Fiverr or Upwork DSVGO: Why not Fiverr or Upwork?

October 2020
Fiverr or Upwork DSVGO: Why not Fiverr or Upwork?

On Fiverr, there are numerous freelancers offering almost all services: Creating websites, setting up automations, creating logos or corporate designs, writing blog posts... The digital economy would certainly look very barren without platforms like Fiverr and Upwork. People from all over the world can offer their services and clients from all over the globe can request them. This creates a huge network in which almost every digital service is represented.

We admit: We like to use Fiverr as a freelancer platform ourselves. Especially small tasks that are not our core business can be optimally requested there. Using the search function, you can filter by country, ratings, experience or languages spoken and thus choose the right person from a huge number of freelancers. And our experience has been almost exclusively positive.

However, requesting and commissioning services via Fiverr could entail a risk that most companies in Europe probably know only too well: Data protection.

Data protection when placing orders on Fiverr and UpWork

Yes, once again. The strict data protection rules of the European Union (compared to the rest of the world), especially the GDPR, are usually not much fun for entrepreneurs. And data protection also plays a decisive role when it comes to freelancers. We explain why it can be safer and more effective to hire European service providers instead of freelancers for a project:

Point 1: Exchanging passwords, access data and personal data on Fiverr vs. DSGVO

Article 32(1) of the GDPR regulates the guarantee of a "level of protection appropriate to the risk" and means in particular "the pseudonymisation and encryption of personal data". For this purpose, it is necessary that data controllers and processors take appropriate technical and organisational measures in this regard.

To put it more simply: exchanging passwords or access data in plain text via chat in Fiverr could be considered very critical under the GDPR.

The parties would also have to ensure that the sensitive data would be protected accordingly. This is usually done through so-called technical and organisational measures, or TOMs for short. Companies that want to operate in compliance with the GDPR must draw up and disclose these TOMs, says Sebastian Mertens. In these, European service providers would have to indirectly disclose their processing infrastructure and thus allow conclusions to be drawn about their IT security. This would allow customers to assess how their data is being used.

Honestly, we have never experienced such a procedure on Fiverr. Passwords are simply exchanged and not changed even after the end of the project. We have never personally received or read TOMs from freelancers on Fiverr.

Point 2: Commissioned data processing according to DSGVO (ADV) with Fiverr Freelancers

Article 28 of the GDPR has the nice title "Processor". It states that contractors can only work with "processors", i.e. persons, authorities, bodies or other entities that process personal data on behalf of data controllers, who provide "sufficient guarantees that appropriate technical and organisational measures will be implemented in such a way that the processing will comply with the requirements of this Regulation and ensure the protection of the rights of the data subject" - adds Sebastian Mertens.

Such processors included any services used that had access to the clients' data, such as hosting, email services, servers, CRM systems: Hosting, email services, servers, CRM systems. A European company would have to conclude individual ADV contracts with all these sub-processors. These would regulate how and for what purpose the customers' data would be stored, used and secured, Sebastian Mertens describes.

This means that even with Fiverr freelancers, a company would theoretically need such an ADV contract as soon as access to Make, Zapier, Wordpress and the like is given, because very often personal data is exchanged when orders are placed, and this is also the case when it is just a simple blog post.

We are not aware that we have ever received an ADV from freelancers on Fiverr. It doesn't matter which EU or non-EU country the person came from.

Point 3: Liability issues when working with service providers on Fiverr and UpWork

As is so often the case in life, in the end it is mainly a question of liability. And of course, the GDPR also regulates this point. According to Article 82(1 ),"any person who has suffered material or non-material damage as a result of an infringement of this Regulationshall beentitled to receive compensation from the controller or processor".

Non-material damage could mean, for example, discrimination or damage to reputation on the basis of the data processed. But also if the relevant personal data were to become public and political opinions, world views, convictions or ethnic origin could emerge from them, a non-material damage could possibly arise.

This means that in the worst case, working with freelancers who would not process data according to GDPR standards could have expensive consequences.

Conclusion: More support from Fiverr for freelancers

We could go on forever and quote individual articles of the GDPR, which we would use to establish that the Fiverr or Upwork platforms are often not suitable for data protection-compliant collaboration. And that is actually an extreme pity, because these services bring great benefits to numerous companies and offer sheer endless possibilities, why Fiverr does not offer DPAs with subprocessors as standard, we do not know, simple as a solution this would certainly be! For example, documents could be made available as templates or consent to ADV, data protection and GTCs could be mandatory before a project is awarded - adds Sebastian Mertens as a conceptual idea.

