Fiverr or Upwork & GDPR: Why you shouldn’t hire Fiverr or Upwork freelancers

February 2021

Fiverr offers numerous freelancers for almost every service: creating websites, setting up automation, creating logos or corporate designs, writing blog posts… Without platforms like Fiverr and Upwork, the digital economy would certainly look very bleak. People from all over the world can offer their services and customers from around the globe can request them. This creates a huge network in which almost every digital service is represented.

We admit: We enjoy using Fiverr as a freelancer platform ourselves. Especially small tasks that are not our core business can be requested easily there. Using the search function, you can filter by country, ratings, experience or spoken languages and select the right person from a vast number of freelancers. And we have had almost exclusively positive experiences.

However: inquiring and commissioning services via Fiverr involves a risk that most companies in Europe are probably only too familiar with: Privacy.

Privacy when placing orders on Fiverr and Upwork

Yes, again. The European Union's data protection laws, in particular the GDPR, are strict by worldwide comparison and are rarely much fun for entrepreneurs. Privacy also plays a crucial role when working with freelancers. Against this background, we explain why it is more useful and safer to hire European service providers instead of freelancers for your project:

Point 1: Exchange passwords, access data and personal data on Fiverr vs GDPR

Article 32 paragraph 1 of the GDPR regulates the guarantee of a “level of security appropriate to the risk” and refers in particular to “pseudonymization and encryption of personal data”. For this purpose, the controller and the processor would need to take appropriate technical and organizational measures.

To put it more simply: exchanging passwords or access data in plain text via the Fiverr chat could be considered very critical under the GDPR.

The parties should also ensure that sensitive data would be protected accordingly. This is done by means of so-called technical and organizational measures, TOMs for short. Companies that operate in compliance with the GDPR should draft and disclose these TOMs, Sebastian Mertens says. In these, European service providers should disclose their infrastructure and thus allow conclusions to be drawn about their IT security. This could enable customers to assess how their data is being used.

Honestly, we have never experienced such a procedure on Fiverr. Passwords are simply exchanged and are not changed even after the end of the project. We have never personally received or read TOMs from freelancers on Fiverr.

Point 2: Data processing agreements (DPA) with Fiverr freelancers

Article 28 of the GDPR bears the beautiful title “Processor”. It stipulates that contractors only cooperate with “processors” (i.e. persons, authorities, institutions or other bodies that process personal data on behalf of the data controllers) who provide “sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject”, Sebastian Mertens adds.

Such processors should include any services used that have access to customer data, such as Hosting, e-mail services, servers, CRM systems. With all these subprocessors, a European company should conclude individual DPAs. These agreements should specify how and for what purpose the customer data is to be stored, used and secured.

This means that even with Fiverr freelancers, a company would theoretically need such a DPA as soon as access to Make, Zapier, WordPress and so on is given, because personal data is very often exchanged in connection with orders, even if it is only a simple blog post.

We are not aware that we have ever received a DPA from freelancers on Fiverr. For this, it does not matter which EU or non-EU country the person came from.

Point 3: Liability issues when working with Freelancers on Fiverr or Upwork

As so often in life, in the end it’s all about the question of liability. And of course the GDPR also regulates this point. According to Article 82, paragraph 1, “any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered”.

Immaterial damages could be, for example, discrimination or damage to reputation due to the processed data. However, immaterial damage would also be caused if the corresponding personal data becomes public and political opinions, world views, beliefs or ethnic origin emerge from them.

This means that, in the worst case, cooperation with freelancers, who do not process data according to GDPR standards, could have expensive consequences.

Conclusion: Freelancers need more support from Fiverr

We could go on like this forever and quote individual articles of the GDPR which show that the Fiverr or Upwork platforms could often be unsuitable for privacy-compliant collaboration. That is a real pity, because these services bring great benefits to many companies and offer almost endless possibilities. We don't know why Fiverr does not offer DPAs with subprocessors as a standard. It would certainly be a simple solution. As a conceptual idea, Sebastian Mertens adds that documents could be made available as templates, or that an agreement on the DPA, data protection and general terms and conditions could be obligatory before the project is awarded.

