
GDPR for Freelancers: What You Really Need to Know About Client Data

You store names, email addresses, bank details and project content of your clients. That puts you under the GDPR. The good news: it is less complicated than you think if you use the right tools.

Do I need to comply with the GDPR?

Yes. As soon as you process personal data of people in the EU, the GDPR applies. This affects every freelancer and agency with EU clients, regardless of where you are based.

Even if you are in Switzerland: the DSG (Swiss Data Protection Act) has been similarly strict since 2023. And if you have EU clients, the GDPR applies on top.

What counts as 'client data'?

Everything that makes a person identifiable:

  • Name, email address, phone number
  • Postal address and company address
  • Bank details (IBAN, BIC)
  • Project content, briefs, feedback
  • Chat messages and uploaded files

5 things you must do

No legal jargon, just what actually matters:

  1. Privacy policy. Your website must state which data you collect, why, and how long you store it.
  2. Data processing agreement (DPA). You need a DPA with every tool that processes client data. That includes your CRM, cloud storage, email service and accounting tool.
  3. Encrypt stored data. Client data must not sit in plaintext in a database; encrypt it at rest. Encryption with a current standard (e.g. AES-256) is the state of the art.
  4. Deletion concept. You must know when to delete which data. Invoices: 10-year retention requirement. Project data: delete once the project ends and no other reason for keeping it remains.
  5. Right of access. Your client can ask at any time what data you have stored about them. You must be able to respond within 30 days.
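Point 3 in practice, as an added example that is not part of this article or of Mappli's product: field-level encryption of a client's e-mail or IBAN with AES-256-GCM from Go's standard library. The function names, the column-name binding and the 32-byte key are assumptions of the example; GCM is used rather than bare AES so that a modified stored value is rejected on decryption instead of silently producing garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// gcmFor builds AES-GCM; a 32-byte key selects AES-256. Key lives outside the DB.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealField encrypts one client field before it is written. A random nonce is
// prepended, and the column name is bound as associated data so a ciphertext
// copied from the "iban" column cannot be decrypted as an "email".
func SealField(key []byte, column, plaintext string) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(plaintext), []byte(column)), nil
}

// OpenField decrypts a stored field; it fails on a wrong key, on any change to
// the stored bytes, or when read back under a different column name.
func OpenField(key []byte, column string, stored []byte) (string, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return "", err
	}
	n := gcm.NonceSize()
	if len(stored) < n {
		return "", errors.New("stored value too short")
	}
	plain, err := gcm.Open(nil, stored[:n], stored[n:], []byte(column))
	if err != nil {
		return "", err
	}
	return string(plain), nil
}
```

Key management is the harder half of this requirement: the key must be held in an environment secret or a key management service, never in the same database or backup as the ciphertext it protects.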

What happens if you ignore it?

The GDPR allows fines of up to 20 million euros or 4% of annual revenue. For freelancers that is unrealistic, but cease-and-desist letters and loss of client trust are not.

The bigger risk: a client asks for their data and you cannot deliver. Or you use a US tool without a DPA and the client finds out. That costs trust, and trust is your most important asset.

GDPR vs. DSG (Switzerland)

The Swiss Data Protection Act (DSG) was revised in 2023 and is similar to the GDPR. Both require: transparency, purpose limitation, data minimisation and technical safeguards.

Main difference: the GDPR requires a data processing agreement (DPA); the DSG does not use this term explicitly but requires similar contractual guarantees. If you work in a GDPR-compliant way, you are also on the safe side under the DSG.

What Mappli solves for you

Mappli is built from the ground up for European data protection:

  • AES encryption for all sensitive client data in the database
  • Servers in the EU, no data transfers to third countries
  • GDPR hard delete: completely and immediately delete client data at the press of a button
  • Tenant isolation: every client is technically separated from others (fail-closed)
  • Audit logging: it is traceable who accessed which data and when

Data protection without the hassle

Mappli handles the technical GDPR requirements for you. Encryption, deletion, isolation. Try it free for 30 days.

30 days free · No credit card · EU-based servers