🐈
» Support » Product Release Notes » Upwork and GDPR Compliance
Page options

Upwork and GDPR Compliance

lenaellis
Community Member

 

We know there's been a ton of buzz out there around GDPR and not to worry, Upwork has been on top of it. We've done the necessary due diligence to be in compliance with these requirements. The General Data Protection Regulation (GDPR) comes into effect in Europe on May 25. This new legislation is all about giving EEA residents (EU countries + Iceland, Liechtenstein and Norway) more control over their personal data online. The upcoming changes impact EEA residents, but you may also be affected by these regulations if you do business with someone from Europe.

 

What does this mean for EU user data on Upwork?

 

First, we’d like to clarify how Upwork is complying with GDPR for EEA residents and summarize some of the changes we’ve made (these changes will be accessible on May 25th).

  • We’ve updated our privacy policy to be more transparent about how we obtain, store and process your personal data.
  • We’ve updated our processes to make it easier for you to control the data you provide to us. You can request access to your personal data and also request that any inaccuracies in your data be rectified.
  • We’ve given you the ability to readily delete your account data by completing our Subject Access Request, SAR, form.
  • We’ve added a GDPR area on our Legal page. We’ve also Included GDPR references in our Help Center and Hiring Headquarters, with articles explaining how to exercise your rights.

We value our users’ privacy and their rights to control their personal data. Regardless of where you call home, you may delete your account or request the deletion of all personal information we have about you at any time. However, we will only be following the requirements outlined by the General Data Protection Regulation (GDPR) for those living in the EEA. If you live elsewhere, we will be happy to delete your data to the extent we can reasonably do so.

 

Here in the Community forums and on our blogs, nothing will change for EEA users. If you participate, your comments and questions will be publicly displayed. Since your posts are public, others will have access to your forum content and may use it or share it with third parties. If you choose to voluntarily disclose Personal Information in these forums and have your profile visibility set so that your Community Forum profile links to your Upwork Profile, that information will be considered public information and the protections of the updated GDPR Privacy Policy will not apply. That being said, you can still request to have your personal information along with your posts removed from our blog or community forum, just contact us at https://support.upwork.com.

 

What does this mean for your business on Upwork?

 

The GDPR is a set of guidelines set out by the European Union, to give EEA residents more control over how companies collect and use their data. As mentioned previously, these will come into effect on May 25th, 2018. These guidelines not only give more rights to EEA residents, they also permit all businesses to operate under one set of clearly defined guidelines and rules. GDPR will apply to any company processing personal data belonging to EEA residents, no matter where they reside.

 

One of the most important steps that you can take is to familiarize yourself with the General Data Protection Regulation (GDPR), including the rights that it grants to EEA-based individuals and the obligations that it places on businesses that process these individuals’ personal data. That said, we can’t advise you on your specific legal obligations.

 

As a freelancer, if you are likely to process the personal data of someone living in the EEA as part of your work for your clients, you may want to take this Data Protection Self-Assessment offered by the UK Information Commissioner’s Office.

 

Clients, you may want to start with GDPR FAQs for Small Organizations, which is a great resource provided by the UK Information Commissioner’s Office, along with our Hiring Headquarters article. You may also want to reach out to an attorney or advisor if you have further questions.

29 Comments
claudiacezy
Community Member

I see it's possible to request Transfer/Port via the form ... I was wondering if Upwork has plans about "accepting" transfers.

 

Did any other freelance website show interest to collaborate and make transfers technically feasible?

 

 

 

 

e_luneborg
Community Member

So if I want to have all of my data deleted you will not keep any information about me at all? Does that mean that if my JSS goes to h*ll I can just delete my account and open a new one? How will you deal with issues like this? Or if I get suspended. Can I still have all of the personal information deleted?

 

Not planning on it of course, just curious...

AveryO
Community Manager

Hi Eve, 

 

Regardless of where you live, you may delete your account or request the deletion of all personal information we have about you at any time. However, we will only be following the requirements outlined by the General Data Protection Regulation (GDPR) for those living in EEA. If you live elsewhere, we will be happy to delete your data to the extent we can reasonably do so, but please know that some information will remain on Upwork, such as information you posted publicly (for example, in our Community or in Messages sent to others). For more details on our Privacy Policy, click here.

As stated in the Upwork User Agreement, users will not be allowed to have more than one account on Upwork. 

