Business receipts contain personal data. A supplier invoice names a contact. An employee expense claim maps to an identified individual. A hotel bill includes a cardholder name. The moment those documents enter your storage environment — whether that is a cloud folder, an expense platform, or an accounting tool — GDPR applies.
Three articles govern most of what GDPR requires for business receipt storage: Art. 5 (data minimisation and storage limitation), Art. 7 (demonstrable consent), and Art. 28 (processor obligations). This article covers each one with specific reference to receipt management.
Art. 5 — Data minimisation and storage limitation
Art. 5(1)(c) — Data minimisation
Personal data must be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed." For receipt storage, this means collecting only the fields you need for expense reporting and tax compliance: date, amount, currency, VAT amount, supplier name, and cost-centre. Collecting additional personal data from receipts — cardholder addresses, personal loyalty numbers — without a documented purpose introduces an Art. 5(1)(c) violation.
Art. 5(1)(e) — Storage limitation
Personal data must be "kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed." The storage limitation principle does not set an absolute period. It requires that you define one. For Dutch businesses, the Belastingdienst sets the floor: financial records must be retained for at least 7 years from the close of the relevant financial year. That 7-year obligation functions as your documented storage period under Art. 5(1)(e). Records beyond that window have no legal retention basis and should be deleted or anonymised.
Art. 7 — Demonstrable consent
Art. 7(1) — The demonstrability requirement
Where processing relies on consent as its legal basis, "the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data." The word "demonstrate" is the operative requirement. A privacy policy that states users consented is not demonstrable consent. Demonstrable consent requires an event-level audit trail: who consented, to what version of the terms or notice, when, and how the consent event was recorded.
Legal basis for receipt processing
Most business receipt storage does not rely on consent as its legal basis. The more common basis is Art. 6(1)(c) — processing is necessary to comply with a legal obligation, specifically the Belastingdienst 7-year retention requirement. Where that legal basis applies, the Art. 7 demonstrability requirement does not. However, if your receipt management platform also processes employee preference data, marketing consent, or cookie preferences, those processing activities do require demonstrable consent under Art. 7.
Art. 28 — Processor obligations
Art. 28(1) — Choosing a compliant processor
Any software platform that stores or processes personal data on your behalf is a data processor under Art. 28. The controller — your business — is required to "only use processors providing sufficient guarantees to implement appropriate technical and organisational measures" to protect that data. Before adopting a receipt management tool, you must verify that the vendor can provide these guarantees. The standard mechanism is a Data Processing Agreement.
Art. 28(3) — Written agreement requirement
Processing by a processor must be "governed by a contract or other legal act under Union or Member State law." The contract must specify the subject matter, duration, nature, and purpose of processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller. A vendor without a signed DPA cannot legally process your receipt data. Verify before onboarding, not after.
Sub-processor obligations
Art. 28(2) requires that processors "shall not engage another processor without prior specific or general written authorisation of the controller." In practice, every receipt management vendor uses sub-processors: cloud storage providers, compute platforms, background job runners. The vendor's DPA must name these sub-processors or provide a mechanism for you to approve them. If a sub-processor is added or changed, the processor must notify the controller. A DPA that names no sub-processors and imposes no notification requirement for changes is not Art. 28-compliant.
Practical checklist for receipt storage compliance
The three articles above translate into seven operational requirements. Most Dutch SMBs are missing at least two.
- Define the legal basis for each receipt-related processing activity before onboarding any tool — typically Art. 6(1)(c) for the 7-year retention obligation
- Set a documented retention period: 7 years from the close of the relevant financial year for Dutch businesses
- Collect only the receipt fields required for expense reporting and tax compliance — not supplementary personal data from receipt metadata
- Require a signed DPA from every receipt management vendor before uploading documents
- Review the vendor's sub-processor list; verify each sub-processor has an adequate transfer basis if based outside the EU or EEA
- For any consent-based processing activities (cookie preferences, marketing opt-ins), verify that the vendor records consent server-side with an event-level log, not client-side only
- Add a receipt-management entry to your Record of Processing Activities (RoPA) under Art. 30
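The three technical controls the article describes (the Art. 5(1)(c) field allowlist, the Art. 5(1)(e) 7-year retention clock, and the Art. 7(1) event-level, server-side consent record from the checklist item on consent) are modelled together in the following added example. It is illustration code written for this page, not code from the article or from Rexa; the snake_case field names, the assumption that the financial year equals the calendar year, and the shape of the consent event are all assumptions made here.

```python
"""Added example, not from the original article or from Rexa: three controls the
article describes, modelled in code. Field names, the calendar financial year
and the consent-event shape are assumptions made for this illustration."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from datetime import date, datetime, timezone

# Art. 5(1)(c): allowlist of receipt fields kept (the article's list; the
# snake_case names are assumed).
ALLOWED_FIELDS = frozenset(
    {"date", "amount", "currency", "vat_amount", "supplier_name", "cost_centre"}
)
RETENTION_YEARS = 7  # Belastingdienst floor cited in the article


def minimise(receipt: dict) -> tuple[dict, list[str]]:
    """Keep only allowlisted fields. The dropped field names are returned so the
    decision can be logged rather than the data silently vanishing."""
    kept = {k: v for k, v in receipt.items() if k in ALLOWED_FIELDS}
    dropped = sorted(k for k in receipt if k not in ALLOWED_FIELDS)
    return kept, dropped


def retention_end(receipt_date: date | str) -> date:
    """Art. 5(1)(e): last day with a retention basis, i.e. 7 years from the
    close of the financial year. Assumes financial year == calendar year."""
    if isinstance(receipt_date, str):
        receipt_date = date.fromisoformat(receipt_date)
    close_of_year = date(receipt_date.year, 12, 31)
    return date(close_of_year.year + RETENTION_YEARS, 12, 31)


def retention_action(receipt_date: date | str, today: date | str) -> str:
    """'retain' while the legal basis holds; 'delete_or_anonymise' after it lapses."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return "retain" if today <= retention_end(receipt_date) else "delete_or_anonymise"


def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


@dataclass
class ConsentLog:
    """Art. 7(1): server-side, append-only, hash-chained consent events, so that
    who consented, to which notice version, when and how can be demonstrated."""
    events: list[dict] = field(default_factory=list)

    def record(self, subject_id: str, purpose: str, notice_version: str,
               granted: bool, method: str, at: str | None = None) -> dict:
        at = at or datetime.now(timezone.utc).isoformat()
        prev = self.events[-1]["digest"] if self.events else "0" * 64
        event = {"subject_id": subject_id, "purpose": purpose,
                 "notice_version": notice_version, "granted": granted,
                 "method": method, "at": at, "prev": prev}
        event["digest"] = _digest(event)  # chained over the previous digest
        self.events.append(event)
        return event

    def current(self, subject_id: str, purpose: str) -> dict | None:
        """Latest event for (subject, purpose): a withdrawal supersedes a grant."""
        for ev in reversed(self.events):
            if ev["subject_id"] == subject_id and ev["purpose"] == purpose:
                return ev
        return None

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        ev = self.current(subject_id, purpose)
        return bool(ev and ev["granted"])

    def verify(self) -> bool:
        """Recompute the chain; any edited or removed event breaks it."""
        prev = "0" * 64
        for ev in self.events:
            body = {k: v for k, v in ev.items() if k != "digest"}
            if ev["prev"] != prev or _digest(body) != ev["digest"]:
                return False
            prev = ev["digest"]
        return True


if __name__ == "__main__":
    # Constructed sample receipt with two fields that have no documented purpose.
    sample = {"date": "2024-03-05", "amount": 120.00, "currency": "EUR",
              "vat_amount": 20.83, "supplier_name": "Hotel Example",
              "cost_centre": "CC-42", "cardholder_name": "J. Doe",
              "loyalty_number": "LP-0001"}
    kept, dropped = minimise(sample)
    print("kept:", kept, "dropped:", dropped)
    print("retention ends:", retention_end(sample["date"]),
          "action on 2032-01-01:", retention_action(sample["date"], "2032-01-01"))
    log = ConsentLog()
    log.record("emp-7", "marketing", "notice-v3", True, "server-side form POST",
               "2024-01-10T09:00:00+00:00")
    log.record("emp-7", "marketing", "notice-v3", False, "server-side form POST",
               "2024-06-01T12:00:00+00:00")
    print("consent now:", log.has_consent("emp-7", "marketing"), "chain ok:", log.verify())
```

Two design points worth noting. The retention helper answers with an action rather than a boolean, because a record past its window may be anonymised instead of deleted and the caller should make that choice explicitly. The consent log keeps every event, including withdrawals, and chains them by hash: the most recent event answers "does consent exist now", while the full chain is what lets you demonstrate the history to a supervisory authority and detect after-the-fact edits to it.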
Related
Rexa is designed for GDPR-first receipt management with EU data residency. If you are evaluating compliant receipt storage for your Dutch or EU business, join the waitlist to receive a notification when access opens.