However, as long as this does not happen, we recommend working with service providers who can demonstrate a sufficient data protection declaration, GTCs and ADVs .

Nevertheless, for projects and contracts involving personal data (which is almost all of them), we advise working with European service providers who are required to comply with these regulations, have TOMs and ADV contracts in place and can process data with the required security.

Disclaimer: This article does not constitute legal advice, but merely an editorial contribution - based on the experience and expertise of Sebastian Mertens. We are not lawyers and only carry out an IT-technical assessment based on the GDPR and publicly available data, as well as projects known to us. We do not assume any liability for the content or the recommendations for action derived from it.

Fiverr or Upwork DSVGO: Why not Fiverr or Upwork?

Fiverr or Upwork DSVGO: Why not Fiverr or Upwork?

Cloud Integration, iPaaS, SaaS, BPA… Ough, hard to keep track of all these terms. They are currently used frequently (and increasingly) in the context of automation, and it is sometimes difficult to make a clear distinction and distinction. We have already written blog posts on the terms iPaaS, SaaS and BPA, but we’ll take them up again here to make the difference.

But let’s start with cloud integration, because that’s the central umbrella term in which we embed all the other technologies in this blog post.

Arrange a free cloud integration consultation now

What does Cloud Integration mean?

What does Cloud Integration mean?


  • Is available in real time
  • Can be accessed from almost anywhere
  • Reduce potential sources of error by entering the same data multiple times
  • Require less installation and maintenance
  • Can optimize business processes

Arrange a free cloud integration consultation now

To illustrate these advantages, an example is suitable that we know well from our everyday work as an automation agency:

The central data to be used here is the data of a major customer. This can be the simplest information, such as the address. This address is required in numerous but completely different processes in the company: on the one hand, for correct invoicing in accounting. On the other hand, in the CRM system, where all the data of the large customer is also stored. But the address is also important in sales, for example, when employees go to the sales meeting on site.

Now the customer announces that the address of the company has changed after a move. This information will reach you by e-mail. There are now two options:

01. The e-mail is forwarded to all affected departments, accounting, sales, customer service, marketing… All persons open their corresponding program, CRM, accounting software, marketing tools (such as newsletter marketing) and change the data already stored there of the customer. This means that in multiple applications, different people do exactly the same thing: change one address.

02. But there is also an alternative: By connecting your applications, thus by integrizing them, the customer’s e-mail, or rather the information it contains about the address change, is automatically passed on to all affected applications: CRM, accounting, marketing, ERP. This does not require any clicks, because the cloud integration detects a trigger, i.e. address change, and thus automatically starts the process.

What sounds unimpressive in a single process becomes more effective when such a process occurs several times a day or weekly. Because there is a lot of data that is available in different applications and should always be correct. If these applications are cloud applications they are suitable for cloud integration.

But cloud integration doesn’t just happen. There are now a variety of applications that enable and implement this. Such tools usually allow us to link the relevant cloud applications on a central platform and define clear rules on when, how, where, how much data should be passed on and what happens to them.

IPaaS, SaaS, BPA, ABC – who can still see through it?

To realize cloud integration, there are various applications and technologies that are sometimes used interchangeably.

We have made a first distinction between iPaaS and BPA here.

We explain the term SaaS in more detail here.

Here the short version, again:
table icon

Cloud integration cannot be done without SaaS, iPaaS and BPA

Cloud integration is rather an umbrella term that includes numerous technologies, such as SaaS, iPaaS and BPA, and this is also absolutely necessary. Cloud integration is a concept that is made possible by appropriate technologies.

However, all terms share the commonality that they are cloud-based and thus offer enormous potential for growth and scaling. In addition, they are often cheaper to implement and maintain because changed requirements are easy to implement.

As an independent automation agency, we implement cloud integration according to your requirements. We use a variety of SaaS tools and iPaas (strictly speaking BPA) software. Together we find individual solutions that are flexible and scalable.

Arrange a free cloud integration consultation now

Automation consulting. Automate. Improve. Succeed.

We advise you independently and offer our expertise.
blog news image
wemakefuture abonnieren
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.


Automation consulting. Automate. Improve. Succeed.

We advise you independently and offer our expertise.