Invoices and personal data protection


The provisions on the protection of personal data oblige to rigorous treatment of personal data and their processing. Particular attention should be paid to the legality of the data sets held and their adequate protection, among others by encrypting them. The provisions on the protection of personal data also apply to invoices. Let's take a closer look at the personal data contained in invoices - does the protection of personal data also apply to the information contained therein?

Personal data protection - general concept

In broad terms, personal data protection is the protection of data held by an entrepreneur that constitutes a set of personal data. The collection of personal data is any personal data that enables the identification of a specific person. No provision describes the exact data that may be considered personal. Thus, the criterion for the possibility of identifying a single person remains.

The entrepreneur's name and surname on the invoice

The provisions on the protection of personal data also apply to data that make it possible to identify persons conducting business activity, provided that they constitute personal data for a specific situation. This means that data controllers of entrepreneurs are obliged to comply with the provisions on the protection of personal data.

Art. 4 of the GDPR
Whenever the Act mentions:
7) "controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; if the purposes and means of such processing are specified in Union law or the law of a Member State, the controller may also be designated under Union law or the law of a Member State, or specific criteria for its appointment may be laid down

The data on the invoice is personal data

From 2014, all taxpayers are required to issue invoices. Taxpayers exempt from VAT subject to VAT, whose turnover value does not exceed PLN 200,000. PLN annually, they are also obliged to do so if the recipient requests an invoice.

The detailed scope of data to be included in the invoice is included in Art. 106 e of the VAT Act, including is it

  • entrepreneur's name and surname,
  • his address,
  • contact details

- so these are data that are legally protected.

Personal data may be processed only when there is a so-called legal basis for data processing.

In the case of entrepreneurs, the typical grounds for ordinary data processing are:

  • consent of the data subject,
  • data processing is necessary to perform the contract with the data subject,
  • processing is necessary to fulfill the legal obligation incumbent on the administrator,
  • processing is necessary for the purposes of the legitimate interests pursued by the administrator or by a third party.

Programs for issuing invoices and personal data protection

Due to the fact that invoices contain personal data - programs with the use of which invoices are issued must meet the requirements of the provisions on the protection of personal data. The entire system must be secured against unauthorized access - on the basis of the application itself (client) and the server (database). It must not be forgotten that these programs must meet the requirements of content integrity and authenticity of origin.

In the case of issuing invoices, the legal basis for data processing is the fulfillment of the legal obligation (the obligation to issue an invoice in connection with the sale) of the administrator. So in this case, the consent of the data subject is not required.

Obligation to train employees in the field of personal data protection

The personal data administrator is obliged to apply all necessary technical and organizational measures ensuring proper protection of personal data. Merely having secure invoicing tools cannot be enough here because, as research shows, it is human error that causes the leakage of personal data in most cases. Appropriate staff training is a necessary action to protect against unexpected leakage of personal data outside the company and the exhaustive application of the provisions on the protection of personal data.