FG Berlin-Brandenburg - 16 K 2059/21
FG Berlin-Brandenburg - 16 K 2059/21 | |
---|---|
Court: | FG Berlin-Brandenburg (Germany) |
Jurisdiction: | Germany |
Relevant Law: | Article 12(5)(b) GDPR Article 15(3) GDPR |
Decided: | 26.01.2022 |
Published: | 01.04.2022 |
Parties: | Tax Authority |
National Case Number/Name: | 16 K 2059/21 |
European Case Law Identifier: | ECLI:DE:FGBEBB:2022:0126.16K2059.21.00 |
Appeal from: | |
Appeal to: | Pending appeal BFH (Germany) II R 6/22 |
Original Language(s): | German |
Original Source: | VIS Berlin (in German) |
Initial Contributor: | Frank F |
The Financial Court Berlin-Brandenburg held that data subjects have to specify their access request (Article 15(1) GDPR) when the controller processes large amounts of data and that a request concerning any type of data over a period of more than 50 years is excessive.
English Summary
Facts
In 2020, the data subject requested access to data concerning him from the tax authority (the controller) after a tax audit carried out on his wife in connection with income from self-employment. The controller replied that Data processed in this context did not concern the data subject.
In February 2021, the controller admitted to the existence of a data breach and reported that to the competent authority. In the course of the tax audit, the data subject's mobile phone number had been sent via unencrypted email without his consent.
Subsequently, die data subject filed a complain with the German Federal Data Protection Authority (BfDI).
In March 2021, the data subject filed an action for information. In particular, he desired information on all data about him stored by the controller since 1972, a copy of the data and the deletion of all data.
Holding
The Finance Court Berlin-Brandenburg fully rejected the data subject's claim.
First, regarding the data subject's right to access pursuant to Article 15(1) GDPR, the court held that the data subject was not entitled to the requested unlimited and unspecified data disclosure. It stated that this right against controllers who process large amounts of data only exists if the request is sufficiently specified. That position was based on Recital 63(7) GDPR and a comparison with Article 14(5)(b) GDPR according to which the fulfilment of information obligations vis-à-vis a person affected by a data collection from third parties can be omitted if and to the extent that the provision of this information proves to be impossible or would require a disproportionate effort. In particular, the court argued that, if Article 15(1) GDPR had to be interpreted widely, the exercise of comprehensive rights by a comparatively small group of data subjects (taxpayers) may have the consequence that the level of data protection for a larger group of data subjects (also taxpayers) falls short of the intended level of the Union legislator due to the inevitably limited resources of the tax authorities.
Further, the court held that the request was excessive pursuant to Article 12(5) GDPR, regardless whether Article 15(1) GDPR was to be interpreted narrowly or widely. It found the excessiveness both in the temporal sense because it concerned data aggregation over 50 years, and in the substantive-material sense.
The court interpreted the granting of specific information as something qualitatively different (aliud) in relation to the unspecified and unlimited request for the provision of a copy of the data and not as a minus. Therefore, it rejected the entire claim instead of granting it with regard to specific information.
Second, regarding the data subject's right to a copy pursuant to Article 15(3) GDPR, the court held that he was not entitled to be provided with copies of personal data in the form of (electronic) duplicates of entire files by the controller. It argued that Article 15(1) and 15(3) GDPR do not contain two independent rights but a single right. Therefore, according to the court, Article 15(3) GDPR only contains a right to the catalogue information pursuant to Article 15(1)(a)-(h) GDPR. The court confirmed that the request was also excessive in this regard.
Third, the court rejected the data subject's right to deletion and to object (Articles 17(1)(d) and 21(1) GDPR). It held that there had been no unlawful processing of personal data because it was based on Article 6(1)(e) GDPR, § 29b(1) German Tax Code (Abgabenordnung - AO). Moreover, the right to deletion was precluded by § 29b(1) AO.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Operative part: The action is dismissed. The appeal to the Federal Fiscal Court is allowed. The plaintiff is ordered to pay the costs of the proceedings. Facts: The subject matter of the legal dispute is essentially the plaintiff's rights under data protection law with regard to the processing of personal data relating to the plaintiff by the defendant tax office in the context of carrying out the taxation of third parties in whose taxation proceedings the plaintiff himself is not involved. The starting point of the legal dispute is a tax audit conducted at the plaintiff's wife in connection with income from self-employment. In a letter dated June 2, 2020, the plaintiff requested information from the defendant tax office about stored data relating to the plaintiff. The defendant then informed the plaintiff in a letter dated 17.06.2020 that the defendant tax office was not responsible for his taxation. In addition, he appeared as a person providing information in the context of the tax audit of his wife and the data stored to date in the context of the tax audit did not, as far as could be seen, relate to his person. The plaintiff seeks information about stored data, deletion of data, a declaration that the data processing is unlawful, and other relief in an action filed on March 22, 2021, without first conducting a preliminary proceeding. Among other things, the plaintiff also claims damages. In the course of the external audit, the plaintiff's mobile phone number was sent to the professional e-mail address of the plaintiff's wife without her consent by sending an unencrypted e-mail for the purpose of coordinating an appointment by the tax auditor. The defendant tax office admitted the existence of a data protection violation in a letter to the plaintiff's wife dated February 11, 2021, and initiated corresponding notifications to the competent supervisory authorities. In the run-up to the legal action, the plaintiff, together with his wife, filed a complaint regarding data protection at the B... tax office with the Federal Commissioner for Data Protection and Freedom of Information - BfDI. In the course of the complaint proceedings, the plaintiff and his wife were sent the defendant's statement dated April 13, 2021 by the BfDI in a letter dated July 28, 2021. In addition, during the complaint proceedings, the plaintiff submitted a request for information pursuant to Article 15 (1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27.04.2016 on the protection of individuals with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (the General Data Protection Regulation - GDPR) to the C... Finance Administration. This was answered by letter dated 03.12.2021. In summary, the plaintiff states in support of the action: The manner and scope of the collection of the plaintiff's personal data by the defendant tax office in the context of the implementation of the taxation of third parties, in whose taxation procedure the plaintiff is not involved, give rise to a review of the legality of the data collection insofar as data are not collected from the data subject. The plaintiff's right to informational self-determination is particularly endangered, because the plaintiff has no control over which personal data concerning him is collected and processed, for what purpose this is done, who has access to his data and to whom this data is passed on. As a "transparent taxpayer", the plaintiff no longer has any control over what image the defendant tax office forms of his person and on what data basis. The plaintiff's rights to comprehensive disclosure of information and provision of data copies result from Article 15 of the GDPR, which grants a right to information and data copies to the applicant without any preconditions and without any further obligation to state reasons. In particular, the claim is not dependent on further concretizations, since otherwise the fundamental right to information and copy of data enshrined in data protection law could only be realized by the data subject at the price of disclosing further personal data, which would be incompatible with the protective purpose and intention of the GDPR per se. Furthermore, the plaintiff submits that the risk situation under data protection law would be additionally intensified and deepened by the manner and scope of the data collection by the defendant due to the lack of binding specifications on the maximum storage period, the data processing in a technically outdated system environment and the lack of suitable technical and organizational measures for the effective implementation of the data protection principles. The plaintiff requests, 1. order the defendant to 1.1 to provide the plaintiff, within the meaning of Art. 15 (1) of the GDPR, with complete information about all of the plaintiff's data stored since 21.01.1972 up to the date on which the information is provided, including all of the data actually held by the defendant about the plaintiff, the correspondence exchanged internally about the plaintiff and the correspondence exchanged (including e-mails), the internal telephone and conversation notes and other internal notes of the defendant; 1.2 provide the Plaintiff with a complete copy of the personal data that are the subject of the processing, within the meaning of Article 15(3) of the GDPR; 1.3 to completely and securely delete or destroy all data about the Plaintiff that does not serve its taxation, including all archives and data backups within the meaning of Art. 4 DSGVO; 1.4 to prove, by way of a step-by-step action regarding 1.3, the complete and secure deletion or destruction of all data about the plaintiff that do not serve his taxation, including all archives and data backups within the meaning of Art. 4 DSGVO; 1.5 to inform all third parties to whom data of the plaintiff has been disclosed that such data has been unlawfully obtained and unlawfully disclosed; 1.6 to inform the plaintiff to whom his or her data have been disclosed, for what legal reason and for what purpose; 1.7 to inform the plaintiff about who on the defendant's side had access to the plaintiff's data and why this access was granted (Section 76 BDSG); 1.8. to inform the plaintiff from whom the defendant has received data of the plaintiff; and 1.9. to swear, by way of a step-by-step action under 1.1, that the claim for information under 1.1 has been fully and accurately met; 2. to declare that the defendant 2.1 has not fulfilled his duty to inform according to Art. 14 DSGVO, § 33 BDSG, § 46 BDSG; 2.2 has not fulfilled the plaintiff's rights to information according to Art. 15 DSGVO; 2.3 has subsequently violated rights of the plaintiff according to Chapter III "Rights of the data subject" of the GDPR; 2.4 has not created the necessary technical and organizational measures for securing (TOMS) the rights of the Plaintiff under the GDPR and the BDSG and has not tested these TOMS for their effectiveness; 2.5 has not been able to provide the necessary qualified IT security according to ISO 27001 (IT Grundschutz) at the time of the start of the data processing (Art. 32 DSGVO in conjunction with § 32h AO); 2.6 attempted to deprive the plaintiff of its legal options under Chapter VIII. of the DSGVO, §§ 36, 66 BDSG by providing missing and false information; 2.7 failed to provide the required notifications under the DSGVO to the Federal Commissioner for Data Protection and Freedom of Information (BfDI) or failed to do so in a timely manner (Article 33 DSGVO, Section 65 BDSG); 2.8 has not carried out the required data protection impact assessment (Section 67 BDSG); 2.9 committed data protection violations under the DSGVO and BDSG by collecting data of the Plaintiff from third parties in the context of external audits without legal grounds and there is no need for this at the Defendant; 2.10 has interfered with the plaintiff's fundamental right of informational self-determination (Art. 1 GG in conjunction with Art. 2 GG, Art. 8 GRCh, ECHR, Sec. 48 BDSG); 2.11 has interfered with the private life of the plaintiff and thus violated his dignity (Art. 1 GG in conjunction with Art. 2 GG, Art. 8 GRCh); 2.12 has engaged in illegal data retention by not deleting illegally obtained data and by not preventing the exploitation of such data; 2.13 its employees have violated tax secrecy pursuant to Section 30 AO in i.V.m. § 355 of the German Criminal Code (StGB); 2.14 its employees have violated the BDSG, in particular also § 42 BDSG; 2.15 have encroached upon medical secrecy pursuant to § 203 StGB and thus have permanently damaged the Plaintiff's relationship of trust in the duties of the Defendant pursuant to Article 20 GG; 2.16 has exploited particularly protected data according to Art. 9 DSGVO, § 22 BDSG without legal ground; 2.17 utilized illegally obtained data and information, reference is made to the files of the proceedings 2 K 2040/20; 2.18 violated tax secrecy and the GDPR by publishing the Plaintiff's telephone number in an email to the Plaintiff's wife's practice; 2.19 violated tax secrecy and the GDPR by publishing the Plaintiff's telephone number to the Senate Department of Finance in a manner unknown to the Plaintiff; 3. declare that 3.1 parts of the AO, which contain the information obligations to the data subjects from whom the data were not directly collected (data collection from third parties), are not compatible with higher-ranking law and in particular violate the Charter of Fundamental Rights, the ECHR and the Basic Law; namely, inter alia, §§ 32b, 32c, 32f AO; and 3.2 the judge at the Tax Court ... in the proceedings 2 K 2040/20 (plaintiff: D...; subject matter of the proceedings: audit order) 3.2.1. deprived the plaintiff here of the right to be heard; 3.2.2 deprived the plaintiff here of his legal judge; 3.2.3 failed to apply the GDPR; 3.2.4 failed to comply with the legal protection guarantee of the Basic Law by not summoning the plaintiff here. The defendant requests that to dismiss the action. The defendant refers to the fact that according to the statement of claim only the reply letter of