
GDPR for Trade Contractors in Europe: A Practical Compliance Guide

16 February 2026

The General Data Protection Regulation — Regulation (EU) 2016/679, universally known as GDPR — has been in force since May 2018 and applies to every business in the EU that processes personal data, with no exemption for small or micro businesses. A self-employed electrician in Warsaw, a two-person plumbing company in Dublin, and a ten-person HVAC firm in Vienna are all data controllers under GDPR. The regulation has a reputation for complexity, but the core obligations for trade contractors are manageable if approached practically. This guide sets out what GDPR actually requires of a typical European trade contracting business, without the legal jargon that makes most GDPR guidance inaccessible to practitioners.

What Personal Data Do Trade Contractors Process?

Before addressing obligations, it is worth being clear about what data is actually in scope. Personal data means any information that identifies or can identify a living individual. For a trade contractor, the personal data inventory typically includes: client names, addresses, telephone numbers, and email addresses (collected when quoting); property addresses (which may be residential addresses, identifying the homeowner); photographs of work in progress or completion (which may incidentally capture people or identify specific residences); employee names, payroll data, national insurance numbers, and health information (particularly relevant for construction workers where health and safety documentation exists); and subcontractor personal details. Most of this data is collected legitimately as part of conducting business, but GDPR requires that it be processed with a valid legal basis, stored no longer than necessary, and protected from unauthorised access.

Legal Bases for Processing Client Data

GDPR requires every act of data processing to be grounded in one of six legal bases set out in Article 6. For trade contractors, the most relevant bases are: performance of a contract (processing necessary to fulfil a quote, deliver the work, or invoice for it); legal obligation (processing required to comply with tax, accounting, or health and safety law — invoice retention is the clearest example); and legitimate interests (processing where the contractor has a genuine business interest that outweighs the individual's privacy interest, such as keeping a record of past clients for warranty purposes). Consent is often cited as the default legal basis for marketing, but for the operational data of a trade contracting business — client records, invoices, project files — consent is rarely the right basis and is in fact the weakest, because clients can withdraw consent at any time.

Record of Processing Activities

Article 30 of GDPR requires data controllers to maintain a Record of Processing Activities (RoPA). For businesses with fewer than 250 employees, there is a partial exemption, but it is narrow: the exemption only applies if the processing does not carry a risk to data subjects' rights, is only occasional, and does not include special categories of data (such as health information). For most trade contractors, at least some of their processing — particularly employment data and health and safety records — falls within categories that require a RoPA regardless of business size. A RoPA does not need to be complex: a structured spreadsheet or document describing each category of data (clients, employees, subcontractors), the purpose, the legal basis, how long the data is kept, and who it is shared with is sufficient for most small businesses. EU data protection authorities — including the Belgian DPA (APD/GBA), the Dutch AP, the German Datenschutzkonferenz, and the French CNIL — have all published RoPA templates for small businesses.

Retention Periods: How Long to Keep Invoice Data

One of the most practically important GDPR questions for trade contractors is how long to retain client and invoice data. GDPR requires data to be kept no longer than necessary for the purpose for which it was collected (the storage limitation principle). However, tax law in every EU member state imposes minimum retention periods for financial records that effectively set the floor. In Germany, the GoBD requires commercial invoices to be retained for ten years. In France, Article L.123-22 of the Code de Commerce requires ten years for accounting documents. In Belgium, the VAT Code requires seven years. In the Netherlands, Article 52 of the Algemene Wet inzake Rijksbelastingen requires seven years. In Spain, the Ley General Tributaria requires four years for tax purposes but five or six years for other purposes. In Poland, the Kodeks spółek handlowych requires five years. The practical approach is to retain all invoice and client data for at least the longest applicable period in your jurisdiction — typically seven to ten years — and then delete or anonymise it thereafter.

Right to Erasure and Conflicting Obligations

GDPR Article 17 gives individuals the right to request erasure of their personal data — the right to be forgotten. However, this right is not absolute: it does not apply where retention is necessary for compliance with a legal obligation. For a trade contractor, this means that if a former client requests erasure of all their data, the contractor can and must retain invoice data for the legally required period (seven to ten years, as above) even against the client's wishes, because tax law creates a legal retention obligation. What the contractor can do is erase data that is not subject to legal retention obligations — marketing preferences, unnecessary correspondence, photographs taken beyond warranty documentation purposes — while retaining the invoice archive. Documenting the basis for retained data and providing a clear explanation to the client who made the request is both legally required and good practice.

Data Breach Notification

Article 33 of GDPR requires data controllers to notify their national data protection authority of a personal data breach within 72 hours of becoming aware of it, where the breach is likely to result in a risk to the rights and freedoms of individuals. A data breach in the context of a trade contracting business might include: an employee laptop containing client records being stolen; a cloud storage account being accessed without authorisation; or an invoice containing personal data being sent to the wrong email address. The 72-hour clock starts from the moment the controller becomes aware of the breach, not from the moment it occurred. For contractors using cloud-based invoicing and project management tools, the cloud provider's own security practices and breach notification procedures are critical — the controller (the contractor) bears ultimate responsibility even if the breach occurs at the processor (the software provider) level. Reputable SaaS providers publish their security certifications and breach notification procedures in their data processing agreements.

Practical Steps for a Small Trade Business

The practical GDPR checklist for a small trade contracting business in Europe includes: using a privacy notice on your website and in your quoting process that explains what data you collect and why; ensuring your invoicing software or CRM provider has a compliant Data Processing Agreement (DPA) in place; setting a document retention schedule and enforcing it (ideally via automatic deletion in your software); restricting access to client data to those staff who need it; using password protection and two-factor authentication on all systems containing client data; and keeping a basic RoPA in a spreadsheet that you update annually. None of these steps requires a legal qualification or a dedicated data protection officer. The key is proportionality: the GDPR expects small businesses to take reasonable, documented steps rather than implementing enterprise-scale privacy programmes.

How QuotCraft Supports GDPR Compliance

QuotCraft is designed with GDPR compliance requirements for European trade contractors built into its architecture. The platform processes client and project data under a Data Processing Agreement that meets the requirements of GDPR Article 28, and QuotCraft acts as a processor on behalf of the contractor (the data controller). Data is stored in EU-based data centres, meaning no data is transferred outside the European Economic Area without appropriate safeguards. QuotCraft supports configurable data retention policies, allowing contractors to set automatic deletion schedules for client records once the legally required period has elapsed. The platform also supports granular access control, so that employees or subcontractors can be given access only to the data they need. For contractors who receive a client's right-to-erasure request, QuotCraft's data export and deletion tools make it straightforward to identify, review, and remove non-mandatory data while retaining legally required records.
