GDPR-Compliant Document Collection: What You Actually Need to Get Right
A no-nonsense walkthrough of GDPR requirements for teams that collect documents from clients, partners, and vendors in the EU.
GDPR and Document Collection: Why It Matters
If you collect documents from clients or partners in the EU — tax returns, ID copies, signed contracts, proof of address — you're handling personal data. That means GDPR applies to you, even if your own company is based outside the EU. The regulation covers any processing of EU residents' personal data, regardless of where the processor sits.
This isn't a topic most small businesses get excited about. But getting it wrong can mean fines, broken client trust, and a lot of cleanup work. The good news: the core principles are straightforward once you strip away the legal jargon.
This article is a practical walkthrough. We'll cover the main things you need to get right when collecting documents, and we'll show how we've built FolioDoc to handle the heavy lifting on the technical side. We're not lawyers — this isn't legal advice — but we've spent a lot of time making sure our platform does the right thing by default.
This article is a practical guide, not legal advice. For your specific situation, consult a data protection officer or lawyer.
Controller vs Processor: Who's Responsible for What?
GDPR splits responsibility between two roles. The Controller is the organization that decides what personal data to collect and why. The Processor is the organization that handles that data on the Controller's behalf. When you use FolioDoc to collect documents from your clients, you are the Controller. You decide which documents to request, who to send the request to, and what to do with the files once they arrive. FolioDoc is the Processor. We store the files, deliver the notifications, and manage the infrastructure — but we never decide what gets collected or why.
Both roles carry obligations. As a Controller, you need a legal basis for collecting the data (a contract, consent, legitimate interest, or a legal obligation). You need to inform the people you're collecting from about what you're doing with their data. And you need to make sure any Processor you work with meets GDPR standards. As a Processor, FolioDoc is required to only process data according to your instructions, keep it secure, help you fulfill data subject requests, and delete everything when you say so.
The Data Processing Agreement (DPA)
Article 28 of GDPR requires a written agreement between every Controller and Processor. This is the Data Processing Agreement, or DPA. It's not optional — if you're using any SaaS tool that touches personal data from EU residents, you need a DPA in place.
FolioDoc provides a ready-to-use DPA at /dpa. It covers the scope of data processing (what data, for what purpose), the security measures we implement, our obligations around sub-processors (any third-party services we use), how we handle data breaches, and what happens to data when the agreement ends. You don't need to negotiate it. It's there, you accept it by using the service, and it's written in plain language.
Data Minimization: Only Collect What You Need
One of GDPR's core principles is data minimization — you should only collect personal data that is adequate, relevant, and limited to what is necessary. In practice, this means: don't ask for more documents than you actually need.
FolioDoc is designed around this principle. When you create a document request, you build a checklist of specific items. Your recipients see exactly what's needed and upload only those files. There's no open-ended file dump, no "upload anything you think might be relevant" field. The structure keeps collection focused and minimizes the chance of receiving data you didn't ask for and shouldn't have.
Retention: Don't Keep Data Forever
Article 5(1)(e) — the storage limitation principle — says personal data should be kept only as long as necessary for the purpose it was collected. This is one of the areas where many businesses slip up. Documents get collected, downloaded, and then sit on a server indefinitely because nobody set up a cleanup process.
FolioDoc handles retention automatically. By default, all data associated with a completed or expired request is purged after 90 days. This includes uploaded files, recipient responses, metadata, and notification history. The retention period is configurable via the DATA_RETENTION_DAYS environment variable if your use case requires a shorter or longer window. The cleanup runs as an automated background task — you don't need to remember to do it manually.
You can also delete any request and its data immediately through the API or the dashboard. Deletion is not a soft delete — files are physically removed from disk, not just marked as deleted in a database.
FolioDoc's default retention period is 90 days after a request is completed or expired. After that, all data — files, responses, metadata — is automatically purged.
Right to Erasure: The 'Delete Everything' Button
Article 17 gives data subjects the right to request that their personal data be erased. As a Controller, you need to be able to honor these requests. That means the tools you use need to support complete, verifiable deletion.
FolioDoc supports this with full cascade deletion. When you delete a request, everything goes: checklist items, recipient records, uploaded files, magic link tokens, notification history, and escalation events. The files are physically deleted from storage, not just dereferenced. If a file deletion fails for any reason (disk error, network issue), a PendingFileDeletion record is created and retried automatically — files are never silently orphaned.
For account-level deletion, the DELETE /api/v1/auth/me/ endpoint removes the entire user account and every piece of data associated with it. Every deletion is recorded in an immutable DeletionLog — an audit trail that shows what was deleted, who triggered it, and when. The log contains no sensitive content, just the metadata needed to prove deletion happened.
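The retention purge and the cascade deletion described in the two sections above share the same moving parts: a cutoff derived from the retention window, physical removal of files, a retry queue for removals that fail, and an audit entry that records that a deletion happened without storing what was deleted. The following is an added illustration in Python, written for this article rather than taken from FolioDoc's code base; the names DocumentRequest, Store, delete_request, purge_expired_requests and retry_pending_deletions are hypothetical, and the scenario in run_demo is constructed (a directory stands in for a file whose removal fails on the first attempt).

```python
# Added example, not FolioDoc's code: an in-memory model of the retention purge
# and cascade deletion described in the article. DocumentRequest, Store,
# delete_request, purge_expired_requests and retry_pending_deletions are
# hypothetical names chosen for illustration.
import os
import tempfile
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Read like the DATA_RETENTION_DAYS variable the article mentions; 90 is its default.
RETENTION_DAYS = int(os.environ.get("DATA_RETENTION_DAYS", "90"))


@dataclass
class DocumentRequest:
    request_id: str
    status: str                      # "open", "completed" or "expired"
    closed_at: "datetime | None"     # when it was completed or expired, else None
    file_paths: list = field(default_factory=list)   # uploaded files on disk


@dataclass
class Store:
    requests: dict = field(default_factory=dict)
    pending_file_deletions: list = field(default_factory=list)  # retry queue
    deletion_log: list = field(default_factory=list)            # append-only audit trail


def _unlink(path: str) -> bool:
    """Physically remove a file. False means the caller must queue a retry."""
    try:
        os.remove(path)
        return True
    except FileNotFoundError:
        return True            # already gone: nothing left to orphan
    except OSError:
        return False           # disk or permission error: keep tracking it


def delete_request(store: Store, request_id: str, actor: str, reason: str) -> dict:
    """Cascade delete: files and the record itself (tokens, responses and
    notification history live on the record and go with it), then write an
    audit entry that carries metadata only, never document content or paths."""
    req = store.requests.pop(request_id)
    removed = queued = 0
    for path in req.file_paths:
        if _unlink(path):
            removed += 1
        else:
            store.pending_file_deletions.append(path)   # never silently orphaned
            queued += 1
    entry = {"request_id": request_id, "actor": actor, "reason": reason,
             "files_removed": removed, "files_queued_for_retry": queued,
             "at": datetime.now(timezone.utc).isoformat()}
    store.deletion_log.append(entry)
    return entry


def purge_expired_requests(store: Store, now: datetime,
                           retention_days: int = RETENTION_DAYS) -> list:
    """Background task: delete completed/expired requests closed before the
    retention cutoff. Open requests are never touched."""
    cutoff = now - timedelta(days=retention_days)
    due = [r.request_id for r in store.requests.values()
           if r.status in ("completed", "expired")
           and r.closed_at is not None and r.closed_at < cutoff]
    for rid in due:
        delete_request(store, rid, actor="retention-task", reason="retention")
    return due


def retry_pending_deletions(store: Store) -> int:
    """Re-attempt queued removals; returns how many are still pending."""
    store.pending_file_deletions = [p for p in store.pending_file_deletions if not _unlink(p)]
    return len(store.pending_file_deletions)


def run_demo() -> dict:
    """Constructed scenario: one request past retention whose second file cannot
    be removed at first (a directory simulates a disk error), one recent, one open."""
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)
    tmp = tempfile.mkdtemp()
    old_file = os.path.join(tmp, "tax-return.pdf")
    recent_file = os.path.join(tmp, "id-copy.jpg")
    stuck = os.path.join(tmp, "stuck")
    for p in (old_file, recent_file):
        with open(p, "wb") as f:
            f.write(b"constructed sample content")
    os.mkdir(stuck)                                   # os.remove() on a directory raises OSError
    store = Store()
    store.requests["req-old"] = DocumentRequest("req-old", "completed", now - timedelta(days=120), [old_file, stuck])
    store.requests["req-recent"] = DocumentRequest("req-recent", "expired", now - timedelta(days=10), [recent_file])
    store.requests["req-open"] = DocumentRequest("req-open", "open", None)
    purged = purge_expired_requests(store, now, retention_days=90)
    first_retry = retry_pending_deletions(store)      # still 1: the directory is still there
    os.rmdir(stuck)                                   # the "disk" recovers
    second_retry = retry_pending_deletions(store)     # 0: queue drained
    result = {"purged": purged, "remaining": sorted(store.requests),
              "old_file_exists": os.path.exists(old_file),
              "recent_file_exists": os.path.exists(recent_file),
              "pending_after_first_retry": first_retry,
              "pending_after_second_retry": second_retry,
              "log_entries": len(store.deletion_log),
              "log_mentions_content": any("content" in e for e in store.deletion_log)}
    os.remove(recent_file)
    os.rmdir(tmp)
    return result
```

Two design points worth noting: the purge only selects requests whose closing date is older than the cutoff, so open requests are never swept up, and a failed removal is kept in a queue rather than logged and forgotten, which is what makes the audit trail's "files removed" count trustworthy.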
Data Portability: Getting Your Data Out
Article 20 gives data subjects the right to receive their personal data in a structured, commonly used, machine-readable format. This is the right to data portability.
FolioDoc provides a self-service data export feature. From the Settings page, you can export all your account data in JSON or CSV format. Per-request exports are also available — CSV summaries plus ZIP archives of uploaded files. The API endpoint is GET /api/v1/auth/me/export/ with an optional format parameter. No need to email support and wait three weeks.
Security Measures: Art. 32
Article 32 requires both Controllers and Processors to implement appropriate technical and organizational security measures. Here's what FolioDoc provides on the technical side:
Security measures built into FolioDoc:
- TLS encryption for all data in transit — every connection is HTTPS, no exceptions
- 5-layer file validation: file size limits, content-type checking, extension allowlisting, magic byte verification, and per-recipient upload limits
- SHA-256 hashing for magic link tokens — the actual token is never stored, only its hash
- Rate limiting on authentication endpoints to prevent brute-force attacks
- PII-scrubbed error monitoring — Sentry is configured to strip request bodies and auth headers before logging
- Role-based access control — users only see their own workspace data
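Two items in the list above are easy to get subtly wrong in practice: the file validation layers (a file is only as trustworthy as its leading bytes, not its name or declared type) and the handling of magic link tokens (the database should hold only a hash, so a leaked table cannot be replayed as working links). The following Python is an added illustration written for this article, not FolioDoc's code: the size limits, the extension allowlist, the magic-byte table and the function names validate_upload, issue_magic_link_token and lookup_token are constructed for the example.

```python
# Added example, not FolioDoc's code. Limits, allowlist and magic-byte table are
# constructed values for illustration; validate_upload, issue_magic_link_token and
# lookup_token are hypothetical names.
import hashlib
import hmac
import secrets

MAX_FILE_BYTES = 10 * 1024 * 1024        # constructed limit
MAX_FILES_PER_RECIPIENT = 20            # constructed limit

# Allowlist: extension -> (content type it must be declared as, accepted leading bytes)
ALLOWED_TYPES = {
    "pdf":  ("application/pdf", [b"%PDF-"]),
    "png":  ("image/png",       [b"\x89PNG\r\n\x1a\n"]),
    "jpg":  ("image/jpeg",      [b"\xff\xd8\xff"]),
    "jpeg": ("image/jpeg",      [b"\xff\xd8\xff"]),
}
ALLOWED_CONTENT_TYPES = {ctype for ctype, _ in ALLOWED_TYPES.values()}


def validate_upload(filename: str, content_type: str, data: bytes,
                    files_already_uploaded: int):
    """Run the five layers in the order the article lists them.
    Returns None when the file is accepted, else the name of the rejecting layer."""
    # 1. size: empty and oversized files are refused before anything is inspected
    if len(data) == 0 or len(data) > MAX_FILE_BYTES:
        return "size"
    # 2. declared content type must be one we accept at all
    ctype = content_type.split(";")[0].strip().lower()
    if ctype not in ALLOWED_CONTENT_TYPES:
        return "content-type"
    # 3. extension allowlist (case-insensitive, last suffix only)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_TYPES:
        return "extension"
    expected_ctype, magics = ALLOWED_TYPES[ext]
    if ctype != expected_ctype:          # e.g. .png declared as image/jpeg
        return "content-type"
    # 4. magic bytes: the actual header must match the claimed format
    if not any(data.startswith(m) for m in magics):
        return "magic-bytes"
    # 5. per-recipient cap on how many files one link may upload
    if files_already_uploaded >= MAX_FILES_PER_RECIPIENT:
        return "recipient-limit"
    return None


def issue_magic_link_token():
    """Create a link token for a recipient. The caller sends `token` in the link
    and stores only `token_hash`; the plaintext is never written to the database."""
    token = secrets.token_urlsafe(32)
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    return token, token_hash


def lookup_token(presented: str, stored: dict):
    """Resolve a presented token to its recipient by hashing it and looking the
    digest up in `stored` (hash -> recipient id). Returns None when unknown.
    compare_digest keeps the final equality check constant-time."""
    digest = hashlib.sha256(presented.encode()).hexdigest()
    for token_hash, recipient in stored.items():
        if hmac.compare_digest(digest, token_hash):
            return recipient
    return None
```

Note that the magic-byte check is what actually stops a renamed executable: a file called tax-return.pdf declared as application/pdf passes the first three layers and is only rejected when its header is not %PDF-. For the tokens, looking up by hash works because the hash is not the secret; only the plaintext in the recipient's link is, and it exists nowhere on the server.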
A Practical Checklist
If you're collecting documents from people in the EU, here's a quick checklist of what to have in place:
GDPR compliance checklist for document collection:
- Identify your legal basis for collecting the data (contract, consent, legal obligation, or legitimate interest)
- Have a Data Processing Agreement in place with every tool that touches the data
- Inform data subjects: tell the people you're collecting from what you're collecting, why, and how long you'll keep it
- Set retention periods and stick to them — don't keep data longer than you need it
- Have a working deletion process that actually removes data, not just hides it
- Keep audit trails so you can prove you deleted data when asked
- Support data subject requests: be ready to provide, export, or delete someone's data within 30 days
- Review your sub-processors and make sure they're also GDPR-compliant
FolioDoc's free tier includes all GDPR features — DPA, auto-purge, deletion API, data export. No paywall on compliance.
GDPR compliance doesn't have to be a nightmare. Most of it comes down to being intentional about what you collect, transparent about what you do with it, and disciplined about cleaning it up when you're done. If you use tools that handle the technical side well, you can focus on running your business instead of worrying about data protection audits.
We built FolioDoc with these principles baked in from the start — not as an afterthought or a premium add-on. If you're collecting documents and want to do it the right way, give it a try.