Blog
Published
Reading time
Author
An organization hiring independent contractors must be aware of the privacy law aspects of the collaboration. The General Data Protection Regulation (GDPR) provides for requirements to be taken into account by an organization. What should be kept in mind from a privacy law perspective when hiring independent contractors, from the start of the assignment relationship until its end?
Entering into an assignment relationship with an independent contractor
When personal data is processed by the independent contractor, the privacy qualification of the independent contractor must be considered. For instance, a data processing agreement may be required.
Three qualifications apply in an assignment relationship with an independent contractor:
1.Internal management
Internal management occurs when an independent contractor is subject to the organization’s authority or has a hierarchical relationship with the person responsible for the processing of personal data. This is the case, for example, if an independent contractor has been engaged by an organization to temporarily fulfil the duties of one of the employees (with the independent contractor working within the secure working environment). In that case, a data processing agreement is not required. However, it is recommended to make (contractual) agreements with the independent contractor about the processing of personal data and its confidentiality.
2. Controller
An independent contractor qualifies as a controller if the independent contractor, whether independently or in consultation with the organization, determines the purpose and essential means for the processing. A controller may be either an independent or a joint controller. In the case of joint controllership, the parties must agree on how to interpret the obligations under the GDPR. This will be the case when the purpose and means of the processing is determined by the organization and the independent contractor in mutual consultation, for example when a joint project is set up that requires the expertise of both the independent contractor and the organization. The agreements made between joint controllers are often laid down in an agreement.
3. Processor
An independent contractor qualifies as a processor if the independent contractor, within the framework of the assignment, processes personal data for the benefit of the organization, without being under the organization’s direct authority. This means that the independent contractor is obliged to follow the organization’s instructions for the processing of personal data. An example of a processor is an independent contractor who handles the payroll administration on behalf of an organization, where there is no relationship of authority (and therefore no internal management). In this case, a data processing agreement with a processor is mandatory.
The independent contractor’s onboarding
Under the GDPR, the organization is obliged to inform the engaged independent contractor about the processing of personal data. It is advisable to include this processing of personal data in the internal privacy statement and the privacy policy. In addition, it is recommended to provide the independent contractor with other privacy documentation, such as a data breach procedure, information security policy or GDPR training.
End of the independent contractor’s assignment
The organization’s responsibility does not end when the assignment of the independent contractor ends. Before an assignment relationship comes to an end, it is important to request an independent contractor to delete the personal data that the independent contractor has processed on behalf of the organization (please note: this does not apply if the independent contractor is a controller). The independent contractor must also be given instructions on how to handle business-sensitive information after the assignment has ended.
Our privacy experts will be happy to handle any questions you may have on this subject.
Want to know more about everything related to the topic of independent contractors? Click here!