In its latest newsletter, the European Data Protection Supervisor (EDPS) points out that data privacy principles apply to tax compliance. The newsletter says the following:
Tax compliance and data privacy
Recognising the importance of tax compliance as a matter of public interest, the EDPS emphasises the need to strike a balance between protecting individuals’ personal information and enforcing an effective proposal to tackle tax evasion. To this end, the principles of data protection by design and by default, data minimisation and data accuracy in the context of automatic exchanges of information between national tax authorities should apply.
To manage the ‘secure central interface’ which allows administrative cooperation on taxation, the EDPS refers the Commission to the Guidelines on the protection of personal data in IT governance and management of EU institutions to ensure security of processing in compliance with Regulation (EU) 2018/1725. Technical and logistical support ought to be provided in collaboration with EU Member States via defined administrative arrangements under Directive 2011/16/EU.
As a supervisory authority, the EDPS may follow up on possible updates concerning the ‘secure central interface’ and, more broadly, the implications stemming from the Commission’s role within processing operations in the context of administrative cooperation on taxation.
On page 3 of the opinion, the EDPS’s recommendations are summarized as follows:
With this Opinion, issued pursuant to Article 42(1) of Regulation (EU) 2018/1725, the EDPS puts forward recommendations aiming at minimizing the impact of a Commission’s legislative proposal amending Directive 2011/16/EU on administrative cooperation in the field of taxation on the fundamental right to privacy and to the protection of personal data of individuals. These recommendations are intended to ensure compliance with the applicable data protection legal framework, while avoiding jeopardizing the efficacy and efficiency of the administrative action on the fight against tax evasion.
Whereas the EDPS acknowledges that tax compliance is an important objective of public interest, he insists that the right balance should be struck between the attainment of such goal and the right to privacy and personal data protection. In this regard, he calls for particular attention to the implementation of the principles of data protection by design and by default, data minimisation and data accuracy in the context of automatic exchanges of information between national tax authorities.
Concerning the management of the secure central interface on administrative cooperation in the field of taxation, the EDPS stresses the need for the Commission to ensure compliance with the provisions on security of processing under Regulation (EU) 2018/1725, in particular following the EDPS “Guidelines on the protection of personal data in IT governance and management of EU institutions”. Moreover, the EDPS considers that the role of the Commission with regard to the management of the secure central interface pursuant to Regulation (EU) 2018/1725, needs to be further ascertained in particular in the light of any further arrangement with Member States and the factual circumstances of the technical and logistical support provided within the system.
The EDPS also stresses that, pursuant to Article 42(1) of Regulation (EU) 2018/1725, it expects to be consulted before its adoption by the Commission, on the implementing acts that will define the administrative arrangements to provide technical and logistical support for the secure central interface where Member States communicate with the use of standard forms pursuant to Directive 2011/16/EU.
Finally, he recalls that in its capacity as competent supervisory authority under Regulation (EU) 2018/1725, the EDPS may follow up on possible updates concerning the secure central interface and, more broadly, the implications stemming from the Commission role within the processing operations in the context of the administrative cooperation on taxation.
Another item in the newsletter is about data protection and customs declarations:
Data protection & customs declarations
On 31 August 2020, the EDPS issued Formal Comments on the Implementing Regulation, which harmonises customs declarations and notification requirements in the Union Customs Code (UCC), in order to simplify the procedure for the movement of goods in and outside the EU.
The EDPS welcomes the approach to unify and update the formats and codes of the data requirements for declarations, notifications and proof of the customs status of Union goods to customs authorities, as this would enhance the data quality and efficiency of the overall process.
The EDPS notes that the exchange and storage of information between customs authorities as well as between customs authorities and economic operators mainly involve information concerning legal persons. In this context, the EDPS reiterates the judgement of the Court of Justice of the European Union in Joint Cases C-92/09, Volker und Markus Schecke GbR v. Land Hessen, and C-93/09, Eifert v. Land Hessen and Bundesanstalt für Landwirtschaft und Ernährung, in which the Court ruled that the name of a legal person should be considered as personal data if the official title of the legal person identifies one or more natural persons. Consequently, it cannot be excluded that the common data requirements would also concern the processing of personal data within the scope of the GDPR.
Furthermore, the EDPS notes that the draft Delegated Regulation entails the processing of limited categories of personal data for the performance of the customs declaration obligations pursuant to the UCC.
In the light of the above, the EDPS concludes that the draft Delegated Regulation does not raise data protection issues that would merit specific recommendations.
Customs cooperation with Canada is also mentioned.