GDPR and Invoicing: What Every Freelancer Must Know
GDPR covers every invoice you send. Legal basis, country retention periods, client rights, and what Art. 28 requires from cloud tools.
The General Data Protection Regulation (GDPR) is not just for big tech companies. Every freelancer or small business that invoices clients in the EU — or invoices EU-based clients from anywhere in the world — processes personal data, and that means GDPR applies to you.
GDPR and invoicing in brief: Invoices contain personal data (name, address, VAT number), so GDPR applies to every freelancer who bills EU clients. Your lawful basis is either contract performance (Art. 6(1)(b)) or legal obligation (Art. 6(1)(c)). Retention periods are set by national tax law — typically 5–10 years — and Art. 17(3)(e) explicitly exempts legally required records from erasure requests. Cloud invoicing tools require a Data Processing Agreement under Art. 28.
This guide explains what GDPR means for invoicing: what counts as personal data on an invoice, what your legal basis is for processing it, how long you can keep invoice records, and what rights your clients have over their data.
Do Invoices Contain Personal Data?
Yes. An invoice typically includes:
- Client's full name or business contact name
- Client's address (business or home)
- Email address (often on accompanying communications)
- Phone number
- VAT number (for sole traders, this may encode personal information)
Any information that can identify a natural person — directly or indirectly — is personal data under GDPR. A sole trader's name and address are personal data. A company name alone is not, but a named contact at that company is.
Your Legal Basis for Processing Invoice Data
Under GDPR Article 6, you need a lawful basis to process personal data. For invoicing, two bases apply:
1. Contract (Art. 6(1)(b))
Processing is necessary to perform a contract with the data subject, or to take steps at their request before entering a contract. Invoicing a client directly fulfills this — you need their address and name to issue a valid invoice for services rendered.
2. Legal obligation (Art. 6(1)(c))
Processing is necessary to comply with a legal obligation. Tax law in virtually every EU member state requires you to keep invoice records for a minimum number of years. Retaining invoices to meet your tax authority's requirements falls under this basis.
You do not need consent to issue invoices or keep them for tax purposes. Asking for consent here would be incorrect — consent must be freely withdrawable, and you cannot delete a required tax record because a client withdrew consent.
Data minimisation (Art. 5(1)(c))
The data minimisation principle requires that personal data be "adequate, relevant and limited to what is necessary." For invoices this means collecting only what is needed to issue the invoice and meet tax requirements — name, address, and tax number. Storing a client's date of birth, personal email, or phone number beyond what the invoice requires is not justified under either lawful basis above.
How Long Can You Keep Invoice Records?
GDPR's data minimisation and storage limitation principles require you to keep personal data only as long as necessary. For invoices, "necessary" is defined by your national tax law, not GDPR. Common retention periods:
| Country | Minimum retention period |
|---|---|
| Germany | 10 years |
| France | 10 years |
| Netherlands | 7 years |
| Spain | 5 years (general), 4 years (tax) |
| Italy | 10 years |
| UK (post-Brexit) | 6 years (Companies Act) |
| Ireland | 6 years |
After the retention period ends, you must delete or anonymise the records. Keeping invoices indefinitely "just in case" is not GDPR-compliant.
Client Rights and Invoices
GDPR gives data subjects rights over their personal data. Here is how those rights interact with invoicing:
Right to access (Article 15)
A client can request a copy of the personal data you hold about them. You must respond within one month. For invoices, this means providing copies of invoices that contain their data.
Right to erasure (Art. 17)
The right to be forgotten does not override legal obligations. Art. 17(3)(e) explicitly states that the right to erasure does not apply when processing is necessary "for compliance with a legal obligation." If your tax law requires you to keep an invoice for 10 years, you can refuse an erasure request on that basis. Inform the client that you are retaining the record under Art. 17(3)(e) to comply with legal obligations and will delete it once that obligation expires.
Right to rectification (Article 16)
If a client's details on an invoice are wrong, they can ask you to correct them. For issued invoices, you typically issue a corrected invoice or credit note rather than altering the original record.
Using Invoice Software: What to Watch For
If you use a cloud-based invoicing platform, that platform becomes a data processor under GDPR. You are the data controller; they process data on your behalf. Art. 28 makes a written Data Processing Agreement (DPA) mandatory — not optional — whenever a controller uses a processor. This means:
- You need a DPA with the platform. Reputable platforms include one in their terms of service; if yours does not, that is a red flag.
