FabriqueFabrique
Get started
All articles

July 7, 2026 · 7 min read

GDPR and client document collection: what you need to know

Firms that collect client documents for a living — accountants, brokers, M&A advisers — rarely think of a request for a payslip or an ID scan as a "GDPR moment." It is one. Any document that identifies a person, directly or indirectly, is personal data, and collecting it triggers the same obligations as any other processing activity.

This isn't a substitute for legal advice on a specific situation, but here are the general principles that apply: legal basis, data minimization, retention, security, client rights, and the role a document collection tool plays as a data processor.

Why document collection is a GDPR matter

An ID card, a payslip, a bank statement, a KYC file — each one contains personal data, and requesting, storing or sharing it counts as processing under GDPR, regardless of whether it moves through email, a physical file or a dedicated platform. The format doesn't change the obligation; it changes how easy or hard the obligation is to actually meet.

Legal basis for processing

Two bases cover most of what a professional firm collects from clients. Performance of a contract applies when a document is genuinely necessary to deliver the service the client engaged the firm for — an accountant can't produce accounts without bank statements, a broker can't submit a loan file without income documents. Compliance with a legal obligation applies where the firm itself is required by law to hold certain records or run certain checks, such as retaining specific accounting evidence or carrying out identity verification.

Consent is rarely the right basis in this context: if a document is genuinely required to perform the engagement, the relationship isn't optional in a way that makes consent the natural fit. Where there's doubt about which basis applies to a specific document, that's a question worth putting to counsel rather than guessing.

Data minimization: request what's needed, nothing more

Data minimization means asking only for what's actually necessary for the purpose at hand — a full bank statement when only the account holder's name and IBAN are needed, for instance, arguably goes further than necessary. In practice, ad hoc email requests tend to over-collect, because it's easier to ask for "everything, just in case" than to specify exactly what's needed.

A defined checklist, matched to the actual purpose of the request, is one of the more effective ways to operationalize minimization: it forces the firm to decide in advance what's genuinely required, rather than accumulating documents by default.

How long these documents can be kept

Retention doesn't follow a single GDPR number — it follows whatever legal obligation applies to each document type, and that varies by document and by profession. Accounting and tax records, for instance, are generally subject to retention obligations running around a decade in many contexts, reflecting statutory limitation periods rather than a GDPR-specific rule. An identity document collected only to verify someone's identity once is a different case: once that purpose is served, there's little justification for keeping the scan indefinitely.

The practical takeaway is to define a retention period per document type, tied to why it was collected, rather than defaulting to keeping everything forever because deleting it is inconvenient. Where a specific retention obligation is unclear, it's worth confirming with counsel rather than assuming.

Security expectations

GDPR doesn't prescribe a fixed technical checklist, but it does require security measures appropriate to the sensitivity of the data — and documents like ID cards, bank statements and accounting records sit toward the sensitive end.

  • Encryption of documents in transit and at rest
  • Hosting within the EU, or under equivalent safeguards where it isn't
  • Access restricted to the people who genuinely need it, not the whole team by default
  • A log of who accessed what and when, rather than no record at all

Client rights

Clients retain the right to access the data held about them, to have inaccurate data corrected, and to request erasure where retention isn't otherwise legally required. Honoring those rights depends on actually being able to locate every copy of a document once a client asks — which is straightforward when documents live in one place, and considerably harder when they're scattered across inboxes, forwards and local downloads.

The document collection tool as a data processor

When a firm uses a platform to collect and store client documents, the firm remains the data controller — it decides why and how the data is processed — while the platform typically acts as a data processor, handling the data on the firm's behalf and instructions. GDPR expects a data processing agreement (DPA) to be in place between the two, covering the purpose of processing, the security measures applied, any subprocessors involved, and what happens to the data at the end of the contract.

Firms should check the specifics of whatever tool they use — where data is hosted, who the subprocessors are, what the DPA actually commits to — rather than assuming a given platform meets a particular standard by default.

Email versus a secure portal: comparing the real risk

Documents sent by email tend to sit, unencrypted or weakly protected, in whichever inbox they were sent to, often forwarded or cc'd further than intended. There's no access log, no easy way to tell who has actually opened a given attachment, and once a client exercises a right to erasure, purging every copy across every inbox and sent folder in the thread is, for practical purposes, close to impossible.

A secure portal narrows that gap considerably: documents live in one encrypted, access-controlled place, every view is logged, and deletion happens centrally rather than by chasing down copies scattered across a dozen mailboxes. It doesn't eliminate the underlying GDPR obligations — minimization, retention and legal basis still have to be worked out — but it removes most of the practical reasons those obligations are hard to honor with email.

Frequently asked questions

Is collecting a client's ID card a GDPR issue?
Yes. Any document that identifies a person is personal data, and requesting, storing or sharing it is processing under GDPR — regardless of whether it moves by email, paper or a dedicated platform.
What legal basis applies to collecting client documents?
Usually performance of a contract, where the document is genuinely necessary to deliver the engaged service, or compliance with a legal obligation, where the firm itself is required to hold certain records or run certain checks. Consent is rarely the right fit in this context.
How long can accounting documents be retained?
Retention depends on the specific legal obligation attached to each document type rather than a single GDPR rule — accounting and tax records are often subject to retention periods of around a decade in many contexts. Documents collected only to verify identity once shouldn't be kept indefinitely.
Is a document collection platform GDPR-responsible for the data it stores?
The firm using the platform remains the data controller, while the platform typically acts as a data processor under the firm's instructions. A data processing agreement should define the security measures, subprocessors and deletion terms involved.

Read next

Your next file can be complete without a single email.