GDPR for Trades and Construction SMEs: 6 Common Pitfalls

Practitioner note: This is not legal advice. For specific situations, consult a qualified attorney or compliance officer.

TL;DR

  • Customer data in Excel lists needs RoPA entry, access restriction and deletion plan — not just a shared drive
  • Vehicle GPS tracking requires Section 26 BDSG basis, works council co-determination and a DPIA for high-risk cases
  • Construction-site photos with recognizable people are personal data — pixelate or get written consent
  • Subcontractor DPAs required wherever data is shared (tax advisor, IT, accounting)
  • WhatsApp business communication involves a US provider — needs consent or replacement with EU alternatives (Threema Work, Element)

1. Customer data in Excel lists

The classic trades pattern: an address list with appointments in a shared Excel file. Add the file to the records of processing, restrict access to the people who actually need it, define a deletion timeline (typically 10 years for invoiced customers under HGB) and document the reasoning.

2. Employee tracking via vehicle GPS

Vehicle GPS that produces individual location data triggers Section 26 BDSG (German Federal Data Protection Act, employee provisions) plus works council co-determination if a council exists. A DPIA is required for high-risk uses (e.g. continuous tracking outside working hours). Limit the data to working hours and document the boundary.

3. Construction site photos

Photos in which individuals are identifiable are personal data. Either pixelate faces and any other identifying features before publishing, or obtain written consent. For internal documentation, consent is generally easier; for marketing, pixelation is safer.

4. Subcontractor DPAs

Wherever data is shared with an external party — tax advisor, IT services, accounting bureau, payroll — a Data Processing Agreement under Art. 28 GDPR is required. Maintain a single DPA inventory and refresh it annually.

5. WhatsApp customer communication

WhatsApp is a US service operating under the DPF. Either obtain customer consent inside the terms of service for WhatsApp Business, or migrate to EU alternatives — Threema Work and Element are the closest functional matches.

6. Applicant data via email

Job applications received by email require a privacy notice, a 6-month default retention (longer requires consent for a talent pool), and secure deletion. Adding a privacy link in the email response template is the lowest-friction implementation.

Summary

Trades and construction businesses concentrate the GDPR risk in five everyday tools: Excel customer lists, vehicle GPS, site photos, subcontractor data sharing, and WhatsApp. Address each with a short documented control rather than a perfect technical solution — supervisory authorities accept reasonable practical mitigation when records exist.

Frequently Asked Questions

Who is required to have a DPO?
From 20 employees regularly engaged in automated processing. In the trades sector, that usually means every business with 20 or more employees.

Is an external DPO advisable?
For 20-50 employees, yes. An external DPO costs EUR 3,000-8,000/year, significantly cheaper than a full-time DPO.