- The DPA must specify what data is processed, for what purpose, where it is stored, who the sub-processors are, and the security measures in place.
- Client data may be stored on servers outside the EU — check whether adequate transfer safeguards exist (EU Standard Contractual Clauses or an adequacy decision).
- You remain responsible for GDPR compliance, even if the platform mishandles data. A DPA allocates risk contractually but does not transfer your legal responsibility as controller.
Browser-based invoice tools that store all data locally — like invoicePrivate — sidestep this entirely. No data is sent to a server, so there is no third-party data processor, no DPA required, and no risk of a platform breach exposing your clients' data.
Practical Steps for GDPR-Compliant Invoicing
- Collect only what you need. Name, address, and tax number — not more. You do not need a client's date of birth or personal email unless specifically required.
- Know your retention period. Set a reminder to delete invoice records once the statutory period expires in your country.
- Update your privacy notice. If you send newsletters, maintain a CRM, or re-use client contact details for marketing, your privacy notice must disclose this. Invoicing data used only for invoicing does not require a separate privacy notice — the contract basis covers it.
- Sign a DPA with any cloud tool. If you use SaaS invoicing software, check that a DPA is in place. This is non-negotiable under GDPR Article 28.
- Have a process for access requests. If a client asks what data you hold, you need to be able to respond within 30 days.
Penalties for Non-Compliance
GDPR fines are tiered:
- Lower tier: Up to €10 million or 2% of global annual turnover — for procedural violations (e.g., no DPA with a processor)
- Upper tier: Up to €20 million or 4% of global annual turnover — for violations of core principles (e.g., processing without a lawful basis)
For freelancers and micro-businesses, supervisory authorities typically issue warnings and require remediation before imposing fines — but the obligation is real, and complaints from clients can trigger investigations.
Summary
GDPR and invoicing coexist straightforwardly once you understand the rules: your legal basis is either contract or legal obligation, your retention period is set by tax law, and erasure requests can be refused when legal retention applies. The main risk area for freelancers is using cloud software without a DPA — or keeping invoice data far longer than required.
invoicePrivate processes no data server-side — all invoice data remains in your browser's local storage, making GDPR compliance for the tool itself essentially a non-issue.
FAQ
Does GDPR apply to me if I invoice EU clients but I'm based outside the EU?
Yes. GDPR applies to any business that offers goods or services to individuals in the EU, or monitors their behaviour — regardless of where the business is established. If you invoice EU-based individuals (not just companies), you are subject to GDPR.
Can a client force me to delete an invoice under GDPR?
No, not while you are legally required to retain it. The right to erasure does not override legal obligations. Tax law in most EU countries requires invoice retention for 5–10 years. You can decline the request, explain the legal basis, and commit to deleting the record once the retention period expires.
Do I need to add a privacy notice to my invoices?
Not necessarily on the invoice itself. GDPR requires you to inform clients about how you process their data — typically done in a privacy policy or a privacy notice sent at the start of the relationship. You do not need to reproduce this on every invoice, but your privacy notice should cover invoice data processing.
Is a sole trader's VAT number considered personal data?
In some EU countries, a sole trader's VAT number is derived from their national ID number or tax number, making it directly linked to the individual. In those cases, yes, it is personal data. Company VAT numbers registered to legal entities (not individuals) are generally not personal data.
What is the data minimisation principle and how does it apply to invoicing?
Art. 5(1)(c) of the GDPR requires that personal data be adequate, relevant, and limited to what is necessary for the stated purpose. For invoicing, collect only what is needed to issue a valid invoice and meet tax obligations — typically name, address, and tax/VAT number. Storing additional fields such as a client's personal phone number or date of birth is not justified unless you have a separate lawful basis.
Do I need a Data Processing Agreement if I use cloud invoicing software?
Yes. Art. 28 of the GDPR requires a written Data Processing Agreement between you (the data controller) and any cloud platform that processes personal data on your behalf (the data processor). This applies to every cloud-based invoicing tool — FreshBooks, Zoho Invoice, QuickBooks Online, and others. The agreement must specify the subject matter, duration, nature, and purpose of processing, and the types of personal data involved. If your tool does not offer a DPA, you are processing data without the required legal framework.