the tax office dated 17.06.2021 is the subject of the action. The plaintiff's request for data information was a general request for information without specification (e.g. on a specific fact, on a specific administrative procedure or assessment period), so that the general information provided meets the legal requirements. With regard to the further submissions of the parties, reference is made to the exchanged written pleadings, to the attached administrative file and to the minutes of the hearing. By order dated October 26, 2021, the proceedings relating to the claim for damages were separated from the proceedings here and referred to the Regional Court of C.... The court allowed an appeal against the referral order due to the expected broad impact of the legal issue. The plaintiff and the defendant have filed an appeal against the order. The proceedings are being conducted at the BFH under file number II B 92/21. By order of February 7, 2022, the proceedings concerning the plaintiff's request for correction of defamatory statements by the defendant were severed and referred to the Administrative Court C.... The court did not allow an appeal against the referral order. The court had before it the defendant's administrative file, in addition to the contentious files of the present proceedings. By an order dated March 22, 2021, and again by an order dated November 17, 2021, the court requested the administrative files relating to the dispute from the defendant. The defendant sent the administrative files on 24.11.2021 and these were received by the court on 30.11.2021. By written statement dated 01.12.2021, the plaintiff requests in the proceedings here pursuant to Section 86 (3) of the Fiscal Court Code - FGO - to request the defendant to submit the administrative files requested by order of the court dated 22.03.2021. The BFH has not yet ruled on the request. Reasons for Decision: A. The action is ripe for decision. I. The action can be decided on the basis of the files and factual submissions on file. In particular, the submission of further administrative files can be dispensed with because their content is not relevant to the decision on the question of the requested obligation of the defendant tax office to provide data information and a data copy as well as the further requests for performance and declaratory relief, which is independent of the concrete content. In all other respects, too, the contents of the file, the factual submissions to date and the motions of the parties do not give rise to any further action by the court to clarify or determine the facts of the case. In particular, the facts submitted in evidence are not relevant to the decision. II. The proceedings are also not to be stayed until the conclusion of the proceedings pending before the BFH pursuant to Sec. 86 (3) FGO, since the requirements for a stay are not met. (1) Pursuant to § 74 of the FGO, the court may order a stay of proceedings only if the decision in the dispute depends in whole or in part on the existence of a legal relationship that is the subject of another pending dispute. (2) For the purpose of conducting the interlocutory proceedings pursuant to Sec. 86 (3) FGO, the Tax Court shall transfer the proceedings to the BFH. The main proceedings shall be suspended in the meantime. However, the main proceedings are continued if the court no longer adheres to its request for submission and the application under section 86(3) FGO thus becomes inadmissible (cf. Schallmoser in: Hübschmann/Hepp/Spitaler, AO/FGO, 266th ed. (11/2021), § 86 FGO marginal no. 54 with further references). The same must apply a fortiori if the tax court's request for submission of files is complied with. The prerequisite for a decision pursuant to Section 86 (3) FGO is that the documents requested by the Tax Court are not submitted in full and that the court still adheres to the complete submission even at the time of the decision sought by the Federal Fiscal Court. 3 The Senate is of the opinion that with the submission of the administrative documents sent by the defendant on November 24, 2021 and received by the court on November 30, 2021, the request for submission of documents by the Fiscal Court has been complied with. Thus, there is no admissible application pursuant to § 86 (3) FGO as a prerequisite for a stay of proceedings. B. I. The action is unsuccessful. It is already partly inadmissible and otherwise unfounded. 1. claims for benefits 1.1 Insofar as the plaintiff requests that the defendant be ordered to provide the plaintiff with complete information within the meaning of Article 15 (1) of the GDPR about all of the plaintiff's data stored since January 21, 1972, up to the date on which the information is provided, including all of the data actually held by the defendant about the plaintiff, the internal data relating to the plaintiff and the correspondence exchanged (including e-mails), the internal telephone and conversation notes and other internal notes of the defendant, the action is admissible but unfounded. a. The action is admissible as a combined action for obligation and general performance. There is no contestable administrative act in the form of a refusal to provide information. In accordance with the plaintiff's request, the action is therefore admissible as an action for an order (§ 40 (1) 2 FGO) insofar as the provision of information is preceded by an official decision of a regulatory nature regarding the content, scope and limits of the provision of information, in combination with a general action for performance (§ 40 (1) 3 FGO) insofar as the provision of information is affected as a simple administrative act. The subject-matter jurisdiction of the court follows from Section 32i (2) of the German Fiscal Code (AO) for actions against persons responsible under Article 79 of the GDPR. The local jurisdiction follows from Section 32i (5) sentence 2 AO, since the defendant tax office has its registered office in the jurisdiction of the court. The prior unsuccessful conduct of preliminary proceedings is not required (Section 32i (9) AO). b. However, the action is unfounded. The requirements for a claim to data information are met "on the merits" (aa.). However, the plaintiff is not entitled "to the extent" to the requested unlimited and unspecified data information (bb.). In any case, however, the defendant tax office can refuse the data information as excessive (cc.). A claim-preserving reduction in content or time to a permissible request for information cannot be considered (dd.). aa. The GDPR is applicable to the processing of personal data by the defendant tax office (1). The claim of the plaintiff, who is personally entitled to claim as a data subject, also contains personal data, so that the personal and factual scope of application of the GDPR is opened (2). The defendant tax office, as the responsible party, is also the correct respondent (3), so that the requirements for a claim for information pursuant to Article 15 (1) GDPR are met on the merits. (1) In the area of tax administration, the GDPR is also applicable to the administration of direct taxes. As an EU Regulation, the GDPR applies directly in each member state of the Union pursuant to Article 288 of the Treaty on the Functioning of the European Union - TFEU - without the need for further implementation by national law. Insofar as the direct applicability of the GDPR beyond the area of harmonized taxes under Union law is partially rejected (so with reference to the literature FG Niedersachsen, judgment of 28.01. 2020 - 12 K 213/19 -, Entscheidungen der Finanzgerichte - EFG - 2020, 665), the Senate can leave this question aside in the result, since the federal legislator has ordered the at least substantive validity of the GDPR for the entire data processing activity of the tax authorities by reference in Section 2a AO (so also FG Munich, court decision of 23.07.2021 - 15 K 81/20 -, EFG 2021, 1789 marginal no. 36). (2) The personal and material scope of application of the GDPR are opened. The plaintiff is a natural person identified or otherwise identifiable by means of a tax number or tax identification number and as such a "data subject" within the meaning of Art. 4 No. 1 GDPR and thus personally entitled to make a claim. The material scope of application of the GDPR is opened in the dispute insofar as the processing of personal data is to be assessed. In principle, all information present in a tax file is also personal data. The GDPR applies to the wholly or partially automated processing of personal data as well as to the non-automated processing of personal data stored or to be stored in a file system (Art. 2(1) GDPR). Art. 4 No. 1 GDPR defines personal data as "any information" relating to data subjects (identifiable). In interpreting this term, the protective purpose of the GDPR is decisive. It is not about the data itself, nor is it about the economic interests of the data processors. It is solely about the protection of the fundamental rights of natural persons in the processing of the data allocated to them. The term "all information" must therefore be understood broadly; the term is not limited to sensitive or private information, it covers all information about a data subject. Therefore, in principle, all information recorded in a tax file is to be understood as personal data because it can be directly or indirectly linked to a natural person by means of classification features (tax number or tax identification number). (3) The defendant tax office is also the correct respondent as a controller within the meaning of Art. 4 No. 7 GDPR. "Controller" according to Art. 4 No. 7 DSGVO is the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data. The controller is thus the financial authority which decides on the purposes and means of the processing of personal data; as a rule, therefore, the financial authority which is competent in terms of subject matter and location and which also maintains the files which are the subject of the dispute. bb. However, the data subject rights enshrined in Article 15 (1) of the GDPR do not, in the opinion of the recognizing Senate, give the plaintiff a right to information from defendants who process large amounts of information, if the request for information is not specified and is not limited in terms of subject matter or time. The legal opinion of the plaintiff that Article 15 (1) of the GDPR grants a claim to the granting of the requested data information without any preconditions and without any further obligation to state reasons at the expense of the applicant is supported by the wording of the basis of the claim. The plaintiff's argument that the claim under Article 15(1) of the GDPR is not dependent on further specification, since otherwise the fundamental right to data information enshrined in data protection law could only be realized by the data subject at the price of disclosing further personal data, which would not be compatible with the protective purpose and intention of the GDPR, also seems worth considering. Nevertheless, the Senate is convinced that a right to information pursuant to Article 15 (1) of the GDPR exists vis-à-vis parties obliged to provide information who process large amounts of data only if the request for information is sufficiently specified: This legal view is based on recital 63, sentence 7, to the GDPR, according to which the controller, if it processes a large amount of information about the data subject, should be able to require that the person requesting information specify to which information or which processing operations its request for information relates before providing it with information. This view is confirmed by a comparison with the provision in Art. 14(5)(b) GDPR, according to which the fulfillment of information obligations vis-à-vis a data subject affected by a data collection from third parties may be omitted if and to the extent that the provision of such information proves impossible or would require a disproportionate effort. Some of the literature therefore also advocates an analogous application of the provision to Art. 15 GDPR (N. Härting, Datenschutz-Grundverordnung, 2016, para. 684; see also Stollhoff in: Auernhammer, DSGVO/BDSG, 7th ed. 2020, Art. 15 marginal no. 15). Finally, the need for a restrictive interpretation of Art. 15(1) GDPR also arises from the legal concept of balancing conflicting rights (practical concordance) and further weighing and balancing mechanisms to be found in various places within the GDPR for resolving conflicts of objectives under data protection law (cf. only Art. 32(1) GDPR, which provides for a process to balance several, partly conflicting data security criteria). Tax law is mass case law in administrative practice. If, according to the wording of Article 15 (1) of the GDPR, every taxpayer is entitled to comprehensive data access rights, the exercise of comprehensive rights by a comparatively small group of data subjects (taxpayers) may have the consequence that the level of data protection for a larger group of data subjects (also taxpayers) falls short of the intended level of the EU legislator due to the inevitably limited resources of the tax administration. The Senate is convinced that such a race of the data subjects does not correspond to the intention of the GDPR and therefore a restrictive interpretation of Article 15 (1) GDPR is required. cc. Even if Article 15 (1) GDPR were to be interpreted as granting the rightful claimant a right to receive the requested data information, the plaintiff's request would be considered excessive within the meaning of Article 12 (5) GDPR and the defendant may rightfully refuse to fulfill the claim. The Senate is convinced that the plaintiff's request is excessive in terms of both content and time. In terms of content, according to the plaintiff's request, the information is to extend to (see p. 282-283 FG-A.): - all data identifiably attributable to the plaintiff pursuant to Art. 4 DS-GVO, which are located outside the tax file concerning the plaintiff with the defendant - data from external audits or audits of third parties (e.g. bank statements, invoices, purchased services and articles, e.g. meals paid for with EC or credit cards, purchases, services from lawyers, doctors, laboratories and dental technicians, articles from pharmacies); - all internal notes, all correspondence and internally generated data; - all stored bank details and their transactions; - all data concerning seizures from third party debtors, all account