What is this about?
The tax authority can request information from a taxpayer or a third party. In many instances, the tax authority can seek personal data as well. For example, it does this when it investigates into the equity that multinationals (typically) grant to certain employees. Usually, the tax authority first sends the company a “request for information to third parties.” For this, it requests an overview of all staff members who received bonuses, stock options, RSUs, … .
Data from which a natural person can be identified are indeed considered “personal data.” The processing of personal data is subject to the provisions of the GDPR (or the General Data Protection Regulation), among other provisions. Companies cannot simply process the data and pass them to the tax authority; they must strictly fulfill their data protection obligations.
Any breach of these obligations can lead to major fines or other sanctions.
Court of Justice
The issue of requesting personal data as part of a tax investigation came up recently in a case that was submitted to the Court of Justice for preliminary ruling (CJEU 24 February 2022, C-175/20).
The discussion concerned a Latvian case in which the Latvian tax authority requested an internet advertising company to provide information on vehicles that were sold through the website (chassis numbers, model, price) and the sellers’ telephone numbers. Access to this information would have to be granted without any time restriction.
The taxpayer opposed this, after which the case was eventually brought before the Court of Justice (CJEU). The CJEU had to rule on the question whether the tax authority’s request complied with the obligations under the GDPR.
The CJEU first confirmed that a tax authority’s request to share personal data certainly falls within the GDPR’s scope of application. The collecting, storing, and sharing of the requested data entails the taxpayer’s “processing” of the data each time.
The CJEU then set out several criteria to determine whether the processing complied with the principles of the GDPR:
- The purposes of the processing must be known at the latest when the personal data are being collected. In this respect, the CJEU said that if the providing of personal data is not based on a statutory provision but merely because of a tax authority’s request (such as a request for information), then this request must describe the specific purposes of the data collection;
- The personal data that are being sought by the tax authority must be adequate and relevant and remain limited to only what is necessary for the purposes for which they are processed. Therefore, the tax authority must not simply request all kinds of personal data. It must be able to demonstrate that it tried to restrict the volume of personal data as much as possible;
- The taxpayer must ascertain that the request to send personal data to someone else is lawful. But the burden of proving this rests with the data controller, which is the tax authority.
If the taxpayer’s statutory obligations prevent it from providing the requested personal data to the tax authority, then its refusal on these grounds cannot in theory be sanctioned.
This can be seen in recent case-law.
For example, the Brussels Court of First Instance recently annulled an administrative fine that the BBI imposed on a telecom provider that refused to provide certain personal data (Brussels Court, 17 June 2022, 2020/3775/A). Also, the Antwerp Court of First Instance, Antwerp Division, had already confirmed this in respect of a payment service provider (Antwerp Court, 2 February 2018, 17/1638/A).
Nevertheless, you should be cautious when dealing with such requests and in determining your position.
If companies face the situation in which a tax authority requests that they share personal data, it is important to check whether the request complies with the obligations under the GDPR. The purposes of the data processing must be clear. Furthermore, the personal data that are being requested must be limited to those that are necessary and relevant.
Data that have been shared without having been checked if it concerns a valid or lawful processing can put the company at risk of being held liable for breach of data protection laws.
Do you have questions or are you faced with a tax investigation at this time? Feel free to contact Luk Cassimon (email@example.com, 0472/467.847), Wylma Gashi (firstname.lastname@example.org, 0487/954.038), or your usual contact person at Monard Law.