GDPR for Proposals and Customer Data
Which customer data you may store, retention periods, and the appropriate legal bases for your data processing.
As a freelancer, you process your customers' personal data daily – from contact details to project information. The GDPR sets clear requirements for this processing. This guide explains what you need to consider to work in compliance with data protection regulations.
Basic Principles of GDPR
Data Minimization (Art. 5 GDPR)
The most important principle: Only collect data that you actually need. Ask yourself for each data field:
- Do I need this information for creating the proposal?
- Do I need it for contract execution?
- Is there a legal obligation to store it?
If all answers are "No," you should not collect the data.
Purpose Limitation
Data may only be used for the purpose for which it was collected. Customer data from a proposal may not be used for marketing without a separate legal basis (typically consent).
Storage Limitation
Data must be deleted as soon as the purpose is fulfilled – unless legal retention obligations exist.
Which Data May Be Stored?
Necessary Data for Proposal Creation
This data is required for contract initiation (pre-contractual measures) and may be stored without consent, because Art. 6(1)(b) GDPR already provides the legal basis:
| Data | Purpose | Legal Basis |
|---|---|---|
| Company name | Recipient information | Art. 6(1)(b) |
| Business address | Recipient information, invoicing | Art. 6(1)(b) |
| Email address | Communication, delivery | Art. 6(1)(b) |
| Contact person name | Personalization | Art. 6(1)(b) |
| Project description | Proposal creation | Art. 6(1)(b) |
Optional Data (with Additional Legitimation)
For this data, you need either a legitimate interest or consent:
| Data | Legal Basis | Note |
|---|---|---|
| Phone number | Art. 6(1)(f) (legitimate interest) | For quick inquiries |
| Project history | Art. 6(1)(f) | For better follow-up care |
| Personal notes | Art. 6(1)(f) | No sensitive information |
| Newsletter signup | Art. 6(1)(a) (consent) | Active opt-in required |
Data You Should Not Store
- Private contact details (personal mobile, personal email)
- Health data (a special category under Art. 9 GDPR)
- Political or religious beliefs (also special categories under Art. 9 GDPR)
- Financial data irrelevant to your proposal
Retention Periods
Changes from the 4th Bureaucracy Relief Act (2025)
From 2025, some retention periods were shortened:
| Document Type | Retention Period | Legal Basis |
|---|---|---|
| Proposals (without contract) | 3 years | Statute of limitations under BGB |
| Proposals (with contract) | 6 years | § 257 HGB |
| Invoices | 8 years (previously 10) | § 257 HGB (new from 2025) |
| Accounting documents | 8 years (previously 10) | § 257 HGB (new from 2025) |
| Annual financial statements | 10 years | § 257 HGB |
| Contracts | 6 years | § 257 HGB |
Start of Period
The period begins at the end of the calendar year in which the document was created.
Example: A proposal from March 15, 2025 that led to a contract must be retained until December 31, 2031 (6 years from the end of 2025). Had no contract followed, the 3-year period would end on December 31, 2028.
Deletion Obligation After Expiry
After the retention period expires, the data is no longer needed for the retention purpose and must be deleted (storage limitation, Art. 5(1)(e), and the right to erasure, Art. 17 GDPR). The GDPR sets no fixed grace period; deleting within 6-12 months of expiry, as part of a regular review, is a workable practice.
Tip: Set up an annual reminder to review and delete expired data.
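The annual review recommended above can be scripted. The following Python example is added here and is not code from this page or from Proposal Air: it computes the end of the retention period from the table above (31 December of the creation year plus the period), applies the longer period to a proposal that led to a contract, partitions a record set into "delete" and "keep" for the yearly review, and decides an Art. 17 erasure request (covered later under Data Subject Rights) by checking whether a retention obligation still runs. The record type names, field names and sample records are assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import date

# Retention periods in years, taken from the table on this page.
# The key names are assumptions made for this example.
RETENTION_YEARS = {
    "proposal": 3,                     # no contract followed (BGB limitation period)
    "proposal_with_contract": 6,       # § 257 HGB
    "contract": 6,                     # § 257 HGB
    "invoice": 8,                      # § 257 HGB, shortened from 10 in 2025
    "accounting_document": 8,          # § 257 HGB, shortened from 10 in 2025
    "annual_financial_statement": 10,  # § 257 HGB
}


@dataclass
class Record:
    """One stored document. Field names are assumptions for this example."""
    record_id: str
    doc_type: str
    created: date
    contract_followed: bool = False  # proposals only: did a contract result?


def effective_type(rec: Record) -> str:
    """A proposal that led to a contract falls under the 6-year period."""
    if rec.doc_type == "proposal" and rec.contract_followed:
        return "proposal_with_contract"
    return rec.doc_type


def retention_end(rec: Record) -> date:
    """Last day of the retention period.

    The period starts at the end of the calendar year of creation, so it
    always ends on 31 December of (creation year + period in years).
    """
    years = RETENTION_YEARS[effective_type(rec)]
    return date(rec.created.year + years, 12, 31)


def retention_expired(rec: Record, today: date) -> bool:
    return today > retention_end(rec)


def annual_review(records, today):
    """Split records into (due_for_deletion, keep) for the yearly review."""
    due = [r for r in records if retention_expired(r, today)]
    keep = [r for r in records if not retention_expired(r, today)]
    return due, keep


def erasure_request(rec: Record, today: date):
    """Decide an Art. 17 erasure request for one record.

    Returns (can_delete_now, reason). Art. 17(3)(b) GDPR exempts data that
    must be kept to comply with a legal obligation, so a record still inside
    its retention period is kept for that purpose only and deleted afterwards.
    """
    end = retention_end(rec)
    if today > end:
        return True, "retention period expired; delete"
    return False, f"retention obligation until {end.isoformat()}; keep for that purpose only"


# Constructed sample data (not real customer records).
SAMPLE_RECORDS = [
    Record("P-2025-017", "proposal", date(2025, 3, 15), contract_followed=True),
    Record("P-2021-004", "proposal", date(2021, 6, 1)),
    Record("INV-2017-031", "invoice", date(2017, 2, 10)),
    Record("C-2020-002", "contract", date(2020, 9, 30)),
    Record("AFS-2015", "annual_financial_statement", date(2015, 12, 31)),
]
REVIEW_DATE = date(2026, 1, 15)  # assumed date of the yearly review run

if __name__ == "__main__":
    due, keep = annual_review(SAMPLE_RECORDS, REVIEW_DATE)
    for r in due:
        print(f"delete {r.record_id}: retention ended {retention_end(r)}")
    for r in keep:
        print(f"keep   {r.record_id}: retain until {retention_end(r)}")
    print(erasure_request(SAMPLE_RECORDS[0], REVIEW_DATE))
```

The script applies the page's periods regardless of creation year; whether the shortened 8-year period also applies to invoices created before 2025 follows from the act's transitional provision, which this page does not cover, so check that before deleting older invoices. The review date is deliberately set in January, since every period ends on 31 December and a January run catches everything that expired the previous year.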
Legal Bases for Processing
Every data processing requires a legal basis under Art. 6 GDPR:
Art. 6(1)(b) – Contract Performance
When applicable: When processing is necessary for the performance of a contract or for pre-contractual measures.
Examples:
- Customer data for proposal creation upon request
- Contact details for project execution
- Invoice data for billing
Art. 6(1)(c) – Legal Obligation
When applicable: When there is a legal obligation to process.
Examples:
- Retention of invoices for tax authorities
- Mandatory information on invoices (for example, your tax number under § 14 UStG)
- Documentation for warranty claims
Art. 6(1)(f) – Legitimate Interest
When applicable: When you have a legitimate interest in processing and the interests of the data subject do not override it.
Examples:
- Storing project history for better follow-up care
- Phone number for quick inquiries
- Internal notes on customer relationship
Important: With legitimate interest, you must document a balancing of interests.
Art. 6(1)(a) – Consent
When applicable: When no other legal basis applies and the data subject consents.
Examples:
- Newsletter to prospects
- Marketing emails after project completion
- Publication of references with customer name
Consent requirements:
- Voluntary and informed
- Active opt-in (no pre-filled checkboxes)
- Revocable at any time
- Documented
Data Processing Agreement (DPA)
When is a DPA Required?
When you as a freelancer process personal data on behalf of a customer (e.g., marketing campaigns, web development with customer data), you need a Data Processing Agreement under Art. 28 GDPR.
Proposal Air as Data Processor
When you use Proposal Air, we process customer data on your behalf. We provide a DPA that includes:
- Subject and duration of processing
- Type of personal data
- Categories of data subjects
- Obligations and rights of the controller (you)
- Technical and organizational measures
- Regulations on sub-processors
- Deletion/return after contract end
Data Subject Rights
Your customers have the following rights under GDPR:
| Right | Article | Your Obligation |
|---|---|---|
| Access | Art. 15 | Respond within one month (extendable by two further months for complex requests, Art. 12(3)) |
| Rectification | Art. 16 | Correct incorrect data |
| Erasure | Art. 17 | Delete data (if no retention obligation) |
| Restriction | Art. 18 | Restrict processing |
| Data portability | Art. 20 | Provide the data the customer supplied in a machine-readable format (applies to data processed on the basis of contract or consent) |
| Objection | Art. 21 | Stop processing based on legitimate interest unless you can demonstrate compelling legitimate grounds; for direct marketing the objection is absolute (Art. 21(2)) |
Tip: Prepare templates for data subject requests to respond quickly.
Tips for Proposal Air
How to work GDPR-compliant with Proposal Air:
- Only capture necessary data – Use only the fields you really need
- Maintain customer data – Keep data current and delete outdated entries
- Use export function – For access requests, you can export customer data
- Use delete function – Delete customers when no retention obligation exists
- Sign DPA – Ensure the DPA with us is concluded
Checklist for GDPR-Compliant Proposals
- Only necessary customer data captured
- Legal basis for processing identified
- Retention periods documented
- Deletion process for expired data established
- Privacy notice on website/in emails
- DPA with Proposal Air concluded
- Process for data subject requests prepared
Related Topics
- Electronic Signatures – Data protection in digital signing
- Best Practices – Mandatory information on proposals
- Taxes & Legal – Tax retention obligations