circulars; - all data provided by third parties and to third parties (authorities, courts, organizations, etc.), including the names of the recipients and senders as well as the transport routes and their security measures against unauthorized access; - all correspondence with the BFDI, the Senate Department of Finance, the Petitions Committee of the State of C.., other authorities, lawyers, courts, private persons; - all contracts obtained from third parties during external audits; - all taxable documents, e.g. paid wage tax as well as their tax returns, income tax, capital tax, all communication of the involved professional secrecy holders according to § 30 AO, which is not in the files, e.g. Whatsapps, Signal, SMS and the like; - record data concerning the person of the plaintiff in accordance with the Ordinance on the Automated Retrieval of Tax Data (Steuerdaten-Abrufverordnung - StDAV -); - all health data; - all e-mails with reference to my person; all documents, all inner states (e.g. opinions, motives, wishes, convictions and value judgments): all interview transcripts, telephone notes, file notes and memos, real files and administrative files, information such as asset and property relationships, communication and contractual relationships and all other relationships of the plaintiff with third parties; - all personal, economic and legal relationships insurance application, declaration of assignment, letter of termination; - insofar as statements by me of statements about me are recorded in interview notes or telephone notes, all existing expert opinions, personal performance and behavioral data, the processing purposes; - the categories of personal data processed; the recipients or categories of recipients to whom the personal data have been disclosed or are to be disclosed, in particular in the case of recipients in third countries or international organizations, this also applies in particular to the possible telemetry data of the specialist procedures, operating systems and office applications or, however, proof that these data cannot be transferred; - if possible, the planned duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration; - the communication of all available information on the origin of the data stored; - indication of from whom as well as when and with what content personal data have been transmitted, as well as the transport routes and their technical and organizational security measures (TOMS) against access by third parties; - for all data at the same time the storage periods and the legal basis, the commissioned data processors as well as their physical storage location. In terms of time, the data disclosure is to cover a period of 50 years (Bl. 283R FG-A.). dd. In the opinion of the recognizing senate also a claim-preserving contentwise or temporal reduction to a permissible request for granting of a data information does not come into consideration. The provision of certain information represents something qualitatively different (aliud) in relation to the unspecified and unlimited request for the provision of a data copy and is not a less (minus) to the plaintiff's request (so also BFH, decision of 05.05.2017 - X B 36/17 -, Sammlung amtlich nicht veröffentlichtter Entscheidungen des Bundesfinanzhofs - BFH/NV - 2017, 1183 marginal no. 20 on the relationship of the request for the provision of certain information or data copies in relation to the claim for "surrender of data copies of complete files"). 1.2 To the extent that the plaintiff requests that the defendant be ordered to provide the plaintiff with a complete copy of the personal data that are the subject of the processing within the meaning of Article 15(3) of the GDPR, the action is admissible but unfounded. a. The action is admissible as a combined action for an obligation and general performance. Reference is made to the statements under B. I. 1.1 a. is referred to. b. However, the action is unfounded. The prerequisites for a claim to the issuance of a copy of the data do exist "on the merits" (aa.). However, the rights of the data subjects enshrined in Article 15 (3) of the GDPR do not, in the opinion of the discerning Senate, entitle the plaintiff to be provided with copies of personal data in the form of (electronic) duplicates of entire files by the defendant tax office (bb.). And even if Article 15 (3) of the GDPR were to be interpreted extensively as granting the rightful claimant a claim to provision of copies, the plaintiff's request would have to be regarded as excessive within the meaning of Article 12 (5) of the GDPR and the defendant would have been justified in refusing to fulfill the claim (cc.). A claim-preserving reduction in terms of content or time to a permissible request for a data copy is out of the question (dd.). aa. The GDPR is applicable to the processing of personal data by the defendant tax office. The relief sought by the plaintiff, who is personally entitled to claim as a data subject, also involves personal data, so that the personal and factual scope of application of the GDPR is opened. The defendant tax office, as the responsible party, is also the correct defendant, so that the requirements for a claim for a copy of the data pursuant to Article 15 (3) of the GDPR are met on the merits. bb. However, the data subject rights enshrined in Article 15(3) of the GDPR do not, in the opinion of the court, entitle the plaintiff to be provided with copies of personal data in the form of (electronic) duplicates of entire files by the defendant tax office. (1) Pursuant to Article 15(1)(1) of the GDPR, the data subject shall have the right to obtain confirmation from the controller as to whether personal data concerning the data subject are being processed. If this is the case, Article 15 (1) (2) of the GDPR grants the right to information about this data and to additional information pursuant to Article 15 (1) (2) (a) to (h) of the GDPR. Pursuant to Article 15 (3), first sentence, of the GDPR, the controller shall provide the data subject with a copy of the personal data that are the subject of the processing. The question of whether the rights under Art. 15(1) and Art. 15(3) GDPR are two different claims or a single claim is assessed differently in the literature as well as in case law. (α) The proponents of a uniform claim predominantly assume a restrictive interpretation of the right to copy data pursuant to Article 15 (3) of the GDPR. According to this, the right to a copy is limited to the transmission of an overview of the processed data (for example, Landesarbeitsgericht - LAG - Niedersachsen, judgment of October 22, 2021 - 16 Sa 761/20 - marginal no. 214, juris; LAG Baden-Württemberg, judgment of March 17, 2021 - 21 Sa 43/20 -, NZA Rechtsprechungsreport Arbeitsrecht - NZA-RR - 2021, 410 marginal no. 47 et seq. ; LAG Niedersachsen, judgment of 09.06.2020 - 9 Sa 608/19 -, NZA-RR 2020, 571 marginal no. 45; Paal, in: Paal/Pauly, DS-GVO, 3rd ed. 2021, Art. 15 marginal no. 33; Franck, in: Gola, Datenschutz-Grundverordnung, 2. Aufl. 2018, Art. 15 Rn. 27; Dausend, Zeitschrift für Datenschutz - ZD - 2019, 103; Wybitul/Brams, Neue Zeitschrift für Arbeitsrecht - NZA - 2019, 672). In justification, reference is made, among other things, to the fact that the wording of Art. 15 (3) sentence 1 DSGVO does not speak of a photocopy or printout of processed data and that the legal purpose of Art. 15 (1) half-sentence 2 DSGVO lies in the transparency and lawfulness control of the processing (LAG Baden-Württemberg, judgment of March 17, 2021 - 21 Sa 43/20 -, NZA-RR 2021, 410 marginal no. 49). Accordingly, Article 15 (3) sentence 1 of the GDPR merely regulates a special form of information, which is why the information content of Article 15 (3) sentence 1 of the GDPR cannot go further than that of Article 15 (1) of the GDPR. According to Art. 15 (3) sentence 1 of the GDPR, only the data covered by Art. 15 (1) must therefore be provided as a copy and thus as an "annex" to the information (see BeckOK DatenschutzR/Schmidt-Wudy (as of 01.05.2021), GDPR Art. 15 marginal no. 85 with further references to the state of the dispute). In the tax literature, too, it is predominantly argued that rights to information under data protection law do not confer a right to access to official files (von Armansperg, Deutsches Steuerrecht - DStR - 2021, 453, 458 with further references). With regard to the wording, it was explained - with reference to various language versions of the GDPR - that the information of Art. 15 GDPR was not to be understood as a right of inspection (access to the file) (Poschenrieder, DStR 2020, 21, 23). Rather, the interpretation of Art. 15(1) and (3) GDPR must take into account the objectives pursued by the rights of access. In this context, these rights should not be seen in isolation, but in their serving function in the overall context of data protection law. In a first stage (Art. 15(1)(1) GDPR), the data subject should be able to find out whether personal data are processed at all. In a second stage (Art. 15(1)(2) GDPR), the data subject should then be able to verify the lawfulness of the data processing. This review by the data subject could then trigger the rights of Section 3 (Chapter III) of the GDPR at the third stage: Right to rectification (Art. 16 GDPR), Right to erasure or right to be forgotten (Art. 17 GDPR), Right to restriction of processing (Art. 18 GDPR), Right to data portability (Art. 20 GDPR) and Right to object (Art. 21 GDPR). The right of access under Art. 15 GDPR cannot be "detached" from the context of data protection law, it only serves - also vis-à-vis the administration - to verify whether a data processing itself is lawful. Measured against national law, the taxpayer should be able to verify whether the data processing was carried out in accordance with Sections 29b, 29c AO (cf. Schober, Finanzrundschau - FR - 2020, 558, 561). (β) In contrast, the proponents of the view that the rights under Article 15(1) and Article 15(3) GDPR are two different claims predominantly assume an extensive interpretation of the right to copy data under Article 15(3) GDPR. According to this interpretation, the relevant documents are to be transmitted in the form in which they are available to the data controller (for example, Oberverwaltungsgericht - OVG - NRW, judgment of 08.06.2021 - 16 A 1582/20 -, para. 92, juris; BeckOK DatenschutzR/Schmidt-Wudy (as of 01.05.2021), DS-GVO Art. 15 para. 85; Bäcker in: Kühling/Buchner, DS-GVO, BDSG, 3rd ed. 2020, Art. 15 Rn. 6 and 39a; Koreng, Neue Juristische Wochenschrift - NJW - 2021, 2692, 2693; Engeler/Quiel, NJW 2019, 2201, 2203). In justification, it is pointed out, among other things, that in addition to the systematics and the wording of Art. 15 GDPR, the legislative history suggests this result of interpretation. Otherwise, the distinction in Art. 15(1) and Art. 15(3) GDPR would be superfluous and the legislator could have left it at the adoption of the wording from Art. 12 of Directive 95/46/EC (Data Protection Directive) (Koreng, NJW 2021, 2692, 2693 with further references). The meaning and purpose of the right under Article 15 (3) sentence 1 of the GDPR would also argue against a restrictive interpretation of the right to a copy of the personal data processed. The reason for and regulatory objective of the General Data Protection Regulation is the protection of natural persons with regard to the processing of personal data concerning them, as guaranteed in Article 8 (1) of the Charter of Fundamental Rights of the European Union (Charter of Fundamental Rights - CFR -) and in Article 16 (1) TFEU (see Article 1 (2) of the GDPR and Recital 1 to the GDPR). Already at the level of the Charter of Fundamental Rights, the right of every person to obtain information about the data collected concerning him or her and to obtain rectification of the data is enshrined (Art. 8 (2) sentence 2 CFR). The data subject rights of the General Data Protection Regulation are rooted in the consideration of the European standard setter that the individual must in principle be able to determine for himself the disclosure and use of his personal data. Natural persons should therefore in principle have control over their own data (cf. recital 7, sentence 2 to the GDPR). To this end, Article 8 (2) sentence 2 CFR and Article 15 (1) GDPR granted the data subject a right to know which personal data had been collected by third parties. According to the first sentence of recital 63 to the GDPR, the regulatory objective is that the data subject is aware of the processing and can check its lawfulness on this basis (thus OVG NRW, judgment of 08.06.2021 - 16 A 1582/20 -, para. 105, juris). (2) Taking into account the aforementioned principles and after weighing all the circumstances, the Senate is of the opinion that Article 15 (3) of the GDPR must be interpreted restrictively and does not give the plaintiff a claim to the provision of copies of personal data in the form of (electronic) duplicates of files by the defendant tax office (so already FG Berlin-Brandenburg, judgment of 27.10.2021 - 16 K 5148/20 -, designated for publication, appeal filed, BFH file number: II R 47/21). (α) In the opinion of the Senate, the legal principles developed in the case law of the ECJ on Art. 12 of Directive 95/46/EC (Data Protection Directive), i.e. a direct predecessor regulation to Art. 15 GDPR, can also be used for purposes of interpreting the content and scope of the data subject rights under Art. 15 GDPR. In the decision of the ECJ issued on Article 12 of Directive 95/46/EC (Data Protection Directive) (judgment of July 17, 2014, joined cases C-141/12 and C-372/12 "Y.S. u. M. u. S. /Minister voor Immigratie", Official Journal of the European Union -ABl EU- 2014, C 315, 2; Europarecht -EuR- 2015, 80), the applicants in the proceedings underlying the reference for a preliminary ruling requested access to a so-called "draft document", which contained data on the party to the proceedings, but also a legal analysis. The ECJ clarified that the data contained in this draft document, which formed the factual basis for the legal analysis also contained in the draft document, also constituted personal data of the party to the proceedings. He affirms a right to information in this respect. On the other hand, he denies a right to information with regard to the legal analysis. This could not be the subject of a review by the applicant and a correction. If the right of access were to be extended to this legal analysis, this would in fact not serve the objective