However, as long as this does not happen, we recommend working with service providers who have a sufficient privacy policy, terms and conditions and DPAs.

Nevertheless, for projects and contracts involving personal data (and that's almost all of them), we advise you to work with European service providers who must comply with these regulations, have TOMs and DPA contracts and could process data with the required security.

Disclaimer: This article is not legal advice, but only an editorial contribution based on the experience and expertise of Sebastian Mertens. We are not lawyers and only carry out a technical IT evaluation based on the GDPR and publicly available data, as well as projects known to us. We assume no liability for contents or derived recommendations for action.

Cloud integration, iPaaS, SaaS, BPA… Ugh, it is hard to keep track of all these terms. They are currently used frequently (and increasingly) in the context of automation, and it is sometimes difficult to draw a clear distinction between them. We have already written blog posts on the terms iPaaS, SaaS and BPA, but we’ll take them up again here to make the difference clear.

But let’s start with cloud integration, because that’s the central umbrella term in which we embed all the other technologies in this blog post.

What does Cloud Integration mean?


  • Is available in real time
  • Can be accessed from almost anywhere
  • Reduce potential sources of error caused by entering the same data multiple times
  • Require less installation and maintenance
  • Can optimize business processes

To illustrate these advantages, here is an example that we know well from our everyday work as an automation agency:

The central data to be used here is the data of a major customer. This can be the simplest information, such as the address. This address is required in numerous but completely different processes in the company: on the one hand, for correct invoicing in accounting. On the other hand, in the CRM system, where all the data of the large customer is also stored. But the address is also important in sales, for example, when employees go to the sales meeting on site.

Now the customer announces that the address of the company has changed after a move. This information will reach you by e-mail. There are now two options:

1. The e-mail is forwarded to all affected departments: accounting, sales, customer service, marketing… Everyone opens their own program (CRM, accounting software, marketing tools such as newsletter marketing) and changes the customer data already stored there. This means that in multiple applications, different people do exactly the same thing: change one address.

2. But there is also an alternative: by connecting your applications, that is, by integrating them, the customer’s e-mail, or rather the information it contains about the address change, is automatically passed on to all affected applications: CRM, accounting, marketing, ERP. This does not require any clicks, because the cloud integration detects a trigger, i.e. the address change, and automatically starts the process.

What sounds unimpressive in a single process becomes more effective when such a process occurs several times a day or weekly. Because there is a lot of data that is available in different applications and should always be correct. If these applications are cloud applications they are suitable for cloud integration.

But cloud integration doesn’t just happen. There are now a variety of applications that enable and implement this. Such tools usually allow us to link the relevant cloud applications on a central platform and define clear rules on when, how, where, how much data should be passed on and what happens to them.

iPaaS, SaaS, BPA, ABC – who can still see through it?

To realize cloud integration, there are various applications and technologies that are sometimes used interchangeably.

We have made a first distinction between iPaaS and BPA here.

We explain the term SaaS in more detail here.

Here the short version, again:

Cloud integration cannot be done without SaaS, iPaaS and BPA

Cloud integration is an umbrella term that includes numerous technologies, such as SaaS, iPaaS and BPA, and it cannot do without them. It is a concept that is made possible by the appropriate technologies.

However, all terms share the commonality that they are cloud-based and thus offer enormous potential for growth and scaling. In addition, they are often cheaper to implement and maintain because changed requirements are easy to implement.

As an independent automation agency, we implement cloud integration according to your requirements. We use a variety of SaaS tools and iPaaS (strictly speaking BPA) software. Together we find individual solutions that are flexible and scalable.

Automation consulting. Automate. Improve. Succeed.

We advise you independently and offer our expertise.