BFH - IX R 35/21
From GDPRhub
| BFH - IX R 35/21 | |
|---|---|
 | |
| Court: | BFH (Germany) |
| Jurisdiction: | Germany |
| Relevant Law: | Article 12(5) GDPR Article 12(5)(a) GDPR Article 12(5)(b) GDPR Article 15(1) GDPR Article 15(3) GDPR |
| Decided: | 12.03.2024 |
| Published: | |
| Parties: | Finanzamt |
| National Case Number/Name: | IX R 35/21 |
| European Case Law Identifier: | ECLI:DE:BFH:2024:U.120324.IXR35.21.0 |
| Appeal from: | FG Berlin-Brandenburg (Germany) 16 K 5148/20 |
| Appeal to: | Not appealed |
| Original Language(s): | German |
| Original Source: | Bundesfinanzhof (in German) |
| Initial Contributor: | fb |
A court ruled that also the tax authority is obliged to act on an access request. However, the data subject has the right to obtain a copy not only of their personal data, but also of the document where the data is contained only if this is essential to exercise their GDPR rights.
English Summary
Facts
The data subject had a dispute with the German tax authority (Finanzamt – FA), which was solved by a previous judgement. After that, on 14 October 2020, the data subject filed an access request with the controller. On 21 October 2020, the controller rejected the request, arguing that he did not have the right to access under Article 15 GDPR as the legal proceeding with the FA was already terminated. Moreover, the controller argued that the request was excessive under Article 12(5) GDPR.
The data subject started legal proceedings against the controller before the Berlin-Brandenburg Fiscal Court (Finanzgericht Berlin-Brandenburg – FG Berlin-Brandenburg). The data subject claimed he had not only the right to obtain a copy of his personal data, but also to have a copy of the documents or an extract of the database where his personal data was contained.
The court did not uphold the data subject’s requests. The court argued that the data subject did not have such a right and held that the data subject’s request was excessive as per Article 12(5) GDPR.
Therefore, the data subject decided to bring an appeal before the Federal Fiscal Court (Bundesfinanzhof – BFH).
Holding
First of all, the BFH noted that the right to access under Article 15 GDPR is conferred to data subjects independently from any other legal proceeding. It stated that the purpose of this article is to ensure that the data subject is aware of the processing of their personal data and can verify the lawfulness of the processing.
Secondly, the BFH dismissed the data subject’s argument and believed he has not a general right to obtain a copy of extracts from documents where personal data is contained. According to the court, the data subject can normally verify the accuracy of the personal data and the lawfulness of its processing just by being informed on which personal data is being processed and the purpose of this processing. The court argued that it is up to the data subject to prove that the communication of the personal data is not sufficient to exercise his rights under the GDPR. It noted that, if normally the data subject does not need to provide a motivation for their access request, in such a case it is up to him to specify which GDPR rights he intend to exercise and to explain why the provision of copies of files containing personal data is essential for this purpose.
Thirdly, the court set aside the statement of the FG Berlin-Brandenburg about Article 12(5) GDPR. In this case, the court found that the data subject’s request is neither manifestly unfounded nor excessive as per Article 12(5)(a) or (b) GDPR.
The BFH found that the case was not ready for decision and, therefore, referred it back to the FG Berlin-Brandenburg. The latter should assess if the provision of the documents to the data subject is essential for the effective exercise of his GDPR rights, taking into account the case law of the CJEU in cases C-307/22 (FT (Copies du dossier médical)) and C-487/21 (Österreichische Datenschutzbehörde).
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Judgment of March 12, 2024, IX R 35/21
Application of the GDPR in the area of tax administration; requirements and scope of the right to information under Art. 15 GDPR
ECLI:DE:BFH:2024:U.120324.IXR35.21.0
BFH IX. Senate
EUV 2016/679 Art 15 Para 1, EUV 2016/679 Art 15 Para 3 Sentence 1, EUV 2016/679 Art 12 Para 5 Sentence 2, EUV 2016/679 Art 2 Para 2 Letter a, TFEU Art 267 Para 3, AO § 32i, FGO § 40 Para 1 Alt 2, FGO § 40 Para 1 Alt 3
previously Finance Court Berlin-Brandenburg, October 27, 2021, Ref. No. 16 K 5148/20
Principles
1. The processing of personal data by the tax authorities falls within the scope of the General Data Protection Regulation (GDPR). Differentiation according to the type of file management, the type of documents or the form of processing is not important.
2. Article 2(2)(a) GDPR does not limit the application of the General Data Protection Regulation to the area of harmonized taxes.
3. Article 15(3) sentence 1 GDPR does not grant an independent right to the provision of documents containing personal data by the controller compared to Article 15(1) GDPR.
