Blog
    Compliance, 16.2.2026

    GDPR in financial management: personal data, legal basis and privacy statement

    Financial management inevitably processes personal data: customer names, addresses and bank account numbers. We go through what a small business's financial management needs to take into account from a GDPR perspective.

    Financial management inevitably processes personal data: customer names, addresses, bank account numbers and payroll data. The EU General Data Protection Regulation (GDPR) sets clear requirements for the processing of this data. In this article, we go through what small business financial management needs to take into account.

    Personal data in financial management – what is it?

    According to GDPR, personal data is any information relating to an identified or identifiable natural person. In financial management, typical personal data includes:

    • Customer and supplier names, addresses and business IDs (for sole proprietorships)
    • Bank account numbers
    • Email addresses and phone numbers of invoice contact persons
    • Salary data and personal identity codes (payroll)
    • Travel and expense report details

    Legal basis for processing personal data

    GDPR requires a legal basis for every processing of personal data. In financial management, the following are generally used:

    • Fulfillment of a contract: sending invoices and receiving payments
    • Legal obligation: retention obligations under the Accounting Act, tax reporting
    • Legitimate interest: debt collection, credit risk assessment

    For a small business, this means in practice that you have the right to process your customers' data for invoicing and accounting without separate consent, because the processing is based on a contract and on law.

    Retention periods for financial documents

    GDPR requires that data is not stored longer than necessary. In financial management, retention periods are primarily determined by the Accounting Act:

    Document type | Retention period | Basis
    Accounting books (balance sheet, income statement, general ledger) | 10 years from the end of the financial year | Accounting Act (Kirjanpitolaki) 2:10
    Vouchers (invoices, receipts) | 6 years from the end of the financial year | Accounting Act (Kirjanpitolaki) 2:10
    Payroll material | 10 years | Prepayment Act, pension laws
    VAT material | 6 years | Value Added Tax Act

    When the statutory retention period expires, personal data must be deleted or anonymized.

    Mini-checklist for a small business

    1. Create a privacy statement (tietosuojaseloste) where you explain what personal data you process and why
    2. Define retention periods by document type
    3. Ensure that your financial accounting software (e.g. Eemel Accounting) is GDPR compliant
    4. Limit access to personal data only to those who need it
    5. Agree on a data processing agreement with the accounting firm and other processors
    6. Delete outdated data regularly

    Practical example: sole trader and privacy statement

    A sole trader kept a customer register in Excel and issued invoices as PDFs. From a GDPR perspective, the situation was problematic: no privacy statement, no data security, no tracking of retention periods.

    Implementing Eemel Accounting solved most problems:

    • Customer data is in a secure system, not an open Excel file
    • Access is restricted by username and password
    • Financial accounting software provides a template for a privacy statement
    • Old data can be systematically deleted

    Try it in practice

    Eemel Accounting is designed with GDPR requirements in mind. Personal data is safe and processing is under control.

    Try for 14 days

    Frequently asked questions

    Does a small business need a privacy statement?

    Yes, if you process personal data (e.g. customer names and addresses for invoicing). The privacy statement must be available.

    Can accounting material be deleted based on GDPR?

    Not before the statutory retention period expires. The Accounting Act takes precedence over GDPR in this case.

    Is a data processing agreement needed with the accounting firm?

    Yes. The accounting firm processes personal data on your behalf, so GDPR requires a written agreement.

    How does GDPR affect bank connections?

    Account transactions retrieved via a bank connection contain personal data. Processing is based on a contract and on law. Read more in our PSD2 article.

    Do customers need to be asked for consent to process invoicing data?

    Typically, no. The processing of invoicing data is based on fulfilling the contract, not on consent.

    This article is general in nature and does not constitute legal advice.

    Behind Eemel is Epic Invoicing Oy | Business ID: 2571844-9 | VAT number: FI25718449

    A fully Finnish-owned company | Location: Tampere, Finland