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered

Immaterial damages are, for example, discrimination or damage to reputation due to the processed data. However, immaterial damage is also caused if the corresponding personal data becomes public and political opinions, world views, beliefs or ethnic origin emerge from them.

This means that, in the worst case, cooperation with freelancers who do not process data according to GDPR standards can have expensive consequences.

Conclusion: Freelancers need more support from Fiverr

We could go on like this forever now and quote individual articles from the GDPR, which show that the Fiverr or Upwork platforms are often not suitable for privacy-compliant collaboration. And that is actually an extreme pity, because these services bring great benefits to numerous companies and offer almost endless possibilities.

Nevertheless, for projects and contracts involving personal data (and that’s almost all of them), we advise you to work with European service providers, who must comply with these regulations, have TOMs, DPAs and process data with the required security.

We would like to see Fiverr provide better support to freelancers who wish to offer their services in compliance with the GDPR. For example, necessary documents could be made available as templates, or approval of the DPA, privacy and general terms and conditions could be mandatory before projects are awarded.

However, as long as this does not happen, we recommend working with service providers* who have a sufficient privacy policy, terms and conditions and DPAs.

Disclaimer: This article does not constitute legal advice, but only an editorial contribution. We are no lawyers and only carry out an IT-technical assessment based on the GDPR and publicly available data. We do not assume any liability for contents or derived recommendations for action.