4. Only if a copy of documents is essential to enable the data subject to effectively exercise the rights conferred on him by the General Data Protection Regulation, there is a right under Article 15(3) sentence 1 GDPR to be provided with a copy of extracts from documents or even of entire documents or extracts from databases that contain, among other things, this data.
5. An exclusion of the right to information under Article 12(5) sentence 2 GDPR only comes into consideration if the controller invokes this and demonstrates that the request is manifestly unfounded or excessive.
Tenor
Following the plaintiff's appeal, the judgment of the Berlin-Brandenburg Finance Court of October 27, 2021 - 16 K 5148/20 is overturned.
The case is referred back to the Berlin-Brandenburg Finance Court for further hearing and decision.
The decision on the costs of the proceedings is transferred to the court.
Facts
I.
The issue is to what extent Article 15 (3) of the General Data Protection Regulation (GDPR) gives rise to a claim to the provision of (electronic) copies of tax files containing personal data.
By email dated October 14, 2020, the plaintiff and appellant (plaintiff) requested, in connection with the legal proceedings brought before the Berlin-Brandenburg Finance Court (FG) under the file number 5 K 5093/20 - which have since been legally concluded - regarding the determination of the trade tax assessment amounts for 2013 to 2015, against the defendant and respondent in the appeal (tax office - tax office - tax office), citing Art. 15 (3) GDPR, the electronic provision of the following administrative processes: administrative files, audit files, legal remedy files, any reference files, alternatively the provision of copies of personal data that are the subject of the processing of the trade tax assessment notices for 2013 to 2015. The tax office rejected this request by letter dated October 21, 2020. The action brought against this was unsuccessful for the reasons printed in the decisions of the tax courts 2022, 586.
The plaintiff appeals against this, in which he complains in particular of the violation of substantive law. Art. 15 (3) GDPR gives rise to an independent right to the provision of copies of the administrative files of the tax office, insofar as they contain personal data, compared to the right to information under Art. 15 (1) GDPR. The request for the provision of the copies is also not excessive. Because the application is made electronically, the copies must be sent in a common electronic format.
The plaintiff requests that
the judgment of the Berlin-Brandenburg Finance Court of October 27, 2021 - 16 K 5148/20 be overturned and that the tax office be ordered to provide electronic copies of the administrative procedures relating to the trade tax assessment amounts from 2013 to 2015 (administrative files, audit files, legal remedy files and any reference files, all including all conversation notes and telephone notes relating to the plaintiff), alternatively as a free physical copy.
The tax office requests that
the appeal be dismissed.
As a result of the termination of the proceedings relating to the determination of the trade tax assessment amounts from 2013 to 2015, the need for legal protection with regard to the receipt of the requested information has ceased to exist. The request for information is also contradicted by the fact that fulfilling it would involve disproportionate effort. In any case, instead of providing copies, access to the files could be granted in order to fulfill the request for information.
The tax office offered the plaintiff the electronic transmission of a list with his personal data. The plaintiff did not accept this offer.
Reasons for the decision
II.
The appeal is admissible.
Contrary to what the tax office believes, the need for legal protection for the plaintiff's request for information under Art. 15 GDPR has not been eliminated due to the termination of the legal proceedings under the reference number 5 K 5093/20 concerning the determination of the trade tax assessment amounts for 2013 to 2015. The right to information under Art. 15 GDPR is independent and not dependent on any other administrative or legal remedy procedure. According to Recital 63 Sentence 1 GDPR, the purpose of the right to information is to ensure that the data subject is aware of the processing of his or her personal data and can check the legality of the processing of his or her personal data.
III.
The appeal is justified. It leads to the annulment of the preliminary decision and the referral of the matter back for further hearing and decision (Section 126 Paragraph 3 Sentence 1 No. 2 of the Fiscal Court Code - FGO -).
The Fiscal Court was right to affirm the admissibility of the action (see 1.). In addition, the Fiscal Court agrees that the General Data Protection Regulation also applies to direct taxes (see 2.). However, the Fiscal Court applied Article 15 Paragraph 3 GDPR (see 3.) and Article 12 Paragraph 5 Sentence 2 and Sentence 3 GDPR (see 4.) incorrectly. Due to the aforementioned legal errors, the judgment must be annulled. The contested decision does not prove to be lawful for other reasons either (see 5.). The matter is not ready for judgment because the Fiscal Court did not make all the findings required for a final examination (see 6.).
