FreeAgent and GDPR compliance
Version 1.1: This page was last updated in May 2025.
What is the GDPR?
The General Data Protection Regulation (GDPR) imposes strict controls on how all organisations collect and process personal data within the United Kingdom (UK) and European Union (EU) and/or process the personal data of persons in the UK and EU.
The enforcement of the GDPR is overseen by the UK’s supervisory authority, the Information Commissioner’s Office (ICO). It ensures that everyone is playing by the rules and that the rights of individuals - the people whose data is being processed - are correctly protected.
FreeAgent is required to comply with the GDPR as a data controller or as a data processor, depending on the circumstances. Our customers and accounting partners will often also have to comply, as they’ll likely process the data of other individuals as part of running their business.
How FreeAgent demonstrates compliance with the GDPR
We’re constantly improving the technical and organisational security measures we have in place to protect your data and are committed to being fully compliant with the GDPR. This also helps support you with your own compliance obligations regarding any customer data held within FreeAgent.
Awareness and accountability
We have a company-wide commitment to compliance with the GDPR. Everyone working at FreeAgent is given regular training on the GDPR and their responsibilities for compliance. We regularly review and discuss our compliance measures.
Audit
We have undertaken an extensive audit to clearly document what data we hold, where we hold it, where that data comes from and where it goes. This enables us to keep track of all data and helps us to make the right decisions when it comes to making sure that your data is always protected.
Policies
We set internal policies to control how, why, and where we process personal data. Our General Privacy Notice also explains this, as well as how to contact us for more information, to exercise your rights under the GDPR, or if you have any concerns on how your data is being processed.
Third parties
We perform due diligence checks on third-party vendors and, where needed, we use GDPR-compliant terms and contracts to protect your data. More information on our subprocessors can be found on our FreeAgent subprocessors page.
Individuals’ rights
Under the GDPR you have the right to see data that relates to you, and also the right to request that it is fully deleted from our system (although we may be required to keep some records to ensure that you are not contacted in future, or to comply with any legal obligations).
This is also true for the data you hold about your customers within FreeAgent - you need to be able to adhere to GDPR requirements too and we take steps to help you do that when it comes to the data you add to FreeAgent.
Keeping data secure
We are constantly improving our security measures to keep the information we hold within FreeAgent safe, and whenever we work with third parties (subprocessors) to help us provide our service, we ensure that their security processes are as robust as our own.
We are continually adding features to our service to improve security. This includes features such as active sessions, login attempts, 2-Step Verification and adding known devices.
We will also only keep the data you input into FreeAgent for as long as you use your account. More information can be found in Section 5 of our General Privacy Notice.
How does FreeAgent help you comply with the GDPR?
If you’re a small business user, FreeAgent is the data controller for your data, and you are the data controller for your client and employee data
Keeping data accurate and up to date
FreeAgent makes it easy for you to maintain an accurate and up-to-date record of your contact and employee details. When you update a contact’s information on their contact card, FreeAgent automatically pulls the latest information through to any new invoices or emails. This only applies to newly created documents, however; any historic invoices or emails stored in FreeAgent will still contain the information that was correct at the time you created them. This is because HMRC says that you need to keep full copies of your historic information.
In order to allow employee access to your account, FreeAgent requires user profiles to be added for employees with the name and email address of that individual. The user profile created can also be enhanced further with the addition of personal information for that employee, such as their date of birth or tax details, though this information is only required if using FreeAgent payroll functionality, or when filing Self Assessment tax returns. When you update an employee’s information on their user profile, FreeAgent automatically pulls the latest information through to any payroll profile or payslips created for the individual.
Providing a copy of an individual’s data
Using the Export All Data feature on FreeAgent makes it easy to create a copy of all the data you hold. This feature exports all your data from your FreeAgent account along with all your files and attachments.
Deleting individuals’ data
You will also be a data controller for data you manage. If one of your contacts or employees asks FreeAgent to delete information about them from your FreeAgent account, we will refer them back to you. Your legal obligations to HMRC come before an individual’s right to be forgotten under the GDPR, and we’ve built safeguards into our software to make sure you balance both of these requirements.
Once you’ve created an accounting entry (e.g. an invoice, estimate, bill, project or timeslip) for a contact, you will be able to delete that contact once you’ve deleted all the transactions relating to them in FreeAgent. Once you have done this, you will see the option to ‘delete’ in that contact’s details screen.
Because HMRC requires self-employed professionals to keep a copy of their records for at least five or six years after the relevant Self Assessment submission date, and limited companies to keep a copy of their records for at least six years after their accounting year end, you should be careful when deleting a contact from FreeAgent with transactions that fall within these periods.
FreeAgent doesn’t allow you to delete transactions that are dated within a locked period or those that are attached to a filed VAT return. This means that you won’t be able to delete any contacts with transactions that fall into either of these categories. In this way, FreeAgent helps you to ensure that you are not deleting any information that you are required to keep for HMRC.
Please be aware that deleting transactions linked to a contact will have an effect on your accounts and once you’ve deleted any information in FreeAgent it can’t be restored. If you’re unsure whether or not to delete any data in FreeAgent then please check with your accountant.
If you’re an accountant, FreeAgent is the data controller for your data, and a data processor for client data
Keeping data accurate and up to date
FreeAgent makes it easy to maintain up-to-date records. Updating a client’s information on the client details page will automatically pull the latest information through to their account. Similarly, if a client updates their information via their own account, this will pull through to your dashboard.
Providing a copy of a client’s data
Using the Export All Data feature makes it easy to create a copy of all the data you hold for a client on FreeAgent. This feature exports all account data from their FreeAgent account along with all files and attachments associated with that client.
Deleting a client’s data
If one of your clients asks for their information to be permanently removed from your records, they have the right to have their data deleted as fully as possible. If one of your clients, or one of their contacts, asks FreeAgent to do this, we will refer them back to you.
You can remove your access to a client’s data directly from your Practice Dashboard. This will not delete the client’s data, but will transfer their account to one which is directly managed by them, removing your access to the data. The data held in the account is then their responsibility to manage or delete.
Contacting us
If you ever want to contact us about GDPR compliance, data protection or to find out more about how we process your data, please feel free to drop an email to privacy@freeagent.com and we will get back to you as soon as possible.
Where can I learn more about the GDPR?
The UK Information Commissioner’s Office website is a great resource for GDPR information: https://ico.org.uk