EemelEemel Accounting
    Blog
    Compliance16.2.2026

    GDPR taloushallinnossa: henkilötiedot, oikeusperuste ja rekisteriseloste

    Taloushallinto käsittelee väistämättä henkilötietoja: asiakkaiden nimiä, osoitteita ja pankkitilinumeroita. Käymme läpi, mitä pienyrityksen taloushallinnon on otettava huomioon GDPR:n kannalta.

    "Financial administration inevitably handles personal data: customer names, addresses, bank account numbers, and payroll data. The EU General Data Protection Regulation (GDPR) sets clear requirements for processing this data. In this article, we will go through what small business financial administration needs to consider."

    "Personal data in financial administration – what is it?"

    "According to GDPR, personal data means any information relating to an identified or identifiable natural person. In financial administration, typical personal data includes:"

    • "Names, addresses, and business IDs of customers and suppliers (for sole proprietorships)"
    • "Bank account numbers"
    • "Email addresses and phone numbers of invoice contact persons"
    • "Salary data and personal identity codes (payroll)"
    • "Travel and expense report details"

    Retsgrundlag for behandling af personoplysninger

    "GDPR requires that every processing of personal data has a legal basis. In financial administration, the following are generally used:"

    • "Performance of a contract: sending invoices and receiving payments"
    • "Retlig forpligtelse: opbevaringspligter efter bogføringsloven, skatterapportering"
    • "Legitimate interest: debt collection, credit risk assessment"

    "For a small business, this practically means: you have the right to process your customer's data for invoicing and accounting purposes without separate consent, as processing is based on an agreement and law."

    "Retention periods for financial administration documents"

    "GDPR requires that data not be stored longer than necessary. In financial administration, retention periods are primarily determined by the Accounting Act:"

    AsiakirjatyyppiSäilytysaikaPeruste
    Kirjanpitokirjat (tase, tuloslaskelma, pääkirja)10 vuotta tilikauden päättymisestäKirjanpitolaki 2:10
    Tositteet (laskut, kuitit)6 vuotta tilikauden päättymisestäKirjanpitolaki 2:10
    Palkka-aineistot10 vuottaEnnakkoperintälaki, eläkelait
    ALV-aineisto6 vuottaArvonlisäverolaki

    "When the statutory retention period ends, personal data must be deleted or anonymized."

    "Mini-checklist for a small business"

    1. "Create a privacy policy (data protection statement) where you state what personal data you process and why"
    2. "Define retention periods by document type"
    3. "Ensure that your financial management software (e.g. Eemel Accounting) is GDPR compliant"
    4. "Limit access to personal data only to those who need it"
    5. "Agree on a data processing agreement with your accounting firm and other processors"
    6. "Delete outdated information regularly"

    "Practical example: sole proprietor and privacy policy"

    "A sole proprietor maintained a customer register in Excel and issued PDF invoices. From a GDPR perspective, the situation was problematic: no privacy policy, no data security, no tracking of retention periods."

    "Adopting Eemel Accounting solved most of the problems:"

    • "Customer data is in a secure system, not an open Excel file"
    • "Access limited by username and password"
    • "Financial management software provides a template for a privacy policy"
    • "Old data can be systematically deleted"

    "Try it in practice"

    "Eemel Accounting is designed with GDPR requirements in mind. Personal data is secure and processing is under control."

    "Try for 14 days"

    "Frequently asked questions"

    "Does a small business need a privacy policy?"

    "Yes, if you process personal data (e.g., customer names and addresses for invoicing). A privacy policy must be available."

    "Can accounting material be deleted based on GDPR?"

    "Not before the statutory retention period ends. The Accounting Act takes precedence over GDPR in this case."

    "Is a data processing agreement required with an accounting firm?"

    "Yes. An accounting firm processes personal data on your behalf, so GDPR requires a written agreement."

    "How does GDPR affect bank connections?"

    "Account transactions retrieved via a bank connection contain personal data. Processing is based on an agreement and law. Læs mere in our PSD2 article."

    "Do you need to ask for customer consent to process invoicing data?"

    "Not usually. The processing of invoicing data is based on the fulfillment of a contract, not consent."

    "This article is general in nature and does not constitute legal advice."

    Bag Eemel står Epic Invoicing Oy | CVR-nummer: 2571844-9 | Momsnummer: FI25718449

    Fuldt finsk-ejet virksomhed | Hjemsted: Tampere, Finland