of the Directive to ensure the protection of the privacy of this applicant in the processing of data relating to him, but rather the objective of ensuring him a right of access to administrative documents, to which, however, Directive 95/46 is not directed (ECJ, judgment of 17.6.2014, OJ EU 2014, C 315, 2, para. 46). The ECJ also clarifies that the Directive leaves it to the Member States to determine the specific form in which the information is to be provided, insofar as it enables the data subject to obtain knowledge of the personal data concerning him or her and to verify whether they are accurate and processed in accordance with the Directive, so that he or she can exercise, where appropriate, the rights conferred on him or her by the Directive (ECJ, Judgment of 17.6.2014, OJ EU 2014, C 315, 2, para. 57). In order to safeguard the right to information, it is sufficient if the applicant receives a complete overview of the data reproduced in the draft document - i.e. also such personal data contained in the legal analysis - in an understandable form (ECJ, Judgment of 17.6.2014, OJ EU 2014, C 315, 2, para. 59). To the extent that such information could achieve the objective pursued by the right of access, the data subject was not entitled, either under the right of access or under Article 2(2) of the Charter, to obtain a copy of the document or of the original file containing such data. (β) The legislative history of the GDPR also speaks in favor of a restrictive interpretation of Art. 15(3), first sentence, of the GDPR. According to the explanatory memorandum of the original draft for the GDPR, Art. 15 of the draft version is based on Art. 12 of Directive 95/46/EC (Data Protection Directive) (cf. Proposal for the Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) of 25.01.2012, COM (2012) 11 final, p. 9). In the original draft, a right of surrender was only inserted by decision of the European Parliament of 12.03.2014 in Art. 15 (2a) of the draft version, which, however, only extends to personal data provided by the data subject himself (cf. Position of the European Parliament adopted at first reading on 12 March 2014 with a view to the adoption of Regulation (EU) No .../2014 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), P7_TC1-COD(2012)0011, p. 139). According to the Senate, the claim under Article 15(3) of the GDPR in its final version must therefore be seen in conjunction with Article 20(1) of the GDPR, according to which the data subject has the right "to receive personal data concerning him or her which he or she has provided to a controller in a structured, commonly used and machine-readable format." This shows that the European legislator deliberately chose not to apply the right to copies to all data sets containing personal data about the data subject (so also Laoutoumai/Hoppe, Kommunikation & Recht - K& R - 2019, 296, 298 f.). (γ) Systematic aspects also speak in favor of the view of the Senate that the right to a copy only includes the catalog information within the meaning of Article 15 (1) (a) to (h) of the GDPR and that data subjects have no further-reaching claims. This is because the wording of Art. 15(3) sentence 1 GDPR is comparatively restrictive; it only provides for a copy of "the personal data" and, unlike Art. 28(3)(g) or Art. 58(1)(e) GDPR, does not speak of "all" personal data. The view that Art. 15(1) and (3) GDPR do not contain two independent claims, but rather a single claim, is also supported by the fact that the first sentence of Art. 15(3) GDPR does not contain any prerequisites for a claim on the factual side, but merely standardizes the obligation of the controller to provide a copy as a legal consequence. (δ) In the view of the discerning senate, the result of the interpretation is also confirmed by a teleological interpretation of Article 15 (3) sentence 1 of the GDPR. The right to copy flanks the rights of access under Article 15(1) of the GDPR and, together with these, serves the purpose of enabling the data subject to review the data processing relating to him or her. According to recital 63 to the GDPR, the information rights of Art. 15 GDPR are intended to provide the data subject with an overview of the scope and content of the personal data stored about him or her in order to enable him or her to verify the lawfulness of the processing and to exercise the other rights concerned, e.g., to erasure or restriction of processing. This objective of enabling the review is achieved if the information following from Article 15(1) of the GDPR is provided in copy. It is not necessary to inform the person concerned about all documents or files stored by the controller. cc. Even if Article 15 (3) of the GDPR were to be interpreted extensively to the effect that it grants the rightful claimant a right to be provided with copies, the plaintiff's request would have to be considered excessive within the meaning of Article 12 (5) of the GDPR and the defendant would have been justified in refusing to fulfill the claim. (1) The plaintiff's claim to a free copy in the form of (electronic) duplicates of entire files is precluded by the second sentence of Article 12(5) of the GDPR. According to this provision, in the case of manifestly unfounded or excessive requests by a data subject, the controller may either demand a reasonable fee (Article 12(5), second sentence, point (a) of the GDPR) or refuse to act on the basis of the request (Article 12(5), second sentence, point (b) of the GDPR). According to Art. 12(5) sentence 3 GDPR, the controller must provide evidence of the manifestly unfounded or excessive nature of the request. However, Art. 15 GDPR does not grant a data subject a blanket right to information. According to recital 67, seventh sentence, of the GDPR, the type of personal data about which information is to be provided should be specified if the controller processes a large amount of information about the data subject. Reference is made to the explanations under B. I. 1.1 bb. is referred to. The same applies to the claim for a copy under Article 15(3) of the GDPR, which cannot be more comprehensive in terms of content than the claim under Article 15(1)(2) of the GDPR (so also Engeler/Quiel, NJW 2019, 2201, 2203 et seq.). (2) The plaintiff has asserted his claim for the provision of a copy of the entire contents of the defendant's file relating to personal data concerning him by means of a blanket request for information directed at the provision of copies of entire files of the defendant. The plaintiff also did not respond to the plaintiff's offer to provide certain personal data of the plaintiff. Thus, the plaintiff's request for information is obviously excessive and therefore unfounded. The defendant has therefore rightly refused to fulfill the claim pursuant to Article 12 (5) sentence 2 of the GDPR. Nothing to the contrary also results from the decision of the LAG Baden-Württemberg (judgment of December 20, 2018 - 17 Sa 11/18 -, NZA-RR 2019, 242). The decision relates to a specific employment relationship and thus to a concrete, definable fact of life. In contrast to the decision of the LAG referred to by the plaintiff, the plaintiff's claim does not relate to a specific, narrowly defined fact of life, but includes the general request for the submission of (electronic) duplicate files. The Senate is convinced that it is not necessary for the defendant to prove the unfounded or excessive nature of the request, since the circumstances leading to the unfoundedness of the request already result from the wording of the claim and the contents of the file and are therefore obvious. According to the Senate's assessment, the plaintiff's request does not, moreover, serve the objective of the GDPR to ensure the protection of the plaintiff's privacy in the processing of data relating to him. Rather, the plaintiff is attempting to use the right to information in an improper manner in order to gain access to entire files of administrative documents relating to him. However, such access does not result from Article 15 of the GDPR or the respondent is to be entitled to a right to refuse performance in accordance with Article 12 (5) sentence 2 of the GDPR for these cases. dd. In the view of the discerning senate, the action as a minus to the claim "surrender of data copies of complete files" is also not partially justified with regard to the provision of certain information or surrender of certain data copies. The provision of certain information or data copies represents something qualitatively different (aliud) in relation to the claim for "provision of data copies of complete files" and is not a less (minus) to the plaintiff's claim (so also BFH, decision of 05.05.2017 - X B 36/17 -, BFH/NV 2017, 1183 marginal no. 20). 1.3 Insofar as the plaintiff requests that the defendant be ordered to completely and securely delete or destroy all data about the plaintiff that do not serve his taxation, including all archives and data backups within the meaning of Article 4 of the GDPR, the action is admissible but unfounded. a. The action is admissible as a general action for performance. In the opinion of the Senate, an action for an obligation cannot be considered because there is a direct legal claim to the deletion of data if the requirements are met. If successful, no further administrative decision would be required. The subject-matter jurisdiction of the court follows from Section 32i (2) AO for actions against data controllers under Article 79 DSGVO, the local jurisdiction follows from Section 32i (5) sentence 2 AO; the defendant tax office has its registered office in the jurisdiction of the court. b. However, the action is unfounded. This is because the plaintiff has no claim based on Article 17 (1) (d) or Article 21 (1) of the GDPR. There is no unlawful processing of personal data. aa. According to Art. 17 (1) DSGVO, the data subject has the right to require the controller to erase personal data concerning him or her without undue delay. Among other things, the controller is obliged to erase personal data without undue delay if the personal data have been processed unlawfully (Art. 17(1)(d) GDPR). The lawfulness of processing is based on Art. 6 DSGVO for personal data, and on Art. 9 DSGVO for special categories - sensitive - personal data. If none of the grounds for lawful processing of the data set out in Art. 6 or Art. 9 DSGVO existed, the data subject (Art. 4 No. 1 DSGVO) may, under Union law, request the erasure of personal data from the controller due to initially unlawful processing pursuant to Art. 17 (1) lit. d DSGVO. (1) According to Art. 4(1) GDPR, personal data means any information relating to an identified or identifiable living natural person ("data subject"). (2) According to Art. 4 No. 2 GDPR, processing is any operation carried out by automated or manual means and any set of such operations which relates to personal data. In addition to the wholly or partly automated processing of personal data, the GDPR also covers their non-automated processing, as long as they are stored or are intended to be stored in a "file system" (Art. 2(1) GDPR). File system means any structured collection of personal data accessible according to specified criteria, whether such collection is maintained centrally, decentrally or according to functional or geographical criteria" (Art. 4 No. 6 GDPR). Structured is a collection of personal data as a planned compilation of individual data (Ernst in: Paal/Pauly, DS-GVO BDSG, 2nd ed. 2018, Art. 4 marginal no. 53) according to the required broad understanding, if the data about a specific person can be easily retrieved. (3) The defendant as a tax authority must process the data as a controller within the meaning of Art. 4 No. 7 DSGVO. A controller in this sense may also be an authority which alone or jointly with others determines the purposes and means of the processing of personal data. (4) The processing must be lawful. Legislatively, the processing of personal data in the context of the tax procedure is based on Art. 6 (1) sentence 1 lit. e DSGVO (BT-Drs. 18/12611, p. 77). According to this, data processing is lawful if it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. This is governed by the law of the Member States to which the controller is subject, pursuant to Art. 6 (3) sentence 1 lit. b DSGVO, unless Union law itself provides for a regulation (Art. 6 (3) sentence 1 lit. a DSGVO). In this case, pursuant to Art. 6 (3) sentence 2 DSGVO, either the purpose of the processing must be specified in the legal basis or, with regard to (1) (e), it must be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Heberlein in: Ehmann/Selmayr, Datenschutz-Grundverordnung, 2nd ed. 2018, Art. 6 para. 43; Buchner/Petr in: Kühling/Buchner, DS-GVO BDSG, 3rd ed. 2020, Art. 6 DS-GVO marginal no. 198). Against this background, the legislator has created a legal basis based on Art. 6 (1) sentence 1 lit. e DSGVO for the area of tax procedural law with Section 29b (1) AO (BT-Drs. 18/12611, p. 77; Wackerbeck in: Hübschmann/Hepp/Spitaler, AO/FGO, 266th ed. (11.2021), § 29b AO marginal no. 11; Mues in: Gosch, AO/FGO, 165th ed. (08/2018), § 29b AO marginal no. 6). Processing of sensitive data, which is only permitted in the cases specified in Art. 9 (2) DSGVO, is based on Art. 9 (2) lit. g DSGVO in the context of tax proceedings (Mues in: Gosch, AO/FGO, 165th ed. (08/2018), Section 29b AO marginal no. 7). The processing of such data is permissible insofar as it is based on Union law or the law of a Member State which is proportionate to the aim pursued, preserves the essence of the right to data protection and provides for adequate and specific measures to safeguard the fundamental rights and interests of the data subject, and is necessary for reasons of substantial public interest. § Section 29b (2) AO is the national legal basis for the processing of sensitive data within the meaning of Art. 9 (2) lit. g DSGVO in administrative proceedings in tax matters under the AO by tax authorities (Mues in: Gosch, AO/FGO, 165th ed. (08/2018), § 29b AO marginal no. 8). bb. Based on these principles, there is undoubtedly a processing of personal data of the plaintiff by the defendant as a tax authority. However, the processing of the data contained, regardless of whether it is pursuant to Art. 6 (1) sentence 1 lit. e or Art. 9 (2) lit. g DSGVO, is based on a sufficient authorization within the meaning of the DSGVO and was thus lawful. The subject of the examination can only be the personal data of the plaintiff resulting from the file content and processed by the defendant. The discerning senate is convinced that particularly sensitive data, such as health data or sexual orientation of the plaintiff, are not evident from the contents of the file. It can therefore be left open whether the special requirements for the processing of sensitive data pursuant to Article 9 (2) (g) of the GDPR are met. As far as the processing of personal data evident from the file content, such as personal data (name, address, date of birth), marital status (married) and family relationship (parent), recording of calls to the tax office (in the capacity of a respondent) in the administrative file, economic activities (purchase of reference books, which were not allowed for BA deduction in the case of the freelance wife) is concerned, the Senate has no doubts that this processing took place on sufficient legal authority within the meaning of the GDPR and that the data are necessary for the purposes of carrying out the taxation. The plaintiff's consent was therefore not required for lawful processing of the data. cc. The Senate also had no reason to conduct further investigations on the basis of the contents of the file, the submissions made to date and the motions of the parties. Insofar as the plaintiff requests the questioning of a pharmacist who operates a pharmacy in the vicinity of the wife's practice and who is not named because he wishes to remain anonymous for as long as possible out of fear of reprisals by the defendant, and who is to confirm the requests for data of the plaintiff in plain text by the defendant tax office, this request is not sufficiently substantiated to give rise to further factual investigations by the court. 