GDPR in financial administration: personal data, legal basis and privacy policy
Financial administration inevitably processes personal data: customer names, addresses, bank account numbers and payroll data. The EU General Data Protection Regulation (GDPR) sets clear requirements for processing this data. This article goes through what the financial administration of a small business needs to take into account.
Personal data in financial administration – what is it?
Under GDPR, personal data is any information relating to an identified or identifiable natural person. In financial administration, typical personal data includes:
- Names, addresses and business IDs of customers and suppliers (a sole trader's business ID identifies a natural person, so it is personal data)
- Bank account numbers
- Email addresses and phone numbers of invoicing contact persons
- Payroll data and employees' personal identity codes
- Travel and expense claim details
Legal basis for processing personal data
GDPR requires a legal basis for every processing of personal data. In financial administration, the following are generally used:
- Performance of a contract: sending invoices and receiving payments
- Legal obligation: retention obligations under the Accounting Act, tax reporting
- Legitimate interest: debt collection, credit risk assessment (this basis requires you to weigh your interest against the data subject's rights, and the data subject may object to the processing)
In practice this means a small business may process its customers' data for invoicing and accounting purposes without separate consent, because the processing is based on the contract and on the law.
Retention periods for financial administration documents
GDPR requires that data is not kept longer than necessary for its purpose. In financial administration, retention periods are set primarily by the Accounting Act (kirjanpitolaki), and they run from the end of the financial year in which the document was created, not from the date of the document itself:
| Document type | Retention period | Basis |
|---|---|---|
| Accounting records (balance sheet, income statement, general ledger) | 10 years from the end of the financial year | Finnish Accounting Act 2:10 |
| Vouchers (invoices, receipts) | 6 years from the end of the financial year | Finnish Accounting Act 2:10 |
| Payroll records | 10 years | Prepayment Act (withholding tax), pension institution requirements |
| VAT records | 6 years | VAT Act |
When the statutory retention period ends, the legal obligation that justified keeping the data ends with it, and the personal data must be deleted or anonymized.
Mini-checklist for a small business
- Create a privacy policy (data protection statement) stating what personal data you process, why, on what legal basis, and how long you keep it
- Define retention periods by document type
- Ensure your financial management software (e.g. Eemel Accounting) supports GDPR requirements such as access control and the deletion of data whose retention period has ended
- Limit access to personal data only to those who need it
- Sign a written data processing agreement with your accounting firm and any other processors
- Delete outdated information regularly
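The retention table above and the checklist items "define retention periods by document type" and "delete outdated information regularly" can be turned into a routine sweep. The script below is an added example, not code from the original article or from Eemel Accounting: it computes each record's expiry from the close of the financial year (not from the document date, which is the usual mistake), refuses to touch document types it has no retention period for, and either anonymizes expired records (keeping the figures, dropping the identifiers) or deletes them outright. The document type names, the `Record` fields and the sample register are assumptions made for the example; the sample data is constructed, not real customer data.

```python
"""Retention sweep for a small-business register (added illustration).

Retention periods run from the close of the financial year in which the
document was created, so expiry is computed from the financial-year end,
never from the document date itself.
"""
from dataclasses import dataclass, replace
from datetime import date
from typing import Optional

# Retention in years, counted from the close of the financial year (the table
# in the article). Any document type missing here is refused, not deleted:
# a sweep that fails closed cannot destroy material that must still be kept.
RETENTION_YEARS = {
    "accounting_record": 10,  # ledgers, balance sheet, income statement (Accounting Act 2:10)
    "voucher": 6,             # invoices, receipts (Accounting Act 2:10)
    "payroll_record": 10,     # payroll records
    "vat_record": 6,          # VAT records
}


@dataclass(frozen=True)
class Record:
    record_id: str
    doc_type: str
    document_date: date
    customer_name: Optional[str]  # personal data
    iban: Optional[str]           # personal data
    amount: float                 # no longer personal once the identifiers are gone


def financial_year_end(d, fy_end=(12, 31)):
    """Closing date of the financial year that contains d.

    fy_end is (month, day) of the financial-year close; a 29 February
    year end is not supported (assumption of this example).
    """
    month, day = fy_end
    close = date(d.year, month, day)
    return close if d <= close else date(d.year + 1, month, day)


def retention_expiry(rec, fy_end=(12, 31)):
    """Last day on which the record must still be retained."""
    if rec.doc_type not in RETENTION_YEARS:
        raise ValueError(f"no retention period defined for {rec.doc_type!r}")
    close = financial_year_end(rec.document_date, fy_end)
    return date(close.year + RETENTION_YEARS[rec.doc_type], close.month, close.day)


def is_expired(rec, today, fy_end=(12, 31)):
    """True only once the retention period has fully elapsed (the expiry day itself still counts as retained)."""
    return today > retention_expiry(rec, fy_end)


def anonymize(rec):
    """Strip the identifiers but keep the figures, e.g. for sales statistics."""
    return replace(rec, customer_name=None, iban=None)


def retention_sweep(records, today, fy_end=(12, 31), keep_figures=True):
    """Return (surviving records, action log as (record_id, action) tuples).

    Expired records are anonymized when keep_figures is True, otherwise dropped.
    A record whose type has no retention period raises, so nothing is lost silently.
    """
    kept, log = [], []
    for rec in records:
        if not is_expired(rec, today, fy_end):
            kept.append(rec)
            log.append((rec.record_id, "retain"))
        elif keep_figures:
            kept.append(anonymize(rec))
            log.append((rec.record_id, "anonymize"))
        else:
            log.append((rec.record_id, "delete"))
    return kept, log


# Constructed sample register for the example (not real customer data).
SAMPLE = [
    Record("V-2017-001", "voucher", date(2017, 3, 15), "Maija Meikäläinen", "FI21 1234 5600 0007 85", 120.0),
    # Dated January 2018: six years from the document date passed in January 2024,
    # but the retention period runs to the end of 2024 because it counts from the FY close.
    Record("V-2018-001", "voucher", date(2018, 1, 5), "Matti Meikäläinen", "FI21 1234 5600 0007 85", 80.0),
    Record("L-2017", "accounting_record", date(2017, 3, 15), "Maija Meikäläinen", None, 120.0),
]

if __name__ == "__main__":
    survivors, log = retention_sweep(SAMPLE, date(2024, 6, 1))
    for record_id, action in log:
        print(record_id, action)
```

Run with the calendar-year default, the sweep on 1 June 2024 anonymizes only V-2017-001; the January 2018 voucher survives until the end of 2024, and the accounting record until the end of 2027. Pass `fy_end=(6, 30)` for a financial year closing on 30 June.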
Practical example: sole trader and privacy policy
A sole trader kept a customer register in Excel and issued PDF invoices. From a GDPR perspective the situation was problematic: no privacy policy, no access control, and no tracking of retention periods.
Implementing Eemel Accounting solved most of the problems:
- Customer data is held in a protected system rather than in an unprotected Excel file
- Access is restricted to authenticated users (username and password)
- The software gives a documented basis for the privacy policy
- Data whose retention period has ended can be deleted systematically
Try it in practice
Eemel Accounting is designed with GDPR requirements in mind. Personal data is secure and processing is under control.
Frequently asked questions
Does a small business need a privacy policy?
Yes, if you process personal data (e.g. customer names and addresses for invoicing). The information GDPR requires you to give data subjects (Articles 13 and 14) must be available to them, typically as a privacy policy.
Can accounting material be deleted on the basis of GDPR?
Not before the statutory retention period ends. This is not a conflict between the two laws: the GDPR right to erasure does not apply while retention is required by a legal obligation (Article 17(3)(b)), so the Accounting Act's retention period applies.
Is a data processing agreement required with an accounting firm?
Yes. The accounting firm processes personal data on your behalf as a processor, so GDPR (Article 28) requires a written agreement.
How does GDPR affect bank connections?
Account transactions retrieved over a bank connection contain personal data (payer names and account numbers). Processing is based on the contract and on the law. Read more in our PSD2 article.
Do I need to ask the customer for consent to process billing information?
Not usually. The processing of billing information is based on fulfilling the contract, not on consent.
This article is general in nature and does not constitute legal advice.
