Practical guide 9 min read·

GDPR for Freelancers: What Nobody Tells You

GDPR applies to freelancers and sole traders too. But the obligations are often much simpler than you'd think — and the real risk isn't necessarily where you expect it. This guide debunks the myths and gives you the strict minimum to work in compliance.

Yes, GDPR applies to you too

The confusion is widespread: many freelancers think GDPR is reserved for large companies or organizations with an IT department. That's wrong. GDPR applies as soon as you process personal data in a professional context — which includes a client file, a contact form, or a prospect database.

The good news: obligations are proportionate to size and risk. A freelance developer accessing an e-commerce client's database and a banking group don't have the same obligations. Article 30-5 of the GDPR even provides a partial exemption from the processing register for organizations of fewer than 250 people — which covers all freelancers.

The bad news: certain obligations have no size exception — notably subcontracting clauses (DPAs) and data security. And above all, the B2B market is evolving: more and more clients require GDPR compliance from their service providers as a contractual prerequisite. Not being in order can cost you contracts.

Your real obligations in 2026

Here's what GDPR actually requires of a freelancer, without inflating the list:

  • Processing register (simplified)document your non-occasional processing activities. For most freelancers: client management, invoicing, website. A shared spreadsheet suffices, no specific software required.
  • DPA clause in your contractsmandatory whenever you process data on behalf of a client (Art. 28 GDPR). Can be a 10-line paragraph in your service contract.
  • Data securitytechnical measures proportionate to risk: encryption of client files, strong passwords, no client data on unsecured consumer tools.
  • Privacy policy on your websitemandatory if your site collects data (form, analytics, newsletter). Can be short and simple.
  • Cookie bannerif you use analytics or third-party scripts on your site. No non-essential cookie before consent.

Check your freelance site in 60 seconds

Cookies before consent, non-compliant banner, unframed non-EU transfers — RGPDScan detects what to fix immediately.

The real risk: commercial above all

Growing B2B requirement

Large companies (mid-market, major accounts, public sector) now integrate GDPR compliance into their vendor due diligence. A freelancer who cannot produce a DPA, privacy policy or processing register may be excluded from a tender or assignment. This trend accelerated after 2023 and the first public CNIL sanctions affecting processors.

Client/prospect complaint risk

A freelancer can receive a CNIL complaint from a prospect who considers their data was used without legal basis (prospecting without consent, long retention of unsigned quote). CNIL handles these complaints and may contact the freelancer. The risk of direct fine remains low, but the procedure takes time and can damage reputation.

What CNIL generally doesn't check

CNIL does not launch proactive checks on micro-structures. It targets organizations processing data at scale (millions of people) or sensitive data (health, payment). A solo freelancer managing dozens or hundreds of contacts will not be on CNIL's radar unless there's a direct complaint or connection to a larger client case.

Action plan: get compliant in 1 day

Step 1 — Inventory your processing activities (2h)

  • List your tools containing people's data: CRM, invoicing tool, client spreadsheet, email, newsletter
  • For each tool: what data, how many people, where hosted, how long retained
  • Create a simple register in a spreadsheet (free CNIL template available on cnil.fr)

Step 2 — Client contracts: add the DPA clause (1h)

  • Include an Art. 28 clause in your standard contract: nature of data processed, purpose, duration, your security measures, your sub-processors
  • For ongoing assignments: send a DPA amendment by email. Keep the client's agreement
  • If your client imposes their own DPA (large companies): read it before signing, check your incident notification obligations

Step 3 — Website and tools (2h)

  • Audit your site: which cookies, which analytics, which forms? RGPDScan does this in 60 seconds
  • Draft or update your privacy policy (short, clear, specific to your activity)
  • Replace Google Analytics without consent with Plausible (no cookie, no banner needed, €9/month)
  • Check where your tools are hosted: prefer EU tools or those with signable DPA (Notion EU, Proton, Infomaniak)

Preferred tools for a GDPR-compliant freelancer

NeedRiskyEU Alternative
AnalyticsGoogle AnalyticsPlausible, Matomo
Professional emailGmail (personnel)Proton Mail, Infomaniak Mail
File storageDropbox (US)Infomaniak kDrive, Nextcloud
InvoicingUS tools without DPAPennylane, Freebe, Zoho EU
Notes / docsNotion (US par défaut)Notion EU, Outline, Obsidian

Going further

Frequently asked questions

Is a freelancer a data controller or a data processor?
Both, depending on context. When the freelancer processes data for their own account (accounting, client base, newsletter), they are a controller. When they process data on behalf of a client (app development, marketing data management), they are a processor. In the latter case, a DPA must be signed with the client. A freelancer can therefore be both simultaneously.
Does my freelance processing register need to be complex?
No. For small structures (fewer than 250 employees), GDPR provides a partial exemption: only non-occasional processing, or involving sensitive data, or likely to create risk for individuals, must appear in the register. In practice, a solo freelancer often has 3-5 processing activities to document: client/quote management, accounting, possible newsletter. A spreadsheet is sufficient.
Do I need to sign a DPA with every client whose data I process?
Yes, if you access their users' or employees' personal data as part of your work (database access, analytics, CRM tool). The DPA (or processing agreement Art. 28 GDPR) can be a clause in your service contract. Many freelance contracts lack this — a gap that enterprise B2B clients are beginning to require corrected.
Which SaaS tools are problematic for a GDPR-compliant freelancer?
US tools without a signed DPA or adequate certifications: some online invoicing tools, Notion (US data unless EU configured), communication tools (free Slack, some Teams versions), appointment booking tools collecting more data than necessary. Priority: check where client data is hosted when you use these tools in their projects.
Does the CNIL monitor freelancers and sole traders?
Rarely proactively. CNIL primarily targets organizations processing millions of people. For a freelancer, real risk comes from individual complaints (a disgruntled client or prospect) or an inspection triggered by a client themselves in difficulty with CNIL. Direct regulatory risk is low; commercial risk (losing demanding B2B contracts) is more concrete.
Do I need a privacy policy on my freelance website?
Yes, if your site collects data (contact form, Google Analytics, newsletter). The policy must mention purposes, retention periods, your processors (host, email tool), and individuals' rights. If your site collects strictly nothing (static showcase without cookies, forms or analytics), a policy is still recommended but not legally mandatory.

Check your GDPR compliance in 60 seconds

Freelancer or small business, RGPDScan analyzes your site and gives you a prioritized correction list. Free, no installation.