1. The action is admissible. Whether the action for the provision of copies of personal data pursuant to Art. 15 Para. 3 GDPR is admissible as an action for an order pursuant to Section 40 Para. 1 Variant 2 FGO, as a general action for performance pursuant to Section 40 Para. 1 Variant 3 FGO or as a general action for performance combined with an action for annulment or an action for an order against the rejection of the request by the tax office can be left aside in the present proceedings (for an action for an order: judgment of the Federal Administrative Court - BVerwG - of November 30, 2022 - 6 C 10.21, BVerwGE 177, 211, para. 14; cf. on the assertion of a right to information pursuant to Art. 15 Para. 1 GDPR BVerwG judgment of September 16, 2020 - 6 C 10.19, para. 12; Krumm in Tipke/Kruse, § 40 FGO Rz 23; on the rejection of the application for discussion of the factual and legal status in accordance with § 364a of the Fiscal Code ‑‑AO‑‑ judgment of the Federal Finance Court ‑‑BFH‑‑ of 11.04.2012 - I R 63/11, BFHE 237, 29, BStBl II 2012, 539, Rz 13 with reference to BFH judgment of 16.12.1987 - I R 66/84, BFH/NV 1988, 319, under 3.a on the rejection of an application for the provision of photocopies of the written statements of witnesses; for general performance claims, see BFH ruling of October 5, 2006 - VII R 24/03, BFHE 215, 32, BStBl II 2007, 243, under II.1.; BVerwG ruling of August 20, 2003 - 8 C 13.02, with further references; for the combination of general performance claims and actions for annulment or obligation, see von Beckerath in Gosch, FGO § 40 Rz 123; Braun in Hübschmann/Hepp/Spitaler, § 40 FGO Rz 134; Gräber/Teller, Finanzgerichtsordnung, 9th edition, § 40 Rz 34). This is because the respective admissibility requirements of the different types of claims are met. In particular, a preliminary procedure under Section 32i Paragraph 9 Sentence 1 AO, which is required for the action for an order under Section 44 FGO, is unnecessary. In addition, the plaintiff had already submitted his request for copies of personal data to the tax office before the action was brought, which refused, so that the general need for legal protection required for a general action for performance also exists.
2. The processing of personal data of natural persons (as data subject within the meaning of Art. 4 No. 1 GDPR) by the tax office (as controller within the meaning of Art. 4 No. 7 Clause 1 GDPR) in the context of a taxation procedure is subject to the requirements of the General Data Protection Regulation, regardless of the type of tax.
a) As a regulation of the European Union (EU), the General Data Protection Regulation is binding in all its parts according to Art. 288 Paragraph 2 of the Treaty on the Functioning of the European Union (TFEU) and applies directly in every member state.
b) In terms of content, the General Data Protection Regulation according to Art. 2 Para. 1 GDPR applies to the fully or partially automated processing of personal data as well as to the non-automated processing of personal data that is or is to be stored in a filing system.
aa) The data on taxpayers processed by the tax authorities also contain personal data within the meaning of Art. 4 No. 1 GDPR. This is because the data processed by the tax authorities contain information that relates to an identifiable natural person. This applies in particular if, as in this case, it concerns the tax records of a natural person.
bb) The application of the General Data Protection Regulation is not precluded by the fact that personal data are contained in files that are (still) kept in paper form by the tax authorities.
Partially automated processing occurs when the personal data is processed partly manually and partly automatically. According to Recital 15, Sentence 1 of the GDPR, the protection of personal data should be technology-neutral. In particular, the protection according to Recital 15, Sentence 2 of the GDPR should also apply to the manual processing of personal data. Accordingly, the Court of Justice of the European Union (ECJ) has ruled on Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Official Journal of the European Communities L 281 of November 23, 1995, p. 31 - Data Protection Directive or Data Protection Directive -) that this applies equally to automated and manual processing of personal data, so that the protection it provides to the persons affected by the data processing does not depend on the techniques used and no risks of circumvention of this protection arise (ECJ ruling Jehovan todistajat of July 10, 2018 - C-25/17, EU:C:2018:551, paragraph 53). The Data Protection Directive was replaced by the General Data Protection Regulation. However, since Art. 2 Para. 1 GDPR corresponds word for word to Art. 3 Para. 1 Data Protection Directive except for the reference to the General Data Protection Regulation or the Data Protection Directive, the legal principles already established by the ECJ continue to apply (see ECJ ruling Latvijas Republikas Saeima (Points de pénalité) of June 22, 2021 - C-439/19, EU:C:2021:504, para. 64 ff.). Only in the case of purely manual data processing is it necessary for the personal data to be stored or to be stored in a file system in order to open up the scope of protection of the General Data Protection Regulation under Art. 2 Para. 1 GDPR.
