GDPR and invoicing

All About GDPR & Invoicing

Invoicing is a core, critical function of every business. Digital or not, the invoice to the customer is what makes business business, and yes, it involves personal data.

All invoicing, regardless of medium, requires us to keep certain fundamental pieces of information about our customers, be it in B2B or B2C scenarios. To illustrate this point, let’s break it down, starting with some basic data mapping.

Data mapping

Most basic invoices will include at a minimum:

  • First name, last name
  • Email
  • Invoice mailing address
  • Delivery address

The content of the invoice’s purchase is also relevant, as it provides extremely valuable profiling information to the business about a customer’s purchasing history.

So, is invoicing a thing under GDPR? Answer: Yes, absolutely.

The good news is that your business is probably completely legally justified to keep such data, and for the most part, it won’t have to go out of its way to change much. This is due to the legal basis that corresponds to these storage & processing activities.

Legal basis

If you think about it, there are two main purposes for the storage and processing of personal data with regard to invoicing:

“accounting obligations”

  • Rec.30; Art.7(1)(c), Compliance with legal obligations – since businesses are obligated to produce taxation reporting and keep financial records for a period of time, you’re well within your rights to keep a directory of past customers, their contact details and contact history. No explanation necessary.

“sales & marketing activities”

  • For B2C, marketing-related communications and data processing typically happen on the basis of an explicit opt-in consent. This is the familiar ‘Yes, please let me know about offers & special deals’ checkbox on the checkout page. If you send marketing to your past customers, start by assuming you need this opt-in at the time of purchase, and make sure it is un-ticked by default.
  • For B2B, the same marketing can happen on the basis of a legitimate interest. Legitimate interest means you can keep going about your business, no explicit consent necessary, as long as you explain exactly why you need to store & process this data (the justification). You still need to provide users the means to opt out (unsubscribe style).


At any rate, you need to take responsibility for the storage of this personal data, and make it known to your customers where their contact & purchasing information is stored, and under what circumstances.

Start by identifying your stores. Where and how are your customers’ data kept? Paper records? Email records? Excel spreadsheets? Your accounting software? Zervant?

If you keep your own data, explain what security measures it is kept under and under what circumstances it is accessible. For example, is it kept online in a Google Drive folder that only you can access? Is it stored securely with PayPal or Zervant?

For Zervant, invoices are sent via email. Here it’s important to note that GDPR does not regulate email or any other technology used by one’s own personal choice.

Indicate in what country the data is stored and whether any staff or third parties outside the EU have access to the data, under what circumstances and for what purpose. If you are storing your own customer data, the answers to these questions will be obvious. If you are using a third-party service to handle invoicing and customer data, the answers should be readily available in that service’s own privacy policy (read more about Zervant’s privacy policy).


Once you have a clear picture of the above, you need to be able to communicate it with clarity to your customers. In most cases, this takes the form of a short, human-readable privacy policy that is available online and is also offered to customers at the time of purchase. Providing this information at the right time, and focusing on what the customer is currently trying to do (e.g. check out), is an important way to ensure that they remain ‘informed’. For invoicing, for example, be sure that opt-ins are collected at the time of purchase.

You may write your own privacy policy, and as long as you keep in mind the above points and the ultimate goal of transparency, you should be well on your way to GDPR compliance. You could also get help from the friendly guys at Portyr, who are creating tools to help businesses like yours implement best practices with regard to GDPR.

At the end of the day, it’s about being respectful to your users and their rights. Be ready to answer the following questions from your curious customers:

  • Can I get a copy of my purchasing history? Yes, you’re obliged to comply – so be prepared to send this to them in some form.
  • I need to change my information. You probably already have a way to do this.
  • Please delete my information and forget about me forever. As we mentioned, you are actually legally bound to keep invoicing information, and you can tell them that. However, they might have a case to have additional information or ‘profiling metadata’ related to “sales & marketing activities” deleted. In this case, a frank, open discussion with the customer, with the goal of understanding their concerns, is the best approach.
  • How long will you keep my data? Again, this is connected to your legal obligation to keep the data.

With these steps you’re well on your way to staying afloat in the post-GDPR tsunami.

This article is part 2 of our mini-series on GDPR and small business (you can read part 1 here). It was written by Seb Nemeth, CEO and co-founder of Portyr. Portyr are building a platform for solving GDPR, by providing companies sensible ways to take meaningful and effective steps towards compliance.