EDPS, Opinion of the European Data Protection Supervisor on the Commission Proposal for a Directive of the European Parliament and the Council on electronic invoicing in public procurement, 11 november 2013.
While the main objective of the Proposal is not the processing of personal data, processing e-invoices under the Proposal may nevertheless require the processing of certain amount of personal data. Therefore, data protection is a relevant consideration for e-invoicing.
4. First, certain elements (data fields) of the e-invoices may contain personal data. The contracting entities can be either legal or natural persons. Where the contracting entities are natural persons, their data will be considered personal data. This will also be the case where the official title of the legal person identifies one or more natural persons.
5. Further, in cases where the contracting entities need to evidence that they have provided certain services (e.g. medical, social or educational services) to a number of defined individuals, the information that they may need to submit to the contracting authority will contain personal data regarding these individuals. This may sometimes also include sensitive data, for example, in the health and social sector the information may include the type of medical/psychological treatment or social services provided, which are linked (or can be linked), to the names of the individuals to whom these treatments/services were provided.
6. Finally, if and when the data contained in the e-invoices will be used for further purposes that ultimately aim linking the data to specific individuals (such as corporate officers, shareholders or employees of a company) - for example, to investigate a specific incident of tax fraud - the initially seemingly innocuous and non-personal data on the invoices will also be considered personal data.
7. In all these cases, personal data will require appropriate protection, and the national rules transposing Directive 95/46/EC become applicable.
Lees verder hier.