Working with an external social media agency is standard. The agency handles content creation, community management, or campaign coordination—and for that, it needs access to your channels and tools.
This is exactly where many companies have a blind spot: How much access does the agency get? In what form? How is access limited? What happens when the contract ends? And what are the GDPR implications if an agency gets access to customer data?
The core problem: Too much access, too little control
For convenience, agencies are often given maximum permissions: admin access, direct platform access, sometimes even shared passwords. That feels easy. In reality, it means:
- The agency can publish content without checking back—without an approval process.
- Account settings can be changed without the company noticing.
- When the contract ends, the agency may still have access for months.
- In a dispute, it’s impossible to trace who did what.
- There is no GDPR-compliant basis for sharing data.
What agencies really need—and what they don’t
The Principle of Least Privilege applies to external service providers as well. The question is always: What does the agency specifically need for its task?
Content creation: Create and edit drafts. No publishing rights, no access to analytics or account settings.
Community management: Reply to comments and messages. No right to create or publish new posts.
Campaign coordination: Access to the ads manager. No need for organic content access.
Full management: Expanded access with clear approval workflows. No admin access to account settings or user management.
No agency needs admin rights beyond its concrete task. Anyone with admin rights can manage the entire account—including deletion and suspension.
GDPR: What’s mandatory when working with agencies
Sign a data processing agreement (DPA)
As soon as an agency processes personal data on behalf of the company—and in social media it almost always does—a DPA is required under Art. 28 GDPR. Without a DPA, sharing data with the agency is a GDPR violation.
Check the agency’s server location
Does the agency use tools with US-based servers? That may constitute a third-country transfer. Check which tools the agency uses and whether they are GDPR-compliant.
Document data access
What data does the agency have access to? This must be documented in the record of processing activities under Art. 30 GDPR.
Step by step: Bringing agencies on board securely
1. Sign the DPA before granting any access.
2. Define the agency’s tasks clearly: What is it supposed to do?
3. Grant only the minimum necessary permissions—no admin access without a specific need.
4. Set up individual user accounts for agency staff (no shared passwords).
5. Set a time limit: access expires when the contract ends.
6. Establish an approval workflow: no agency post without internal approval.
7. Define offboarding at contract end: who disables which access, and when?
8. Plan access reviews: regularly check whether permissions are still appropriate.
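As an added illustration (not Luceena's code and not part of the original post), the following Python sketch models the role split from the section above together with the time limit, approval workflow and access-review steps; the role names, permission strings and sample accounts are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

# Permission sets per agency role, following the task split above.
# Only "full_management" carries post:publish, and even that role can
# publish only after the internal approval check in permitted().
ROLE_PERMISSIONS = {
    "content_creation": {"draft:create", "draft:edit"},
    "community_management": {"comment:reply", "message:reply"},
    "campaign_coordination": {"ads:manage"},
    "full_management": {"draft:create", "draft:edit", "comment:reply",
                        "message:reply", "ads:manage", "post:publish"},
}
# Account-level actions that no agency role may ever receive.
ADMIN_ONLY = {"settings:change", "user:manage", "account:delete"}

@dataclass
class AgencyUser:
    name: str            # one named account per person, no shared logins
    role: str
    contract_end: date   # access lapses on this date without manual action
    active: bool = True

def permitted(user, action, today, approved=False):
    """True only if `user` may perform `action` on `today`."""
    if not user.active or today >= user.contract_end:
        return False                       # expired or offboarded
    if action in ADMIN_ONLY:
        return False                       # never delegated to an agency
    if action == "post:publish" and not approved:
        return False                       # approval workflow is mandatory
    return action in ROLE_PERMISSIONS.get(user.role, set())

def access_review(users, today):
    """Names of accounts that should already be disabled (step 8)."""
    return [u.name for u in users if not u.active or today >= u.contract_end]

def offboard(user):
    """Contract ended: deactivate the individual account immediately."""
    user.active = False
    return user

def sample_users():
    """Constructed example accounts (not real data)."""
    return [AgencyUser("agency-anna", "content_creation", date(2024, 12, 31)),
            AgencyUser("agency-ben", "full_management", date(2024, 12, 31)),
            AgencyUser("agency-carl", "full_management", date(2024, 5, 31))]

TODAY = date(2024, 6, 1)  # constructed review date
```

Running access_review() on the sample accounts on TODAY flags "agency-carl", whose contract ended the day before, even though nobody has offboarded that account yet.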
Agency offboarding: What to do when the contract ends
- Deactivate all agency user accounts.
- Check whether the agency had direct platform access—if yes, change passwords.
- Secure and hand over ongoing drafts and scheduled posts.
- Document the end of access rights in the DPA documentation.
- Check whether the agency stored data that must be deleted.
Luceena enables the secure integration of external agencies with granular permissions: dedicated accounts, enforced approval workflows, and one-click offboarding.
Conclusion
External agencies are valuable. Uncontrolled access isn’t. With clear processes, individual accounts, and a defined approval workflow, you benefit from the agency’s expertise—without losing control over your channels, your data, and your compliance.