According to Art. 4 No. 6 GDPR, a file system is any structured collection of personal data that is accessible according to certain criteria, regardless of whether this collection is kept centrally, decentrally or organized according to functional or geographical aspects. It is not specified which criteria the file must be structured according to. However, according to the case law on Article 3 paragraph 1 of the Data Protection Directive and which can be applied to the legal situation at issue here, this only means that the data about a specific person must be easy to find (ECJ ruling Jehovan todistajat of July 10, 2018 - C-25/17, EU:C:2018:551, paragraph 57). Only files or collections of files and their cover sheets that are not organized according to specific criteria do not fall within the scope of the General Data Protection Regulation according to Recital 15, sentence 3 of the GDPR.
Regardless of whether the paper files meet these requirements based on the respective internal administrative requirements for file management, the personal data contained in the paper files are used to carry out the taxation procedure. This was partially digitized between 2013 and 2015. The data processing is therefore at least partially automated. The processing of personal data by the tax authorities therefore falls within the scope of the General Data Protection Regulation. Differentiation according to the type of file management (paper, electronic, hybrid), the type of documents (internal notes, reports, internal emails, etc.) or the form of processing by the responsible clerk (based on printouts or digitally) is not important.
c) The scope of the General Data Protection Regulation is also not limited to the area of harmonized taxes according to Art. 2 (2) (a) GDPR.
aa) The exceptions to the material scope of the General Data Protection Regulation are exhaustively defined in Art. 2 (2) and (3) GDPR (see ECJ judgment Koalitsia "Demokratichna Bulgaria - Obedinenie" of October 20, 2022 - C-306/21, EU:C:2022:813, para. 33). According to Recital 2, Sentence 1 of the GDPR, the principles and rules for the protection of natural persons with regard to the processing of their personal data should ensure that both their fundamental rights and freedoms and in particular their right to the protection of personal data are respected, regardless of their nationality or place of residence. In view of this, according to Recital 2, Sentence 2 of the GDPR, the General Data Protection Regulation should contribute to the completion of an area of freedom, security and justice and an economic union, to economic and social progress, to the strengthening and integration of economies within the internal market and to the well-being of natural persons. Against this background, the exceptions to the scope of the General Data Protection Regulation under Art. 2 (2) (a) GDPR, like the other exceptions provided for in Art. 2 (2), are to be interpreted narrowly (as is also the case in the ECJ judgments Commission v Poland (Indépendance et vie privée des juges) of 05.06.2023 - C-204/21, EU:C:2023:442, para. 316; Koalitsia "Demokratichna Bulgaria - Obedinenie" of 20.10.2022 - C-306/21, EU:C:2022:813, para. 35 and Latvijas Republikas Saeima (Points de pénalité) of 22.06.2021 - C-439/19, EU:C:2021:504, para. 62, m.w.N.).
According to Art. 2 (2) (a) GDPR, the General Data Protection Regulation does not apply to the processing of personal data in the context of an activity that does not fall within the scope of Union law. This is also expressed in Recital 16, sentence 1 GDPR. According to the case law of the ECJ, activities that do not fall within the scope of Union law include activities relating to national security and activities within the framework of the Union's common foreign and security policy (see ECJ judgments Koalitsia "Demokratichna Bulgaria - Obedinenie" of October 20, 2022 - C-306/21, EU:C:2022:813, para. 36; and Latvijas Republikas Saeima (Points de pénalité) of June 22, 2021 - C-439/19, EU:C:2021:504, para. 63). It follows that Article 2(2)(a) of the GDPR, read in the light of Recital 16 of the GDPR, is to be understood as meaning that it is intended to exclude from the scope of this Regulation only processing of personal data carried out by public authorities in the course of an activity carried out to safeguard national security or an activity which can be classified as such. The mere fact that an activity is a specific activity of a State or an authority is not sufficient (see ECJ judgments Commission v Poland (Indépendance et vie privée des juges) of 05.06.2023 - C-204/21, EU:C:2023:442, para. 317; Koalitsia "Demokratichna Bulgaria - Obedinenie" of 20.10.2022 - C-306/21, EU:C:2022:813, para. 39; Latvijas Republikas Saeima (Points de pénalité) of 22.06.2021 - C-439/19, EU:C:2021:504, para. 66 and Land Hessen of 09.07.2020 - C-272/19, EU:C:2020:535, para. 70).
