Virtual assistants occupy a unique position under GDPR. Unlike most freelancers, VAs regularly access the most sensitive parts of a client's business: their inbox, calendar, CRM, social media accounts, and customer contact lists. Every time you log into a client's email account or update a spreadsheet of customer names, you are processing personal data. That makes GDPR directly relevant to your work — not as background noise, but as a live compliance obligation with real consequences for both you and your clients.
This guide covers everything a VA needs to know: from data processor obligations and mandatory Data Processing Agreements to secure offboarding, sub-processor rules, and what to do if there is a data breach.
Are Virtual Assistants Data Processors?
Yes — almost always. Under GDPR, a data processor is any person or organisation that processes personal data on behalf of a data controller. When you access a client's email account to manage their inbox, you are processing personal data (emails contain names, contact details, and often sensitive communications) on behalf of the client, and on the client's instructions. The client is the data controller; you are the processor. Note that the roles depend on the activity, not the person: for your own business records (your client list, your invoices, visitors to your own website) you decide the purpose and means, so there you are a controller with controller obligations.
The distinction matters because Article 28 of GDPR places specific legal obligations on data processors. You cannot simply agree to help with someone's admin and assume GDPR is the client's problem. As a processor, you have independent obligations — and if you breach them, you can be held directly liable by data protection authorities.
Mandatory Data Processing Agreements with Every Client
Before you access any personal data on a client's behalf, there must be a Data Processing Agreement (DPA) in place. This is not optional. Article 28(3) of GDPR states that processing by a processor shall be governed by a contract that is binding on the processor. Without one, you are in breach of GDPR from the moment you first touch a client's data.
A DPA between you and your client must cover:
- The subject matter, duration, nature, and purpose of the processing
- The types of personal data being processed and the categories of data subjects
- Your obligation to process data only on documented instructions from the client, including any transfer of data outside the UK or EU
- Confidentiality obligations for all staff or contractors who process the data
- Security measures appropriate to the risk (Article 32)
- Rules on engaging sub-processors (tools and platforms you use on the client's behalf), including the client's prior written authorisation
- Assistance to the client in fulfilling data subject rights requests
- Assistance with the client's security, breach notification, and impact assessment obligations
- What happens to the data when the contract ends (deletion or return, at the client's choice)
- Your obligations in the event of a data breach
- Making available the information needed to demonstrate compliance and allowing the client to audit you
Many VAs operate under an NDA with their clients and assume this covers GDPR. It does not. An NDA addresses confidentiality — it does not establish the processor obligations required under GDPR. You need both documents.
Types of Personal Data VAs Typically Handle
- Customer email correspondence — emails contain names, contact details, complaints, purchase history
- Contact lists and CRM data — customer and prospect databases
- Booking and scheduling data — appointment details, client names, service types
- Social media direct messages — DMs can contain personal disclosures and customer data
- Financial records — invoices, expense reports, and payment details
- HR and payroll data — if you support an employer who asks you to manage staff records
Accessing Client Inboxes: GDPR Obligations
Inbox management is one of the most common VA tasks — and one of the most data-intensive. Your obligations when managing client email:
- Process only what is necessary for the task; if the client can give you a shared mailbox or delegate access instead of their own password, prefer it, because it can be scoped and revoked without a password change
- Do not forward emails containing personal data to your own mailbox unless the task genuinely requires it, and delete your copy when it is done
- Do not download contact lists or attachments to personal devices or personal cloud storage
- Apply strong security standards: two-factor authentication on every account you can access, device encryption and screen lock, and no client work over public Wi-Fi
Credential Management: LastPass, 1Password, and GDPR
When you store client login credentials in a password manager, that provider is holding the keys to your client's personal data on your behalf, and should be treated as a sub-processor. Use a business account rather than a personal one, enable 2FA, and check that the provider offers a DPA. Where possible, have the client share a vault with you from their own account instead of copying passwords into yours, so that access is theirs to grant and theirs to revoke at the end of the engagement.
Sub-Processor Obligations
Any third-party service that stores or processes a client's personal data on your behalf is a sub-processor. Under Article 28(2) you need the client's prior written authorisation (specific, or general with a right to object to changes) before engaging one, and under Article 28(4) the same data protection obligations must flow down to it. Typical examples:
- Project management tools (Asana, ClickUp, Trello)
- Communication tools (Slack, Microsoft Teams)
- Cloud storage (Google Drive, Dropbox)
- AI assistants — if you paste client data into prompts; check that the tier you use offers a DPA and does not use your inputs for training
- Transcription tools (Otter.ai, Fireflies)
- Scheduling tools (Calendly, Acuity)
NDA vs DPA: Understanding the Difference
An NDA protects confidential business information under contract law. A DPA is a GDPR-mandated contract governing your obligations as a data processor. You need both — they serve different purposes.
Data Breach Obligations as a Processor
If you experience a breach, notify the client without undue delay after becoming aware of it (Article 33(2)). Do not wait until you have gathered all the facts: tell the client what you know now (what happened, when, which systems and categories of data are affected, roughly how many people, and what you have done to contain it) and follow up as you learn more. The client must notify the ICO (or the relevant supervisory authority) within 72 hours of becoming aware where the breach is likely to result in a risk to individuals, and that clock is running while they wait on you. Keep your own dated record of the incident and of when you told the client, even for breaches that turn out to be minor.
Secure Offboarding Checklist
When wrapping up a VA contract:
- Confirm in writing that all personal data has been returned or deleted, and keep a dated copy of that confirmation
- Have the client revoke your access to email, calendar, social media, and CRM systems, and rotate any passwords you knew; signing out or deleting an app on your own devices is not revocation
- Remove the client's shared vault from your password manager, or ask the client to unshare it
- Delete any project management tasks or boards containing personal data, including any copies held in tools you use as sub-processors
- Clear any locally cached files, downloads, and email copies, and check every device you worked from
Sole Trader VA vs VA Agency: Different Obligations
Sole trader VAs have lighter administrative obligations, but be careful with the ROPA exemption: Article 30(5) only exempts organisations with fewer than 250 staff where the processing is occasional, unlikely to result in a risk, and involves no special category or criminal offence data. Managing a client's inbox every week is not occasional, so most VAs should keep at least a simple processor record (Article 30(2)): each client, the categories of processing you carry out for them, any transfers outside the UK or EU, and the security measures in place. VA agencies employing multiple VAs need a full ROPA, staff training, and more complex sub-processor management.
Getting Your GDPR Compliance in Order
- Get a DPA signed with every client who shares personal data — before the engagement begins
- Audit the tools you use on client work and confirm which are sub-processors
- Review your own website's privacy compliance
- Put a data breach response procedure in place
- Create a secure offboarding checklist
Originally published at https://app.custodia-privacy.com/blog/gdpr-virtual-assistants-guide