KSeF and Personal Data Protection

by ecommerce legal on Mar 16, 2026

The National e-Invoicing System (KSeF) is changing the invoicing model in business transactions: structured invoices are issued and received in the ICT system, and for companies, it requires not only the adaptation of accounting tools but also the organization of access, authorizations, and personal data security. The solution is being implemented in stages: from February 1, 2026, the obligation applies to large entities (sales in 2024 exceeding PLN 200 million gross), and from April 1, 2026, to other, smaller entities, with additional transitional periods.

The basis for the introduction of obligatory KSeF is, among others, the derogation decision of the EU Council, which allowed Poland to depart from the principle of voluntary electronic invoices (derogation from Articles 218 and 232 of the VAT Directive).

1. Schedule and scope of the obligation

From a compliance and data protection perspective, it is worth separating two issues immediately: issuing and receiving invoices. While the obligation to issue is phased, receiving invoices in KSeF is mandatory from February 1, 2026, which means that entities that are still using transitional periods themselves must organizationally prepare for receiving documents in the system.

Transitional solutions have been provided for the smallest entrepreneurs: until the end of 2026, some taxpayers may issue invoices outside KSeF if, in a given month, they fall within the limit of documented sales value, and those "digitally excluded" (simplified: very small transactions - up to PLN 450 for a single invoice and up to PLN 10,000 per month) are only obliged to join from January 1, 2027.

At the same time, the Ministry of Finance, already at the implementation stage, communicated a package of "mitigating" solutions for the transition, e.g., a periodic educational approach or postponing some elements. This is an important context but does not change the essence: companies must build processes for access, authorizations, and accountability of user actions in KSeF.

2. Who is the data controller in KSeF, and who "only" uses the system?

KSeF involves several process participants, and this distinction has a direct impact on personal data protection issues.

System administrator: The Head of the National Revenue Administration manages KSeF and is the data controller in the system for KSeF's functioning, including access, storage, and authorizations.

Who is the controller on the business side? The taxpayer who enters data into KSeF and receives invoices generally remains the controller of personal data processed within their own activities, such as data of contractors, contact persons, and data of personnel servicing the process. In practice, it is the taxpayer who must ensure that data access is restricted and that persons acting on behalf of the company are properly empowered and authorized.

What about processors? If a taxpayer uses an accounting office, an external financial and accounting system provider, an integrator, or another operational partner, such an entity will often act as a processor, performing activities on behalf of the taxpayer. This primarily involves issuing invoices, handling invoice reception, and supporting authorization administration. This triggers obligations under Articles 28 and 32 of the GDPR, and thus requires a data processing agreement and adequate security measures.

3. KSeF is not just an invoice – it also includes user and access data

When implementing KSeF, it is easy to focus solely on the data directly on the invoices. Meanwhile, a critical area of GDPR also concerns access management: who can grant authorizations, who can issue invoices, who has access to documents, and how user identity is confirmed.

The Regulation of December 12, 2025, on the use of KSeF specifies, among other things, the types of authorizations, the modes of granting and revoking them, and the data required in notifications. In the authorization granting procedures, identification data of natural persons appear (e.g., NIP or PESEL, and if absent – date of birth, as well as identity document data), as well as an e-mail address (mandatory) and phone number (optional) in the context of contact data.

This means that KSeF generates, in addition to the classic invoice flow, an additional stream of data about personnel and collaborators who are designated to operate the system. From a GDPR perspective, the critical question is not "do we process," because we process due to a legal obligation, but whether we do it in a controlled, minimal, and accountable manner.

4. Is it necessary to amend the data processing agreement with the accounting office?

In practice, a review of the agreement is most often necessary, and often an amendment as well – especially when the scope of services of the accounting office includes activities in KSeF (issuing invoices, reception, authorization handling, integration support).

When verifying the data processing agreement, it is worth checking whether it explicitly covers:

  • access to KSeF and the manner in which authorized persons operate accounts within their entrusted function,

  • the process of granting and revoking authorizations and responsibility for access management (including the obligation to maintain a record of persons with access),

  • rules for using authorization channels and contact data,

  • retention periods and whether the company stores invoices only in KSeF or also locally,

  • sub-processing (e.g., when the office uses IT subcontractors).

Therefore, if your company has its own rules for assigning authorizations, it is worth ensuring that the agreement with the external provider imposes identical requirements on them. This will allow your internal procedures to be genuinely observed by the partner, which will enable you to easily demonstrate (in accordance with the accountability principle) that you fully control data security.

5. Is it necessary to re-verify the processor?

Yes, regardless of whether the data processing agreement is amended. The GDPR requires that the controller select processors that provide adequate security measures, and this assessment is continuous, especially when the scope of processing or the risks change. KSeF changes them: new authorizations, new authentication channels, and a new document flow model are introduced. In practice, this means updating technical measures, access policy, training, incident response, and control over user accounts.

6. Obligations of the taxpayer as a personal data controller

The implementation of KSeF in terms of data protection usually requires organizing five areas:

  1. information obligation: towards employees and collaborators servicing KSeF and – depending on the model – supplementing clauses towards contractors with the context of KSeF and data recipients (including in terms of authorities' access within their powers);

  2. authorizations and permissions: organizing the issue of authorization for data processing and permissions in KSeF. The Regulation clearly shows that KSeF is a system where roles and permissions are strictly defined, and access errors mean not only tax risks but also confidentiality breaches;

  3. record of processing activities (Article 30 GDPR): the need to update new activities, such as managing access to KSeF, handling invoice issuance/reception in the system, archiving, or monitoring activities in the system;

  4. risk analysis (Article 32 GDPR) and potentially DPIA (Article 35 GDPR): especially in terms of managing authorizations, integrating financial and accounting systems with KSeF, minimizing data in the content of invoices, and secure use of tools;

  5. retention and archiving: invoices sent to KSeF are to be stored in the system for 10 years (counting from the end of the year in which they were issued), which requires a decision on whether and to what extent the company additionally stores them locally.

7. The role of the DPO – support that genuinely reduces risks

In KSeF projects, the Data Protection Officer should be involved from the very beginning of organizing personal data processing duties: role division, information clauses, access procedures, risk analysis, and updating the record of activities. Additionally, in organizations using accounting offices, integrators, or service units, the DPO can make accountability real by ensuring clarity on who grants authorizations, who revokes them, and who is responsible for access control.

Although KSeF is a technological and tax project, its implementation has a very specific dimension affecting GDPR: personal data appears not only on invoices but also in the entire layer of authorizations, authentication, and system operation. The starting point should be risk analysis and organization of access, and then updating GDPR documentation. In practice, these elements may determine in the near future whether KSeF becomes an improvement or a source of incidents and chaos.

Article prepared by Alicja Christensen, lawyer at ecommerce.legal