bb) The exception in Article 2(2)(a) GDPR therefore does not apply to the implementation of the taxation procedure by the tax authorities (see ECJ judgment Valsts ieņēmumu dienests (Traitement des données personnelles à des fins fiscales) of February 24, 2022 - C-175/20, EU:C:2022:124, para. 47, according to which the collection of information containing large amounts of personal data by the tax administration of a Member State from an economic operator must meet the requirements of the General Data Protection Regulation). The taxation procedure does not serve an activity in the same category as national security. As expressed in Section 3(1) AO, taxes essentially serve to finance the state. On the other hand, they do not directly serve to preserve state integrity, like national security. This also applies to the administration of direct taxes. The General Data Protection Regulation also applies directly in this area (see also BTDrucks 18/12611, p. 75; BTDrucks 18/7457, p. 47; letter from the Federal Ministry of Finance dated 13 January 2020, BStBl I 2020, 143, para. 1 et seq.; van Armansperg, Deutsches Steuerrecht 2021, 453, 457; Wargowske in Gosch, AO § 2a para. 13; see also ECJ judgment Valsts ieņēmumu dienests (Traitement des données personnelles à des fins fiscales) of 24 February 2022 - C-175/20, EU:C:2022:124, para. 47, although the ECJ does not address the extent to which the decision also concerns non-harmonised law; a.A. Drüen in Tipke/Kruse, § 2a AO Rz 6; Krumm, Der Betrieb 2017, 2182, 2186). The EU institutions do not have any regulatory powers in the area of direct tax administration - as is the case here. However, the protection of personal data is guaranteed without any corresponding restriction for the area of non-harmonised law in Article 8 of the Charter of Fundamental Rights of the European Union (EU Charter of Fundamental Rights) and by Article 16 Paragraph 1 TFEU. Furthermore, the principle of effectiveness ("effet utile") also requires the direct application of the General Data Protection Regulation in the area of direct tax administration in order to guarantee the highest and most uniform level of data protection possible in accordance with Recital 10 of the GDPR throughout the EU. According to this recital, the harmonization of data protection is intended to ensure a uniform and high level of data protection. The principle of effectiveness, in turn, states that the exercise of the rights conferred by Union law must not be made practically impossible or excessively difficult (cf. ECJ judgment La Quadrature du Net et al. of October 6, 2020 - C-511/18, EU:C:2020:791, para. 223, with further references). This would be contradicted if the General Data Protection Regulation were not applicable in the area of direct tax administration due to an area exception under Art. 2 Para. 2 Letter a of GDPR and thus large parts of the taxation procedure were not directly subject to the General Data Protection Regulation. Data protection in the area of tax law is also guaranteed by a large number of national provisions, for example by Sections 29b to 32j of the Fiscal Code. However, relying on these provisions to protect the right to protection of personal data guaranteed, among other things, by Article 8 of the EU Charter would run counter to the harmonisation spirit of the General Data Protection Regulation expressed in Recital 3 of the GDPR, as well as Recital 10, Sentence 1 of the GDPR and Recital 53, Sentence 2 of the GDPR. According to Recital 3 of the GDPR, the predecessor directive to the General Data Protection Regulation, the Data Protection Directive, served to harmonise the provisions for the protection of the fundamental rights and freedoms of natural persons with regard to data processing and to ensure the free movement of personal data between Member States. Nothing else can apply to the General Data Protection Regulation. According to Recital 53, Sentence 2 of the GDPR, the General Data Protection Regulation should harmonise conditions for the processing of special categories of personal health data with regard to certain requirements, in particular when the processing of these data for health-related purposes is carried out by persons who are subject to professional secrecy in accordance with a legal obligation.
3. However, the FG applied Article 15 (3) GDPR incorrectly.
a) Contrary to the plaintiff's opinion, Article 15 (3) sentence 1 GDPR does not grant an independent claim against the controller to provide documents containing personal data compared to Article 15 (1) GDPR.
aa) Article 15 (1) GDPR grants the data subject the right to request confirmation from the controller as to whether personal data concerning them are being processed. If this is the case, they have a right to information about this personal data and to the information specified in more detail in Article 15 (1) letters a to h GDPR. According to Article 15 (3) sentence 1 GDPR, the controller shall provide the data subject with a copy of the personal data that is the subject of the processing. The case law of the ECJ has clarified that Article 15 of the GDPR cannot be interpreted as granting a right other than that provided for in paragraph 1 of its first sentence. Moreover, the term "copy" does not refer to a document as such, but to the personal data it contains, which must be complete. The copy must therefore contain all the personal data that are the subject of the processing (ECJ judgments FT (Copies du dossier médical) of October 26, 2023 - C-307/22, EU:C:2023:811, para. 72 and Austrian Data Protection Authority of May 4, 2023 - C-487/21, EU:C:2023:369, para. 32). The right to be provided with a copy of the personal data does not require any justification, which is why it is not precluded if it is justified by purposes other than those mentioned in Recital 63, Sentence 1 of the GDPR (ECJ judgment FT (Copies du dossier médical) of 26 October 2023 - C-307/22, EU:C:2023:811, paras 50 and 52).
