If you issue invoices, you process personal data. It is as simple as that. The General Data Protection Regulation (GDPR) applies to every business in the EU -- including auto-entrepreneurs and freelancers -- that handles information identifying a natural person. This guide explains exactly which invoice data falls under the GDPR, what your obligations are, how long you can keep it, and what happens if you get it wrong.
Which invoice data is personal data?
Under the GDPR, personal data is any information relating to an identified or identifiable natural person. On a typical invoice, this includes:
- Client's full name (for individual clients and sole traders)
- Postal address
- Email address
- Phone number (if included)
- Bank details (IBAN, BIC) displayed for payment: on most invoices these are your own, and as a sole trader your IBAN identifies you as a natural person just as a client's would
- SIRET/SIREN number of sole traders (this identifies a natural person operating as a business)
For B2B invoices addressed to companies (legal persons), the company name and registration number alone are not personal data. However, the moment you include a contact person's name, direct email, or phone number, those fields become personal data subject to the GDPR.
The description of services can also constitute personal data in certain contexts -- for example, an invoice from a medical professional that describes the nature of the consultation, or a legal invoice that references a specific personal matter.
Legal basis: why you do not need consent
Many freelancers and small businesses worry about needing explicit client consent to process invoice data. The good news: you do not. The GDPR provides six legal bases for processing personal data, and invoicing relies on two of the strongest:
- Article 6(1)(b) -- Contract performance: processing the data is necessary for the performance of a contract to which the client is a party. You cannot deliver a service and issue an invoice without knowing who the client is.
- Article 6(1)(c) -- Legal obligation: French commercial and tax law require you to issue invoices containing specific mandatory fields (client name, address, etc.) and to retain them for 10 years. You are legally compelled to process this data.
This means you do not need a consent checkbox, a cookie banner, or a signed data processing agreement just to invoice your clients. However, you still owe them transparency: your privacy policy should explain that you process invoicing data, on what legal basis, and for how long.
Data retention periods
One of the GDPR's core principles is storage limitation: personal data should not be kept longer than necessary for the purposes it was collected for. For invoices, French law defines what "necessary" means by imposing mandatory minimum retention periods, so the GDPR does not require you to delete invoice data before they have run:
- 10 years from the end of the financial year: accounting documents, including invoices, under Article L123-22 of the Commercial Code.
- 6 years: tax documents, under Article L102 B of the Livre des procedures fiscales (Tax Procedures Code). Since invoices serve both accounting and tax purposes, the 10-year rule effectively applies.
- 5 years: commercial contracts and related correspondence, under Article 2224 of the Civil Code (general limitation period).
In practice, you should retain all invoices and the personal data they contain for 10 years from the end of the financial year in which they were issued. After this period, you must delete or anonymize the data unless another legal basis justifies continued retention.
A good practice is a two-tier retention policy: keep active invoices (those from the current financial year and the previous one) in your live invoicing system with full access, then move older invoices into a restricted-access archive that only the people responsible for accounting and tax matters can open. This satisfies the legal retention requirement while applying least privilege to data that is now rarely needed; the archive must still be searchable by client so you can answer access requests (see the client rights section).
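The following is an added example, not code from the original page or from Dokta: it computes the retention date of an invoice from the end of its financial year (as Article L123-22 requires, not from the issue date), sorts a batch of invoices into the active, archive and expired tiers described above, and anonymizes the expired ones while keeping the accounting fields. The field names, the fixed-day financial year end and the sample invoices are assumptions made for the example.

```python
"""Retention tiers and anonymization for invoice records (added example)."""
from dataclasses import asdict, dataclass, replace
from datetime import date
import hashlib
import hmac
import json
import secrets

RETENTION_YEARS = 10  # Article L123-22, Commercial Code: 10 years from the end of the financial year


@dataclass(frozen=True)
class Invoice:
    # Accounting fields: what the bookkeeping record needs for 10 years
    number: str
    issued: date
    amount_ht: float
    vat: float
    # Personal-data fields (assumed names): the part the GDPR is about
    client_name: str
    client_address: str
    client_email: str
    client_iban: str
    client_siret: str
    description: str


def fiscal_year_end(d: date, fy_end_month: int = 12, fy_end_day: int = 31) -> date:
    """Last day of the financial year containing d.

    Assumes a financial year ending on a fixed month/day (calendar year by
    default, e.g. 6/30 for a June year end). A 29 February year end is not
    supported, so the year arithmetic below never builds an invalid date.
    """
    end_this_year = date(d.year, fy_end_month, fy_end_day)
    return end_this_year if d <= end_this_year else date(d.year + 1, fy_end_month, fy_end_day)


def retention_expiry(issued: date, fy_end_month: int = 12, fy_end_day: int = 31) -> date:
    """Last day the invoice must be retained: 10 years after the end of its financial year."""
    fy_end = fiscal_year_end(issued, fy_end_month, fy_end_day)
    return fy_end.replace(year=fy_end.year + RETENTION_YEARS)


def retention_tier(inv: Invoice, today: date, fy_end_month: int = 12, fy_end_day: int = 31) -> str:
    """'active': live system, full access (the invoice's financial year is the current
    one or the one before it, which is how 'current year plus one' is read here).
    'archive': restricted-access archive until the retention period ends.
    'expired': past the retention date, so it must be deleted or anonymized."""
    if today > retention_expiry(inv.issued, fy_end_month, fy_end_day):
        return "expired"
    invoice_fy = fiscal_year_end(inv.issued, fy_end_month, fy_end_day).year
    current_fy = fiscal_year_end(today, fy_end_month, fy_end_day).year
    return "active" if invoice_fy >= current_fy - 1 else "archive"


def anonymize(inv: Invoice, key: bytes) -> Invoice:
    """Strip every personal-data field and keep only the accounting fields.

    The client is replaced by an HMAC of the SIRET under a one-off key so that
    per-client totals can still be aggregated. The result is only anonymous if
    the key is destroyed afterwards; while the key exists the record is merely
    pseudonymized and is still personal data under the GDPR.
    """
    token = hmac.new(key, inv.client_siret.encode(), hashlib.sha256).hexdigest()[:16]
    return replace(
        inv,
        client_name=f"client-{token}",
        client_address="",
        client_email="",
        client_iban="",
        client_siret="",
        description="[redacted]",  # service descriptions can be personal data too
    )


def apply_retention(invoices, today: date, fy_end_month: int = 12, fy_end_day: int = 31):
    """Sort a batch into the three tiers; expired invoices come back anonymized.
    Returns {'active': [...], 'archive': [...], 'expired': [...]}."""
    key = secrets.token_bytes(32)  # used once and dropped with this frame: no key, no re-identification
    tiers = {"active": [], "archive": [], "expired": []}
    for inv in invoices:
        tier = retention_tier(inv, today, fy_end_month, fy_end_day)
        tiers[tier].append(anonymize(inv, key) if tier == "expired" else inv)
    return tiers


# Constructed sample data for the example (not real clients)
SAMPLE = [
    Invoice("F2015-031", date(2015, 3, 14), 1200.0, 240.0, "Marie Dupont", "12 rue X, Lyon",
            "marie@example.org", "FR7630006000011234567890189", "12345678900012", "Consultation du 14/03"),
    Invoice("F2024-112", date(2024, 6, 1), 800.0, 160.0, "Jean Martin", "3 av. Y, Paris",
            "jean@example.org", "FR7630006000011234567890189", "98765432100011", "Audit de securite"),
    Invoice("F2025-207", date(2025, 11, 2), 500.0, 100.0, "Jean Martin", "3 av. Y, Paris",
            "jean@example.org", "FR7630006000011234567890189", "98765432100011", "Suivi trimestriel"),
]

if __name__ == "__main__":
    result = apply_retention(SAMPLE, today=date(2026, 1, 15))
    for tier, items in result.items():
        print(tier, [i.number for i in items])
    print(json.dumps(asdict(result["expired"][0]), default=str, indent=2))
```

Running it on 15 January 2026 puts the 2015 invoice in the expired tier (its financial year ended 31 December 2015, so retention ran to 31 December 2025), the 2024 invoice in the archive, and the November 2025 invoice in the active tier. For a financial year ending 30 June, an invoice issued in August 2015 belongs to the year ending 30 June 2016 and must be kept through 30 June 2026, which is the case the issue-date shortcut gets wrong.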
Client rights under the GDPR
Even though you process invoice data under a legal obligation, your clients retain several GDPR rights:
- Right of access (Art. 15): clients can request a copy of all personal data you hold about them, including invoice data. You must respond within one month, extendable by two further months for complex or numerous requests provided you tell the client within the first month (Art. 12(3)).
- Right to rectification (Art. 16): if a client's name, address, or other details are incorrect on an invoice, they can request correction. Note that for already-issued invoices, you must issue a credit note and a corrected invoice rather than modifying the original (which would violate accounting rules).
- Right to erasure (Art. 17): clients can request deletion of their data. However, you can refuse this request when the data must be retained to comply with a legal obligation -- which is the case for invoices during the 10-year retention period. After 10 years, the right to erasure applies fully.
- Right to restriction of processing (Art. 18): a client can ask you to limit how you use their data. In practice, this means you can keep the invoices for legal compliance but must not use the data for other purposes (e.g., marketing).
- Right to data portability (Art. 20): clients can request their data in a structured, machine-readable format. This is most relevant if a client is switching to another service provider and needs their invoice history.
Data security obligations
Article 32 of the GDPR requires you to implement "appropriate technical and organisational measures" to protect personal data. For invoice data, this means:
- Access control: limit who can view invoices to those who genuinely need access. In a solo business, this is straightforward. In a team, implement role-based access.
- Encryption: store digital invoices on encrypted drives or in cloud services that offer encryption at rest and in transit. Never send invoices containing bank details via unencrypted email.
- Backup: maintain regular backups of your invoice data in a secure location, separate from your primary storage.
- Physical security: if you keep paper invoices, store them in a locked cabinet with restricted access.
- Password hygiene: use strong, unique passwords for your invoicing software and enable two-factor authentication where available.
- Breach notification: if invoice data is compromised (e.g., your laptop is stolen, your cloud account is hacked), you must notify the CNIL within 72 hours of becoming aware of it (Art. 33), unless the breach is unlikely to result in a risk to the people concerned, and, if it poses a high risk to them, inform affected clients without undue delay (Art. 34). Every breach, notifiable or not, must be recorded in an internal breach register (Art. 33(5)). Full-disk encryption is what turns a stolen laptop from a notifiable breach into one that is unlikely to present a risk.
E-invoicing and the GDPR
France's mandatory e-invoicing reform (from September 2026 every business must be able to receive electronic invoices and large and mid-sized companies must issue them; from September 2027 the issuing obligation extends to SMEs and auto-entrepreneurs) introduces a new data processing layer. When you use a Plateforme de Dematerialisation Partenaire (PDP) to send electronic invoices, you are entrusting a third party with your clients' personal data.
Key GDPR considerations for e-invoicing:
- Data processing agreement (DPA): you must have a written DPA with your PDP, as required by Article 28 of the GDPR. The PDP acts as your data processor and must only process the data according to your instructions.
- Data transfers: verify where your PDP stores data. If data is stored outside the EU, appropriate safeguards (Standard Contractual Clauses, adequacy decisions) must be in place.
- Data minimization: ensure your PDP does not retain invoice data longer than necessary or use it for purposes beyond the invoicing service (e.g., analytics, marketing).
- Security certifications: prefer PDPs that hold ISO 27001 certification or can show a SOC 2 report. These demonstrate audited security practices but do not replace the DPA or your own check of where the data is stored.
Dokta, as a GDPR-compliant invoicing platform, provides a signed DPA, stores all data within the EU, and implements encryption at rest and in transit for all invoice data.
CNIL penalties and enforcement
The Commission Nationale de l'Informatique et des Libertes (CNIL) is France's data protection authority. It has the power to investigate complaints, conduct audits, and impose sanctions for GDPR violations. The potential penalties are significant:
- Tier 1 (Art. 83(4)): up to 10 million euros or 2% of global annual turnover for violations related to data processing obligations, security measures, and breach notification.
- Tier 2 (Art. 83(5)): up to 20 million euros or 4% of global annual turnover for violations of data subject rights, legal basis requirements, and cross-border transfer rules.
For small businesses and auto-entrepreneurs, the CNIL has historically favored warnings and injunctions before imposing fines. However, in 2023 alone, the CNIL issued over 40 sanctions, including fines against small companies for inadequate security measures. The message is clear: size does not exempt you from compliance.
Common GDPR violations related to invoicing include: retaining invoice data indefinitely without a retention policy, sending invoices containing bank details via unencrypted email, failing to respond to client data access requests, and not having a data processing agreement with your invoicing software provider.
GDPR compliance checklist for invoicing
- Identify all personal data on your invoices and in your invoicing system.
- Verify your legal basis (contract performance + legal obligation) -- do not ask for consent.
- Set a 10-year retention period with automatic deletion or anonymization after expiry.
- Update your privacy policy to mention invoicing data processing.
- Implement access controls and encryption for stored invoices.
- Sign a data processing agreement with your invoicing software provider.
- Establish a procedure for responding to client data requests within one month.
- Prepare a breach notification procedure (CNIL within 72 hours, clients if high risk).
- Train any staff who handle invoices on basic GDPR principles.
- Review and update your compliance measures annually.
Frequently asked questions
Do I need client consent to issue an invoice?
No. The legal basis for processing personal data on invoices is legal obligation (Article 6(1)(c) GDPR) and contract performance (Article 6(1)(b) GDPR). Consent is neither required nor appropriate for invoicing, since the client cannot meaningfully withdraw consent for data you are legally obligated to process and retain.
Can a client ask me to delete their invoices under GDPR?
A client can submit a right-to-erasure request, but you can lawfully refuse it during the mandatory 10-year retention period. Article 17(3)(b) of the GDPR explicitly exempts data processing necessary for compliance with a legal obligation. After 10 years, you must honor the deletion request. Inform the client of this exception when responding to their request.
How long can I keep invoice data?
French law requires you to retain invoices for 10 years from the end of the financial year in which they were issued (Article L123-22, Commercial Code). Tax authorities can request invoices going back 6 years (Article L102 B, Tax Procedures Code). After the 10-year period, you must delete or anonymize the personal data unless another legal basis applies.
Is sending invoices by email GDPR-compliant?
Sending invoices by email is permissible, but you should take precautions. Email between mail servers is usually TLS-protected, but that protection is opportunistic and you cannot verify it end to end, and the message then sits in plaintext in both mailboxes. So avoid putting sensitive data (such as full bank details) in the email body, send invoices as password-protected PDF attachments with the password shared through another channel, or, better still, use a secure invoicing platform that provides an authenticated, expiring download link. Plain unencrypted email on its own does not meet the "appropriate technical measures" standard of Article 32 for sensitive financial data.
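What an authenticated download link looks like on the server side, as an added example that is not part of the original page and not Dokta's implementation: the link carries the invoice and client identifiers plus an expiry, all bound by an HMAC under a server-side key, so the email only ever contains a short-lived capability rather than the PDF or any bank details. The query parameter names, the one-week lifetime and the session check are assumptions made for the example.

```python
"""HMAC-signed, expiring invoice download links (added example)."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: one server-side secret, never sent to clients, rotated on compromise.
SERVER_KEY = secrets.token_bytes(32)
LINK_TTL_SECONDS = 7 * 24 * 3600  # a week: long enough for the client, short enough to bound exposure


def _signature(invoice_id: str, client_id: str, expires_at: int, key: bytes) -> str:
    # Bind every parameter the handler trusts into the MAC so none can be swapped.
    msg = "\x1f".join((invoice_id, client_id, str(expires_at))).encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def sign_download_link(base_url: str, invoice_id: str, client_id: str, now: int,
                       ttl: int = LINK_TTL_SECONDS, key: bytes = SERVER_KEY) -> str:
    """Build the link that goes into the email instead of the PDF itself."""
    expires_at = now + ttl
    query = {"inv": invoice_id, "c": client_id, "exp": expires_at,
             "sig": _signature(invoice_id, client_id, expires_at, key)}
    return f"{base_url}?{urlencode(query)}"


def verify_download_link(url: str, now: int, key: bytes = SERVER_KEY):
    """Return (invoice_id, client_id) for a genuine, unexpired link, else None.

    Any missing, altered or expired parameter fails closed. The MAC comparison
    is constant-time so an attacker cannot learn a valid signature byte by byte.
    """
    params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    try:
        invoice_id, client_id = params["inv"], params["c"]
        expires_at, sig = int(params["exp"]), params["sig"]
    except (KeyError, ValueError):
        return None
    if now > expires_at:
        return None
    if not hmac.compare_digest(_signature(invoice_id, client_id, expires_at, key), sig):
        return None
    return invoice_id, client_id


def serve_download(url: str, now: int, session_client_id: str, key: bytes = SERVER_KEY):
    """What the download handler does: the link proves the server issued it, the
    login session proves who is asking; both must agree before the PDF is released.
    Identifiers are assumed to be ASCII, which compare_digest requires for str."""
    claim = verify_download_link(url, now, key)
    if claim is None:
        return 403, None
    invoice_id, client_id = claim
    if not hmac.compare_digest(client_id, session_client_id):
        return 403, None
    return 200, f"invoice-{invoice_id}.pdf"  # placeholder for the real file lookup


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed "now" for the example
    link = sign_download_link("https://invoices.example.invalid/dl", "F2025-207", "C-42", t0)
    print(link)
    print(serve_download(link, t0 + 60, "C-42"))        # (200, 'invoice-F2025-207.pdf')
    tampered = link.replace("inv=F2025-207", "inv=F2025-208")
    print(serve_download(tampered, t0 + 60, "C-42"))    # (403, None)
```

Because the link is a bearer capability, anyone who reads the email can present it; that is why the handler also checks the logged-in session against the client identifier in the link, and why the lifetime is short. Changing the invoice number, the client, the expiry or the key invalidates the signature, and a link with a missing parameter is rejected rather than parsed leniently.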
What should I do if my invoicing data is breached?
Notify the CNIL within 72 hours of becoming aware of the breach (Article 33 GDPR), unless it is unlikely to result in a risk to the people concerned; if you notify later than 72 hours, you must explain the delay. Document the nature of the breach, the data affected, and the measures taken, and keep that record in your breach register even when no notification is required. If the breach is likely to result in a high risk to client rights -- for example, bank details were exposed -- you must also notify affected clients without undue delay (Article 34). Having a pre-prepared breach response plan significantly reduces response time and legal exposure.