GDPR taloushallinnossa: henkilötiedot, oikeusperuste ja rekisteriseloste
Taloushallinto käsittelee väistämättä henkilötietoja: asiakkaiden nimiä, osoitteita ja pankkitilinumeroita. Käymme läpi, mitä pienyrityksen taloushallinnon on otettava huomioon GDPR:n kannalta.
""Financial management inevitably processes personal data: customer names, addresses, bank account numbers, and payroll data. The EU General Data Protection Regulation (GDPR) sets clear requirements for the processing of this data. In this article, we will go through what small business financial management needs to consider.""
""Personal data in financial management – what is it?""
""According to GDPR, personal data is any information relating to an identified or identifiable natural person. Typical personal data in financial management includes:""
- ""Names, addresses, and business IDs of customers and suppliers (for sole proprietorships)""
- ""Bank account numbers""
- ""Email addresses and phone numbers of invoice contact persons""
- ""Payroll data and personal identification numbers (for payroll)""
- ""Travel and expense report details""
""Base giuridica per il trattamento dei dati personali""
""GDPR requires that there is a legal basis for every processing of personal data. In financial management, the following are generally used:""
- ""Fulfillment of contract: sending invoices and receiving payments""
- ""Obbligo legale: obblighi di conservazione previsti dalla normativa contabile, dichiarazioni fiscali""
- ""Legitimate interest: debt recovery, credit risk assessment""
For a small business, this practically means: you have the right to process your customer's data for invoicing and accounting purposes without separate consent, because the processing is based on a contract and law.
Tempi di conservazione dei documenti amministrativi finanziari
GDPR requires that data not be stored longer than necessary. In financial administration, retention periods are primarily determined by the Accounting Act:
| Asiakirjatyyppi | Säilytysaika | Peruste |
|---|---|---|
| Kirjanpitokirjat (tase, tuloslaskelma, pääkirja) | 10 vuotta tilikauden päättymisestä | Kirjanpitolaki 2:10 |
| Tositteet (laskut, kuitit) | 6 vuotta tilikauden päättymisestä | Kirjanpitolaki 2:10 |
| Palkka-aineistot | 10 vuotta | Ennakkoperintälaki, eläkelait |
| ALV-aineisto | 6 vuotta | Arvonlisäverolaki |
When the statutory retention period ends, personal data must be deleted or anonymized.
Mini-checklist for a small business
- Create a privacy policy (data protection statement) where you state what personal data you process and why
- Define retention periods by document type
- Ensure that your financial management software (e.g. Eemel Accounting) is GDPR compliant
- Limit access to personal data only to those who need it
- Agree on a data processing agreement with the accounting firm and other processors
- Delete outdated information regularly
Practical example: sole proprietor and privacy policy
A sole proprietor maintained a customer register in Excel and invoiced with PDF invoices. From a GDPR perspective, the situation was problematic: no privacy policy, no data security, no tracking of retention periods.
The adoption of Eemel Accounting solved most of the problems:
- Customer data is in a secure system, not in an open Excel file
- Access restricted by username and password
- Financial management software provides a template for the privacy policy
- Old data can be deleted systematically
Try it in practice
Eemel Accounting is designed with GDPR requirements in mind. Personal data is secure and processing is under control.
Try 14 daysFrequently Asked Questions
Does a small business need a privacy policy?
Yes, if you process personal data (e.g., customer names and addresses for invoicing). A privacy policy must be available.
Can accounting material be deleted based on GDPR?
Not before the statutory retention period ends. The Accounting Act takes precedence over GDPR in this case.
Is a data processing agreement needed with the accounting firm?
Yes. The accounting firm processes personal data on your behalf, so GDPR requires a written agreement.
How does GDPR affect bank connections?
Account transactions fetched via bank connection contain personal data. Processing is based on contract and law. Leggi di più in our PSD2 article.
Do I need to ask the customer for consent to process invoicing data?
Not usually. Processing of invoicing data is based on fulfilling the contract, not consent.
This article is general in nature and does not constitute legal advice.