bb) Only if the provision of a copy is essential to enable the data subject to effectively exercise the rights conferred on him or her by the General Data Protection Regulation, taking into account the rights and freedoms of others, is there a right to receive a copy of extracts from documents or even of entire documents or extracts from databases under Art. 15 (3) sentence 1 GDPR (cf. ECJ judgments FT (Copies du dossier médical) of October 26, 2023 - C-307/22, EU:C:2023:811, para. 75 and Austrian Data Protection Authority of May 4, 2023 - C-487/21, EU:C:2023:369, paras. 41 and 45). Contrary to the plaintiff's opinion, however, there is no general presumption of this. Rather, it is up to the data subject to demonstrate that the copy of the personal data and the communication of the information pursuant to Art. 15 (1) (a) to (h) GDPR are not sufficient for the exercise of the rights conferred on him or her by the General Data Protection Regulation. If the data subject requests that copies of documents containing his or her personal data be made available, it is up to him or her to state which rights conferred on him or her by the General Data Protection Regulation he or she intends to exercise and to explain why the provision of copies of files containing personal data is essential for this purpose. Otherwise, the rule-exception principle established by the ECJ would be ineffective. According to the case law of the ECJ, the claim under Art. 15 (1) and (3) GDPR is fundamentally aimed at the provision of a copy of the personal data processed by the data subject (ECJ judgments FT (Copies du dossier médical) of October 26, 2023 - C-307/22, EU:C:2023:811, para. 72 and Austrian Data Protection Authority of May 4, 2023 - C-487/21, EU:C:2023:369, para. 32). If this is not sufficient for the exercise of the rights under the General Data Protection Regulation, there may exceptionally be a right to a (partial) copy of the source in which the personal data is processed (see ECJ rulings FT (Copies du dossier médical) of October 26, 2023 - C-307/22, EU:C:2023:811, para. 75 and Austrian Data Protection Authority of May 4, 2023 - C-487/21, EU:C:2023:369, paras. 41 and 45). Moreover, a corresponding presumption of indispensability is not required to ensure effective data protection. As a rule, it is sufficient for the exercise of the rights conferred by the General Data Protection Regulation if the data subject becomes aware of the personal data processed about him or her and is informed of the information in accordance with Art. 15 (1)(a) to (h) GDPR. In particular, by informing the data subject of which personal data is being processed and for what purpose this processing is carried out, the data subject is already regularly in a position to check the accuracy of the personal data and the legality of its processing.
b) Based on other legal principles, the FG failed to make the necessary findings for a final assessment. There are no findings as to whether or to what extent the plaintiff has asserted that the requested copies are essential for him in order to enable him to effectively exercise the rights granted to him by the General Data Protection Regulation. Furthermore, there are no findings as to which rights under the General Data Protection Regulation the plaintiff actually intends to assert.
4. The FG also erred in law in assuming that the claim asserted by the plaintiff is excluded due to an excessive request within the meaning of Art. 12 Para. 5 Sentence 2 and Sentence 3 GDPR.
a) According to Article 12(5) sentence 2 GDPR, in the case of manifestly unfounded or excessive requests from a data subject, particularly in the case of frequent repetition, the controller may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or of implementing the requested measure (Article 12(5) sentence 2 letter a GDPR), or refuse to act on the request (Article 12(5) sentence 2 letter b GDPR). In the absence of a requirement to justify the request for information, the controller is obliged to provide the data subject with a first copy of his or her personal data that are the subject of processing free of charge, even if the request in question is justified by purposes other than those mentioned in Recital 63, Sentence 1 of the GDPR (see ECJ judgment FT (Copies du dossier médical) of October 26, 2023 - C-307/22, EU:C:2023:811, paragraphs 50 and 52). The controller must provide evidence of the manifestly unfounded or excessive nature of the request in accordance with Article 12 (5) Sentence 3 of the GDPR. It follows from this that an exclusion of the right to information according to Art. 12 Para. 5 Sentence 2 GDPR can only be considered if the controller invokes this and demonstrates that the request is manifestly unfounded or excessive (cf. Gola/Heckmann/Frank, GDPR, 3rd ed., Art. 12 Rz 41 and Art. 15 GDPR Rz 50; Paal in Paal/Pauly, GDPR, 3rd ed., Art. 15 Rz 9; Schneider/Schwartmann in Schwartmann/Jaspers/Thüsing/Kugelmann, GDPR/BDSG, 2nd ed., Art. 12 GDPR Rz 69; BeckOK DatenschutzR/Quaas, 46th Ed. [01.11.2023], GDPR Art. 12 Rz 48; Heckmann/Paschke in Ehmann/Selmayr, GDPR, 2nd ed., Art. 12 para. 49; cf. Kühling/Buchner/Bäcker, 4th ed., GDPR Art. 15 para. 42b; Taeger/Gabel/Mester, 4th ed. [2022], GDPR, Art. 15 para. 21).
