GDPR starter kit for Dutch freelancers and sole proprietors

Freelancers are often controllers for small amounts of customer data — but GDPR has no lower threshold. 5 minimum requirements: (1) Privacy statement on your website: what data you collect, why, retention, your contact, customer rights. Our generator (€19) builds it in 5 min. (2) Customer records: separate invoicing data (7 years tax authority) from marketing data (opt-outable). (3) DPAs with your tools — accounting SaaS (Moneybird, eBoekhouden), email (Gmail), CRM, invoicing platforms, cloud storage. Request in account portal. (4) Retention: invoices 7 years (tax), rejected CVs 4 weeks, marketing consent until withdrawn. (5) Breach procedure — what you do if laptop with customer data is stolen: document, notify within 72h to AP, assess whether to inform customer. RoPA (Art. 30): in theory not required for <250 employees, in practice yes if you process sensitive data or systematically monitor. Excel suffices. Fine risk: AP rarely active against freelancers on minor matters — but yes on breaches affecting many customers + no procedure.