Personal data is often a useful tool in investigations by tax authorities. Companies are therefore regularly requested to provide personal data, such as data of customers, suppliers, contact persons or employees. In a judgment dated 24 February 2022 (C-175/20), the Court of Justice (“CJEU”) made it clear that companies that provide data to tax authorities without further investigation risk violating their own obligations under the General Data Protection Regulation (GDPR).
This case concerned a request by the Latvian tax authority to a provider of internet advertising services to provide information concerning advertisements relating to the sale of vehicles on its website. The request concerned personal data linked to the vehicles advertised and their vendors. Personal data are any data that identify an individual or make him or her identifiable. The tax authority asked the company to provide it with access to the data for an unlimited period of time, or – if this was not possible – to send the data on a monthly basis. The request was also unlimited in scope with regard to the amount of information, personal data or data subjects requested by the tax authority. The provider of internet advertising services was of the opinion that the tax authority’s request did not comply with the GDPR, more specifically the principles of proportionality and data minimisation, and the case eventually ended up before the CJEU.
Decision of the Court of Justice
Scope of application: A request for information from a tax authority to a company falls within the ambit of the GDPR. The tax authority and the company receiving the request are both data controllers and must both comply with the GDPR, including the general principles on the processing of personal data (Article 5 GDPR).
No derogation without law: A tax authority may not derogate from the principles on the processing of personal data (Article 5 GDPR), such as the principle of data minimisation, unless such derogation is clearly, precisely and foreseeably provided for in national law. Indeed, exceptions to the right to data protection must always have an explicit legal basis in national law (Article 23 GDPR), without necessarily being in an act of parliament.
Conditions for a valid request: The question of whether a tax authority can oblige a company to provide a large amount of personal data for an indefinite period of time, as in the case at hand, is a question that rests with the national court. In its decision, the CJEU sets out the guidelines for a valid request for information:
- In its request, the tax authority must always inform the company of the purposes of the processing it intends to carry out. The collection of tax and the fight against tax fraud are considered as tasks carried out in the public interest within the meaning of Article 6(1)(e) GDPR. If the transfer of personal data cannot directly be based on a legislative provision (meaning a clear and precise provision stipulating an automatic and compulsory transfer of certain personal data; one can think of Article 321 of the Belgian Tax Code of 1992 (“BTC”) concerning the operators of digital collaborative platforms), but results from a request by the tax authority (based on a more general provision, such as, for example, Articles 316 or 322 BTC), the request must specify the specific purposes for collecting data in view of the task carried out in the public interest. In this way, the company is able to verify that the transfer of the personal data is lawful, and national courts can review the lawfulness of the transfer and the use of the data. Experience has shown us that the Belgian tax authorities often fall short in this respect when sending requests for information to third parties.
- Furthermore, the personal data requested by the tax authority must always be adequate, relevant and limited to what is necessary (principle of data minimisation – Article 5(1)(c) GDPR). Consequently, the tax authority is not allowed to request personal data in a general and indiscriminate manner if such data are not necessary for the purposes for which they will be processed. The CJEU stated that it is up to the referring court to verify whether all data that the tax authority intends to collect are necessary to achieve the purpose of the processing.
- In that regard, the CJEU again emphasised that it is up to the data controller to demonstrate compliance with the principles of the GDPR (accountability obligation – Article 5(2) GDPR). The tax authority must be able to demonstrate that both (i) the amount of personal data, and (ii) the period of time to which the collection of personal data relates are limited as much as possible to what is strictly necessary to achieve the intended public interest purpose.
According to the CJEU, the burden of proof of compliance with these principles rests on the data controller (in this case, the tax authority sending the request to the company).
The judgment of the CJEU demonstrates that it is of paramount importance for companies to critically examine requests for information from (tax) authorities and not to accede to such requests without conducting their own investigation. The judgment stipulates, in particular, that the recipient of the request for information has a duty to investigate the validity of the request and ascertain whether the recipient is indeed in a (legal) position to comply with the request. Any transfer of personal data in response to a request from a (tax) authority constitutes the processing of personal data. Responding to an unlawful request could therefore result in the liability of the company.
Your company should thus always consider whether responding to a request from a tax authority, by providing personal data, can be performed in compliance with the GDPR.
We would be delighted to provide you with our expertise in this area and to assist you with this analysis.