If the request is excessive according to these principles, it cannot - contrary to the plaintiff's view - be seen as a valid request for the provision of copies of personal data. This is clear from Art. 12 para. 5 sentence 2 letter b GDPR. If the controller does not demand a reasonable fee, he does not need to take action in the event of a refusal due to an excessive request. Furthermore, a reduction of the excessive request to a permissible level does not prove to be a minus, but an inadmissible aliud to the original request (see BFH decision of May 5, 2017 - X B 36/17, paragraph 20 on the provision of copies of certain parts of the file in the case of a request for the provision of the complete file content).
b) The statements of the lower court on Art. 12 Para. 5 Sentence 2 and Sentence 3 GDPR do not meet these standards. There is already a lack of a finding of abusive conduct or of findings on the arguments of the tax office against the background of the obligation incumbent upon it to provide evidence of a manifestly unfounded or excessive request. In addition, the Senate is unable to agree with the FG's assessment that the plaintiff's request for copies to be made available under Article 15, Paragraph 3, Sentence 1 of the GDPR was manifestly unfounded, as it was merely made in a general manner and was therefore obviously excessive. As the above statements show, the plaintiff is entitled to a claim under Article 15, Paragraph 3, Sentence 1 of the GDPR, so that the assertion of a corresponding request cannot in any case be manifestly unfounded. The extent to which the plaintiff was offered information about his personal data and also a copy of tax assessments is not relevant here, as the plaintiff's request is for copies of the administrative files specified in more detail containing his personal data to be made available. Even if the plaintiff's request does not serve the objectives of the General Data Protection Regulation according to the FG, the application for the provision of copies according to Art. 15 Para. 3 Sentence 1 GDPR is neither manifestly unfounded nor excessive according to the principles mentioned.
5. The contested decision does not prove to be lawful for other reasons either (Section 126 Para. 4 FGO).
a) The tax office cannot object to the plaintiff's request on the grounds that fulfilling the right to information would involve disproportionate effort. The Senate does not need to decide to what extent such an objection can be upheld in principle. This is because there are already no corresponding findings by the lower court that providing information would involve disproportionate effort. The corresponding blanket submissions by the tax office in the appeal proceedings do not provide any corresponding indications either.
b) It is not up to the tax office to fulfill the plaintiff's request by granting access to the files.
aa) According to Section 32d Paragraph 1 AO, it is within the tax office's discretion to determine the form in which information is provided. However, this only applies if there are no relevant provisions in Articles 12 to 15 GDPR. However, this is the case with Article 15 Paragraph 3 Sentence 1 and Sentence 3 GDPR. According to this, the controller must provide an (electronic) copy of the personal data and, under certain circumstances, also of the sources in which such data was processed.
bb) The extent to which granting access to the files instead of providing copies in accordance with Section 11 Paragraph 2 of the Brandenburg Data Protection Act is sufficient is not subject to assessment by the BFH. According to Section 118 Paragraph 1 Sentence 1 FGO, only violations of federal law are revisable. The Brandenburg Data Protection Act also does not declare that the financial legal process is open (Section 33 Paragraph 1 No. 4, Section 118 Paragraph 1 Sentence 2 FGO). An exceptional case whereby an essentially irreversible provision of state law must be examined in the appeal proceedings (see Krumm in Tipke/Kruse, Section 118 FGO Rz 30, with further references) does not exist.
c) The tax office cannot successfully invoke Section 34 Paragraph 1 of the Federal Data Protection Act. The regulation is superseded by the more specific regulation of Section 32c AO ("lex specialis").
aa) Insofar as the data subject does not have the right to information from a financial authority in accordance with Art. 15 GDPR under Section 32c Paragraph 1 AO, the necessary findings that allow subsumption under the necessary conditions for this are lacking. No corresponding indications were presented either.
bb) Furthermore, according to Section 32c Paragraph 3 of the Fiscal Code, information will only be provided if the person concerned provides information that enables the data to be found and the effort required to provide the information is not disproportionate to the interest in information asserted by the person concerned. However, this only applies if the personal data is neither automated nor stored in non-automated file systems. However, as already explained, this is not the case. Furthermore, there is no finding of disproportionate effort.
