General Data Protection Regulation - GDPR

The General Data Protection Regulation comes into force on 25 May, 2018, and will profoundly change the way data from European citizens is collected and used.

The online invoicing software InvoiceXpress complies with the General Data Protection Regulation. This means that when using our program, all your information is safe and in compliance with this new regulation.

What is the GDPR?

It is a Community regulation, approved in 2016, which aims to protect individuals regarding the processing of personal data and the free movement of such data.

This regulation determines how individuals and companies can obtain, use, store and delete personal data. In other words, it aims to prevent the non-consensual use of European Union consumer data.

To whom does it apply?

This new regulation (GDPR) applies to all entities from European Union (EU) countries and to all non-EU entities that collect, store and process personal data from European citizens. In this way, the consistency of rules on citizens' privacy rights across countries is ensured.


Fines will be imposed depending on the seriousness of the breach of the regulation. For less serious violations, fines could amount to €10 million or 2% of worldwide turnover. For the most serious violations, the value rises to €20 million or 4% of worldwide turnover.

Main changes introduced by this regulation:

Of all the main changes to the protection of personal data, the new rights that European citizens now enjoy are the ones that stand out the most:

1 - Right to restriction of processing - the data subject may request that the processing of their data be restricted.

2 - Right to portability - the data subject may request that the controller communicate their data to another entity.

3 - Right to data erasure - the data subject may request that their data be erased.

In short, citizens can and should have the right to transparency about the use of their personal data after it has been collected by companies. Furthermore, they may request that their data be updated.

In addition to these rights, the big news of the GDPR is the way in which consent should be requested in order to use citizens' personal data. This consent should be given through an opt-in or a positive action by the citizen in order to be considered legal under the GDPR.

Practices such as pre-ticked checkboxes and opt-out actions, that is, practices in which clicking on a button automatically accepts the Terms and Conditions and Privacy Policy, are prohibited starting May 25, 2018.

In summary, the new rights imply a profound change in the way users' data is collected, a change to the terms and conditions, and a renewal of the consent requests for contacts collected previously.

Processing and control of citizen data

The GDPR defines two roles regarding the use of European citizens' data.

The roles are:

Controller (Data Controller) - Corresponds to the organization that defines how and for what reason the data is processed, that is, it determines the purposes and means of processing personal data.

Processor (Data Processor) - Organization, software or person that processes personal data on behalf of the controller.

What are the responsibilities of controllers?

According to Article 26 of the GDPR, the Data Controller is responsible for demonstrating compliance with the principles relating to the processing of personal data.

What are the processors' responsibilities?

The Data Processor, according to Article 28 of the GDPR, must provide sufficient guarantees that appropriate technical and organizational measures are implemented, so that the data processing meets the requirements of this regulation and ensures the protection of the rights of the data subject.

InvoiceXpress GDPR compliant

InvoiceXpress, as Data Processor, is responsible for ensuring that data processing is carried out in a transparent and secure way and that it complies with what is stipulated in the GDPR. We can guarantee that both InvoiceXpress and the partners we associate with are GDPR compliant.

We commit to:

  • List all applications and partners used for data processing, as well as their purpose.

  • Update the Terms and Conditions and the Privacy Policy in order to comply with the GDPR.

  • Make available for download a document related to the sub-contracting of the InvoiceXpress service for any user who needs this document.

  • Present the Terms and Conditions and Privacy Policy as an opt-in, along with an optional checkbox for marketing communications, whenever you sign up to try InvoiceXpress for free.

  • Make marketing communications even more transparent and indicate the frequency of sending them, whether they are product news and legal updates from the Tax Authority, or exclusive offers, courses and webinars.

If you have any questions about GDPR and InvoiceXpress, we recommend that you contact our customer support team.