General Data Protection Regulation - GDPR

The General Data Protection Regulation comes into force on May 25, 2018 and will profoundly change the way European citizens’ data is collected and used.

InvoiceXpress online invoicing software complies with the General Data Protection Regulation. This means that when you use our program, all your information is safe and complies with this new regulation.

What is the GDPR?

It is an EU regulation, approved in 2016, which aims to protect individuals with regard to the processing of personal data and the free movement of such data.

This regulation determines how individuals and companies themselves can obtain, use, store and delete personal data. In other words, it aims to prevent the non-consensual use of EU consumer data.

Who does it apply to?

The new regulation (GDPR) applies to all entities in European Union (EU) countries and all non-EU entities that collect, store and process the personal data of European citizens. This ensures that the rules on citizens’ privacy rights are consistent between countries.


Fines will be imposed depending on the seriousness of the violations. For less serious violations, fines could be 10 million euros or 2% of worldwide turnover. In the case of the most serious violations, the figure rises to 20 million euros or 4% of global turnover.

Main changes to this regulation:

Among the main changes to the protection of personal data, the new rights that European citizens now enjoy stand out:

1 – Right to restriction of processing – possibility for the data subject to request that the processing of their data be restricted.

2 – Right to portability – the possibility for the data subject to request that the data controller communicate their data to another entity.

3 – Right to erasure of data – possibility for the data subject to request that their data be erased.

In short, citizens can and should have the right to transparency about the use of their personal data after it has been collected by companies. What’s more, they can request that their data be updated.

In addition to these rights, the great novelty of the GDPR is the way in which consent is sought to use citizens’ personal data. This consent is given through an opt-in or a positive action by the citizen in order to be considered legal under the GDPR.

Practices such as pre-ticked checkboxes and opt-out actions, i.e. practices in which clicking a button automatically accepts the Terms and Conditions and Privacy Policy, are prohibited as of May 25, 2018.

In short, new rights imply a profound change in the way user data is collected, a change in the terms and conditions and a renewal of requests for consent from contacts.

Processing and control of citizens’ data

The GDPR defines two types of roles in relation to the use of European citizens’ data.

The functions are:

  • Data Controller– Corresponds to the organization that defines how and why data is processed, i.e. determines the purposes and means of processing personal data.
  • Data Processor– Organization, software or person that processes personal data on behalf of the controller.
What are the controllers’ responsibilities?

In accordance with Article 26 of the GDPR, the Data Controller is responsible for demonstrating compliance with the principles relating to the processing of personal data.

What are the responsibilities of the processors?

The Data Processor, according to Article 28 of the GDPR, must ensure sufficient guarantees for the implementation of appropriate technical and organizational measures so that the processing meets the requirements of this regulation and ensures the protection of the rights of the data subject.

InvoiceXpress complies with the GDPR

InvoiceXpress, as Data Processor, is responsible for ensuring that data is processed transparently, securely and in compliance with the GDPR. We can guarantee that both InvoiceXpress and the partners with whom we are associated comply with the GDPR.

We are committed to:

  • List all the applications and partners used to process the data, as well as their purpose.
  • Update the Terms and Conditions and Privacy Policy to comply with the GDPR.
  • Make available for download a document relating to the sub-contracting of the InvoiceXpress service for any user who requires such a document.
  • Provide an opt-in to the Terms and Conditions and Privacy Policy, along with an optional checkbox for marketing communications, whenever you sign up to try InvoiceXpress for free.
  • Make marketing communications even more transparent and indicate how often they will be sent, whether they are product news and legal updates from the Tax Authority, or exclusive offers, courses and webinars. Find out more.

If you have any questions about the GDPR and InvoiceXpress, we recommend that you contact our customer support team.