The AVG and its importance for the self-employed

The General Data Protection Regulation (AVG) came into force in May 2018 and has since had a significant impact on how organisations, entrepreneurs and freelancers handle personal data. Previously, data handling was mainly an issue for larger companies, but it is now clear that self-employed people cannot ignore this European legislation either.

The AVG imposes requirements that directly affect your daily work. Why is this law so important and what exactly must you regulate to comply with the rules? We at Striive will tell you more about the matter, discuss the most relevant aspects of the AVG and give you practical tips for every self-employed person who wants to make his or her business AVG-proof.

The AVG is about more than just privacy

The AVG was developed with the aim of better protecting the personal data of European citizens. From email addresses and phone numbers to IP addresses and surfing habits: the law considers it all personal data. Rapid digitalisation and the increase in online interactions have only increased the importance of such protection.

For sole traders, this means that you not only bear responsibility for your own data, but also for certain data of your customers and relations. So it's all about trust. People feel a lot safer when they know that their data will not be out in the open.

How self-employed people have to deal with it

You might be thinking, ‘I hardly process any personal data, do I?’ Yet chances are you collect more data than you initially realise. For example, do you use a contact form on your website? Then you collect e-mail addresses and possibly names. Do you send invoices? That too is processing personal data. The AVG applies not only to large organisations with huge databases, but also to small freelance businesses. As soon as you register someone's data, you have to comply with the law.

The difference between controller and processor

In the AVG, there is a distinction between ‘controller’ and ‘processor’. The controller determines the purpose of, and means for, processing personal data, while the processor handles data on behalf of the controller. As a self-employed person, you are usually the data controller yourself, unless you are hired by another party who decides how and why the data is processed. So be clear about which role you have in each assignment and, if necessary, draw up a data processor agreement when you process data on behalf of another party.

Why a privacy statement is indispensable

The AVG requires transparency on how you handle personal data. A privacy statement is therefore indispensable. This document states what data you collect, for what purpose and with what legal basis. You also explain how long you keep data and what security measures you take. It also states the rights of the data subject, such as the right to inspect, correct and delete data. For freelancers, it is important not to blindly copy this statement from another site, but to tailor it to your own situation. After all, every entrepreneur has different data flows and processing purposes.

How the law affects you and your clients

As a freelancer, you often work with different clients and suppliers. Maybe your web designer stores data in an external database or you use an email marketing tool. In such cases, it is important to enter into processor agreements. These clearly state who is responsible for which data and what happens if, for instance, there is a data breach.
You also agree on how long data is stored and whether there are sub-processors (for example, if your e-mail marketing tool runs on another software service). By arranging this properly, you avoid legal problems and show clients that you handle their data professionally.


Pay attention to data breaches and notification obligations

Part of the AVG is the obligation to report data breaches. Should data unexpectedly be accessed without authorisation (e.g. due to a phishing email or a forgotten laptop), this may constitute a data breach. In that case, you are obliged to report this to the Personal Data Authority within 72 hours. If there is a chance of serious consequences for data subjects, you must also inform them.
This sounds hefty, but the idea behind it is that data subjects can then take their own measures, such as changing passwords or being alert to identity fraud. So make sure you have a procedure ready so you know what to do in case of an emergency.


Take retention periods into account

Many self-employed professionals tend to keep data for as long as they want, ‘because it may come in handy one day’. Yet the AVG states that you should not keep personal data longer than necessary for the purpose for which you collected it. This means you should regularly check whether certain data is still relevant. Do you still have contact details of a customer who has not purchased services from you for years? Then it is wise to delete them.


Solutions you really should have in place

Provide a concise and understandable privacy statement, explaining what data you collect and why. Place this on your website, and refer to it in quotations or invoices if relevant. This way, customers and clients know immediately where they stand.
Do you work with external parties that have access to your data or your customers' data? Then enter into a processing agreement. You can use standard models, but adapt them to your own situation. Make sure it clearly states who is responsible for what.
Think about strong passwords and two-factor authentication for all your digital tools. Use antivirus software and make sure you have a good back-up system. It is better to keep physical documents containing personal data in a locked cupboard. With all these measures, you reduce the risk of data leaks.