1.4 Insofar as the plaintiff requests that the defendant be ordered to provide evidence of the complete and secure deletion or destruction of all data relating to the plaintiff that is not used for taxation purposes, including all archives and data backups within the meaning of Article 4 of the GDPR, the second stage request is deemed not to have been filed due to the unsuccessfulness of the first stage request (request 1.3). According to the case law of the fiscal courts and the opinion of the literature, which the Senate endorses, there is also the possibility in fiscal court proceedings pursuant to Section 254 of the German Code of Civil Procedure (Zivilprozessordnung - ZPO) in conjunction with Section 155 of the German Rules of the Fiscal Code (Finanzgerichtsordnung - FGO). § Section 155 FGO, there is also the possibility of a step-by-step action. Contrary to what is partially advocated for civil proceedings, it is assumed for fiscal court proceedings that in the case of a step action, the application at the second or higher step is only deemed to have been filed in the event that the court grants the application at the first step or the applications of preceding steps (see FG Hessen, judgment of December 11, 2018 - 4 K 977/16 -, EFG 2019, 745; so also Steinhauff in: Hübschmann/Hepp/Spitaler, AO/FGO, 266th Lfg (11/2021), Section 43 FGO marginal no. 96). 1.5 Insofar as the plaintiff requests that the defendant be ordered to inform all third parties to whom the plaintiff's data was forwarded that this data was unlawfully obtained and unlawfully forwarded, the action is inadmissible. In contrast to motion 1.8, the Senate understands the term "third parties" as used in the motion to mean persons outside the tax authorities. However, the application is inadmissible as there are no indications as to which persons are specifically to be covered. 1.6 Insofar as the plaintiff requests that the defendant be ordered to inform the plaintiff to whom his data was disclosed, for what legal reason and for what purpose, the action is admissible but not well-founded. The requested information is annex information within the meaning of Article 15(1)(c) of the GDPR to the general data information pursuant to Article 15(1) of the GDPR. However, since the right to obtain the data information does not exist (reference is made to the explanations under B. I. 1.1 bb.), the right to the annex information is also not given. 1.7 Insofar as the plaintiff requests that the defendant be ordered to inform the plaintiff about who on the defendant's side had access to the plaintiff's data and why this access was granted (Section 76 of the Federal Data Protection Act - BDSG), the action is admissible but not well-founded. The provisions of the BDSG are essentially not applicable in the area of tax administration. Pursuant to Sec. 2a (1) Sentence 2 AO, the provisions of the Federal Data Protection Act or other federal data protection regulations and corresponding state laws apply to tax authorities only insofar as this is stipulated in the AO or the tax laws. With regard to Section 76 BDSG, this is not the case. A claim to the provision of the relevant information also does not arise from the GDPR. Moreover, neither Section 76 BDSG nor the data subject rights of the GDPR grant the data subject a right to demand the protocols (cf. Schwichtenberg in: Kühling/Buchner, 3rd ed. 2020, BDSG § 76 Rn. 5; Burghardt/Reinbacher in: BeckOK DatenschutzR, § 76 marginal no. 20). 1.8 Insofar as the plaintiff requests that the defendant be ordered to inform the plaintiff from whom the defendant has received the plaintiff's data, the action is admissible but not well-founded. The requested information is annex information within the meaning of Article 15(1)(g) of the GDPR to the general data information pursuant to Article 15(1) of the GDPR. However, since the right to obtain data information already does not exist (reference is made to the statements under B. I. 1.1), the right to the annex information is also not given. 1.9 Insofar as the plaintiff requests that the defendant be ordered to swear to the complete and correct fulfillment of the right to information pursuant to 1.1. by way of a step-by-step action, the second step request is deemed not to have been filed due to the unsuccessfulness of the first step request (request 1.1). Reference is made to the statements under B. I. 1.4 is referred to. 2. declaratory relief against the defendant The type of action permitted for the declaratory motions directed against the defendant is the general action for a declaratory judgment within the meaning of Sec. 41 (1) Alt. 1 FGO. Pursuant to Section 41 (1) FGO, an action may be brought to establish the existence or non-existence of a legal relationship or the invalidity of an administrative act if the plaintiff has a justified interest in an early establishment (action for a declaratory judgment). The determination of the existence of a legal relationship in this sense is also at issue if the determination of the unlawfulness of administrative action that does not constitute an administrative act (Sec. 118 Sentence 1 of the German Fiscal Code - AO -) is to be determined vis-à-vis the person concerned (cf. BFH, Judgment of April 29, 2008 - I R 79/07 -, BFH/NV 2008, 1807, under II.1.; Judgment of January 18, 2012 - II R 49/10 -, BFHE 235, 151, BStBl II 2012, 168, para. 18). The general action for a declaratory judgment within the meaning of Section 41 (1) FGO must be distinguished from the genuine and non-genuine action for a continuation of proceedings pursuant to Section 100 (1) sentence 4 FGO. If an administrative act - VA - is completed before the court can rule on its lawfulness by way of a judgment, the court shall, pursuant to Section 100 (1) sentence 4 FGO, determine its unlawfulness upon application, provided the plaintiff has a legitimate interest in this. As is already clear from the wording of the provision, this is a declaratory judgment, because the original administrative decision has already been implemented and its repeal under Section 100 (1) sentence 1 or its amendment under Section 100 (2) sentence 1 is therefore no longer possible (Stapperfend in: Gräber, 9th ed. 2019, FGO Section 100 marginal no. 80). Despite the declaratory judgment, the action for a declaration of continuation is a subcategory of the action for annulment. It is an action relating to an administrative act, the aim of which is to establish the unlawfulness of an administrative act despite the fact that it has been completed (BFH, judgment of August 14, 1985 - I R 188/82 -, BFHE 144, 339). The distinction is particularly important with regard to the different requirements for the substantive judgment. For example, the requirements for the existence of an interest in a declaratory judgment are generally lower in the context of an action for a continuation of the judgment than in the context of a general action for a declaratory judgment (also Steinhauff in: Hübschmann/Hepp/Spitaler, AO/FGO, 266th Lfg. (11/2021), § 41 FGO, marginal no. 236 with references to the case law of the administrative courts). Thus, for example, a declaratory interest in the continuation of a completed proceeding can be justified by a suit for damages (official liability) that is already pending or can be expected with sufficient certainty (cf. BFH, judgment of August 11, 1998 - VII R 72/97 -, BStBl II 1998, 750). The court is convinced that these lower requirements for the existence of an interest in a declaratory judgment cannot be applied to the general action for a declaratory judgment. The principles of the BFH's case law are to be seen in the context of the special action situation in actions for continuation of a declaratory judgment, which as an "extended" or "downstream" action for rescission" decide on the legality of an administrative act, the completion of which is ultimately dependent on coincidences. These considerations cannot be applied to the situation of the general action for a declaratory judgment, which lacks an administrative act whose legality would have to be decided by the adjudicating court anyway. The purpose of the special requirements for a judgment on the merits, the subsidiarity of the action for a declaratory judgment and the requirement of a special interest in a declaratory judgment, is to avoid unnecessary actions for a declaratory judgment if another, more relevant and more effective type of action is available for the prosecution. For reasons of procedural economy, the legal protection to which the plaintiff is entitled is to be concentrated on a single procedure, namely the one that most effectively meets his concern. Due to the principle equivalence of the legal channels, this objective applies "across all legal channels", i.e. even if the action competing with the declaratory action is to be brought or has already been brought before the civil court (also BVerwG, judgment of July 12, 2000 - 7 C 3/00 -, BVerwGE 111, 306). Furthermore, it has not yet been clarified whether Section 256 (2) ZPO in conjunction with Section 155 FGO is applicable in the fiscal court proceedings. § Section 155 of the FGO is applicable in the fiscal court proceedings and that it is therefore necessary to distinguish between the action for a declaratory judgment and the action for an interim declaratory judgment. § Section 256 (2) of the Code of Civil Procedure provides for the interim determination of a legal relationship that has become contentious in the course of the proceedings under certain conditions. The necessary prejudice of the legal relationship makes the declaratory interest dispensable (see Greger in: Zöller, ZPO, 34th ed. 2022, § 256 marginal no. 25). While the administrative courts affirm the question of the applicability of Sec. 256 (2) ZPO for their procedural rules (see BVerwG, judgment of February 14, 2011 - 7 B 49/10 -, juris; Schenke in Kopp/Schenke, VwGO, 27th ed. 2021, Sec. 43 marginal no. 33), the admissibility of an action for interim declaratory judgment within the scope of application of the FGO is predominantly denied. In justification, reference is made on the one hand to the fact that Section 41 FGO contains an independent and self-contained provision on the action for a declaratory judgment, so that a loophole that would open up the supplementary applicability of the provisions of the ZPO pursuant to Section 155 FGO does not exist (so also Teller in: Gräber, FGO, 9th ed. 2019, Section 41 marginal no. 44). On the other hand, reference is made to the basic decision under tax procedural law that the tax code provides for fixed and binding regulations for precedent legal relationships in the form of the basic decision and the subsequent decision, which is also taken into account in procedural law. The task of procedural law is not to change this initial situation, but rather to bring about clarity within the framework set by substantive tax law as to what is to be considered legal between the parties to the proceedings (see Krumm in: Tipke/Kruse, AO/FGO, 168th Lfg. (11/2021), § 41 FGO, marginal no. 31; Steinhauff in: Hübschmann/Hepp/Spitaler, AO/FGO, 266th Lfg. (11/2021), § 41 FGO Rn. 89 f.; Teller in: Gräber, VwGO, 9th ed. 2019, § 41 para. 43 ff; von Beckerath in: Gosch, Abgabenordnung/Finanzgerichtsordnung, 165th ed. (01/2018), § 41 marginal no. 116). The Senate agrees with this legal opinion. A different assessment also does not result from the new statutory regulation on the federal allocation of data protection proceedings pursuant to Section 33 (1) no. 4 FGO in conjunction with Section 32i (2) AO. § Section 32i (2) AO to the fiscal courts, because under Section 32i (4) AO the FGO remains applicable in all other respects. Taking into account the above legal principles, the Senate assumes that the applications directed against the defendant are admissible as general declaratory actions, since the disputed conduct of the defendant tax office is a real act (simple administrative action) and not an administrative act. The following results in detail for the declaratory motions directed against the defendant: 2.1 Insofar as the plaintiff seeks a declaratory judgment that the defendant has not complied with its duty to provide information pursuant to Art. 14 DSGVO, Sec. 33 BDSG, Sec. 46 BDSG, the action is inadmissible. a. The admissibility of the action for a declaratory judgment is subject to the general requirements for a decision on the merits, with the special feature that the action for a declaratory judgment is not dependent on compliance with a time limit (Sec. 47 FGO) or the unsuccessful conclusion of a preliminary out-of-court proceeding (Sec. 44 FGO). In addition to the general admissibility requirements, a decision on the merits requires that specific requirements for a decision on the merits are met: From the point of