Invoice data are personal data
An invoice seems purely commercial but regularly contains personal data: contacts, e-mail addresses, IBANs, sometimes service descriptions with a personal reference.
Thus the GDPR applies to the processing — even if it is “only” supplier invoices. That is not a special case, that is the normal case.
Processing on behalf: the DPA is mandatory
Whoever uses a cloud solution for invoice intake has a service provider process data on their behalf. For this the GDPR requires a data processing agreement (DPA) under Article 28.
No DPA, no clean cloud use. That is not paperwork for its own sake — it is the legal basis of the entire processing.
Hosting location and access
Where do the data lie, who can access them, under which law? Hosting within the EU or in Germany simplifies a lot because third-country transfers and their extra requirements drop away.
Equally important: access protection and encryption — in transmission and in storage. Who can access the invoice data should be a clearly answerable question, not a guess.
Deleting is also an obligation
The GDPR thinks not only of storing but also of retention limits. That stands in tension with the tax retention obligation: documents must stay for years, other data may not lie forever.
A well-thought-out process separates this: the document subject to retention stays protected for the period, everything else follows the data-protection limits. Playing them off against each other is the error.
What you should concretely watch
A pragmatic checklist:
- Is there a DPA under Art. 28 GDPR?
- Where are the data hosted (EU/Germany)?
- Are transmission and storage encrypted?
- Is access clearly regulated and logged?
- Are tax retention and data-protection deletion cleanly separated?