GDPR for Freelancers: What Nobody Tells You
GDPR applies to freelancers and sole traders too. But the obligations are often much simpler than you'd think — and the real risk isn't necessarily where you expect it. This guide debunks the myths and gives you the strict minimum to work in compliance.
Yes, GDPR applies to you too
The confusion is widespread: many freelancers think GDPR is reserved for large companies or organizations with an IT department. That's wrong. GDPR applies as soon as you process personal data in a professional context — which includes a client file, a contact form, or a prospect database.
The good news: obligations are proportionate to size and risk. A freelance developer accessing an e-commerce client's database and a banking group don't have the same obligations. Article 30-5 of the GDPR even provides a partial exemption from the processing register for organizations of fewer than 250 people — which covers all freelancers.
The bad news: certain obligations have no size exception — notably subcontracting clauses (DPAs) and data security. And above all, the B2B market is evolving: more and more clients require GDPR compliance from their service providers as a contractual prerequisite. Not being in order can cost you contracts.
Your real obligations in 2026
Here's what GDPR actually requires of a freelancer, without inflating the list:
- Processing register (simplified) — document your non-occasional processing activities. For most freelancers: client management, invoicing, website. A shared spreadsheet suffices, no specific software required.
- DPA clause in your contracts — mandatory whenever you process data on behalf of a client (Art. 28 GDPR). Can be a 10-line paragraph in your service contract.
- Data security — technical measures proportionate to risk: encryption of client files, strong passwords, no client data on unsecured consumer tools.
- Privacy policy on your website — mandatory if your site collects data (form, analytics, newsletter). Can be short and simple.
- Cookie banner — if you use analytics or third-party scripts on your site. No non-essential cookie before consent.
Check your freelance site in 60 seconds
Cookies before consent, non-compliant banner, unframed non-EU transfers — RGPDScan detects what to fix immediately.
The real risk: commercial above all
Large companies (mid-market, major accounts, public sector) now integrate GDPR compliance into their vendor due diligence. A freelancer who cannot produce a DPA, privacy policy or processing register may be excluded from a tender or assignment. This trend accelerated after 2023 and the first public CNIL sanctions affecting processors.
A freelancer can receive a CNIL complaint from a prospect who considers their data was used without legal basis (prospecting without consent, long retention of unsigned quote). CNIL handles these complaints and may contact the freelancer. The risk of direct fine remains low, but the procedure takes time and can damage reputation.
CNIL does not launch proactive checks on micro-structures. It targets organizations processing data at scale (millions of people) or sensitive data (health, payment). A solo freelancer managing dozens or hundreds of contacts will not be on CNIL's radar unless there's a direct complaint or connection to a larger client case.
Action plan: get compliant in 1 day
Step 1 — Inventory your processing activities (2h)
- List your tools containing people's data: CRM, invoicing tool, client spreadsheet, email, newsletter
- For each tool: what data, how many people, where hosted, how long retained
- Create a simple register in a spreadsheet (free CNIL template available on cnil.fr)
Step 2 — Client contracts: add the DPA clause (1h)
- Include an Art. 28 clause in your standard contract: nature of data processed, purpose, duration, your security measures, your sub-processors
- For ongoing assignments: send a DPA amendment by email. Keep the client's agreement
- If your client imposes their own DPA (large companies): read it before signing, check your incident notification obligations
Step 3 — Website and tools (2h)
- Audit your site: which cookies, which analytics, which forms? RGPDScan does this in 60 seconds
- Draft or update your privacy policy (short, clear, specific to your activity)
- Replace Google Analytics without consent with Plausible (no cookie, no banner needed, €9/month)
- Check where your tools are hosted: prefer EU tools or those with signable DPA (Notion EU, Proton, Infomaniak)
Preferred tools for a GDPR-compliant freelancer
| Need | Risky | EU Alternative |
|---|---|---|
| Analytics | Google Analytics | Plausible, Matomo |
| Professional email | Gmail (personnel) | Proton Mail, Infomaniak Mail |
| File storage | Dropbox (US) | Infomaniak kDrive, Nextcloud |
| Invoicing | US tools without DPA | Pennylane, Freebe, Zoho EU |
| Notes / docs | Notion (US par défaut) | Notion EU, Outline, Obsidian |
Going further
- GDPR compliance checklist 2026: 42 points to check
- Compliant privacy policy template 2026
- 10 SaaS tools that put your GDPR at risk
- GDPR for small businesses: compliance guide
- Data transfers outside the EU: are you in violation?