GDPR for Trade Businesses: Handling Customer Data Right

As a tradesperson you collect personal data all day without thinking about it: a name and address when someone books, a phone number to call ahead, photos of the bathroom, a personal identity number on the ROT paperwork, and maybe years of invoice history. All of it falls under GDPR. The good news is that a normal electrical, plumbing or carpentry business doesn't need a legal department to get this right. You need to understand a few core principles and clean up the sloppiest habits.

This guide is written for owners of smaller trade businesses in Sweden. The supervisory authority is the Swedish Authority for Privacy Protection (IMY, Integritetsskyddsmyndigheten), which is where both complaints and serious incidents are reported. The rules rarely change, but because they are interpreted on an ongoing basis you should verify the details against imy.se before making any important decision.

What data does a trade business actually handle?

Personal data is anything that can be linked to a living person. For a typical field-service business that usually means:

• Contact details — name, address, phone and email from bookings and enquiries.
• Job-site photos — an image of someone's home can itself be personal data, especially if it shows the living environment.
• Personal identity numbers — often needed for the ROT deduction and invoicing, but should only be used when truly necessary.
• Invoices and payment history — which are also covered by bookkeeping rules.
• Employee data — hours, clock-ins, sometimes location data from a geofenced time clock.

Note that personal identity numbers have extra protection in Sweden: they may only be processed when clearly justified, for example for secure identification or tax documentation. Writing a personal identity number in an email subject line or an open chat is a classic mistake.

You need a legal basis — and you usually already have one

GDPR requires that every processing activity rests on a legal basis. You don't need to collect consent for everything — consent is actually often the weakest basis, because it can be withdrawn. For trade businesses, these three are the most common:

• Contract — you need the customer's details to carry out and invoice the job. This covers most of the customer relationship.
• Legal obligation — the Bookkeeping Act and tax rules require you to keep invoice records, which gives you lawful grounds to retain them.
• Legitimate interest — for example contacting a former customer with a service offer, provided their privacy interest doesn't outweigh yours. Here you should do a simple balancing test and be able to justify it.

The point isn't to fill in forms. It's that for each type of data you can answer the question: why do we hold this, and on what basis?

How long can you keep data — and when must you delete it?

This is the question that causes the most confusion, because two sets of rules pull in different directions. GDPR says you shouldn't keep personal data longer than necessary (storage limitation). At the same time the Bookkeeping Act requires you to keep accounting records for seven years after the end of the financial year — and that law takes precedence, because it is exactly the kind of legal obligation GDPR makes an exception for.

In practice this means:

• If you've invoiced a customer, the invoice records may and should stay for seven years. So you don't have to delete a customer just because they ask, if the data sits in your accounts.
• If you haven't invoiced a contact — just an enquiry that went nowhere — there's no bookkeeping basis. That data should be cleared out once it no longer serves a purpose.
• Once the seven years have passed, accounting data containing personal data should be deleted, unless you have another valid basis to keep it.

A good pattern is to separate: keep active customers in your working tool, and archive closed invoices so they aren't sitting in daily operations. Always confirm the exact retention periods and any exceptions with the Swedish Tax Agency (Skatteverket) and the Swedish Accounting Standards Board (Bokföringsnämnden), as the details can change.

Five concrete steps you can take this week

You don't have to do everything at once. Start here:

• Write a record of processing. A simple list of what data you process, why, on what basis and for how long. It has to exist in writing and be available to show IMY. A single page goes a long way for a small company.
• Tidy up email and phones. Stop sending personal identity numbers in plain text. Make sure old phones with customer photos are wiped before they're replaced.
• Limit who sees what. Not every employee needs access to the whole customer register. Access permissions are one of the cheapest security measures there is.
• Check your subcontractors. Bookkeeping software, cloud storage and booking systems process data on your behalf — for these you need a data processing agreement.
• Have an incident plan. If someone loses an unlocked phone, or an email with customer data goes to the wrong recipient, that can be a personal data breach that must be reported to IMY within 72 hours if it poses a risk to the people affected.

Much of this gets easier when your systems are built for it from the start. In FieldApp, booking, ROT paperwork, invoicing and field documentation sit in one tenant-isolated system with access controls, and invoicing syncs to Fortnox where the bookkeeping lives — so accounting data ends up in the right place instead of scattered across loose email threads.

What happens if you don't get it right?

Most small trade businesses aren't facing record fines, but the penalties are real. Under GDPR an administrative fine for the most serious infringements can reach EUR 20 million or 4 percent of global annual turnover, whichever is higher; for less serious cases the ceiling is EUR 10 million or 2 percent. In practice the fine can land anywhere from zero up to that ceiling, and IMY takes into account the size of the business and how serious the failing is.

The most common reality isn't a huge fine but a complaint from a customer or a neighbour who feels their data was handled carelessly — and that's when you want to be able to show you have your house in order. Being able to answer what you store, why and for how long is 90 percent of the job.

Want to bring booking, ROT paperwork and invoicing into one system built for Swedish tradespeople from the ground up? Try FieldApp free for 14 days and see how much calmer data handling becomes when it all hangs together.