Compliance, Legal, and IT Teams

How do organizations balance invoice retention requirements with GDPR compliance?

Invoice retention for tax purposes and GDPR's data minimization and erasure principles create tension for organizations holding personal data on invoices. GDPR explicitly provides exceptions for processing personal data where this is necessary to comply with a legal obligation, including tax record-keeping. Organizations must document their legal basis for retaining invoice data longer than data minimization alone would justify, and must ensure their retention periods align with the most restrictive (that is, the longest) mandatory tax retention requirement that applies to them.

What is the GDPR legal basis for long-term invoice retention?

Invoice retention relies on multiple GDPR legal bases depending on context:

  • Legal obligation (Article 6(1)(c)): Tax law requires invoice retention; this legal obligation takes precedence over GDPR data minimization for the mandated period
  • Legitimate interests (Article 6(1)(f)): Commercial records retained for legal dispute resolution
  • Documentation: Organizations must document the legal basis for each retention period in their Records of Processing
  • Data types: Invoices contain personal data of individual employees who approved purchases or sales contacts
  • Access control: Retained invoice data must be access-controlled; limited to personnel with a processing need
  • Erasure requests: Data subject requests for erasure of invoice data can be refused where the legal obligation to retain applies

Frequently Asked Questions

Can GDPR erasure requests be refused for invoice data?

Yes. GDPR Article 17(3)(b) provides that the right to erasure does not apply where processing is necessary for compliance with a legal obligation which requires processing by EU or member state law. Tax laws requiring invoice retention for 5-10 years constitute such a legal obligation. Organizations can and should refuse erasure requests for invoice data within the mandatory retention period, documenting the basis for the refusal with reference to the applicable tax law.

What personal data is typically contained on business invoices?

Business invoices typically contain contact person names (authorized signatory, AP contact), email addresses, direct phone numbers, and sometimes personal reference numbers. In certain sectors (healthcare, legal services), invoices may reference personal identifiers of service recipients. GDPR compliance requires that this personal data is processed with a legal basis, access-controlled, and not used for purposes other than the accounting and tax purposes for which it was collected.
