What is the appropriate form – authorisation or data processing agreement – for an individual running a sole-trader business who provides services using the controller's equipment?

ANSWER

The controller grants an authorisation to process personal data to its employees engaged under an employment contract and to other individuals engaged on the basis of a contract of mandate or a contract for specific work. Where, however, an individual runs a sole-trader business, they are as a rule treated as an independent, external entity in relation to the controller's entity. In that case, a data processing agreement must therefore be concluded. An exception to this rule is working on the data controller's infrastructure, i.e., using an office, computer, software, or e-mail belonging to the controller, and simultaneously being subject to the controller's control, authority, and supervision; in such a situation, an authorisation to process personal data should be granted rather than a data processing agreement concluded.