Risk: Critical | IT Services | 9 min read

External Contractor Has Unrestricted Access to Customer Data

When an external IT contractor has access to all customer data — why missing access controls are a GDPR nightmare.

Contractor, Access Control, GDPR, Data Processing, IT Security

The Scenario

Hanse Finanz GmbH, a growing financial advisory firm based in Hamburg with 45 employees and approximately 2,800 private and business clients, manages insurance policies, retirement products, and real estate financing for its customers. Its internal database contains income statements, credit reports, bank statements, tax identification numbers, and detailed asset inventories.

When IT problems started mounting eighteen months ago — slow servers, frequent email outages, outdated software — managing director Martin Kessler decided to bring in an external IT contractor. He chose Stefan Nolte, a freelance IT consultant who came through a personal recommendation. An acquaintance from the golf club raved: "Stefan digitized my entire company, absolutely reliable."

The arrangement begins informally. Stefan Nolte receives remote access to the Hanse Finanz server — with full administrator privileges. He gets access to the complete customer database, the email system, the document management platform, and the backup infrastructure. No written contract exists, only an email confirming his agreed hourly rate of 95 euros. A Data Processing Agreement (DPA), required under GDPR Article 28, is neither discussed nor signed.

For eighteen months, the collaboration runs smoothly. Stefan Nolte resolves server issues, installs updates, and sets up new workstations. What nobody notices: using his administrator privileges, he has also created his own copy of the customer database. Nearly 2,800 customer records — with full names, addresses, dates of birth, income information, asset values, and contract numbers — sit on his private NAS system at home.

In March 2026, the collaboration ends abruptly. Hanse Finanz switches to a larger IT service provider with better availability. Stefan Nolte reacts angrily to the termination. Three weeks later, the new IT firm discovers during a security audit that Nolte's access was never revoked — he still has full remote access to all systems. An analysis of access logs reveals that over the past 18 months, large volumes of data were regularly exported, always late at night between 11 PM and 2 AM.

Management is in shock. Martin Kessler must notify the supervisory authority within 72 hours and inform all 2,800 customers about the potential data breach. The local press picks up the story. Customers cancel their contracts in droves.

The Risks

The Hanse Finanz case combines nearly every common mistake in dealing with external contractors — and shows how quickly convenience turns into catastrophe.

Unrestricted Access Without Necessity: Stefan Nolte's actual tasks (server administration, email configuration, software updates) did not require access to the contents of the customer database. The principle of least privilege was completely disregarded. Every external access should be limited to exactly those systems and data required for the specific task at hand. Full administrator rights on the server hosting the database make every record on it reachable regardless of the contractor's intentions; keeping the maintenance role apart from the data therefore needs a dedicated, restricted account, not an informal understanding.

Missing Data Processing Agreement: Without a DPA, there are no binding regulations about which data the contractor may process, for what purpose, and what must happen to the data when the engagement ends. A DPA is not an optional formality — it is a mandatory legal requirement under GDPR Article 28.

No Offboarding Process: When the engagement ended, the access was not revoked. There was no record of which access credentials Stefan Nolte held, and no checklist for the orderly termination of the relationship. In many companies, former contractor access credentials linger undetected in systems for years.
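As an added illustration (not part of the original article), the following Python script performs the reconciliation that was missing here: it compares the accounts each system actually reports against a register of internal and external identities with their engagement end dates, and lists everything still enabled or still in use after an engagement ended, plus accounts with no recorded owner at all. The register format, the account fields, the system names and all sample data are constructed assumptions.

```python
"""Offboarding check for external contractors: reconcile the accounts that
actually exist on each system against a register of engagements and their
end dates, so that nothing is left enabled after a contract ends."""
from datetime import date

# Constructed inputs in a hypothetical format (not data from any real company).
# The register lists every internal and external identity with its engagement
# end date (None = still active); ACCOUNTS is what each system reports.
IDENTITIES = {
    "m.kessler": {"type": "employee",   "end": None},
    "a.weber":   {"type": "contractor", "end": None},
    "s.nolte":   {"type": "contractor", "end": date(2026, 3, 6)},
}
ACCOUNTS = [
    {"system": "fileserver", "account": "nolte-admin", "owner": "s.nolte",
     "enabled": True,  "last_login": date(2026, 3, 20)},
    {"system": "vpn",        "account": "s.nolte",     "owner": "s.nolte",
     "enabled": True,  "last_login": date(2026, 3, 27)},
    {"system": "crm",        "account": "tmp-it-2024", "owner": "s.nolte",
     "enabled": False, "last_login": date(2024, 11, 3)},
    {"system": "mailserver", "account": "svc-backup",  "owner": None,
     "enabled": True,  "last_login": date(2026, 1, 2)},
    {"system": "vpn",        "account": "a.weber",     "owner": "a.weber",
     "enabled": True,  "last_login": date(2026, 3, 25)},
]
AS_OF = date(2026, 3, 27)   # assumed date of the audit in the scenario


def offboarding_findings(accounts, identities, today):
    """Return (system, account, reason) tuples that need action."""
    findings = []
    for acc in accounts:
        owner = acc["owner"]
        ident = identities.get(owner) if owner else None
        if ident is None:
            # Nobody is recorded as responsible, so it cannot be offboarded.
            findings.append((acc["system"], acc["account"], "no recorded owner"))
            continue
        end = ident["end"]
        if end is None or end > today:
            continue  # engagement still running, nothing to revoke
        if acc["enabled"]:
            days = (today - end).days
            findings.append((acc["system"], acc["account"],
                             f"still enabled {days} days after engagement ended"))
        if acc["last_login"] and acc["last_login"] > end:
            findings.append((acc["system"], acc["account"],
                             f"login on {acc['last_login']} after end date {end}"))
    return findings


def revocation_list(findings):
    """Distinct accounts to disable now, sorted for a ticket or a script."""
    return sorted({(system, account) for system, account, _ in findings})


if __name__ == "__main__":
    found = offboarding_findings(ACCOUNTS, IDENTITIES, AS_OF)
    for system, account, reason in found:
        print(f"{system:10} {account:12} {reason}")
    print("disable:", revocation_list(found))
```

Run against the constructed data as of 27 March 2026, the check reports both of Nolte's still-enabled accounts (including a VPN login on the day of the audit) and the service account nobody owns; the disabled CRM account and the active contractor produce nothing. The same check run on a schedule, with the account export pulled from each system, is the "record of which credentials the contractor held" that the scenario lacked.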

No Monitoring of Access Activities: The fact that large data volumes were regularly exported went unnoticed for 18 months. Without log monitoring and anomaly detection, even conspicuous patterns such as bulk exports of the entire customer table between 11 PM and 2 AM go unseen. An alert on exports that exceed a volume threshold or fall outside business hours would have surfaced the misuse within days.
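The kind of alert described above, as an added example that is not from the original article: a small Python check over constructed audit-log lines that flags exports outside business hours or above a bulk threshold, and reports users who repeat that combination. The key=value log format, the user names, the 07:00 to 20:00 working window and the 500-row threshold are assumptions chosen for a 2,800-record database.

```python
"""Flag bulk data exports that happen outside business hours or exceed a
volume threshold, using a handful of constructed audit-log lines."""
import re
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample lines in a hypothetical key=value audit format; the
# field names and user names are assumptions, not a real product's log.
SAMPLE_LOG = """\
2025-09-02T10:14:05 user=s.nolte action=login src=203.0.113.17
2025-09-02T10:31:44 user=s.nolte action=export table=mail_queue rows=12
2025-09-03T23:41:12 user=s.nolte action=export table=customers rows=2791
2025-09-10T01:07:58 user=s.nolte action=export table=customers rows=2803
2025-09-10T09:02:10 user=m.kessler action=export table=customers rows=40
2025-09-17T00:15:30 user=s.nolte action=export table=credit_reports rows=2650
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+)(?P<rest>.*)$")
BUSINESS_HOURS = (time(7, 0), time(20, 0))   # assumed working window
BULK_ROWS = 500                               # assumed bulk threshold


@dataclass(frozen=True)
class Alert:
    ts: datetime
    user: str
    table: str
    rows: int
    reasons: tuple


def parse_line(line):
    """Turn one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    extra = dict(kv.split("=", 1) for kv in m["rest"].split())
    return {"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
            "action": m["action"], **extra}


def flag_exports(log_text, business_hours=BUSINESS_HOURS, bulk_rows=BULK_ROWS):
    """Return an Alert for every export that is out of hours, bulk, or both."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev["action"] != "export":
            continue
        rows = int(ev.get("rows", 0))
        reasons = []
        t = ev["ts"].time()
        if not (business_hours[0] <= t < business_hours[1]):
            reasons.append("outside business hours")
        if rows >= bulk_rows:
            reasons.append(f"bulk export of {rows} rows")
        if reasons:
            alerts.append(Alert(ev["ts"], ev["user"], ev.get("table", "?"), rows, tuple(reasons)))
    return alerts


def nightly_exporters(alerts, min_events=2):
    """Users with repeated out-of-hours bulk exports: the pattern in the scenario."""
    counts = {}
    for a in alerts:
        if len(a.reasons) == 2:          # both out of hours and bulk
            counts[a.user] = counts.get(a.user, 0) + 1
    return sorted(u for u, n in counts.items() if n >= min_events)


if __name__ == "__main__":
    found = flag_exports(SAMPLE_LOG)
    for a in found:
        print(a.ts.isoformat(), a.user, a.table, a.rows, "; ".join(a.reasons))
    print("repeat nightly exporters:", nightly_exporters(found))
```

On the constructed input, the small daytime exports by the administrator and by the managing director pass, while the three night-time full-table exports are flagged on both criteria and the user is reported as a repeat offender after the second event. In a real deployment the thresholds belong in configuration and the check runs on the database or application audit log, not on a file pasted into the script.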

Trust-Based Engagement: The decision to hire the contractor was based on a personal recommendation rather than a professional evaluation. References, certifications, insurance coverage, and the contractor's technical infrastructure were not assessed. When dealing with sensitive financial data, such an approach is negligent.

Legal Consequences

The case touches multiple dimensions of data protection and contract law, with potentially existential consequences for Hanse Finanz GmbH.

Art. 28 GDPR — Data Processing Agreements: The processing of personal data by an external service provider requires a written Data Processing Agreement (electronic form suffices, Art. 28(9)). The absence of this agreement is an independent legal violation, regardless of whether actual data misuse occurred. The supervisory authority can impose a fine for the missing DPA alone.

Art. 32 GDPR — Security of Processing: The company failed to implement appropriate technical and organizational measures: no access restrictions, no monitoring, no offboarding process. This constitutes a violation of the obligation to ensure security of processing. The fact that a single individual with remote access could export data undetected for 18 months documents a systemic failure.

Art. 33 and 34 GDPR — Notification Obligations: Upon discovering the incident, the company must inform the competent supervisory authority within 72 hours (Art. 33) and, due to the high risk to data subjects — financial data, asset information — individually notify all 2,800 customers (Art. 34). The cost and organizational effort of this notification are substantial.

Civil Liability: Affected customers can assert compensation claims under Art. 82 GDPR. With financial data, there is also the risk of identity theft and consequential financial damages for which the company can be held liable. Even a few successful claims among 2,800 affected individuals can set off a wave of follow-on litigation.

Criminal Dimension: Criminal charges can be filed against Stefan Nolte for unauthorized data access and unlawful data processing under applicable national criminal law. However, this does not affect the company's independent responsibility for the missing protective measures.

Financial Impact

The financial consequences of uncontrolled contractor access are far-reaching and can threaten the existence of a mid-sized company.

Cost Item                                          | Estimated Amount
Supervisory authority fine                         | 25,000 - 100,000 €
Forensic investigation and IT security audit       | 8,000 - 25,000 €
Notification of all 2,800 affected individuals     | 3,000 - 8,000 €
Legal fees and advisory costs                      | 10,000 - 30,000 €
Customer compensation claims                       | 15,000 - 80,000 €
Customer churn and revenue loss (first 12 months)  | 40,000 - 150,000 €
Implementation of secure access systems            | 5,000 - 15,000 €
Crisis management and PR measures                  | 3,000 - 12,000 €
Total Costs                                        | 109,000 - 420,000 €

For a financial advisory firm with 45 employees, costs of this magnitude are existentially threatening. The customer loss weighs particularly heavily: when financial advisors lose their clients' trust, they lose their business foundation entirely.

How to Prevent This

Secure collaboration with external contractors starts with the right tools. SendMeSafe enables companies to structure their work with external partners without surrendering control over sensitive data.

Controlled Document Exchange with Share Links: Instead of giving contractors full database access, use Share Links to provide only the specific documents needed for a particular task. Password protection, download limits, and automatic expiration dates ensure that access is bounded in both time and scope. If a contractor needs to analyze log files, they receive exactly those log files — not the entire customer database.

Secure Communication Through Connect: With Connect, you set up dedicated communication channels for external contractors. Files are exchanged securely, agreements are documented, and every access is logged. Unlike email or messenger services, you retain full control over shared content and can revoke access at any time.

Complete Audit Trail: Every interaction with external partners is recorded in a comprehensive audit trail. You can trace at any time which contractor accessed which data and when. During an inspection by the supervisory authority or in the event of a security incident, you have all relevant information immediately at hand.

Instant Access Revocation: When a contractor engagement ends, you deactivate all associated Share Links with a single click. No forgotten access credentials, no open backdoors. The clean break that every offboarding process requires.

Frequently Asked Questions

Do I really need a Data Processing Agreement for my IT contractor?

Yes, without exception. Article 28 GDPR obligates every data controller who has personal data processed by an external service provider to conclude a written Data Processing Agreement. This applies to IT contractors, cloud providers, hosting services, document destruction companies, and any other external entity that potentially has access to personal data. The absence of a DPA is an independent violation subject to fines — supervisory authorities regularly review this and impose significant penalties even without actual data misuse.

How do I implement the principle of least privilege with external contractors?

The principle of least privilege means that every user, internal or external, receives only the exact access rights needed for their specific task. For external contractors, this means: create a separate, time-limited access for each task. If an IT contractor needs to configure the email server, they receive access to the email server, not to the customer database, the document management system, and the accounting software. Review access rights regularly and immediately revoke permissions that are no longer needed. With SendMeSafe, you can provide specific documents through time-limited Share Links rather than granting broad system access.

What must I do if I discover a data breach by a contractor?

You must notify the competent data protection supervisory authority within 72 hours of becoming aware of the incident (Art. 33 GDPR). Where there is a high risk to affected individuals, which is regularly the case with financial data, you must additionally notify all affected individuals personally (Art. 34 GDPR). Revoke all of the contractor's access credentials without delay and preserve the relevant access logs so they remain available as evidence. Then commission a forensic investigation to determine the scope of the data breach. Document every step, as the supervisory authority will evaluate the adequacy of your response. File a criminal complaint against the contractor if appropriate.

How does SendMeSafe help with secure collaboration with external partners?

SendMeSafe replaces uncontrolled direct access to company systems with controlled, traceable interactions. Through Share Links, you provide contractors with exactly the documents they need — protected by passwords, download limits, and automatic expiration. Through Connect, you communicate securely with full documentation. The integrated audit trail captures every activity and enables you to demonstrate comprehensively that you implemented appropriate protective measures. This fulfills your obligations under GDPR Articles 28 and 32 without sacrificing efficient collaboration with external partners.
