Invoicing and GDPR compliance for SMEs

Introduction
Every invoice you issue contains personal data: the name, address and contact details of your clients. This information is protected by the GDPR (General Data Protection Regulation) and the Swiss FADP (Federal Act on Data Protection). Both laws protect natural persons only: on a B2B invoice, the company's name and address are not personal data, but the name, direct email and phone number of your contact person are.
For many entrepreneurs and freelancers, GDPR compliance seems complex and reserved for large companies. Yet as soon as you process client data, the rules apply to you. The good news? Complying with them in your invoicing process doesn't require advanced legal expertise.
This guide explains concretely how to apply GDPR principles to your daily invoicing. You'll discover which data is concerned, how to protect it, where to store it, and how to handle your clients' requests. We also address your responsibilities when using invoicing software or working with an accountancy firm.
Whether you create compliant invoices manually or via an online tool, these best practices will enable you to invoice legally whilst respecting your clients' privacy.
📌 Summary (TL;DR)
The GDPR applies to any invoice containing personal data. SMEs and freelancers must respect five key principles in their invoicing: data minimisation, transparency, a clear legal basis and purpose, security, and respect for individual rights. This article details concrete obligations, provides a practical checklist and explains how to choose compliant invoicing software to protect your clients' data.
📚 Table of contents
- GDPR and invoicing: what you need to know
- Personal data present on your invoices
- The 5 GDPR principles to respect in your invoicing
- GDPR checklist for your invoicing process
- Storage and hosting: where should your invoices reside?
- Subcontracting and invoicing software: your responsibilities
- Practical cases: common situations and solutions
- How BePaid helps you remain compliant
GDPR and invoicing: what you need to know
The GDPR regulates the processing of personal data in the European Union and the EEA. In Switzerland, the revised FADP (Federal Act on Data Protection), in force since 1 September 2023, follows the same principles, and a Swiss company that offers goods or services to people in the EU can fall under the GDPR directly.
Your invoicing processes personal data: the name, address, email and sometimes bank details of your clients or their contact persons. Each invoice therefore contains personal data protected by law. It is not "sensitive data" in the legal sense (that term is reserved for categories such as health or religion), but it is still data you must protect.
Whether you're a freelancer or an SME, you are responsible for this data. Understanding your obligations regarding data protection is not optional: it's a legal requirement that protects your clients and your business.
Personal data present on your invoices
Each invoice contains personal data: the client's full identity, billing and delivery address, email, telephone number and sometimes bank details (for direct debits or refunds).
You also store purchase history, invoiced amounts, payment terms and commercial exchanges. Some of this data is legally mandatory for the tax validity of your invoices, in particular the recipient's name and address.
In Switzerland, you must retain your accounting documents, including every invoice, for 10 years (Art. 958f of the Code of Obligations). Secure long-term storage is therefore part of your invoicing process, not an afterthought.
The 5 GDPR principles to respect in your invoicing
The GDPR sets out its principles in Article 5. Five of them shape your invoicing process directly, and each imposes concrete obligations to protect your clients' data.
These rules are not theoretical: they define how you collect, use, store and protect personal information. Here are the five pillars of compliance applied to invoicing.
1. Data minimisation
Collect only the information necessary for invoicing. Name, address, contact details: limit yourself to the essentials to issue and archive your invoices compliantly.
No need for date of birth for a standard B2B invoice, nor personal information unrelated to the transaction. The less you collect, the less you have to protect.
2. Transparency and information
Inform your clients about the use of their data. Your privacy policy must be accessible and clearly explain why you collect this information.
Specify the retention period (10 years for invoices in Switzerland) and the intended use. Transparency builds trust and respects your clients' fundamental rights.
3. Consent and purpose
Invoicing does not rest on consent: your legal basis is the performance of the contract with your client, and the 10-year archiving of invoices rests on a legal obligation. You don't need anyone's permission to issue or archive an invoice.
However, using the same data for marketing (newsletters, commercial offers) is a different purpose and needs its own legal basis, in practice explicit consent that the client can withdraw at any time. Never reuse invoicing data for another purpose without it.
4. Security and confidentiality
Protect your data with appropriate technical measures: encryption of stored data and backups, TLS for every connection, unique strong passwords kept in a password manager, and two-factor authentication wherever your software supports it.
Limit data access to only those who need it, and remove access promptly when someone leaves or changes role. To learn more about security standards, consult our article on online accounting data security.
5. Individual rights
Your clients have the right to access their data, rectify it and, in certain cases, request its deletion.
Establish a procedure to handle these requests within the legal deadline: one month under the GDPR and 30 days under the FADP, extendable only in justified, complex cases. Verify the requester's identity before disclosing anything. Important: the 10-year accounting retention obligation takes precedence over the right to erasure for the invoices themselves, but not for data you hold beyond what the archived invoice needs.
GDPR checklist for your invoicing process
Here are the essential points to verify to guarantee the compliance of your invoicing process:
- Privacy policy accessible on your website and in your general terms and conditions
- Secure access to your invoicing software: unique, strong passwords and two-factor authentication
- Encrypted, regularly tested backups of your accounting data
- Access limitation: only authorised persons consult client data, and access is reviewed when staff leave
- Documented procedure to respond to access, rectification or erasure requests within the legal deadline
- Data processing agreement (DPA) signed with your invoicing software provider
- Data hosting in Switzerland or the EU/EEA, or appropriate safeguards for any other country
- Team training in data protection best practices
Storage and hosting: where should your invoices reside?
The location of your servers is not a technical detail: it's a compliance matter. The GDPR regulates transfers of personal data outside the EU/EEA, and the FADP regulates transfers outside Switzerland; each side recognises the other as offering adequate protection.
Favour secure storage on servers located in Switzerland or the European Union. Transfers to other countries require additional safeguards, typically standard contractual clauses together with an assessment of the destination country's laws, and a documented justification.
Cloud or local servers? The cloud offers security and automatic backup, provided your provider is compliant. Check certifications (ISO 27001), datacentre locations, encryption measures and who holds the encryption keys.
BePaid stores all your data in Switzerland, guaranteeing compliance and sovereignty. For more details on security criteria, consult our article on accounting data storage.
Subcontracting and invoicing software: your responsibilities
When you use SaaS software like BePaid, you remain the data controller. The software acts as a processor.
This legal distinction is important: you are responsible for GDPR compliance, even if it's the software that technically stores the data. You must therefore choose a reliable provider.
Sign a data processing agreement (DPA) that defines responsibilities, security measures and the supplier's commitments. Under Article 28 GDPR this contract is mandatory; many SaaS providers include it in their terms, so check that it is actually there before you rely on it.
Selection criteria: data hosting, security certifications, Swiss FADP compliance, transparency on practices. To learn more, consult our guide to choosing the right invoicing software.
Practical cases: common situations and solutions
GDPR theory becomes concrete when facing everyday situations. Here are three frequent scenarios encountered by SMEs and freelancers, with practical and compliant solutions.
A client requests deletion of their data
Response to provide: you are legally obliged to retain invoices for 10 years under Swiss law. This legal obligation takes precedence over the right to erasure.
Practical solution: explain this obligation to the client. You can immediately delete or pseudonymise everything the archived invoice does not need (email, phone number, notes, the live customer record, marketing lists) and restrict access to the archived invoice itself. The fields that keep the invoice tax-valid, in particular the recipient's name and address, must stay readable until the retention period ends; once it does, delete the invoice or replace the remaining identifying fields with a pseudonym (an identifier that cannot be linked back to the person without a separately stored key). Complete deletion is impossible before the 10 years have elapsed.
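The following is an added example, not BePaid's code or a scheme the article prescribes, of how an erasure request can be applied to one archived invoice. It assumes the invoice is a plain dict, that the financial year is the calendar year (so retention runs to 31 December of the tenth year after the invoice), and that the set of fields the invoice needs to stay valid is the one declared in MANDATORY_FIELDS; the pseudonym is a keyed HMAC over the normalised name, so the same client always maps to the same token and nobody can reverse it without the key. The sample invoice is constructed for the example.

```python
import datetime as dt
import hashlib
import hmac

# Assumptions for this example (not from the article or BePaid): calendar financial
# year, and Swiss retention of 10 years counted from the end of that year.
RETENTION_YEARS = 10

# Fields the archived invoice needs to stay tax-valid (assumed set for this example).
# They stay readable until the retention period ends.
MANDATORY_FIELDS = {"invoice_no", "date", "customer_name", "customer_address",
                    "total_chf", "vat_chf"}
# Personal fields the invoice does not need: an erasure request removes them at once.
OPTIONAL_PERSONAL_FIELDS = {"customer_email", "customer_phone", "notes"}


def _as_date(value) -> dt.date:
    """Accept either a date or an ISO-8601 string (as stored in JSON exports)."""
    return value if isinstance(value, dt.date) else dt.date.fromisoformat(value)


def retention_end(invoice_date) -> dt.date:
    """Last day on which the invoice must still be retained."""
    return dt.date(_as_date(invoice_date).year + RETENTION_YEARS, 12, 31)


def pseudonym(key: bytes, name: str) -> str:
    """Keyed, stable pseudonym: HMAC-SHA256 over the whitespace-normalised,
    lower-cased name. Keep the key outside the archive; destroying the key
    makes the pseudonymisation final."""
    norm = " ".join(name.split()).lower().encode("utf-8")
    return "cust-" + hmac.new(key, norm, hashlib.sha256).hexdigest()[:16]


def handle_erasure_request(invoice: dict, key: bytes, today) -> dict:
    """Return a copy of the invoice after applying a client's erasure request.

    Before the retention period ends: drop the optional personal fields only;
    the fields the invoice needs to stay valid are untouched.
    After it ends: also replace the identifying fields with a pseudonym and
    keep only the accounting figures.
    """
    out = {k: v for k, v in invoice.items() if k not in OPTIONAL_PERSONAL_FIELDS}
    expired = _as_date(today) > retention_end(invoice["date"])
    if expired:
        out["customer_name"] = pseudonym(key, invoice["customer_name"])
        out["customer_address"] = "[pseudonymised]"
    out["erasure_status"] = "pseudonymised" if expired else "restricted"
    return out


# Constructed sample invoice (not real data).
SAMPLE_INVOICE = {
    "invoice_no": "2015-0042",
    "date": "2015-03-10",
    "customer_name": "Anna Muster",
    "customer_address": "Musterstrasse 1, 8000 Zürich",
    "customer_email": "anna@example.com",
    "customer_phone": "+41 79 000 00 00",
    "notes": "prefers calls after 17:00",
    "total_chf": "1080.00",
    "vat_chf": "80.00",
}

if __name__ == "__main__":
    key = b"example-pseudonymisation-key"  # hypothetical; use a managed secret in practice
    # Request received during the retention period: only optional fields go.
    print(handle_erasure_request(SAMPLE_INVOICE, key, "2020-01-01"))
    # Same request after 31 December 2025: identifying fields are pseudonymised too.
    print(handle_erasure_request(SAMPLE_INVOICE, key, "2026-01-01"))
```

The pseudonymisation key is what turns "pseudonymised" into "anonymised": while you keep it, you can still answer an auditor who asks which client an archived invoice belonged to; once you destroy it, the link is gone for good, so decide deliberately when that happens.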
Sending invoices by email: precautions to take
A standard email offers no guarantee of encryption: transport encryption between mail servers is optional and not under your control, and the message and its attachment then sit in clear text in the recipient's mailbox, in forwarded copies and in backups you will never see. For personal data, this is not ideal.
Pragmatic solutions: use a secure client portal where the client downloads their invoice after logging in. Or send an email with a download link rather than a direct attachment, making sure the link is unguessable, expires after a short time and cannot be altered to fetch someone else's invoice. End-to-end encryption (PGP or S/MIME) exists but remains complex for most SMEs and their clients.
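As an added example (not BePaid's mechanism, and not described by the article beyond "send a download link"), here is one way to issue such a link: the token carries the invoice id and an expiry time, both covered by an HMAC-SHA256 signature under a server-side secret, and the portal verifies it in constant time before serving the file. The route /invoices/download and the one-week default lifetime are assumptions for the example; the invoice ids below are constructed.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import quote

# Assumed policy for this example: links live one week unless told otherwise.
DEFAULT_TTL_SECONDS = 7 * 24 * 3600


def _b64(raw: bytes) -> str:
    """URL-safe base64 without padding, so the token is clean inside a query string."""
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def _signature(secret: bytes, invoice_id: str, expires: int) -> str:
    # The signature covers both the invoice id and the expiry, so a client can
    # neither swap the id for another invoice nor extend the lifetime.
    msg = f"{invoice_id}.{expires}".encode("utf-8")
    return _b64(hmac.new(secret, msg, hashlib.sha256).digest())


def make_download_token(secret: bytes, invoice_id: str,
                        ttl_seconds: int = DEFAULT_TTL_SECONDS,
                        now: Optional[int] = None) -> str:
    """Token of the form <invoice_id>.<expires_unix>.<signature>."""
    if "." in invoice_id:
        raise ValueError("invoice id must not contain '.' (used as separator)")
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    return f"{invoice_id}.{expires}.{_signature(secret, invoice_id, expires)}"


def verify_download_token(secret: bytes, token: str,
                          now: Optional[int] = None) -> Optional[str]:
    """Return the invoice id if the token is genuine and unexpired, else None.

    The signature is checked before the expiry and with compare_digest, so a
    forged token is rejected without leaking anything through timing.
    """
    try:
        invoice_id, expires_str, sig = token.split(".")
        expires = int(expires_str)
    except ValueError:
        return None
    if not hmac.compare_digest(_signature(secret, invoice_id, expires), sig):
        return None
    now = int(time.time()) if now is None else now
    if now >= expires:
        return None
    return invoice_id


def download_link(base_url: str, token: str) -> str:
    """Build the URL that goes into the email (hypothetical portal route)."""
    return f"{base_url}/invoices/download?token={quote(token, safe='')}"


if __name__ == "__main__":
    secret = b"example-server-secret"  # hypothetical; load from a secret store in practice
    token = make_download_token(secret, "INV-2024-0042", ttl_seconds=3600)
    print(download_link("https://portal.example", token))
    print("valid for:", verify_download_token(secret, token))
```

Once the client follows the link, the portal still decides what to serve from the verified invoice id, never from anything else in the request; if the client already has an account, require a login in addition to the token so a leaked link alone is not enough.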
Sharing invoices with your accountancy firm
Your accountancy firm processes your data: under the GDPR it is usually a processor, or an independent controller where it exercises its own professional judgement (for example when it prepares your tax return). In either case, a written agreement defining responsibilities, security measures and what happens to the data at the end of the engagement is necessary.
Verify that your accountancy firm also respects data protection rules. Favour secure exports from your invoicing software rather than sending unprotected files by email.
How BePaid helps you remain compliant
BePaid integrates compliance standards directly into the platform. Hosting in Switzerland, data encryption at rest and in transit, secure access with strong authentication.
Your exports are controlled and traceable. The data processing agreement (DPA) is available to formalise our GDPR and Swiss FADP compliance commitments.
We never sell your data, don't use it for other purposes, and you retain full control. Compliance is not an option: it's integrated into every feature.
To create your compliant invoices in a few clicks, discover our guide on how to create a compliant invoice in Switzerland.
GDPR compliance in your invoicing process is not just a legal obligation: it's also a matter of trust with your clients. By applying the five fundamental principles (data minimisation, transparency, a clear legal basis and purpose, strong security and respect for rights), you protect both your business and your commercial partners.
Best practices are simple: only collect necessary information, secure your email sending, choose appropriate hosting and document your processes. The checklist presented in this article allows you to quickly verify your compliance and identify areas for improvement.
BePaid natively integrates these data protection requirements: secure hosting in Switzerland, encrypted communications, access rights management and compliance with European standards. You can thus focus on your business whilst your invoicing solution automatically respects the legal framework. Create your free account and invoice compliantly today.