An accepted proposal
From the moment an offer has been accepted or accepted, it becomes part of the administration of the offering party. The proposal becomes part of the sales administration. The sales administration consists of collected documents that demonstrate the sale. This includes proposals, extracts, conversation reports and information in the Customer Relationship Management (CRM) system. The sales administration is part of the basic administration and that means that accepted proposals are part of the basic administration. The basic administration consists of the payroll administration, the purchase and sales administration, the accounts receivable and creditor administration and the ledger. The retention period for the basic administration is 7 years according to the Tax Act (art. 52 Dutch Tax Act). Note: Property data must be kept for 10 years. Formally, one has to choose a time each year to clean up the administration. Documents, invoices and therefore proposals that are older than 7 years must then be destroyed. This applies to both digital proposals and paper proposals.
A rejected proposal
Officially, rejected offers and proposals that have not been responded do not need to be kept. However, there are several reasons and commercial considerations to keep rejected offers. It can simply happen that a customer or prospect comes back to their decision or request a new or modified proposal at a later time. Being able to go back to previous proposals can then be very valuable. Others keep rejected proposals for analysis purposes. Business analyses provide insight into the state of affairs of a company. A thorough analysis always leads to solid improvement actions. So also for making a proposal and drafting proposals. Another administrative reason for keeping rejected offers is the burden of proof for entrepreneurs with regard to the hour criterion. When entrepreneurs can demonstrate that they have spent 1225 or more hours on the company in a calendar year, they are entitled to a tax advantage. The hours that people spend on, for example, conducting conversations, marketing, making proposals or the execution of assignments and orders all count. In short, the advice here is to keep the rejected offers for the duration of 7 years, just as with accepted offers. The next point deals with the extent to which this retention period is in line with the GDPR.
Keeping the GDPR and proposals
The GDPR - the General Data Processing Regulation - is about the processing of personal data. The GDPR has been in force since May 25, 2018. This means that the same privacy legislation applies throughout the European Union. The Personal Data Protection Act (Wbp) has not been valid since then. The GDPR is also known by the English name: General Data Protection Regulation (GDPR).
The GDPR clearly emphasizes the responsibility of companies to demonstrate compliance with this law. This is called accountability. Accountability means that companies must be able to demonstrate by means of documents that the correct organizational and technical measures have been taken to comply with the GDPR.
A proposal will always contain personal data. According to the GDPR, personal data must be kept for as long as it is necessary for the purpose for which it was obtained and used. If an offer has been rejected, it should be destroyed or anonymised. Another option is to ask the (potential) customer for permission to keep the proposal. If this is requested in writing and confirmed, one fully complies with the law.
However, the GDPR is a general law, while the Tax Act is a special law. The tax code is above that of the GDPR. Therefore, keep the Tax Code as a guide. The most transparent thing one can do is inform (potential) customers from the start what is happening with their data.
This means that:
it is stated in the privacy statement and general terms and conditions that the statutory retention obligation is applied according to Article 52 of the National Tax Act;
referred to the privacy statement in proposals;
it is included in the processing register.
Every organization with more than 250 employees is obliged to have a processing register. The processing register contains information about the personal data that one processes, why and how this is secured.