view of standing (§ 40 (2) FGO analogously), the plaintiff must substantiate and coherently submit that - assuming the correctness of the submission - a threat to the plaintiff's own rights appears possible (BFH, judgment of October 15, 1997 - I R 10/92 -, BFHE 184, 212; Teller in: Gräber, 9th ed. 2019, FGO § 41 marginal no. 7). A further prerequisite is a justified interest, not a legal interest as in § 256 ZPO, in the prompt determination, i.e. an ideal or economic interest worthy of protection is also sufficient. The determination of a legal situation under tax law in preparation for civil proceedings is regularly not sufficient to justify the admissibility of the action for a declaratory judgment, since the civil courts must decide preliminary tax issues themselves (cf. B. I. 2. above). The risk of repetition and an interest in rehabilitation, especially after a serious infringement of fundamental rights, can justify an interest in a declaratory judgment (BFH, judgment of 29 July 2003 - VII R 39, 43/02 -, BFHE 202, 411). This must be an interest of the plaintiff's own (Teller in: Gräber, FGO, 9th ed. 2019, § 41 marginal no. 28 f.; Steinhauff in: Hübschmann/Hepp/Spitaler, AO/FGO, 266th ed. (11/2021), § 41 FGO marginal no. 230 ff.). Finally, as a negative prerequisite, insofar as the nullity of an administrative decision is not in question, the possibility of obtaining legal protection by way of an action for a declaratory judgment or an action for performance must be excluded; this results from the subsidiarity clause of Section 41 (2) sentence 1 FGO (Teller in: Gräber, 9th ed. 2019, FGO Section 41 marginal no. 9). These substantive requirements for the general action for a declaratory judgment ensure that, on the one hand, the legal protection gap left by § 40 FGO with its concentration on the more practically significant types of action (action for avoidance, obligation and performance) is closed with regard to Article 19 (4) of the Basic Law and that, on the other hand, the requirement of a complaint and a special interest in legal protection (interest in a declaratory judgment) excludes popular actions. b. Based on these principles, the application for a declaratory judgment is already inadmissible due to the subsidiarity of the action for a declaratory judgment compared to the action for performance, because the claim for legal protection directed at the proper fulfillment of the information obligations could have been asserted primarily by a general action for performance. Pursuant to Sec. 41 (2) Sentence 1 FGO, a declaration of the existence or non-existence of a legal relationship cannot be sought if the plaintiff can or could have pursued his rights by an action for performance. § Section 41 (2) sentence 1 FGO, like the comparable provision in Section 43 (2) sentence 1 VwGO, must be interpreted and applied restrictively in accordance with its purpose (BVerwG, judgment of April 29, 1997 - 1 C 2/95 -, NJW 1997, 2534, under 4, with further references, to Section 43 (2) sentence 1 VwGO). For if there is no threat of circumvention of the provisions on time limits and preliminary proceedings applicable to actions for avoidance and commitment, Section 41 (2) sentence 1 FGO does not preclude the action for a declaratory judgment any more than in cases in which the latter offers the more effective legal protection. If the issue in dispute between the parties can be clarified properly and fully taking into account their interest in legal protection by the declaratory judgment expressly sought by the plaintiff, it is not possible to refer the plaintiff to an action for a declaratory judgment or an action for performance, in the context of which the legal relationship, in the independent determination of which the plaintiff has a legitimate interest, would only be a preliminary issue on the one hand, and on the other hand the other elements of the claim to be asserted would only be of subordinate importance (BFH, judgment of January 18, 2012 - II R 49/10 -, BFHE 235, 151 marginal no. 22). It is true that the relationship between a general action for performance and an action for a declaratory judgment does not pose the risk of circumventing applicable provisions on time limits and preliminary proceedings, because the general action for performance also does not require the conduct of preliminary proceedings and the observance of a time limit for filing an action. However, the Senate is convinced that the action for a declaratory judgment offers less effective legal protection than the action for performance from the point of view of procedural economy. The performance judgment is enforceable. If, on the other hand, the defendant tax office does not comply with a declaratory judgment, the plaintiff must enforce his claim by means of a further action for performance (also Steinhauff in: Hübschmann/Hepp/Spitaler, AO/FGO, 266th Lfg. (11/2021), § 41 FGO marginal no. 435). c. Moreover, the request would also not be justified, because the necessary information was provided to the plaintiff within the meaning of Art. 12 et seq. DSGVO to a sufficient extent. It is essential for the exercise of rights as a data subject under Chapter III of the GDPR (Art. 12 et seq. of the GDPR) that the data subject is informed that data relating to him or her is being collected. According to Art. 12(1) GDPR, the information "shall be provided in a precise, transparent, intelligible and easily accessible form, using clear and plain language". The transmission can take place in writing or in another form, if necessary also electronically (Schmidt-Wudy in: Wolf/Brink, BeckOK Datenschutzrecht, Art. 14 DSGVO Rn. 85). The provision of the necessary information by the controller requires active action (Knyrim in: Ehmann/Selmayr, Datenschutz-Grundverordnung, 2nd ed. 2018, Art. 14 Rn. 13; Bäcker in: Kühling/Buchner, DS-GVO BDSG, 3rd ed. 2020, Art. 12 DS-GVO Rn. 16). Active informing can be ensured by providing or purposefully leading to the information (Paal/Hennemann in: Paal/Pauly, DS-GVO BDSG, 3rd ed. 2021, Art. 14 DSGVO marginal no. 5). In this respect, the controller basically has discretion as to the form in which it provides the required information. In any case, the chosen form must actually provide the data subject with a sufficient opportunity to take note. This follows from Article 34 (3) (c) sentence 2 of the GDPR and can be inferred for other active information obligations from the accessibility requirement of Article 12 (1) sentence 1 of the GDPR (Bäcker in: Kühling/Buchner, DS-GVO BDSG, 3rd ed. 2020, Art. 12 DS-GVO marginal no. 16). Having said this, it is not objectionable that the defendant deposited the data protection notices in electronic form at the web address www.finanzamt.de. The defendant has referred to the data protection notices in this web address. The defendant has already referred to the data protection notices in its reply letter of 17.06.2020. There is also no doubt that the notices were retrievable for the plaintiff and thus sufficiently accessible. Calling up information from the Internet is now common practice and does not pose any special requirements. There are no indications to the contrary in the files, nor has the plaintiff asserted any. In terms of content, the extensively designed data protection notices explain, among other things, the purpose for which the personal data are processed (performance of duties; to assess and collect taxes uniformly in accordance with the provisions of the Fiscal Code and the tax laws) and that personal data may also be requested by third parties (cf. item 4 of the notices). In the overall view, the Senate has no doubts that the defendant has complied with the information obligations under Article 14 GDPR to a sufficient extent in this respect (so also FG Schleswig-Holstein, judgment of 23.08.2021 - 5 K 42/21 -, para. 54 et seq., juris). 2.2 To the extent that the plaintiff seeks a declaration that the defendant has not complied with the plaintiff's rights to information under Article 15 GDPR, the action is already inadmissible due to the subsidiarity of the action for a declaratory judgment vis-à-vis the action for performance. This is because the plaintiff's claim for legal protection directed at the provision of information is already the subject of a claim for performance (claim 1.1). The action for a declaratory judgment is subsidiary to this (Sec. 41 (2) sentence 1 FGO). 2.3 To the extent that the plaintiff seeks a declaration that the defendant has subsequently violated rights of the plaintiff under Chapter III "Rights of the data subject" of the GDPR, the action is already inadmissible due to the subsidiarity of the declaratory action vis-à-vis the action for performance. This is because the plaintiff's claim for legal protection directed at the enforcement of data subject rights under the GDPR is already partly the subject of claims for performance (claims 1.1, 1.2 and 1.3) and could otherwise have been pursued by claims for performance directed at the fulfillment of the respective other data subject rights. The action for a declaratory judgment is subsidiary to these (possible) applications for performance (Sec. 41 (2) sentence 1 FGO). 2.4 To the extent that the plaintiff seeks a declaratory judgment that the defendant has not created the necessary technical and organizational measures to safeguard the plaintiff's rights under the GDPR and the BDSG and has not tested these TOMS for their effectiveness, the action is inadmissible for lack of standing and for lack of declaratory interest on the part of the plaintiff. The plaintiff is only entitled to file an action (Section 40 (2) FGO analogously) if he substantiates and coherently submits that - assuming the correctness of the submission - a threat to the plaintiff's own rights appears to be possible. The obligation to implement appropriate technical and organizational measures enshrined in Art. 24 GDPR serves the purpose of being able to ensure and demonstrate that processing is carried out in compliance with the GDPR (Mantz in: Sydow, European General Data Protection Regulation, GDPR, 2nd ed. 2018, Art. 32 marginal no. 1). The principle of data protection through data security measures laid down in Art. 32 GDPR concretizes the data security measures generally regulated in Art. 24 GDPR when handling personal data. The Senate is convinced that the referenced provisions do not grant the plaintiff any individual subjective public rights, but pursue overriding objectives in the public interest (objective right). Furthermore, there is no interest in a declaratory judgment as a special requirement for a general action for a declaratory judgment. The plaintiff has neither shown nor is it evident from the contents of the file or otherwise known or recognizable to the Senate from which idealistic or economic interest worthy of protection could result a declaratory interest of the plaintiff with regard to the requested declaration. 2.5 Insofar as the plaintiff seeks a declaratory judgment that the defendant cannot provide the necessary qualified IT security in accordance with ISO 27001 (basic IT protection) at the time of the commencement of data processing (Art. 32 DSGVO in conjunction with Sec. 32h AO), the action is inadmissible due to the plaintiff's lack of standing and interest in a declaratory judgment. The plaintiff does not have standing (Sec. 40 (2) FGO analogously). Art. 32 GDPR substantiates the data security measures generally regulated in Art. 24 GDPR when handling personal data. Art. 32 GDPR aims at the prevention of data protection breaches, i.e., the violation of data protection rules in the form of the data security requirements of the GDPR (Kramer/Meints in: Auernhammer, DSGVO/BDSG, 7th ed. 2020, Art. 32 DSGVO marginal no. 1). The Senate is convinced that the referenced provisions do not grant the plaintiff any individual subjective public rights, but pursue overriding objectives in the public interest (objective right). Moreover, there is no interest in a declaratory judgment as a special requirement for a general action for a declaratory judgment. The plaintiff has neither shown nor is it evident from the contents of the file or otherwise known or recognizable to the Senate from which idealistic or economic interest worthy of protection could result a declaratory interest of the plaintiff with regard to the requested declaration. 2.6 Insofar as the plaintiff seeks a declaratory judgment that the defendant attempted to deprive the plaintiff of his legal options under Chapter VIII of the GDPR, Sections 36, 66 of the BDSG by providing no and false information, the action is already inadmissible due to the subsidiarity of the action for a declaratory judgment compared to the action for performance. This is because the plaintiff's claim for legal protection directed at the provision of information is already the subject of a claim for performance (claim 1.1). The action for a declaratory judgment is subsidiary to this (Sec. 41 (2) sentence 1 FGO). 2.7 To the extent that the plaintiff seeks a declaratory judgment that the defendant failed to provide the required notifications under the GDPR to the Federal Commissioner for Data Protection and Freedom of Information (BfDI) or failed to provide them in a timely manner (Art. 33 GDPR, Sec. 65 BDSG), the action is inadmissible for lack of standing and for lack of declaratory interest on the part of the plaintiff. The plaintiff does not have standing (Sec. 40 (2) FGO by analogy). The notification obligations in the event of a personal data breach, which are specified in Art. 33 GDPR, serve several protection principles of the GDPR. In general, they serve the transparency of data processing, in that information must be provided not only about the exact circumstances of proper data processing, but also about any data protection deficits that occur. In particular, the notification obligations lead to transparency of data processing vis-à-vis the supervisory authority (principle of accountability of the controller). Finally, the information obligations also have a preventive effect, since data processors - aware that data protection violations will become public knowledge due to these legal obligations - will endeavor to avoid data protection violations from the outset (cf. Jandt in: Kühling/Buchner, 3rd ed. 2020, DS-GVO Art. 33 marginal no. 1 with further references). The Senate is therefore convinced that the referenced provision on notification obligations in the event of data protection violations does not grant the plaintiff an individual subjective public right, but rather pursues overriding objectives in the public interest (objective right). Furthermore, there is no interest in a declaratory judgment as a special prerequisite for a general action for a declaratory judgment. The plaintiff has not shown, nor is it evident from the contents of the file or otherwise known or recognizable to the Senate, from which idealistic or economic interests worthy of protection could result a declaratory interest of the plaintiff with regard to the requested declaration. 