
EU receipt management: GDPR compliance for Dutch SMBs

Daniel Reeves · 12 May 2026 · 8 min read

Dutch SMBs managing business receipts sit between two distinct regulatory obligations. The Belastingdienst requires that financial records are retained for 7 years from the close of the relevant financial year. GDPR requires that the personal data contained in those same records is collected with defined purpose, stored with defined access controls, processed only by providers covered by a Data Processing Agreement, and — in practice for most Dutch companies — hosted within the EU.

These two obligations do not conflict. But they do impose specific conditions on how you build and operate your receipt workflow. Most Dutch SMBs satisfy neither fully. This article covers what both require, where gaps typically appear, and what a compliant approach looks like.

GDPR and business receipts

GDPR applies to business receipts because they contain personal data. A supplier invoice includes at minimum a contact name and business address. A restaurant receipt from a business lunch often names the person who booked it. An employee expense claim maps directly to an identified individual. Even a fuel receipt tied to a company card can be traced to a driver when it is cross-referenced with fleet records.

The relevant GDPR obligations for receipt management are:

Purpose limitation

Data collected for bookkeeping purposes — names, VAT numbers, contact details — can only be used for that purpose. A supplier receipt cannot seed a marketing list.

Storage limitation

Personal data should not be kept longer than necessary. For receipts, the Belastingdienst sets a 7-year minimum. That minimum also functions as the defined retention period for the bookkeeping purpose.

Access controls

Only staff who need access to receipt data for their specific role should have it. A shared company inbox or open folder structure does not satisfy this requirement.

Data Processing Agreement

Any third-party service that stores your receipt data acts as a data processor. A signed DPA naming where data is processed is required before that relationship can begin.

These obligations apply from the moment a receipt enters your possession — whether a cardholder photographs it at the point of purchase or the finance team downloads it from a statement portal at month-end.

The 7-year retention rule

Dutch tax law requires that financial records — including receipts and underlying source documents — are retained for at least 7 years from the end of the financial year in which the transaction occurred. This applies to all SMBs subject to Dutch corporate or personal income tax.

This retention obligation takes precedence over GDPR's storage limitation principle. Article 17(3)(b) of GDPR provides an explicit carve-out for retention required by a legal obligation under Union or Member State law, and the 7-year Belastingdienst rule qualifies. The consequence is direct: you cannot delete receipts after 2 or 3 years to demonstrate GDPR compliance. The GDPR obligation is to protect the data during the 7-year retention period — not to reduce that period.

For companies operating on a calendar year, a receipt dated 15 March 2024 must be retained until at least 1 January 2032. The clock resets with the financial year, not the transaction date. Many SMBs miscalculate this and delete records too early.
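To make the retention arithmetic above concrete, here is an added example (not code from the article or from Rexa) that computes the earliest permitted deletion date from the close of the financial year rather than from the transaction date, and contrasts it with the common miscalculation. The fy_end_month/fy_end_day parameters are an assumption added here so that a broken financial year is handled as well as a calendar year.

```python
from datetime import date, timedelta

RETENTION_YEARS = 7  # Belastingdienst minimum for financial records

def _add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 February, and the target year is not a leap year
        return d.replace(year=d.year + years, day=28)

def financial_year_end(receipt_date: date, fy_end_month: int = 12, fy_end_day: int = 31) -> date:
    """Last day of the financial year that contains receipt_date. Defaults to a
    calendar year; the fy_end_* parameters are an assumption added here so a
    broken financial year (for example one ending 30 June) is handled as well."""
    end = date(receipt_date.year, fy_end_month, fy_end_day)
    if receipt_date > end:  # receipt falls after this year's close
        end = date(receipt_date.year + 1, fy_end_month, fy_end_day)
    return end

def retain_until(receipt_date: date, fy_end_month: int = 12, fy_end_day: int = 31) -> date:
    """First day on which deletion is permitted: the day after seven full years
    have elapsed since the close of the receipt's financial year."""
    fy_end = financial_year_end(receipt_date, fy_end_month, fy_end_day)
    return _add_years(fy_end, RETENTION_YEARS) + timedelta(days=1)

def naive_retain_until(receipt_date: date) -> date:
    """The miscalculation the article warns about: seven years from the
    transaction date, which releases the record months too early."""
    return _add_years(receipt_date, RETENTION_YEARS)

def may_delete(receipt_date: date, today: date, fy_end_month: int = 12, fy_end_day: int = 31) -> bool:
    """Deletion trigger for the retention schedule: never before the minimum has passed."""
    return today >= retain_until(receipt_date, fy_end_month, fy_end_day)
```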

Data residency: what EU-hosted means

GDPR does not explicitly mandate EU-hosted storage as the only compliant approach. Transfers of personal data to countries outside the EU and EEA are permitted where additional safeguards are in place — most commonly Standard Contractual Clauses (SCCs) or an adequacy decision from the European Commission. A small number of countries hold an adequacy decision, meaning transfers to providers in those countries are permitted without SCCs.

In practice, EU-hosted storage has become the standard expectation for Dutch SMBs for three reasons:

  1. A DPA with a non-EU provider requires you to identify all sub-processors and their locations. For an SMB finance team, this due diligence burden brings no corresponding benefit: the processing a receipt workflow needs can be done by EU-hosted providers.
  2. Dutch companies are increasingly expected by clients, insurers, and auditors to confirm EU-only data processing. Non-EU receipt storage creates a gap in that confirmation that requires SCCs to close.
  3. The Autoriteit Persoonsgegevens (AP) applies EU residency as a reference point when reviewing SMB data processing practices. Deviation is not automatically non-compliant, but it requires documented justification.

EU-hosted means data is processed and stored on servers physically located in the EU or EEA, by a provider incorporated in and subject to EU law. Hosting infrastructure in Ireland or the Netherlands while the provider entity is incorporated outside the EU does not satisfy the EU-data-residency expectation without additional contractual safeguards.

Where Dutch SMBs typically fall short

Receipt management compliance gaps tend to cluster in four areas. Most Dutch SMBs have at least two of the following:

No signed DPA

Many Dutch SMBs store receipts in a cloud service — a shared folder, an accounting app, an email inbox — without a signed Data Processing Agreement that names where data is processed. This is a compliance gap regardless of whether the servers are inside or outside the EU.

Open access to receipt data

Receipts stored in a company-wide shared folder are accessible to every employee. GDPR requires that access is restricted to those who need it for their role. A finance team of two does not mean everyone in a 50-person company needs visibility into supplier invoices.

No documented retention policy

Most Dutch SMBs can locate last month's receipts. Fewer have a written policy that states how long receipts are kept, where they are stored, who can access them, and what triggers deletion after the 7-year minimum has passed.

Metadata not preserved at capture

A JPEG stored in a shared folder carries no structured metadata — no date, amount, VAT, supplier, or cost-centre in queryable form. When the Belastingdienst requests records for a specific period or supplier, locating and verifying specific transactions becomes a manual exercise with no audit trail.

What a compliant receipt workflow looks like

A receipt management workflow that satisfies both the Belastingdienst retention requirement and GDPR data-protection obligations has six characteristics. None of them are technically complex. Most require policy decisions as much as software choices.

  • Capture with structured metadata at point of submission — date, amount, currency, VAT amount, supplier name, cost-centre — rather than retroactively at month-end
  • EU-hosted storage with a signed DPA naming the provider and sub-processors
  • Role-based access: finance leads see all receipts, cost-centre owners see their area, cardholders see their own submissions
  • A documented 7-year retention schedule with a defined deletion trigger at the end of the period
  • An immutable audit log: every access, change, or deletion is timestamped and tied to a user identifier
  • An export path to your bookkeeping platform that carries structured metadata, not raw image files

The export path to your bookkeeping platform is often the weakest link. Many SMBs handle receipt capture and storage reasonably well but then break the data chain at the point where receipts need to become ledger entries. Receipts emailed to an accountant, or exported as image files and re-entered manually, lose the structured metadata and audit trail that were present in the receipt management system.

A compliant workflow preserves metadata — amount, VAT, supplier, cost-centre — through to the bookkeeping platform, where it maps to journal entries without manual re-keying. This is where the two regulatory obligations connect: the Belastingdienst wants the source document (the receipt) to match the ledger entry. That match is harder to demonstrate when the receipt is an image in a shared folder and the ledger entry was typed in by hand.

Exact Online and your receipt data

Exact Online is the dominant bookkeeping platform among Dutch SMBs. If your ledger is in Exact Online, your receipt workflow needs to end there — with structured data that maps to journal entries, not with a stack of images that an accountant processes manually once a quarter.

The compliance implication: the path from receipt capture to Exact Online ledger entry must preserve EU data residency throughout. A receipt captured on a device, processed by a non-EU OCR provider, then pushed to Exact Online introduces a gap in the residency chain that requires SCCs or an adequacy decision to close. Most SMBs have not documented this gap, let alone closed it.

Rexa is designed to integrate with Exact Online. When the integration ships, receipt metadata — date, amount, VAT, supplier, cost-centre — will be structured at capture and mapped to journal entries via EU-hosted processing throughout the chain.

Your processing register entry

Article 30 of GDPR requires most organisations to maintain a Record of Processing Activities (RoPA). Receipt management is a processing activity that belongs in that register, and it is one of the entries most commonly missing from Dutch SMB RoPAs.

The entry should state:

  • What personal data is processed: names, VAT numbers, contact details, and other personal identifiers embedded in receipts and invoices
  • Purpose: financial record-keeping to satisfy Belastingdienst requirements
  • Legal basis: legal obligation under Article 6(1)(c) GDPR
  • Retention period: 7 years from close of the relevant financial year
  • Data processor: the receipt management software provider, with DPA reference and sub-processor list
  • Transfer safeguards: EU-hosted, or SCCs where non-EU sub-processors are in scope

An AP inquiry into a Dutch SMB's data processing practices will check for the RoPA first. A missing entry for receipt management — a near-universal processing activity at every company — is an immediate finding. The entry itself takes less than an hour to write; the delay is usually that no one has been assigned to own it. Assign it to the person who owns your bookkeeping software relationship. They have all the information required.

Compliant receipt management for a Dutch SMB is not technically demanding. It requires a signed DPA, EU-hosted storage, role-based access, a documented 7-year retention policy, and a structured export path to your bookkeeping platform. The gap between where most Dutch SMBs are and where those requirements sit is narrower than it appears — but it requires someone to own closing it.