 

jr-translation
Community Member

@Avery O wrote:

Hi Eve, 

 

Regardless of where you live, you may delete your account or request the deletion of all personal information we have about you at any time. However, we will only be following the requirements outlined by the General Data Protection Regulation (GDPR) for those living in the EU. If you live elsewhere, we will be happy to delete your data to the extent we can reasonably do so, but please know that some information will remain on Upwork, such as information you posted publicly (for example, in our Community or in Messages sent to others). For more details on our Privacy Policy, click here.

As stated in the Upwork User Agreement, users will not be allowed to have more than one account on Upwork. 

 


 Again, it is the EEA, not the EU, not Europe. Please be precise.

versailles
Community Member

@Jennifer R wrote:


 Again, it is the EEA, not the EU, not Europe. Please be precise.


While you are technically 100% right when you point out that the three entities, EU (European Union), Europe (the geographical continent) and EEA (European Economic Area) don't refer to the same territory, it is understandable that the distinction may be hard to grasp for people who don't live in Europe, and heck, even for those who live here.

 

The GDPR being a law passed by the political body named European Union, we can pardon people for mentioning the EU even if non-EU countries that are part of the EEA have decided to implement this law as well.

 

 

jr-translation
Community Member

In a general disussion I would not insist that much but if Avery or any other UW representative says:

However, we will only be following the requirements outlined by the General Data Protection Regulation (GDPR) for those living in the EU. If you live elsewhere,

It is either wrong information or not complient with the GDPR. Depending on the context the use of the correct term is important.

 

e_luneborg
Community Member

EU, EEA - I don't care about that.

What I do care about is that Avery didn't answer my question at all. 

But I assume some information will be stored even if you want to delete the account. As there are also transactions of money involved I guess they will have to keep some information for AML reasons for at least 5 years, as I assume AML overrules the GDPR.

 

Anyway, I was just curios, as this might be a perfect opportunity for a lot of scammers to come back to the site. Just delete the old account, and start fresh. But as it is that is probably only possible if you never made any money on Upwork. Or?

versailles
Community Member

@Eve L wrote:

So if I want to have all of my data deleted you will not keep any information about me at all? Does that mean that if my JSS goes to h*ll I can just delete my account and open a new one? How will you deal with issues like this? Or if I get suspended. Can I still have all of the personal information deleted?

 

Not planning on it of course, just curious...


 No. GDPR has provisions that allow the processor of the data (the controller) to retain some data under some circumstances. 

 

 

Article 6
Lawfulness of processing
1. Processing shall be lawful only if and to the extent that at least one of the following applies:

(...)

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

(...)

 

This part has been discussed in lengths, but my understanding (*) is that it does allow a data processor to retain some information provided that they can prove and document that such retention is necessary for the purposes of the legitimate interests, and that there exist real basis supporting the legitimacy of the said interests.

 

It seems sensible from a legal standpoint that Upwork may consider that the retention of some of its customers' data, for instance their e-mail and their bank accounts identifiers, as being necessary in order to prevent the circumvention of the parts of the company's terms of service that protects the company from people trying to create duplicate accounts.

 

(*) This is my own interpretation and shall not be taken as a legal advice. I may be proven wrong and in all honesty, I still need to dig deeper into the GDPR.

 

I decline all responsibility for any consequences that may arise from people listening to me and blindly accepting my ignorant, unsupported and generally useless points of view despite the fact that my IQ is slightly above the IQ of an ant, which at least has a purpose in the great scheme of things. I specifically decline all responsibility for any biblical event, including but not limited to the invasion of Locusts, death of firstborns, darkness for three days, etc, that may arise from people mistaking my advice for legal advice or even anything more than useless verbiage. Any reproduction of this content, with or without the consent of its author would constitute a serious waste of time.

AveryO
Community Manager
Hi Eve, Our ability to delete data is evaluated on a case-by-case basis. For example, we are required by law to keep all escrow-related documentation (including copies of the contract, escrow instructions, and payment information) for five years from the date of close of escrow. If a dispute is filed, we are required to keep documentation of the dispute until all appeal periods have passed. As per our Privacy Policy, Section 3. Data Retention states that "...Unless you request that we delete certain information (see Your Choices and Rights below), we retain the information we collect for at least 5 years. Your information may persist in copies made for backup and business continuity purposes for additional time." If you require more information about suspended users, who requested to delete their profiles under GDPR, and comes back creating a new account, I will go ahead and check this with the team and come back to you with more information. Feel free to ask further questions about the topic if you have any, and our team will try our best to answer your questions to the best of our ability.
carpenter-will
Community Member

This also represents an opportunity for freelancers as companies in the EEA will need a company GDPR policy written.