Verifactu and GDPR
In recent months, there’s been a lot of talk in Spain about Verifactu, a new e-invoicing system that the Spanish Tax Agency (AEAT) is planning to roll out.
If you’re running a business or working as a freelancer in Spain — especially as a foreign resident — it’s normal to feel confused by all the legal updates and tax obligations.
Some of the most common questions are:
- Do I have to send all my invoices directly to the Spanish Tax Agency?
- What invoice data is actually shared?
- If the invoice includes client names or medical treatments, does that breach data protection laws like the GDPR?
These are all valid concerns. The good news? The answers are simpler than they seem. Let’s break it down.
What Exactly Is Verifactu?
Verifactu is a new system designed to ensure that all invoices issued are verifiable and tamper-proof.
In practice, this means that once you issue an invoice, you can’t modify it. Each invoice must include a unique identifier code and a digital fingerprint (hash) to prove its integrity.
Verifactu also gives you the option to send invoices to the Spanish Tax Agency (AEAT) in real time, although — and this is important — sending them is not mandatory.
Do You Have to Send All Invoices to the Spanish Tax Agency (AEAT)?
No, it’s not mandatory.
What is mandatory is using certified invoicing software that complies with the Verifactu standards. But sending the invoices in real time to the AEAT is optional.
That said, if you don’t send your invoices, you must store them securely and unaltered, because the tax authorities can request them at any time.
In reality, many companies and freelancers will likely choose to send them automatically — it reduces stress and simplifies audits.
What Invoice Data Is Actually Shared with the Tax Agency?
This is a key point. Not all invoice details are shared; only essential tax-related data is transmitted:
- Invoice number and series
- Date of issue
- Tax ID (NIF) and basic information of both the sender and the recipient
- Tax base, VAT, and total amount
- Technical codes: hash and unique invoice code
What’s not shared is the product or service description.
For example, if you run a dental clinic and the invoice says “filling” or “orthodontics,” that description does not get sent to the tax authorities. Only the amounts and basic fiscal data are submitted.
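As an added illustration (not the AEAT's specification and not part of the original article), the sketch below shows the two ideas the article relies on: a data-minimised record built only from the fields listed above, and a hash that chains each invoice to the previous one so a stored invoice cannot be altered unnoticed. The field names, the hashing scheme, the sample invoices and the placeholder NIFs are all constructed for this example.

```python
import hashlib
import json

# Fields the article lists as shared with AEAT; the service description is not among them.
SHARED_FIELDS = ("series", "number", "issue_date", "issuer_nif",
                 "recipient_nif", "tax_base", "vat", "total")
GENESIS = "0" * 64  # stand-in "previous hash" for the first invoice of the chain

def shared_record(invoice: dict) -> dict:
    """Data-minimised view of an invoice: only the fiscal fields, never the description."""
    return {k: invoice[k] for k in SHARED_FIELDS}

def fingerprint(record: dict, previous_hash: str) -> str:
    """SHA-256 of the previous hash + canonical JSON of the record (hypothetical scheme)."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((previous_hash + canonical).encode()).hexdigest()

def build_chain(invoices: list) -> list:
    """Turn full invoices into chained records; editing an earlier one breaks all later hashes."""
    chain, prev = [], GENESIS
    for inv in invoices:
        rec = shared_record(inv)            # description is dropped here
        h = fingerprint(rec, prev)          # hash covers fiscal fields + previous hash
        rec.update(previous_hash=prev, hash=h)
        chain.append(rec)
        prev = h
    return chain

def verify_chain(chain: list) -> bool:
    """Recompute every hash from the stored data; False on any edit, deletion or reorder."""
    prev = GENESIS
    for rec in chain:
        if rec["previous_hash"] != prev or rec["hash"] != fingerprint(shared_record(rec), prev):
            return False
        prev = rec["hash"]
    return True

INVOICES = [  # constructed sample (the article's dental clinic); NIFs are placeholders
    {"series": "A", "number": 1, "issue_date": "2025-03-01", "issuer_nif": "B00000000",
     "recipient_nif": "00000000T", "tax_base": "100.00", "vat": "0.00", "total": "100.00",
     "description": "orthodontics"},
    {"series": "A", "number": 2, "issue_date": "2025-03-02", "issuer_nif": "B00000000",
     "recipient_nif": "00000000T", "tax_base": "60.00", "vat": "0.00", "total": "60.00",
     "description": "filling"},
]

def tamper_is_detected() -> bool:
    chain = build_chain(INVOICES)
    chain[0]["total"] = "10.00"  # alter a stored amount after issue
    return not verify_chain(chain)
```

Running `build_chain(INVOICES)` yields records without any "description" key, `verify_chain` accepts them, and `tamper_is_detected()` shows that changing one stored amount invalidates the chain.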
What About GDPR Compliance?
A common concern is whether sending invoices to the AEAT complies with the General Data Protection Regulation (GDPR).
The answer is yes. The legal basis for sharing this data is the fulfilment of a legal obligation (Article 6.1.c of the GDPR). You do not need your client’s consent to send invoice data to the tax agency.
Still, you should follow some important data protection principles:
- Data minimisation: Only include the information necessary for the invoice.
- Security: Use certified invoicing software that ensures encryption and data integrity.
- Transparency: Update your privacy policy to inform clients that their billing data may be sent to the Spanish tax authorities.
What If the Invoice Includes Sensitive Information (e.g., Health Data)?
In general, invoices shouldn’t include sensitive personal data, like health conditions, religious beliefs, or political views.
However, in some sectors — such as medical, dental, or psychological services — the service description could reveal health information indirectly.
Here’s the good news: that part of the invoice is not sent to the tax agency. It stays only in the copy you give to the client.
Still, it’s best to be cautious. Avoid putting too much detail in the service description. Terms like “consultation,” “treatment,” or an internal code are usually enough to justify the expense.
What Happens If You Don’t Comply with Verifactu?
Non-compliance can lead to serious penalties:
- Using non-certified invoicing software could result in fines of up to €150,000.
- Altering invoices or preventing traceability can also lead to heavy sanctions.
- If you breach data protection rules (e.g., sharing more data than necessary or failing to secure your files), the Spanish Data Protection Authority (AEPD) can also fine you.
How Will Verifactu Affect Your Business Operations in Spain?
The main impact is that you’ll need to adapt your invoicing processes. That includes:
- Updating or changing your invoicing software to a certified provider
- Training your administrative or accounting team
- Deciding whether to send invoices automatically to the tax agency or store them securely yourself
- Reviewing and updating your privacy policy to inform clients about data sharing
For small businesses or freelancers, it might seem like a hassle at first. But in the long run, it helps keep everything more secure, organized, and legally compliant.
Conclusion: Key Takeaways for Foreign Entrepreneurs in Spain
- With Verifactu, you don’t have to send every invoice to the Spanish Tax Agency, but you must issue invoices that are verifiable and tamper-proof.
- If you choose to send them, only basic invoice data is shared — not product or service details.
- This process is fully GDPR-compliant, as it’s based on a legal obligation. Still, follow the principles of minimisation, security, and transparency.
- Clinics and medical professionals can still include treatments on invoices, as this data is not shared with AEAT.
- Ultimately, Verifactu is a step forward in Spain’s digital tax system. It requires some adaptation, but brings more security, transparency, and peace of mind — especially when it comes to audits and compliance.
Author: Mariona Heredia, Lawyer.
If you need more information, contact us!