Invoicing and the GDPR legislation: what should you consider?

The General Data Protection Regulation (GDPR) determines what you, as an entrepreneur, both may and must do with personal data. What about invoicing data? Here’s our explanation.


The GDPR caused quite a stir in the business world when it came into force in May 2018. Since then, both companies and public authorities have had to comply with the new rules when processing personal data. Even when you send out invoices, you must observe the GDPR guidelines.

The GDPR (AVG in Dutch) applies to all data that can be traced back to a natural person. An invoice, for example, may include the name of the customer’s contact person or the VAT number of a self-employed person.

Make sure you treat such data in accordance with the GDPR. Ideally, you should describe, in a consultable data policy, how your company handles personal data. In this way, you are transparent to your customers, and you have a reference to fall back on.

Personal data on invoices: this is how you comply with the GDPR

Keep these two GDPR rules in mind in your invoicing process:

  • Do not keep personal data longer than necessary.

Sometimes you are legally obliged to keep certain data. For example, you must keep invoices and some other accounting documents for at least seven years. You can also choose to keep them for longer if you think this is necessary. Describe in your data policy how long you keep invoices and, if you deviate from the legal minimum period, why you do so.

After seven years, or after the period you have specified, you must destroy the invoices or delete them from all digital systems, or at least remove the personal data they contain (e.g., by deleting it).

  • Do not use invoice data for any purpose other than invoicing.

    For example, it is usually prohibited to simply add an e-mail address you find on an invoice to the database for your newsletter. You are also not allowed to use telephone numbers for commercial activity. Always ask the person in question for explicit permission first and inform them about your data policy.

    You may send commercial mailings to an e-mail address that does not refer directly to a specific person, such as an ‘info@’ address, without permission.

Do you have more questions and/or remarks about GDPR and invoicing? Do not hesitate to contact us!