Obligation of electronic invoicing – Critical issues in relation to the privacy regulations

The provision of 15 November 2018 issued by the Italian Data Protection Authority highlights some problematic aspects of the obligation of electronic invoicing.

As is well known, from 1 January 2019 the electronic invoice is mandatory for all sales of goods and supplies of services, however made, between parties resident or established in Italy (Article 1, paragraph 916, of the Budget Law 2018).

The Authority observes that the obligation of electronic invoicing, as outlined by primary and secondary legislation, presents significant critical issues with regard to compatibility with the legislation on the protection of personal data (Legislative Decree 196/2003, the so-called "Privacy Code", as amended by Legislative Decree 101/2018, and EU Reg. 2016/679, the so-called "GDPR").

As a preliminary point, the Authority notes that the provision of the Director of the Revenue Agency no. 89757 of 30 April 2018 (in violation of the then-applicable art. 154, paragraph 4, of the Code) and provision no. 291241 of 5 November 2018 (in violation of art. 36, § 4, of the Regulation) were adopted without the Authority being consulted.

Furthermore, it is provided that the Agency, after having delivered the invoices as a "postman", will store not only the data necessary to fulfil tax obligations but the entire invoice in XML format, which in itself contains information not necessary for tax purposes (in addition to any attachments inserted by the operator, which are certainly extraneous).

Further problems arise from the decision to make all electronic invoices in XML format available to consumers on the Agency's portal. Such processing entails, in fact, an unjustified increase in the risks to the rights and freedoms of all private citizens, inherent in a massive and computerised processing of data accessible through a web application.

Another problem arises from the failure to encrypt the XML file of the electronic invoice. This is particularly relevant given the expected use of PEC (certified e-mail) for the exchange of invoices, with the consequent possible storage of documents on e-mail management servers, which exposes data subjects to greater risks of unauthorised access to personal data (non-exclusive use of PEC in the business environment, theft of credentials and cyber attacks on servers).

Finally, the mobile app made available by the Agency allows economic operators to activate the saving of certain data, not further specified, in the cloud. On an initial analysis, the additional purposes of storage and control pursued by the Agency with the data collected through this application are not correctly disclosed to users, in violation of Article 13 of the Regulation.

Given the high risks to the freedoms and rights of data subjects, the Authority considers that the processing of personal data carried out in the context of electronic invoicing by the Revenue Agency, as currently outlined, may violate the provisions of Arts. 5, 6, § 3, lett. b), 9, § 2, lett. g), 13, 14, 25 and 32 of the Regulation.

Andersen & Legal professionals are available to provide further information and clarifications on the subject in question.