6. The matter is not ready for judgment and should therefore be referred back to the Fiscal Court.
a) The Fiscal Court will have to examine the extent to which the plaintiff has met his burden of proof and whether the provision of (electronic) copies of the files of the tax office is essential for the effective exercise of his rights under the General Data Protection Regulation. In this regard, the FG will have to take into account the case law of the ECJ that the reproduction of extracts from documents or of entire documents may prove essential if they must be presented in their context in order to ensure their comprehensibility (ECJ judgments FT (Copies du dossier médical) of 26 October 2023 - C-307/22, EU:C:2023:811, para. 74 and Austrian Data Protection Authority of 4 May 2023 - C-487/21, EU:C:2023:369, para. 41). In particular, when personal data is generated from other data or when it is based on free fields, i.e. a missing statement from which information about the data subject can be derived, the context in which this data is the subject of processing is essential so that the data subject can receive transparent information and an understandable presentation of this data (ECJ ruling Austrian Data Protection Authority of 04.05.2023 - C-487/21, EU:C:2023:369, para. 42).
b) In the second legal process, the FG will also have to make findings as to the extent to which the tax office has complied with the obligation to provide evidence incumbent upon it under Art. 12 Para. 5 Sentence 3 GDPR and whether the application is manifestly unfounded or excessive. In this regard, the case law of the ECJ must be taken into account, according to which the two reasons for which the controller does not have to comply with the data subject's request under Art. 12 (5) sentence 2 GDPR relate to cases of abuse of rights (ECJ judgment FT (Copies du dossier médical) of October 26, 2023 - C-307/22, EU:C:2023:811, paragraph 31).
c) If the FG, applying the aforementioned legal principles, comes to the conclusion that the plaintiff is entitled to the provision of copies under Art. 15 (3) sentence 1 GDPR, the information must be made available to the plaintiff in a common electronic format in accordance with Art. 15 (3) sentence 3 GDPR. The fact that the email to the tax office dated October 14, 2020 meets the requirements for an electronic application in this sense is undisputed between the parties, which is why the Senate refrains from providing further explanations.
7. The extent to which the procedural errors complained of by the plaintiff exist can be left open, since the proceedings must be referred back to the FG for further hearing and decision on substantive grounds.
8. There is no need for a referral to the ECJ in accordance with Article 267(3) TFEU in the present proceedings. For the reasons stated in each case, the legal situation is clear ("acte clair"; decision of the Federal Constitutional Court - BVerfG - of 04.03.2021 - 2 BvR 1161/19, para. 55; ECJ judgment CILFIT / Ministero della Sanità of 06.10.1982 - 283/81, EU:C:1982:335, para. 16) or has already been clarified by the ECJ's case law in a way that leaves no reasonable doubt ("acte éclairé"; BVerfG decisions of 04.03.2021 - 2 BvR 1161/19, para. 55 and of 19.07.2011 - 1 BvR 1916/09, BVerfGE 129, 78, para. 80; ECJ ruling CILFIT / Ministero della Sanità of October 6, 1982 - 283/81, EU:C:1982:335, para. 16). In particular, against the background of Art. 2 Para. 1 GDPR and Art. 4 No. 6 GDPR as well as Recital 15 Sentence 1 and Sentence 2 GDPR and the case law of the ECJ (ECJ ruling Jehovan todistajat of July 10, 2018 - C-25/17, EU:C:2018:551), the Senate has no doubts about the requirements of the material scope of application of the General Data Protection Regulation and that this also includes, in particular, the personal data contained in the paper files kept by the tax office. Against the background of Art. 8 EUGrdRCh and Art. 16 Para. 1 TFEU as well as Recital 2 Sentence 1 GDPR and the case law of the ECJ (ECJ judgments Commission v Poland (Indépendance et vie privée des juges) of 05.06.2023 - C-204/21, EU:C:2023:442; Koalitsia "Demokratichna Bulgaria - Obedinenie" of 20.10.2022 - C-306/21, EU:C:2022:813; Valsts ieņēmumu dienests (Traitement des données personnelles à des fins fiscales) of 24.02.2022 - C-175/20, EU:C:2022:124; Latvijas Republikas Saeima (Points de pénalité) of 22 June 2021 - C-439/19, EU:C:2021:504, para. 62, with further references; Land Hessen of 9 July 2020 - C-272/19, EU:C:2020:535) and the effet utile principle, the Senate has no doubt that the area of administration of non-harmonised taxes is not excluded from the scope of the General Data Protection Regulation according to Art. 2 Para. 2 Letter a of GDPR. Furthermore, the case law of the ECJ has clarified that Article 15 (1) in conjunction with (3) GDPR basically only contains a right to the provision of personal data and that a right to a copy of the source in which the personal data was processed only exists if it is essential for the exercise of the rights under the General Data Protection Regulation (ECJ rulings FT (Copies du dossier médical) of October 26, 2023 - C-307/22, EU:C:2023:811; Austrian Data Protection Authority of May 4, 2023 - C-487/21, EU:C:2023:369). Based on the case law of the ECJ, the Senate also considers the requirements for a manifestly unfounded or excessive application within the meaning of Art. 12 Para. 5 Sentence 2 GDPR to be clarified (ECJ judgment FT (Copies du dossier médical) of October 26, 2023 - C-307/22, EU:C:2023:811).
9. The decision on costs is based on Section 143 Para. 2 FGO.