2.8 Insofar as the plaintiff seeks a declaratory judgment that the defendant did not carry out the required data protection impact assessment (Section 67 BDSG), the action is inadmissible due to the plaintiff's lack of standing and interest in a declaratory judgment. The plaintiff does not have standing to bring an action (Section 40 (2) FGO by analogy). The obligation to conduct a data protection impact assessment referred to in Section 32h (2) AO has its basis in Article 35 of the GDPR, which makes it mandatory for the controller to conduct a data protection impact assessment for certain processing operations. The data protection impact assessment serves the overriding goal of ensuring that personal data is protected and that the provisions of the Regulation are complied with (Jandt in: Kühling/Buchner, DSGVO/BDSG, 3rd ed. 2020, Art. 35 DS-GVO Rn. 1). The data protection impact assessment aims to make the controller aware of the possible consequences of data processing in particularly sensitive areas through a structured procedure and is an expression of effective self-regulation and the accountability principle (Raum in: Auernhammer, DSGVO/BDSG, 7th ed. 2020, Art. 35 DSGVO Rn. 2). The Senate is convinced that the referenced provisions do not grant the plaintiff any individual subjective public rights, but pursue overriding objectives in the public interest (objective right). Moreover, there is no interest in a declaratory judgment as a special requirement for a general action for a declaratory judgment. The plaintiff has neither shown nor is it evident from the contents of the file or otherwise known or recognizable to the Senate from which idealistic or economic interest worthy of protection could result a declaratory interest of the plaintiff with regard to the requested declaration. 2.9 To the extent that the plaintiff seeks a declaratory judgment that the defendant has committed data protection violations pursuant to the GDPR and BDSG by collecting data of the plaintiff from third parties in the course of external audits without legal grounds and that there is no need for the defendant to do so, the action is already inadmissible due to the subsidiarity of the declaratory action vis-à-vis the action for performance. This is because the plaintiff's claim for legal protection directed at the enforcement of data subject rights under the GDPR is already partly the subject of claims for performance (claims 1.1, 1.2 and 1.3) and could otherwise have been pursued by claims for performance directed at the fulfillment of the respective other data subject rights. The action for a declaratory judgment is subsidiary to these (possible) applications for performance (Sec. 41 (2) sentence 1 FGO). 2.10 Insofar as the plaintiff seeks a declaratory judgment that the defendant has interfered with the plaintiff's fundamental right of informational self-determination (Art. 1 GG in conjunction with Art. 2 GG, Art. 8 GRCh, ECHR, Sec. 48 BDSG), the action is already inadmissible for lack of declaratory interest on the part of the plaintiff. With his action, the plaintiff seeks a declaratory judgment that the defendant tax office has interfered with the plaintiff's fundamental right of informational self-determination. The plaintiff thus seeks a declaration of a legal relationship. For a legal relationship within the meaning of the aforementioned provision is any legal relationship between persons or between persons and things that results from a specific fact and is governed by legal norms. The admissibility of an action for a declaratory judgment presupposes the existence of a justified interest in the requested declaratory judgment (Sec. 41 (1) FGO). According to established case law, any concrete interest worthy of protection of a legal, economic or non-material nature that can reasonably be recognized is sufficient for a legitimate interest within the meaning of the aforementioned provision, provided that the requested determination is suitable to lead to an improvement of the plaintiff's position in one of the aforementioned areas (BFH, judgment of 02. This must be substantiated by the party seeking legal protection (BFH, decision of 11.04.2000 - VII B 221/99 -, BFH/NV 2000, 1229; decision of 20.09.2000 - VII B 33/00 -, BFH/NV 2001, 458). Furthermore, an interest in a declaratory judgment can be considered independently of such an improvement in the plaintiff's position in cases of far-reaching encroachment on fundamental rights, above all in the case of orders which the Basic Law - GG - has reserved to the judge (BVerfG, order of July 15, 1998 - 2 BvR 446/98 -, NJW 1999, 273). The Senate is convinced that the present case does not involve such a far-reaching encroachment on fundamental rights. For the personal data named by the plaintiff are not of such a nature that they would affect the innermost sphere of private life or the plaintiff's private sphere or any other particularly sensitive sphere which is therefore more worthy of and in need of protection than his legal sphere in general. 2.11 Insofar as the plaintiff seeks a declaratory judgment that the defendant has interfered with the plaintiff's private conduct of life and thus violated his dignity (Article 1 of the Basic Law in conjunction with Article 2 of the Basic Law, Article 8 of the Charter), the action is already inadmissible due to the plaintiff's lack of interest in a declaratory judgment. Even assuming that all the plaintiff's submissions are correct, the Senate is unable to identify any far-reaching encroachment on fundamental rights which could give the plaintiff a legitimate interest in the requested declaration. 2.12 Insofar as the plaintiff seeks a declaration that the defendant is engaging in illegal data retention by not deleting illegally obtained data and by not preventing the exploitation of such data, the action is inadmissible as a popular action due to the plaintiff's lack of standing and interest in a declaratory judgment. The plaintiff only has standing (§ 40 (2) FGO analogously) if he substantiates and conclusively submits that - assuming the correctness of the submission - a threat to the plaintiff's own rights appears to be possible. The Senate is unable to recognize such a possibility of the plaintiff's own rights being affected. Furthermore, there is no interest in a declaratory judgment as a special prerequisite for a general action for a declaratory judgment. The plaintiff has neither shown nor is it evident from the contents of the file or otherwise known or recognizable to the Senate from which idealistic or economic interest worthy of protection could result a declaratory interest of the plaintiff with regard to the requested declaration. 2.13 Insofar as the Plaintiff seeks a declaratory judgment that employees of the Defendant have violated tax secrecy pursuant to § 30 of the German Fiscal Code (AO) in conjunction with § 355 StGB, the action is admissible but unfounded. a. The action is admissible. With his action, the plaintiff seeks a declaration that the defendant tax office violated tax secrecy. The plaintiff thus seeks a declaration of a legal relationship. For legal relationship in the sense of the aforementioned provision is any legal relationship between persons or between persons and things, which is based on a specific fact and is governed by legal norms. There is a (tax law) relationship between the defendant tax office and the plaintiff, which is established solely by the fact that the plaintiff has disclosed his economic or other circumstances to the tax office and the tax office is obliged to keep secret the facts about the plaintiff that have become known to it as a result or by way of official investigation. It is disputed between the parties whether the defendant tax office violated this obligation to maintain tax secrecy based on that legal relationship (Sec. 30 (1) AO) without having a justifiable reason for doing so under Sec. 30 (4) AO. According to § 41, Subsection 1, FGO, this can be requested by means of an action for a declaratory judgment. This is because an action for a declaratory judgment can permissibly relate to such a legal question arising from a legal relationship. According to established case law, any concrete interest worthy of protection of a legal, economic or non-material nature that can reasonably be recognized is sufficient for a legitimate interest within the meaning of the aforementioned provision, provided that the requested determination is suitable to lead to an improvement of the plaintiff's position in one of the aforementioned areas (BFH, judgment of 02. This must be substantiated by the party seeking legal protection (BFH, decision of 11.04.2000 - VII B 221/99 -, BFH/NV 2000, 1229; decision of 20.09.2000 - VII B 33/00 -, BFH/NV 2001, 458). Furthermore, an interest in a declaratory judgment can be considered independently of such an improvement in the plaintiff's position in cases of far-reaching encroachment on fundamental rights, especially in the case of orders that the GG has reserved to the judge (BVerfG, decision of July 15, 1998 - 2 BvR 446/98 -, NJW 1999, 273). The Senate is convinced that the present case does not involve such a profound encroachment on fundamental rights. Tax secrecy, which the plaintiff believes to have been violated, does enjoy constitutional protection insofar as it is an outflow of the right to informational self-determination recognized by the case law of the BVerfG (BVerfG, judgment of July 17, 1984 - 2 BvE 11, 15/83 -, BVerfGE 67, 100; judgment of December 15, 1983 - 1 BvR 209/83 et al.) However, the information to be kept secret on his account, subject to one of the numerous circumstances permitting its breach, is not as a rule of such a nature that its unauthorized disclosure would affect the innermost sphere of private life or the intimate sphere of the citizen or an otherwise particularly sensitive sphere which is therefore more worthy of and in need of protection than his legal sphere in general. Therefore, a violation of tax secrecy does not in itself constitute a profound encroachment on fundamental rights within the meaning of the aforementioned case law, which would always justify an interest in a declaratory judgment pursuant to § 41 FGO. Nevertheless, the Senate considers it necessary to grant the plaintiff an interest in a declaratory judgment. The plaintiff feels that his subjective right to the protection of his tax secrets has been violated by the FA. A taxpayer in this situation would be largely deprived of legal protection if he had to accept this alleged violation of rights without the possibility of a judicial review of the FA's actions. Such an alternative possibility of legal protection will usually not arise for him in the event of a breach of tax secrecy and is unlikely to exist for the plaintiff in particular. There will also generally be no danger of repetition from which an interest in a judicial determination of the unjustified breach of tax secrecy could be derived, nor will there be any liquidable consequential economic loss. Even where such conditions for the assumption of an interest in the determination of an infringement of rights are lacking, case law has, however, always recognized a justified interest in a considerable encroachment on the personal sphere of the person concerned in obtaining at least a certain degree of satisfaction for the injustice suffered by having this injustice determined (BFH, judgment of 5 December 2000 - VII R 18/00 -, BFHE 193, 234, BStBl II 2001, 263, with further references). This applies not only to measures of a discriminatory or defamatory nature, but has also been recognized by the BFH in the case of such violations of rights that otherwise have a special relationship to the right of the person concerned to be recognized as a personality with an inviolable core area of private life (cf. BFH, judgment of August 11, 1998 - VII R 72/97 -, BFHE 187, 159). The breach of tax secrecy may be a violation of rights of this kind (cf. BFH, judgment of July 29, 2003 - VII R 39, 43/02 -, BFHE 202, 411). b. However, the action is not well-founded. There is no violation of tax secrecy either by disclosure of protected data to the Senate Department for Finance or to the Federal Commissioner for Data Protection and Freedom of Information. Disclosure of protected data within the meaning of Section 30 of the German Fiscal Code (AO) is any conduct on the basis of which circumstances covered by tax secrecy become known or could become known to a third party. According to some opinions, the exchange of information within the financial department does not constitute disclosure; whereas, according to the prevailing opinion, disclosure can also be assumed in the case of the disclosure of protected data within the department to other officials, superiors, including the supervisory authorities, who are also involved in the matter on official business (see Alber in: Hübschmann/Hepp/Spitaler, AO/FGO, 266th Lfg. (11/2021), § 30 AO marginal no. 121 with further references). However, the Senate can leave this question open, because in any case the disclosure of the protected data is authorized, so that no violation of tax secrecy is to be seen. The authority to disclose data to supervisory authorities is derived from Section 30 (4) no. 1a in conjunction with Section 29c (1) sentence 1. § Section 29c (1) sentence 1 no. 6 AO (cf. Rüsken in: Klein, AO, 15th ed. 2020, Section 30 no. 60). The authority to pass on the data to the Federal Commissioner for Data Protection and Freedom of Information results from Section 30 (4) no. 2 AO in conjunction with. § Section 16 (3) sentence 1 no. 2 BDSG (see Rüsken in: Klein, AO, 15th ed. 2020, Section 30 marginal no. 117a). 