What is Schrems II in plain English?

It is the legal and practical problem that EU personal data sent to the US needs much closer scrutiny because the old Privacy Shield framework was invalidated.

Why does this matter for invoice software?

Invoices contain real business and sometimes personal data. If a tool processes them outside the EU, firms need a clear legal and operational basis for that transfer.

Is saying 'we are GDPR compliant' enough?

No. You need to ask where data is processed, who can access it, how long originals are kept, and whether subprocessors or model providers create cross-border transfer issues.

How does ZeroPaste address this?

ZeroPaste processes invoices on EU servers, deletes original files within 24 hours, and does not use customer documents to train AI models.

Zurück zum Blog

Compliance2026-05-225 min read

Schrems II and invoice processing: what European bookkeepers need to know

A plain-English guide to Schrems II for bookkeeping firms evaluating invoice-processing software, including what questions to ask vendors and why EU-hosted architecture matters.

ComplianceSchrems IIGDPREurope

Schrems II gets mentioned a lot in European software conversations and explained clearly far less often. For most bookkeepers, the practical question is not “what was the exact legal history?” The practical question is much simpler: if I use software to handle client invoice documents, where does that data go, and how much risk or explanation does that create for my firm?

That is the right question, because invoice processing is not abstract data handling. It involves real client documents, supplier names, amounts, dates, references, and sometimes personal data. A bookkeeping firm should not have to become a privacy law chamber to ask sensible questions about that workflow.

What Schrems II means in plain English

Schrems II is the shorthand for the 2020 court decision that invalidated the EU-US Privacy Shield framework. The operational effect was straightforward: sending EU personal data to the US became something firms needed to scrutinise much more carefully.

That does not mean every US-linked tool became automatically unlawful overnight. It does mean “the vendor says they are compliant” stopped being enough. Firms increasingly need to understand the transfer story, the hosting story, and the subprocessor story.

For bookkeeping practices, that matters because financial documents are sensitive and often client-owned. Even when an invoice is business-to-business, the compliance question is still real. Where is it processed? How long is it kept? Who else touches it?

Why invoice processing is exactly the kind of workflow this affects

Many software categories can hide the issue because the data feels indirect. Invoice processing is the opposite. The workflow begins with the source document itself. If the software uploads the original PDF, stores it for long periods, or passes the content through multiple providers in different jurisdictions, the compliance explanation becomes more demanding.

That is not automatically disqualifying. But it does raise the bar. A European practice should be able to describe the architecture in terms a client can understand. If the explanation starts turning into “it depends which processor, which region, and which exception path,” that is usually a sign the workflow is harder to defend than it needs to be.

What “EU servers” should mean in practice

This is where marketing language can get slippery. “EU servers” should not just mean the website has European customers. It should mean the document-processing path itself is running on EU infrastructure. Ideally it should also come with short retention for the originals and a clear statement about whether customer documents are used to train models.

In other words, you are not looking for a slogan. You are looking for architectural discipline.

For a bookkeeping firm, that discipline reduces two costs at once. It reduces the compliance risk itself, and it reduces the explanation burden when a client asks where their files go. Those are not the same thing, but they often travel together.

The vendor questions worth asking

If I were evaluating any invoice tool for a European bookkeeping workflow, I would ask these questions directly:

Where are source documents processed?
Where are source documents stored?
How long are original files retained by default?
Are customer documents used to train models?
Which subprocessors or model providers touch the content?
Is the product still usable in a strictly EU-hosted configuration?

That list will tell you more than a polished trust page.

It is also worth asking whether the tool can operate in a narrow, extraction-first way. If the workflow only needs invoice extraction and review, a broader platform with more storage, more retention, and more processors may create complexity you did not need in the first place. The security page gives the ZeroPaste version of that story in more detail.

How ZeroPaste is designed around the issue

ZeroPaste is deliberately narrow: invoice extraction and delivery, not an all-purpose accounting platform. That narrowness is helpful from a compliance perspective because it lets the architecture stay simple.

Processing happens on EU servers. Original files are deleted within 24 hours or immediately on request. Customer documents are not used to train AI models. The review-first workflow also means the tool is not trying to bypass human control. It extracts the fields, shows you the result, and lets you decide what moves forward.

That does not remove your own obligations. No vendor can do that. But it makes the architecture easier to understand and easier to justify than a more sprawling toolchain.

The honest conclusion

Schrems II is not a reason to panic. It is a reason to be specific. If your bookkeeping workflow handles client invoice documents, you should know what happens to those files and whether the answer still makes sense when a privacy-conscious client asks for it in plain English.

In my view, the best compliance stories are the ones that do not need excessive explanation. Short retention. EU processing. Clear boundaries. That does not solve every legal question, but it is a much better starting point than hoping a generic compliance badge will carry the whole conversation.

FAQ

Does Schrems II apply even if the data is “only invoices”?

It can, because invoices still contain real commercial and sometimes personal data. The category is not automatically exempt just because it is operational.

What if the vendor says they use standard contractual clauses?

That may be part of the answer, but it should not be the whole answer. You still need to understand the practical processing path.

Is EU hosting the only thing that matters?

No. Retention, subprocessors, model usage, and access controls matter as well. But EU hosting is a strong starting point.

What is the quickest next step for a firm reviewing tools?

Use the checklist above, compare it against the vendor’s real architecture, and then test the workflow on a small live batch rather than a synthetic demo.

Try ZeroPaste free — 5 invoices, no card required → https://zeropaste.io/sign-up

Weiterführende Beiträge:

Möchten Sie diesen Workflow mit echten Rechnungen testen?

Neue Nutzer erhalten bei ZeroPaste 5 kostenlose Dokumente ohne Kreditkarte, damit Sie die Extraktion mit den PDF-Rechnungen Ihrer Mandanten direkt testen können.

ZeroPaste kostenlos testen — keine Karte nötig