EemelEemel Accounting
    Blog
    Compliance16.2.2026

    GDPR taloushallinnossa: henkilötiedot, oikeusperuste ja rekisteriseloste

    Taloushallinto käsittelee väistämättä henkilötietoja: asiakkaiden nimiä, osoitteita ja pankkitilinumeroita. Käymme läpi, mitä pienyrityksen taloushallinnon on otettava huomioon GDPR:n kannalta.

    Financial management inevitably processes personal data: customer names, addresses, bank account numbers, and payroll data. The EU General Data Protection Regulation (GDPR) sets clear requirements for the processing of this data. In this article, we go through what a small business' financial management needs to consider.

    Personal data in financial management – what is it?

    According to GDPR, personal data is any information relating to an identified or identifiable natural person. Typical personal data in financial management includes:

    • Names, addresses, and business IDs (for sole proprietorships) of customers and suppliers
    • Bank account numbers
    • Email addresses and phone numbers of invoice contact persons
    • Payroll data and personal identification numbers (payroll accounting)
    • Travel and expense report data

    Legal basis for processing personal data

    GDPR requires a legal basis for every processing of personal data. In financial management, the following are generally used:

    • Fulfillment of a contract: sending invoices and receiving payments
    • Legal obligation: retention obligations under the Accounting Act, tax reporting
    • Legitimate interest: debt collection, credit risk assessment

    For a small business, this practically means: you have the right to process your customer's data for invoicing and accounting purposes without special consent, as the processing is based on a contract and law.

    Retention periods for financial administration documents

    GDPR requires that data not be stored longer than necessary. In financial administration, retention periods are primarily determined by the Accounting Act:

    AsiakirjatyyppiSäilytysaikaPeruste
    Kirjanpitokirjat (tase, tuloslaskelma, pääkirja)10 vuotta tilikauden päättymisestäKirjanpitolaki 2:10
    Tositteet (laskut, kuitit)6 vuotta tilikauden päättymisestäKirjanpitolaki 2:10
    Palkka-aineistot10 vuottaEnnakkoperintälaki, eläkelait
    ALV-aineisto6 vuottaArvonlisäverolaki

    When the statutory retention period expires, personal data must be deleted or anonymized.

    Mini-checklist for a small business

    1. Create a privacy statement (data protection statement) where you explain what personal data you process and why
    2. Define retention periods by document type
    3. Ensure that your financial management software (e.g. Eemel Accounting) is GDPR-compliant
    4. Restrict access to personal data only to those who need it
    5. Agree on a data processing agreement with the accounting firm and other processors
    6. Delete outdated data regularly

    Practical example: sole proprietor and privacy statement

    A sole proprietor kept customer records in Excel and invoiced with PDF invoices. From a GDPR perspective, the situation was problematic: no privacy statement, no data security, no monitoring of retention periods.

    Implementing Eemel Accounting solved most of the problems:

    • Customer data is in a protected system, not an open Excel file
    • Access restricted by username and password
    • The financial management software provides a basis for a privacy statement
    • Old data can be systematically deleted

    Try it in practice

    Eemel Accounting is designed with GDPR requirements in mind. Personal data is secure and processing is under control.

    Try for 14 days

    Frequently asked questions

    Does a small business need a privacy statement?

    Yes, if you process personal data (e.g., customer names and addresses for invoicing). The privacy statement must be available.

    Can accounting material be deleted based on GDPR?

    Not before the statutory retention period expires. The Accounting Act takes precedence over GDPR in this regard.

    Is a data processing agreement needed with the accounting firm?

    Yes. The accounting firm processes personal data on your behalf, so GDPR requires a written agreement.

    How does GDPR affect banking connections?

    Account transactions retrieved through a banking connection contain personal data. Processing is based on a contract and law. Read more in our PSD2 article.

    Do I need to ask a customer for consent to process billing information?

    Generally no. The processing of billing information is based on fulfilling a contract, not on consent.

    This article is general in nature and does not constitute legal advice.

    Eemel is backed by Epic Invoicing Oy | Business ID: 2571844-9 | VAT ID: FI25718449

    Wholly Finnish-owned company | Domicile: Tampere, Finland