2.14 Insofar as the plaintiff seeks a declaration that employees of the defendant have violated the BDSG, in particular also § 42 BDSG, the action is inadmissible. The plaintiff is only entitled to file an action (Section 40 (2) FGO analogously) if he substantiates and conclusively submits that - assuming the correctness of the submission - a threat to the plaintiff's own rights appears to be possible. The Senate is unable to recognize such a possibility of the plaintiff's own rights being affected. Furthermore, there is no interest in a declaratory judgment as a special prerequisite for a general action for a declaratory judgment. The plaintiff has not shown, nor is it apparent from the contents of the file or otherwise known or recognizable to the Senate, from which idealistic or economic interest worthy of protection could result a declaratory interest of the plaintiff with regard to the requested declaration. The Senate merely points out in addition that the provisions of the BDSG are essentially not applicable in the area of tax administration. Pursuant to Sec. 2a (1) Sentence 2 AO, the provisions of the Federal Data Protection Act or other federal data protection regulations as well as corresponding state laws apply to tax authorities only insofar as this is stipulated in the AO or the tax laws. 2.15 Insofar as the plaintiff seeks a declaratory judgment that the defendant has encroached upon medical secrecy pursuant to Section 203 of the German Criminal Code (StGB) and has thus caused lasting damage to the plaintiff's relationship of trust in the defendant's duties pursuant to Article 20 of the Basic Law, the action is already inadmissible. There is no interest in a declaratory judgment as a special prerequisite for a general action for a declaratory judgment. The plaintiff has not shown, nor is it apparent from the contents of the file or otherwise known or recognizable to the Senate, from which idealistic or economic interest worthy of protection could result a declaratory interest of the plaintiff with regard to the requested declaration. Even assuming that all the plaintiff's submissions are correct, the Senate is unable to identify any far-reaching encroachment on fundamental rights that could give the plaintiff a justified interest in the requested declaration. Moreover, the action would also be unfounded. This is because only the doctor is subject to medical confidentiality, not the tax office (see § 203 StGB). Therefore, the tax office cannot violate a doctor's duty of confidentiality. The medical confidentiality obligation continues in accordance with § 102 AO as the physician's right to refuse to provide information and § 104 para. 1 AO as the physician's right to refuse to produce documents. In this respect, too, only the physician (not the tax office) can infringe, because it is up to the physician to decide whether to invoke his right to refuse and to provide information or to hand over documents. 2.16 Insofar as the plaintiff seeks a declaratory judgment that the defendant has exploited particularly protected data pursuant to Art. 9 DSGVO, Sec. 22 BDSG without legal grounds, the action is inadmissible as a popular action for lack of standing and declaratory interest of the plaintiff. The plaintiff is only entitled to file an action (§ 40 (2) FGO analogously) if he substantiates and coherently submits that - assuming the correctness of the submission - a threat to the plaintiff's own rights appears to be possible. The Senate is unable to recognize such a possibility of the plaintiff's own rights being affected. Furthermore, there is no interest in a declaratory judgment as a special prerequisite for a general action for a declaratory judgment. The plaintiff has neither shown nor is it evident from the contents of the file or otherwise known or recognizable to the Senate from which idealistic or economic interest worthy of protection could result a declaratory interest of the plaintiff with regard to the requested declaration. 2.17 Insofar as the plaintiff seeks a declaration that the defendant is using illegally obtained data and information, reference is made to the files of the proceedings 2 K 2040/20, the action is also inadmissible as a popular action for lack of standing and declaratory interest of the plaintiff. The plaintiff only has standing (Sec. 40 (2) FGO analogously) if he substantiates and coherently submits that - assuming the correctness of the submission - a threat to the plaintiff's own rights appears to be possible. The Senate is unable to recognize such a possibility of the plaintiff's own rights being affected. Furthermore, there is no interest in a declaratory judgment as a special prerequisite for a general action for a declaratory judgment. The plaintiff has neither shown nor is it evident from the contents of the file or otherwise known or recognizable to the Senate from which idealistic or economic interest worthy of protection could result a declaratory interest of the plaintiff with regard to the requested declaration. 2.18 To the extent that the plaintiff seeks a declaratory judgment that the defendant violated tax secrecy and the GDPR by publishing the plaintiff's telephone number in an e-mail to the plaintiff's wife's practice, the action is already partially inadmissible for lack of a need for legal protection and otherwise unfounded. The defendant tax office admitted the existence of a data protection violation in a letter to the plaintiff's wife dated February 11, 2021, and arranged for appropriate notifications to the competent supervisory authorities. The plaintiff has no interest in legal protection and the action is inadmissible to this extent. There has been no violation of tax secrecy. Reference is made to the statements under B. I. 2.13 is referred to. In this respect, the action is unfounded. 2.19 Insofar as the plaintiff seeks a declaration that the defendant violated tax secrecy and the GDPR by publishing the plaintiff's telephone number to the Senate Department for Finance in a manner unknown to the plaintiff, the action is admissible but unfounded. Reference is made to the statements under B. I. 2.13 is referred to. Insofar as the plaintiff requested in writing and most recently at the hearing that the files of the Senate Administration and all correspondence between the defendant tax office and the Senate Administration be made available, there was no reason to comply with these requests for lack of relevance to the decision. 3 General Requests for Declaratory Rulings 3.1 Insofar as the plaintiff seeks a declaratory judgment that parts of the AO which impose information obligations on those affected from whom the data were not directly collected (data collection from third parties) are not compatible with higher-ranking law and, in particular, violate the Charter of Fundamental Rights, the ECHR and the Basic Law (namely, inter alia, §§ 32b, 32c, 32f AO), the action is inadmissible. The action for a declaratory judgment is already inadmissible. Pursuant to Sec. 41 (1) FGO, the requested declaratory judgment must be aimed at a legal relationship, i.e. at a specific legal relationship between persons or between persons and things resulting from a concrete factual situation and ordered on the basis of legal norms. However, the determination of the validity or legality of legal norms is not covered by Section 41 FGO, because the FGO does not provide for direct legal protection in this respect - unlike Section 47 VwGO (so also FG Baden-Württemberg, judgment of 27.11.2013 - 4 K 3798/10 -, marginal no. 30, juris; Teller in: Gräber, FGO, 9th ed. 2019, § 41 marginal no. 13; von Beckerath in: Gosch, Abgabenordnung/Finanzgerichtsordnung, 165th ed. (01/2018), § 41 marginal no. 31). Moreover, the defendant tax office would not be the correct defendant within the meaning of Sec. 63 (1) FGO. According to Sec. 63 (1) FGO, the proper defendant in an action for a declaratory judgment is the authority against which the determination of the existence or non-existence of a legal relationship is sought (also Herbert in Gräber, FGO, 9th ed. 2019, Sec. 63 no. 11). However, the defendant tax office cannot be a suitable respondent for a declaratory judgment under any legal aspect, since it was not involved in the enactment of the standards in question and is obligated to apply them without its own competence to examine and reject them due to the legal obligation of the administration. 3.2 Declaratory motions with regard to the proceedings 2 K 2040/20 Insofar as the plaintiff seeks a declaration that the judge at the Tax Court ... in the proceedings 2 K 2040/20 (plaintiff: D...; subject matter of the proceedings: audit order) - deprived the plaintiff here of the right to be heard (motion 3.2.1), - deprived the plaintiff here of his legal judge (request 3.2.2), - failed to apply the GDPR (motion 3.2.3) and - has not complied with the legal protection guarantee of the Basic Law by not summoning the plaintiff here (request 3.2.4), the action is inadmissible. The action for a declaratory judgment is already inadmissible. Pursuant to Sec. 41 (1) FGO, the requested declaratory judgment must be aimed at a legal relationship, i.e., at a specific legal relationship between persons or between persons and things resulting from a concrete factual situation and ordered on the basis of legal norms. The action to declare that the adjudicating body has performed certain acts and omitted others in the legal dispute referred to concerns a procedural legal relationship and judgment, and thus not a legal relationship within the meaning of Section 41(1) of the FGO. Furthermore, the defendant tax office would not even be the correct defendant within the meaning of § 63 (1) FGO. According to Sec. 63 (1) FGO, the correct defendant in an action for a declaratory judgment is the authority against which the determination of the existence or non-existence of a legal relationship is sought (also Herbert in Gräber, FGO, 9th ed. 2019, Sec. 63 no. 11). However, the defendant tax office cannot be a suitable respondent for a declaratory judgment from any legal point of view, since it was only involved in the legal dispute in question as a party. 4. 4 Insofar as the plaintiff requests the examination of all data by the Federal Commissioner for Data Protection and Freedom of Information (BfDI) pursuant to Sec. 32c (5) AO, the plaintiff must declare his request for the provision of information by the defendant tax office directly to the BfDI directly to the tax authority (Drüen in: Tipke/Kruse, AO/FGO, 168th ed. (11/2021), § 32c AO, marginal no. 27). The proceedings pursuant to Sec. 32c (5) AO have no effect on the proceedings here; in particular, the proceedings here are not to be suspended until the conclusion of these proceedings. Insofar as the plaintiff requests - to summon the head of the defendant FA personally to the appointment on 26.01.2022 in order to question him under oath on data concerning the plaintiff; - to summon the auditor Mrs. E... personally to the appointment on 26.01.2022, in order to clarify the course of events in relation to the release of the patient data in the context of the audit of his wife, - to summon the employees of the defendant tax office (Ms. E..., Ms. F..., Mr. G..., Ms. H..., Ms. I..., Ms. J..., head of the tax office Mr. K...) to the meeting on January 26, 2022 and to question them on the subject of "access to files and data during the AdV proceedings" - due to the lack of relevance for the decision, there was no reason to comply with these requests. Insofar as the plaintiff requested that the court take precautionary measures to prevent the defendant from spoiling the evidence, there was no reason to comply with this request, since a reason for ordering precautionary measures was not sufficiently demonstrated. In addition, the Senate points out that the plaintiff is requesting, among other things, the deletion of data. In this respect, it is surprising that provisional security measures are intended to prevent precisely the deletion of the plaintiff's data that is ultimately sought (spoilage of evidence). Insofar as the plaintiff has furthermore requested that the files of the company audit be requested with the evidentiary topic "How, when and by whom did access to files and data take place?" and that certain files of the Senate Administration be requested with the evidentiary topic "Information about the actual storage, processing and forwarding of data concerning the plaintiff and the utilization of the illegal data files", there was no reason to comply with these requests for lack of relevance to the decision. In all other respects, the contents of the file, the submissions to date and the motions of the parties do not give rise to any further action by the court to clarify or investigate the facts of the case. 5. (5) The proceedings are not to be stayed pursuant to Article 100 (1) sentence 1 GG in conjunction with Section 80 (1) BVerfGG. § Section 80 (1) BVerfGG and to obtain a decision of the BVerfG. The court has no objections to the constitutionality of the national provisions of the AO which are relevant to the decision and which were enacted to supplement and implement the provisions of the GDPR under European Union law. 6. (6) As a court of instance, there is no obligation on the part of the cognizant senate to refer the matter to the ECJ. Pursuant to Article 267 (2) TFEU, the tax courts are entitled, but not obliged, to refer questions of interpretation. The BFH has therefore ruled that there is no obligation on the part of the fiscal courts to make a referral for reasons of EU law, although no appeal without leave to appeal is possible (Levedag in: Gräber, FGO, 9th ed. 2019, Appendix, para. 171). However, if there is already no obligation to submit an appeal if the appeal is not admitted, this applies a fortiori if the court of instance admits the appeal. II. The decision on costs is based on Section 135 (1) FGO. III. The appeal was admitted pursuant to § 115, Subsection 2, No. 1, FGO. In particular, the content, scope and limits of the right to information under EU law pursuant to Article 15 (1) of the GDPR and the right to a copy of data under EU law pursuant to Article 15 (3) of the GDPR appear to be worthy of clarification and in need of clarification due to their expected broad impact. In this respect, there is also the special feature that the legal questions raised essentially concern the plaintiff's rights under data protection law with regard to the processing of personal data relating to the plaintiff by the defendant tax office in the context of carrying out the taxation of third parties in whose taxation proceedings the plaintiff himself is not involved. This gives rise to further specific questions that appear to be worthy of clarification and in need of clarification.