Concept Definition

How does GDPR apply to e-invoicing?

GDPR (General Data Protection Regulation) applies to e-invoicing because invoices contain personal data including names, addresses, and in some cases bank details or national ID numbers. Businesses must have a lawful basis for processing this data, implement appropriate security, and manage retention periods within GDPR constraints alongside VAT retention obligations.

What personal data do invoices contain?

Invoices frequently contain personal data subject to GDPR:

  • Natural person names: Sole traders, freelancers, individual clients.
  • Addresses: Home addresses where individuals are the contracting party.
  • Bank account details: IBAN and account holder name.
  • Email addresses: Contact details used in invoice transmission.
  • Tax identification numbers: May be personal in some jurisdictions (e.g., Italian codice fiscale).

Frequently Asked Questions

What is the lawful basis for processing invoice personal data?
The primary lawful basis is legal obligation (GDPR Article 6(1)(c)): businesses are legally required to issue and retain invoices for tax purposes. This provides a clear lawful basis for processing the personal data necessary for invoicing and the mandatory retention period.

Can invoice archives be deleted to comply with GDPR erasure requests?
No. GDPR erasure rights (Article 17) do not apply where processing is necessary to comply with a legal obligation. Tax retention obligations override GDPR erasure requests for the duration of the statutory retention period. After the retention period, personal data should be deleted.
