Blog
    Compliance | 16.2.2026

GDPR in financial management: personal data, lawful basis and privacy policy

    Financial management inevitably processes personal data: customer names, addresses, bank account numbers and payroll data. The EU GDPR sets clear requirements. This article presents what a…

Financial management inevitably processes personal data: customer names, addresses, bank account numbers and payroll data. The EU's General Data Protection Regulation (GDPR) sets clear requirements for the processing of this information. In this article we go through what a small business needs to consider in its financial management.

What counts as personal data in financial management?

    Under GDPR, personal data is any information relating to an identified or identifiable natural person. In financial management, typical personal data includes:

    • Names, addresses and business IDs of customers and suppliers (a sole proprietor's business ID identifies a person)
    • Bank account numbers
    • Email addresses and phone numbers of invoice contact persons
    • Payroll information and employees' personal identity codes
    • Travel and expense report details

Lawful basis for processing personal data

    GDPR requires a lawful basis for every processing of personal data. In financial management, the following are generally used:

    • Performance of a contract: sending invoices and receiving payments
    • Legal obligation: retention obligations under the Accounting Act, tax returns
    • Legitimate interest: debt collection, credit risk assessment

    For a small business this means in practice: you may process your customers' data for invoicing and accounting without separate consent, because the processing is based on a contract and on law.

Retention periods for financial administration documents

    GDPR requires that data not be kept longer than necessary. In financial administration, retention periods are primarily determined by accounting law:

    Document type                                                        | Retention period                               | Basis
    Accounting records (balance sheet, income statement, general ledger) | 10 years after the close of the financial year | Finnish Accounting Act 2:10
    Vouchers (invoices, receipts)                                        | 6 years after the close of the financial year  | Finnish Accounting Act 2:10
    Payroll data                                                         | 10 years                                       | Withholding tax (Prepayment) Act, pension institution
    VAT data                                                             | 6 years                                        | VAT Act

    When the statutory retention period ends, the personal data must be deleted or anonymized.

Mini-checklist for a small business

    1. Create a privacy policy (data protection statement) that explains what personal data you process and why
    2. Define retention periods by document type
    3. Ensure that your financial management software (e.g. Eemel Accounting) meets GDPR requirements
    4. Restrict access to personal data to those who actually need it
    5. Sign a data processing agreement with your accounting firm and any other processors
    6. Delete outdated information regularly
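Checklist items 2 and 6 (define retention periods per document type, delete outdated data regularly) together with the retention table above are the kind of rule that should be enforced by a scheduled job rather than by memory. The following is an added example, not code from this article or from Eemel Accounting: it encodes a retention policy per document type, decides for each record whether its statutory period has run out, and then either deletes the record or anonymizes its identifying fields. The document type names, the choice to anonymize ledger records instead of deleting them, the rule that the period ends on the anniversary of the financial-year close, and the sample records are all assumptions made for illustration; check the counting rule against the statute in force before relying on it.

```python
from dataclasses import dataclass, replace
from datetime import date
from typing import Optional

# Example retention policy (illustration only, not Eemel code). Years are counted
# from the close of the financial year, as in the table in the article. The
# action says what happens to the personal data once the period has run out.
# Assumption: the period ends on the anniversary of the closing date.
POLICY = {
    "accounting_record": (10, "anonymize"),  # ledger, balance sheet: keep figures, drop identities
    "voucher": (6, "delete"),                # invoices, receipts
    "payroll": (10, "delete"),
    "vat": (6, "delete"),
}

# Fields that identify a person and must not survive the retention period.
PERSONAL_FIELDS = ("name", "address", "iban", "email")


@dataclass(frozen=True)
class Record:
    record_id: str
    doc_type: str
    fiscal_year_end: date
    amount: float = 0.0
    name: Optional[str] = None
    address: Optional[str] = None
    iban: Optional[str] = None
    email: Optional[str] = None


def retention_end(record: Record) -> date:
    """Last day on which the record must still be kept."""
    if record.doc_type not in POLICY:
        # Fail closed: an unclassified record is neither deleted nor silently kept forever.
        raise ValueError(f"no retention rule for document type {record.doc_type!r}")
    years, _ = POLICY[record.doc_type]
    close = record.fiscal_year_end
    try:
        return close.replace(year=close.year + years)
    except ValueError:  # closing date was 29 February
        return close.replace(year=close.year + years, day=28)


def is_expired(record: Record, today: date) -> bool:
    return today > retention_end(record)


def anonymize(record: Record) -> Record:
    """Remove the identifying fields. Replace them, do not hash them: a hash of a
    name or IBAN can still be linked back to the person and is therefore still
    personal data under GDPR."""
    return replace(record, **{f: None for f in PERSONAL_FIELDS})


def apply_policy(records, today: date):
    """Return (records to keep, ids to delete). Expired records are either
    anonymized in place or scheduled for deletion according to POLICY."""
    keep, delete_ids = [], []
    for r in records:
        if not is_expired(r, today):
            keep.append(r)
            continue
        _, action = POLICY[r.doc_type]
        if action == "anonymize":
            keep.append(anonymize(r))
        else:
            delete_ids.append(r.record_id)
    return keep, delete_ids


# Constructed sample data (fictitious names and a placeholder IBAN).
SAMPLE = [
    Record("V-2019-017", "voucher", date(2019, 12, 31), 120.0,
           name="Maija Meikäläinen", address="Example Street 1, Tampere",
           iban="FI00 0000 0000 0000 00"),
    Record("V-2020-003", "voucher", date(2020, 12, 31), 80.0, name="Matti Meikäläinen"),
    Record("GL-2015", "accounting_record", date(2015, 12, 31), 15000.0, name="Liisa Meikäläinen"),
    Record("PAY-2015-02", "payroll", date(2015, 12, 31), 3200.0, name="Liisa Meikäläinen"),
]

if __name__ == "__main__":
    kept, to_delete = apply_policy(SAMPLE, date(2026, 2, 16))
    for r in kept:
        print("keep  ", r.record_id, "name =", r.name, "retention ends", retention_end(r))
    print("delete", to_delete)
```

Run as of the article date, the 2019 voucher and the 2015 payroll record are past their periods and are scheduled for deletion, the 2015 ledger record stays but without its identifying fields, and the 2020 voucher is untouched. The policy table is the part to agree with your accountant; the job itself is deliberately boring so that it can be reviewed line by line.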

Practical example: a sole proprietor and the privacy policy

    A sole proprietor kept the customer register in an Excel file and sent PDF invoices. From a GDPR perspective the situation was problematic: no privacy policy, no data security, and no tracking of retention periods.

    Moving to Eemel Accounting solved most of the problems:

    • Customer data lives in a secured system instead of an unprotected Excel file
    • Access is restricted by username and password
    • The financial management software provides a basis for the privacy policy
    • Old data can be deleted systematically

Try it in practice

    Eemel Accounting is designed with GDPR requirements in mind: personal data is kept secure and processing stays under control.

    Try for 14 days

Frequently asked questions

    Does a small business need a privacy policy?

    Yes, if you process personal data (for example customer names and addresses for invoicing). A privacy policy must be available.

    Can accounting material be deleted on the basis of GDPR?

    Not before the statutory retention period has ended. GDPR itself provides for this: the right to erasure does not apply while the processing is necessary to comply with a legal obligation, so the retention periods of accounting law prevail.

    Is a data processing agreement required with the accounting firm?

    Yes. The accounting firm processes personal data on your behalf, so GDPR requires a written agreement.

    How does GDPR affect bank connections?

    Bank transactions retrieved via a bank connection contain personal data. Their processing is based on contract and law. Read more in our PSD2 article.

    Does the customer's consent need to be requested for processing invoicing data?

    Not usually. Processing of invoicing data is based on performance of a contract, not on consent.

    This article is general in nature and does not constitute legal advice.

Epic Invoicing Oy is the company behind Eemel | Business ID: 2571844-9 | VAT no.: FI25718449

    Fully Finnish-owned company | Headquarters: Tampere, Finland