GDPR for the Self-Employed in 2026: What You Need to Comply With

GDPR doesn't only affect large corporations. If you issue invoices as a self-employed person, maintain a client database, send newsletters, or run a website, you are processing personal data — and GDPR applies to you. The good news is that obligations for sole traders are significantly simpler than for large companies. In this guide, we'll explain exactly what you need to comply with, what you don't need to worry about, and how to fulfil your obligations with a minimum of red tape.
What Is GDPR and Why Does It Apply to the Self-Employed
The General Data Protection Regulation (GDPR — Regulation (EU) 2016/679 of the European Parliament and of the Council) has been directly applicable in all EU member states since 25 May 2018. In the Czech Republic, GDPR is supplemented by Act No. 110/2019 Coll. on the processing of personal data. The supervisory authority is the Office for Personal Data Protection (ÚOOÚ).
Why Does GDPR Apply to Sole Traders?
GDPR applies to anyone who processes personal data — that is, any information relating to an identified or identifiable natural person. As a self-employed person, you process personal data at minimum by:
- Issuing invoices containing the name, address, and registration/VAT numbers of customers.
- Maintaining a client database — contact details, order history.
- Communicating by email — an email address is personal data.
- Running a website — visitors' IP addresses, cookies, contact forms.
- Having employees — payroll records contain sensitive personal data.
- Sending a newsletter — email addresses of subscribers.
OSVČ (sole trader) = data controller
In GDPR terminology, as a self-employed person you are a controller of personal data, because you determine the purposes and means of processing yourself. This applies even when your accountant handles your bookkeeping — in that case, the accountant is a processor, but responsibility for data protection remains with you.
What Personal Data Does a Self-Employed Person Typically Process
Before we get into the obligations, it's important to be aware of what data you actually work with as a sole trader:
📊Typical personal data processed by the self-employed
A sole trader's registration number is personal data
Note — a registration number assigned to a natural person (OSVČ) is considered personal data, because it directly identifies a specific individual. This means that even publicly available data from the trade register is subject to GDPR if you process it systematically.
Core GDPR Principles You Must Follow
GDPR is built on six fundamental principles for the processing of personal data (Article 5 GDPR). These principles apply to every controller regardless of their size:
📋6 principles of personal data processing
Legal Bases: On What Grounds May You Process Data
Every processing of personal data must have a legal basis (legal ground). GDPR defines six of them. For the self-employed, the following four are most relevant:
1. Performance of a contract (Art. 6(1)(b) GDPR)
This is the most common legal basis for the self-employed. If you enter into a contract with a client (even verbally or through an e-shop order), you may process the data necessary to fulfil it — name, delivery address, contact details for order-related communication.
2. Compliance with a legal obligation (Art. 6(1)(c) GDPR)
Much of the data you process is required by law. For example:
- Retaining tax documents (invoices) for 10 years — VAT Act, Accounting Act.
- Employee payroll records — Labour Code, Social Insurance Act.
- Records for the social security administration and health insurance funds.
3. Legitimate interests (Art. 6(1)(f) GDPR)
This legal basis allows processing where you have a legitimate interest that is not overridden by the interests or fundamental rights of the data subject. Examples include:
- Sending marketing communications to existing customers (who have already made a purchase).
- Property protection (CCTV systems).
- Debt recovery.
For legitimate interests, you must carry out a balancing test — a written assessment of whether your interest outweighs the data subject's right to privacy.
4. Consent (Art. 6(1)(a) GDPR)
You need consent when you have no other legal basis. Typically:
- Sending a newsletter to people who have not yet made a purchase from you.
- Processing data for marketing purposes beyond the scope of legitimate interests.
- Analytical and marketing cookies on your website.
Consent must be freely given and specific
Consent to the processing of personal data must be:
- Freely given — it must not be a condition for providing the service.
- Specific — it must relate to a specific purpose.
- Informed — the data subject must know what they are consenting to.
- Unambiguous — it requires an active opt-in (a pre-ticked box is not valid).
- Revocable — the data subject must be able to withdraw consent at any time, as easily as they gave it.
Records of Processing Activities
One of the key obligations is maintaining records of processing activities (Article 30 GDPR). This is an internal document describing what personal data you process, why, for how long, and how you protect it.
Do the Self-Employed Need to Keep Records?
GDPR includes an exemption for organisations with fewer than 250 employees — they are not required to keep records if the processing:
- is merely occasional,
- poses no risk to the rights and freedoms of data subjects,
- does not involve special categories of data (sensitive data).
The exemption almost never applies in practice
Even though you are self-employed with 0 employees, the exemption almost certainly does not apply to you. As soon as you process client data for invoicing or maintain a contact database, this constitutes systematic, not occasional, processing. We therefore recommend keeping records of processing activities — even if they amount to just one page.
What the Records Must Contain
📋Mandatory elements of a record of processing activities
Example processing record for a typical self-employed person
Processing purpose No. 1: Invoicing and tax record-keeping
- Data subjects: Clients (natural persons)
- Categories of data: Name, address, registration number, VAT number, email
- Legal basis: Performance of a contract + compliance with a legal obligation
- Recipients: Accountant (processor), tax authority
- Retention period: 10 years from the end of the tax period
- Security: Password-protected computer, backups, locked office
Processing purpose No. 2: Sending a newsletter
- Data subjects: Newsletter subscribers
- Categories of data: Email, name
- Legal basis: Consent / legitimate interests (existing customers)
- Recipients: Mailing tool (processor)
- Retention period: Until consent is withdrawn
- Security: Encrypted transmission, password-protected access
Information Obligation: What You Must Tell Clients
As a data controller, you are obliged to inform data subjects about how you process their data (Articles 13 and 14 GDPR). In practice, this means having personal data processing information on your website or in your terms and conditions (often referred to as a "privacy policy").
What the Information Must Include
| Requirement | Example |
|-------------|---------|
| Identity of the controller | John Smith, Reg. No.: 12345678, address, email |
| Purposes of processing | Invoicing, contract fulfilment, marketing |
| Legal basis | Performance of a contract, legitimate interests, consent |
| Recipients of data | Accountant, hosting provider, mailing tool |
| Retention period | Invoices 10 years, newsletter until consent is withdrawn |
| Rights of data subjects | Right of access, rectification, erasure, restriction, portability, objection |
| Contact for exercising rights | Email, phone |
| Right to lodge a complaint | Office for Personal Data Protection (uoou.gov.cz) |
Does a Self-Employed Person Need a Data Protection Officer (DPO)?
In most cases, no. A DPO (Data Protection Officer) is only required by:
- Public authorities and public bodies.
- Controllers whose core activity involves large-scale, regular and systematic monitoring of data subjects.
- Controllers whose core activity involves large-scale processing of special categories of data (health data, biometric data, data relating to criminal offences).
A typical self-employed person doesn't need a DPO
If you're a graphic designer, programmer, accountant, tradesperson, consultant, or small e-shop owner, you do not need a data protection officer. Your core business is providing services or selling goods, not processing personal data. You would need a DPO if, for example, you operated a loyalty programme with millions of customers or ran a private investigation agency.
Securing Personal Data in Practice
GDPR requires you to implement appropriate technical and organisational measures to protect personal data. "Appropriate" means proportionate to the risks and nature of the data — self-employed individuals are not expected to maintain the same level of security as a bank.
Practical Security Checklist for the Self-Employed
📋Minimum personal data security for the self-employed
Cookies on Websites
If you run a website, you most likely use cookies. Since 1 January 2022, an amendment to the Czech Electronic Communications Act has required prior active consent (opt-in) for cookies that are not strictly necessary for the website to function.
Which Cookies Require Consent
📊Cookie categories and consent requirements
The cookie banner must allow refusal
The cookie banner must allow visitors to actively accept or decline non-essential cookies. Pre-ticked boxes do not constitute valid consent. Visitors must be able to use the site without consenting to analytical and marketing cookies. The "Decline" button must be just as easily accessible as the "Accept" button.
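The rules above translate into a simple gating discipline: nothing non-essential is loaded until the visitor has actively chosen, "Decline" is a one-click button beside "Accept", and the choice (including a refusal) is recorded so the banner does not nag on every page. The following is an added example written for this guide, not code from the original page or from any consent-management product; the storage key, the category names and the two script URLs are assumptions for illustration.

```javascript
// Added example: consent-gated loading of analytics/marketing scripts.
// Storage key, category names and script URLs are assumed for illustration.

const CONSENT_KEY = 'cookie_consent_v1';        // assumed localStorage key
const CATEGORIES = ['analytics', 'marketing'];  // non-essential categories only

// Starting state: nothing consented and no decision made. There is no
// pre-ticked default and no "continuing to browse counts as consent".
function defaultConsent() {
  return { decided: false, analytics: false, marketing: false };
}

// Parse a stored record. Anything malformed, missing, or lacking an explicit
// decision is treated as "no consent", never as "consent".
function parseConsent(raw) {
  if (typeof raw !== 'string') return defaultConsent();
  try {
    const obj = JSON.parse(raw);
    const out = defaultConsent();
    out.decided = obj.decided === true;
    for (const c of CATEGORIES) out[c] = out.decided && obj[c] === true;
    return out;
  } catch (e) {
    return defaultConsent();
  }
}

// Turn a visitor's choice into a record. 'decline' is a real decision (decided: true,
// all categories false); the timestamp lets you demonstrate the choice later.
function recordChoice(choice) {
  const out = defaultConsent();
  out.decided = true;
  out.timestamp = new Date().toISOString();
  if (choice === 'accept_all') {
    for (const c of CATEGORIES) out[c] = true;
  } else if (choice && typeof choice === 'object') {      // per-category form
    for (const c of CATEGORIES) out[c] = choice[c] === true;
  }                                                        // 'decline' leaves all false
  return out;
}

// Scripts per category (assumed URLs). Essential functionality needs no entry here.
const SCRIPTS = {
  analytics: ['https://analytics.example/tag.js'],
  marketing: ['https://ads.example/pixel.js'],
};

// Only categories with explicit consent are loaded; an undecided visitor gets nothing.
function scriptsToLoad(consent) {
  const urls = [];
  for (const c of CATEGORIES) if (consent[c]) urls.push(...SCRIPTS[c]);
  return urls;
}

// Browser glue (runs only where a DOM exists). The banner is non-blocking: the page
// stays usable whether the visitor accepts, declines or ignores it, and "Decline"
// is a plain button next to "Accept", not hidden behind a settings link.
function initBanner(doc, storage) {
  const loadFor = consent => scriptsToLoad(consent).forEach(src => {
    const s = doc.createElement('script');
    s.src = src; s.async = true;
    doc.head.appendChild(s);
  });
  const current = parseConsent(storage.getItem(CONSENT_KEY));
  if (current.decided) { loadFor(current); return; }     // honour an earlier choice

  const banner = doc.createElement('div');
  banner.setAttribute('role', 'dialog');
  banner.innerHTML =
    '<p>We use analytics and marketing cookies only with your consent.</p>' +
    '<button type="button" id="cc-accept">Accept all</button> ' +
    '<button type="button" id="cc-decline">Decline</button>';
  doc.body.appendChild(banner);

  const decide = choice => {
    const consent = recordChoice(choice);
    storage.setItem(CONSENT_KEY, JSON.stringify(consent)); // record of the choice
    banner.remove();
    loadFor(consent);
  };
  banner.querySelector('#cc-accept').addEventListener('click', () => decide('accept_all'));
  banner.querySelector('#cc-decline').addEventListener('click', () => decide('decline'));
  // Withdrawal: a "Cookie settings" link elsewhere can call decide('decline'),
  // the same single click it took to accept.
}

if (typeof document !== 'undefined' && typeof localStorage !== 'undefined') {
  initBanner(document, localStorage);
}
```

The point to check in your own implementation is the fail-closed parsing: a stored record that says `analytics: true` but carries no explicit decision, or a corrupted record, must result in no scripts being loaded. A banner that only stores "accepted" and treats everything else as "ask again" tends to drift into loading analytics before the click.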
What to Do in the Event of a Data Breach
If a personal data security breach occurs (data loss, hacking, theft of a laptop with an unencrypted drive), you are obliged to:
📋Steps to take following a data breach
The 72-hour deadline runs from when you become aware
The 72-hour deadline for reporting a breach to the ÚOOÚ (Article 33 GDPR) begins from the moment you become aware of it, not from the moment it occurred. If you are unable to report within 72 hours, you must state the reasons for the delay. Notification is not required where the breach is unlikely to result in a risk to the rights and freedoms of individuals; conversely, where the risk is high you must also inform the affected data subjects without undue delay (Article 34). Whole-disk encryption matters here: if a stolen laptop was encrypted and the key was not compromised, the data is unintelligible to the thief, and Article 34(3)(a) expressly lifts the duty to notify the data subjects. Document the assessment either way.
Rights of Data Subjects: How to Respond to Requests
Individuals whose data you process have a number of rights. You will most commonly encounter these:
| Right | What it means | Your response |
|-------|--------------|---------------|
| Right of access | The data subject wants to know what data you hold about them | Provide a copy of the data within 1 month |
| Right to rectification | The data subject wants to correct inaccurate data | Correct it without undue delay |
| Right to erasure | The data subject wants their data deleted | Delete it, unless a legal obligation prevents this (e.g. invoice archiving); tell them what you kept and why |
| Right to restriction of processing | The data subject wants processing temporarily paused | Flag the data and suspend processing until resolved |
| Right to data portability | The data subject wants the data they provided to you, processed under consent or contract, in a machine-readable format | Provide it in a common structured format (CSV, JSON) |
| Right to object | The data subject contests processing based on legitimate interests | Reassess the legitimate interest or cease processing |
You must respond to a request within 1 month. In complex cases, the deadline can be extended by a further 2 months, but you must inform the data subject of this.
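Erasure and portability requests are where a sole trader's data handling usually gets tested, because the two pull in opposite directions: invoices must survive a deletion request for the whole retention period, while newsletter and CRM data must go. The following is an added example written for this guide, not code from the original page; the record layout, the sample records and the retention rules other than the 10-year invoice hold are constructed for illustration (it assumes a calendar-year tax period, so "end of the tax period" is 31 December).

```javascript
// Added example: applying an erasure request and a portability export to a small
// client store. Record layout, sample data and non-invoice retention rules are assumed.

// Retention per processing purpose. The 10-year hold on invoices is the one from the
// guide; "years: 0" means there is no statutory hold, so the data goes on request.
const RETENTION = {
  invoicing:  { years: 10, basis: 'legal obligation' },
  newsletter: { years: 0,  basis: 'consent' },
  crm_notes:  { years: 0,  basis: 'legitimate interest' },
};

// Constructed sample store. "provided" marks data the subject supplied themselves,
// which is what the portability right covers (not notes you wrote about them).
const SAMPLE_STORE = [
  { id: 'inv-2015-07', subjectId: 'c42', purpose: 'invoicing',  basis: 'contract', date: '2015-03-10', provided: true,  data: { name: 'Jan Novák', amount: 1200 } },
  { id: 'inv-2024-31', subjectId: 'c42', purpose: 'invoicing',  basis: 'contract', date: '2024-06-02', provided: true,  data: { name: 'Jan Novák', amount: 4800 } },
  { id: 'nl-c42',      subjectId: 'c42', purpose: 'newsletter', basis: 'consent',  date: '2023-01-15', provided: true,  data: { email: 'jan@example.test' } },
  { id: 'crm-c42-1',   subjectId: 'c42', purpose: 'crm_notes',  basis: 'legitimate interest', date: '2024-06-03', provided: false, data: { note: 'prefers invoices by email' } },
  { id: 'inv-2024-32', subjectId: 'c77', purpose: 'invoicing',  basis: 'contract', date: '2024-06-05', provided: true,  data: { name: 'Eva Dvořáková', amount: 300 } },
];

// Legal hold ends at the end of the year in which the retention period expires
// (assumption: calendar-year tax period, so 31 December). null = no hold.
function retentionEnd(record) {
  const rule = RETENTION[record.purpose];
  if (!rule || rule.years === 0) return null;
  const year = Number(record.date.slice(0, 4)) + rule.years;
  return new Date(Date.UTC(year, 11, 31, 23, 59, 59));
}

// Erasure request: delete everything about the subject except records still under a
// legal hold, and return what was kept and why so the partial refusal can be explained.
function handleErasure(records, subjectId, now) {
  const remaining = [], erased = [], retained = [];
  for (const r of records) {
    if (r.subjectId !== subjectId) { remaining.push(r); continue; }
    const end = retentionEnd(r);
    if (end && end > now) {
      remaining.push(r);
      retained.push({ id: r.id, until: end.toISOString().slice(0, 10), basis: RETENTION[r.purpose].basis });
    } else {
      erased.push(r.id);
    }
  }
  return { remaining, erased, retained };
}

// Portability export: data the subject provided, processed under consent or contract,
// as JSON and CSV. Your own notes about the client are not part of it.
function exportPortable(records, subjectId) {
  const rows = records
    .filter(r => r.subjectId === subjectId && r.provided && (r.basis === 'consent' || r.basis === 'contract'))
    .map(r => ({ id: r.id, purpose: r.purpose, date: r.date, ...r.data }));
  return { json: JSON.stringify(rows, null, 2), csv: toCsv(rows) };
}

// Minimal CSV writer: union of keys as header, every field quoted, quotes doubled.
function toCsv(rows) {
  const cols = [...new Set(rows.flatMap(Object.keys))];
  const q = v => `"${String(v ?? '').replace(/"/g, '""')}"`;
  return [cols.map(q).join(','), ...rows.map(r => cols.map(c => q(r[c])).join(','))].join('\n');
}

// Response deadline: one month from receipt, extendable by two further months
// (the subject must be told about the extension within the first month).
function responseDeadline(received, extended = false) {
  const d = new Date(received.getTime());
  d.setUTCMonth(d.getUTCMonth() + (extended ? 3 : 1));
  return d;
}

// Usage: erasure request from client c42 received on 2026-02-10.
const now = new Date('2026-02-10T00:00:00Z');
const result = handleErasure(SAMPLE_STORE, 'c42', now);
console.log('erased:', result.erased);        // 2015 invoice (hold ended 2025-12-31), newsletter, CRM note
console.log('retained:', result.retained);    // 2024 invoice, held until 2034-12-31 (legal obligation)
console.log(exportPortable(SAMPLE_STORE, 'c42').csv);
console.log('reply by:', responseDeadline(now).toISOString().slice(0, 10));
```

Two details carry the compliance weight. First, the hold is computed per record from its own date, so an old invoice whose retention has run out is deleted alongside the marketing data rather than hiding behind "we keep invoices". Second, the erasure result lists every retained record with its legal basis, which is exactly what your reply to the client has to say.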
Data Processing Agreements
If you use third parties to process personal data (accountant, hosting provider, mailing tool), you are required to enter into a data processing agreement with them under Article 28 GDPR.
Who You Need a Data Processing Agreement With
- Accountant/tax adviser — processes data from invoices and payroll records.
- Web hosting provider — data from your website is stored on their servers.
- Mailing tool (Mailchimp, Ecomail, etc.) — processes subscriber email addresses.
- Cloud storage (Google Drive, OneDrive) — if you store documents containing personal data there.
- Payroll software / payroll firm — processes employee data.
Major platforms have agreements ready to go
Most major service providers (Google, Microsoft, Mailchimp, Shopify, etc.) have a Data Processing Agreement/Addendum ready as part of their terms of service. You don't need to negotiate a bespoke agreement — simply accept their DPA, usually found in your account settings. With an accountant or smaller firm, we recommend drawing up a separate data processing agreement.
Fines for GDPR Violations
GDPR sets maximum fines of up to €20 million or 4% of global annual turnover, whichever is higher. In practice, however, the ÚOOÚ imposes significantly lower fines on Czech sole traders and small businesses, typically in the range of thousands to tens of thousands of CZK.
The ÚOOÚ takes a proportionate approach to sole traders
The Czech Office for Personal Data Protection has stated that it does not intend to put small sole traders out of business. Fines for the self-employed are a fraction of those imposed on large companies. That said, it's still worth avoiding fines — even a 10,000 CZK penalty is unpleasant, and it comes with an obligation to remedy the situation.
Frequently Asked Questions (FAQ)
Do I need a GDPR statement on my website even if it doesn't collect any data?
If your website collects no data at all (no contact form, no cookies, no analytics), you technically have no information obligation. In practice, however, almost every website uses at least basic analytics or a contact form, so we recommend always having a privacy policy in place.
Can I send marketing emails to existing customers without their consent?
Yes, the Act on Certain Information Society Services (No. 480/2004 Coll.) allows marketing communications to be sent to existing customers without prior consent, provided the communication relates to similar products or services and the customer has the option to unsubscribe from each message. This represents an implementation of legitimate interests.
How long can I retain data from invoices?
Tax documents (invoices) must be retained for 10 years from the end of the tax period under the VAT Act. Accounting documents must be kept for 5 years under the Accounting Act (for individuals maintaining tax records). After these periods have elapsed, you should delete or anonymise the data.
Do I need consent to process personal data from every client?
Not always. If you process a client's data to fulfil a contract (issuing an invoice, delivering goods) or to comply with a legal obligation (archiving documents), you do not need consent. Consent is typically required for marketing purposes in relation to individuals who have not yet made a purchase from you.
What if a client asks me to delete all their data?
The right to erasure is not absolute. You cannot delete data that you are legally required to retain (invoices for 10 years). However, you can delete data for which you have no other legal basis — for example, removing the client from your marketing database or deleting their contact details from your CRM once the period needed for invoicing has passed.
Keep Your Documents in Order with DokladBot
GDPR requires your data to be in order — and that starts with keeping your documents in order. DokladBot helps you stay on top of invoices, payments, and deadlines. Simply photograph a document via WhatsApp and DokladBot will process it automatically. No lost paperwork, no missed deadlines.
Try DokladBot at dokladbot.cz — the accounting assistant that's always at hand.
Official Sources
- Office for Personal Data Protection (ÚOOÚ) — Basic Guide to Data Protection
- ÚOOÚ — Cookies — Questions and Answers
- Ministry of the Interior — Guide for Preparing Small and Medium-Sized Businesses for GDPR
- Ministry of Industry and Trade — A Clear and Simple GDPR Manual for Entrepreneurs
- GDPR Regulation — full text
This article serves as a general informational guide and does not constitute legal advice. The information is based on GDPR (Regulation EU 2016/679) and Act No. 110/2019 Coll. as in force as of February 2026. For advice on your specific situation, we recommend consulting a data protection specialist or solicitor.
Don't want to waste time on paperwork?
Try DokladBot, accounting via WhatsApp. First week free.